WinRAR <= 3.42 (latest) stack overflow vulnerabilities

Number: #17
Author: darkeagle
Mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
Date: 06.03.05
Vendor: http://rarlabs.com
Status: vendor does not know about the bug yet :)

Overview:
WinRAR is one of the best file compressors all over the world :)

Details:
WinRAR has a stack overflow when the user opens a file with a very long filename. To overwrite the EIP register you need 509 bytes (RUS version).

Another stupid stack overflow exists in WinRAR :) When you create an archive, put the following in "Archive name":
"uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu....\unl0ck.rar"
that is, more than 500 bytes of 0x55 ('u') in front of a short filename :) If you put only a long filename like "unl00.....00ckkkkkkkkkkk.rar", WinRAR shows you a message like "What The Fuck? Filename is t00 long!!!" :) So the length check only looks at the filename itself, not at the whole path: a long directory part followed by a short filename gets past it and still overflows the buffer. Rarlabs thought they could stop stupid users. Yes, they stopped stupid users with this protection, but UNL0CK RESEARCHERZ are not stupid users! }:i

Solution:
Wait for a new version of WinRAR :)

Exploit:
see here. I used the ret-2-func technique in my exploit; it was tested only on WinXP SP2 RUS.

Greetz: all unl0ckerz, nosystemz, rosielloz, m00z, skew.

(c) uKt Research 2004-2005 http://unl0ck.org
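Added illustration of the bypass described above (this is example code written for this page, not the advisory's exploit and not WinRAR's code): a length check that only inspects the final path component, beside a hardened check that bounds the whole string against the destination buffer. NAME_LIMIT, STACK_BUF, the function names and the sample inputs are assumptions chosen for the example; the advisory gives no buffer sizes beyond the 509-byte EIP offset in the RUS build. The copy itself is replaced by a length calculation so the program does not smash its own stack.

```c
/* Added example, not from the advisory or from WinRAR.  Models a filename
 * check that validates only the last path component and then copies the
 * whole path into a fixed-size stack buffer.  All sizes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LIMIT 255   /* assumed: longest basename the dialog accepts        */
#define STACK_BUF  260   /* assumed: fixed buffer the full path is copied into   */

/* Final component of a Windows-style path (after the last '\' or '/'). */
static const char *base_name(const char *path)
{
    const char *bs = strrchr(path, '\\');
    const char *fs = strrchr(path, '/');
    const char *p = bs;
    if (fs && (!p || fs > p))
        p = fs;
    return p ? p + 1 : path;
}

/* Build the advisory's archive-name pattern: n bytes of 'u' (0x55) followed
 * by "\unl0ck.rar".  Caller frees the result. */
char *build_poc_name(size_t n)
{
    const char *tail = "\\unl0ck.rar";
    char *s = malloc(n + strlen(tail) + 1);
    if (!s)
        return NULL;
    memset(s, 'u', n);
    strcpy(s + n, tail);
    return s;
}

/* Vulnerable pattern: only an overlong *filename* is rejected, so a long
 * directory part slips through and the following strcpy into a
 * STACK_BUF-byte buffer overflows.  Returns 1 when the path is accepted. */
int check_name_only(const char *path)
{
    if (strlen(base_name(path)) > NAME_LIMIT)
        return 0;                      /* "Filename is too long" */
    return 1;                          /* accepted: the copy would follow */
}

/* Hardened pattern: keep the filename rule, but also bound the whole
 * string (plus its NUL) against the destination buffer before copying. */
int check_full_path(const char *path)
{
    if (strlen(base_name(path)) > NAME_LIMIT)
        return 0;
    if (strlen(path) + 1 > STACK_BUF)
        return 0;
    return 1;
}

/* Bytes a strcpy of path into a STACK_BUF-byte buffer would write past
 * its end (0 when it fits). */
size_t overflow_bytes(const char *path)
{
    size_t need = strlen(path) + 1;
    return need > STACK_BUF ? need - STACK_BUF : 0;
}

int main(void)
{
    char *poc = build_poc_name(509);   /* 509 'u' bytes, the figure from the advisory */
    char  plain[600];                  /* constructed: one overlong filename, no directory */
    memset(plain, 'k', sizeof plain - 1);
    plain[sizeof plain - 1] = '\0';

    printf("overlong filename only : name-only=%d full-path=%d\n",
           check_name_only(plain), check_full_path(plain));
    if (poc) {
        printf("long dir + unl0ck.rar : name-only=%d full-path=%d overflow=%zu bytes\n",
               check_name_only(poc), check_full_path(poc), overflow_bytes(poc));
        free(poc);
    }
    return 0;
}
```

The first input is what the advisory's "Filename is t00 long" dialog catches: both checks reject it. The second is the advisory's trick: the name-only check accepts it because "unl0ck.rar" is short, while the full-path check rejects it, and overflow_bytes() shows how far the copy would have run past the assumed 260-byte buffer.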