WinRAR buffer overflows.
winrar <= 3.42 (latest) stack overflow vulnerabilities
number: #17
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 06.03.05
vendor: https://rarlabs.com
status: vendor dunno about the bug :)
overview:
winrar is one of the best file compressors in the world :)
details:
winrar has a vulnerability when the user opens a very long filename.
509 bytes are needed to overwrite the EIP register (RUS version).
another stupid stack overflow exists in winrar :)
when you create archive, put in "Archive name" following:
"uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu....\unl0ck.rar"
over 500 bytes of 0x55 ('u') :)
but if you put only a filename like "unl00.....00ckkkkkkkkkkk.rar"
winrar shows you a message like "What The Fuck? Filename is t00 long!!!" :)
rarlabs thought they could fuck up stupidz userz. yes, they fucked up
stupidz userz with this protection, but UNL0CK RESEARCHERZ aren't stupidz userz! }:i
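The two behaviours above (a bare long filename is rejected, a long directory part followed by a short filename is not) are what you get when a length check measures the file-name component while the copy writes the whole path. The following is an added illustration, not WinRAR's code; the 260-byte buffer, the check split and the helper names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 260   /* constructed buffer size, not WinRAR's real one */

/* Length of the last path component (after the final '\' or '/'). */
static size_t last_component_len(const char *path) {
    const char *sep = NULL, *p;
    for (p = path; *p; p++)
        if (*p == '\\' || *p == '/') sep = p;
    return strlen(sep ? sep + 1 : path);
}

/* Weak check: measures only the file-name component, so a long directory
 * part passes even though the whole path is what gets copied into NAME_BUF. */
int name_ok_weak(const char *path) { return last_component_len(path) < NAME_BUF; }

/* Fixed check: measures exactly what the copy will write, the whole path. */
int name_ok_fixed(const char *path) { return strlen(path) < NAME_BUF; }

/* 1 if `check` admits a path that does not fit NAME_BUF, i.e. the check
 * validates something other than what is copied. */
int check_is_bypassable(const char *path, int (*check)(const char *)) {
    return check(path) && strlen(path) >= NAME_BUF;
}

/* Constructed input: dir_len 'u's, a backslash if dir_len > 0, then name_len
 * 'k's and ".rar", in a static buffer. Lengths are capped so it always fits. */
const char *make_path(size_t dir_len, size_t name_len) {
    static char buf[1100];
    size_t i;
    if (dir_len > 512) dir_len = 512;
    if (name_len > 512) name_len = 512;
    memset(buf, 'u', dir_len); i = dir_len;
    if (dir_len) buf[i++] = '\\';
    memset(buf + i, 'k', name_len); i += name_len;
    strcpy(buf + i, ".rar");
    return buf;
}

int main(void) {
    /* Long directory, short name: the weak check lets it through. */
    printf("weak  bypassable: %d\n", check_is_bypassable(make_path(500, 6), name_ok_weak));
    printf("fixed bypassable: %d\n", check_is_bypassable(make_path(500, 6), name_ok_fixed));
    /* Long name only: both checks reject it, as the advisory describes. */
    printf("weak  accepts long name: %d\n", name_ok_weak(make_path(0, 500)));
    return 0;
}
```

The lesson for the fix is the one `name_ok_fixed` encodes: bound the copy by the length of the full string that will be written, not by a sub-part of it.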
solution:
wait for a new version of WinRAR :)
exploit:
exploitz see here.
I used the ret-2-func technique in my exploit and it was tested only on WinXP SP2 RUS.
greetz:
all unl0ckerz, nosystemz, rosielloz, m00z, skew.
(c) uKt Research
2004-2005
https://unl0ck.org