winrar <= 3.42 (latest) stack overflow vulnerabilities

number: #17
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 06.03.05
vendor: http://rarlabs.com
status: vendor dunno about bug :)

overview:

winrar is one of the best file compressor all over the world :)

details:

winrar has vulnerability, when user openning very long filename.
to overwrite EIP register, needs 509 bytes ( RUS version ).

another stupid stack overflow exist in winrar :)
when you create archive, put in "Archive name" following:

"uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu....\unl0ck.rar"
0x55 bytes over 500 :)

but if you put only filename like "unl00.....00ckkkkkkkkkkk.rar"
winrar msgz to you msg like "What The Fuck? Filename is t00 long!!!" :)
rarlabs thought that they can fuck up stupidz userz. yes. they fucked upped
stupidz userz with this protection, but UNL0CK RESEARCHERZ isn't stupidz userz! }:i

solution:

waiting new version of WinRAR program :)

exploit:

exploitz see here.
I used ret-2-func technique in my exploit and it tested only in WinXP SP2 RUS.

greetz:
all unl0ckerz, nosystemz, rosielloz, m00z, skew.

(c) uKt Research
    2004-2005
http://unl0ck.org