Forums: Need For Speed 2 Client Remote Exploit - Forums

Need For Speed 2 Client Remote Exploit UNIX & WIN VERSION

#1 User is offline   Gurou 

  • Corporal
  • Group: Members
  • Posts: 191
  • Joined: 11-October 03

Posted 23 January 2004 - 09:12 AM

Need for Speed 2 Remote Client Buffer Overflow Exploit

http://www.k-otik.co...fshp2cbof.c.php

:D

#2 User is offline   andydis 

  • Master Sergeant
  • Group: Specialist
  • Posts: 622
  • Joined: 21-August 03

Posted 23 January 2004 - 09:18 AM

yea i saw this posted just this min,

doesnt compile under cygwin;

nfs.c:194: error: redefinition of `std_err'
nfs.c:176: error: `std_err' previously defined here
nfs.c:252:2: warning: no newline at end of file

#3 User is offline   BuzzDee 

  • Master Sergeant
  • Group: Specialist
  • Posts: 454
  • Joined: 27-September 03

Posted 23 January 2004 - 09:22 AM

hmm compiling didnt work :/
could anyone post a compiled exploit? would be gr8! :D

which port do u have to scan for? is it 61220 or 8511? 8511 right?

greetz

#4 User is offline   peter_BB 

  • Private
  • Group: Members
  • Posts: 14
  • Joined: 16-January 04

Posted 23 January 2004 - 09:53 AM

well i have to ask what do u want to use this for? the chance to find a computer thats playing need for speed 2 is very low and anyway the game is old so the chance is even lower...
just for fun id say

#5 User is offline   Copkill 

  • Private First Class
  • Group: Members
  • Posts: 56
  • Joined: 04-December 03

Posted 23 January 2004 - 10:08 AM

doesnt compile under Msc++6 :(

#6 User is offline   Reaper527 

  • Private First Class
  • Group: Members
  • Posts: 131
  • Joined: 14-January 04

Posted 23 January 2004 - 10:38 AM

Compiling...
nfs2hp.c
\nfs2hp.c(133) : error C2065: 'wsadata' : undeclared identifier
\nfs2hp.c(133) : warning C4133: 'function' : incompatible types - from 'int *__w64 ' to 'LPWSADATA'
\nfs2hp.c(135) : error C2275: 'WSADATA' : illegal use of this type as an expression
D:\Program Files\Microsoft Visual Studio .NET 2003\Vc7\PlatformSDK\Include\WinSock.h(347) : see declaration of 'WSADATA'
\nfs2hp.c(135) : error C2146: syntax error : missing ';' before identifier 'wsadata'
\nfs2hp.c(135) : error C2144: syntax error : '<Unknown>' should be preceded by '<Unknown>'
\nfs2hp.c(135) : error C2144: syntax error : '<Unknown>' should be preceded by '<Unknown>'
\nfs2hp.c(135) : error C2143: syntax error : missing ';' before 'identifier'
\nfs2hp.c(136) : warning C4244: '=' : conversion from 'SOCKET' to 'int', possible loss of data

:(
something i noticed was that one of the files that it had set for include (i think it was winerr.h, either way it's the one that's included with "" instead of <>) is actually at the bottom of the exploit, so if you don't comment out that include line you get an error saying some things are defined more than once. if anyone has any luck with VC++.net let me know, i'm having no luck with this one :(

#7 User is offline   Reaper527 

  • Private First Class
  • Group: Members
  • Posts: 131
  • Joined: 14-January 04

Posted 23 January 2004 - 10:57 AM

update for anyone having trouble compiling this, i still haven't found a way to compile it yet, but if you go to the website in the exploit source (http://aluigi.altervista.org/) and then click the advisories link on the left of the page, and go down to the very bottom of the list that brings up, you should see this exploit, and one of the choices is POC, choose this and you'll get a zip with the source as well as a compiled version.

#8 User is offline   Train25 

  • Private First Class
  • Group: Members
  • Posts: 82
  • Joined: 30-November 03

Posted 23 January 2004 - 12:47 PM

Doesn't need for speed underground use the same port being 242? If so this could be worth a closer look as this is a very popular game

#9 User is offline   vnet576 

  • Specialist
  • Group: Members
  • Posts: 1,000
  • Joined: 01-August 03

Posted 23 January 2004 - 12:56 PM

Heh...yeh thats nice, we'll see all these script kiddies exploiting each other whenever one beats the other in a race.

#10 User is offline   BuzzDee 

  • Master Sergeant
  • Group: Specialist
  • Posts: 454
  • Joined: 27-September 03

Posted 23 January 2004 - 01:28 PM

the exploit is strange....

look this is what i get with the compiled exploit:

D:\hack\nfs>nfs

Need for Speed Hot pursuit 2 <= 242 client's buffer overflow 0.1
by Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


Usage: nfs <version>

Version:
240 = this is the default (1.0) and more diffused version
242 = the latest patched version, rarely used by players



so where is the ip to be put???

when i type "nfs.exe 240" i get:

D:\hack\nfs>nfs 240

Need for Speed Hot pursuit 2 <= 242 client's buffer overflow 0.1
by Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org

Selected version 240 (nver 18022640)

Binding UDP port 61220
The return address will be overwritten with 0xdeadc0de
Clients:




so what is to do with that exploit.... could it be a local exploit?

buzz

#11 User is offline   Train25 

  • Private First Class
  • Group: Members
  • Posts: 82
  • Joined: 30-November 03

Posted 23 January 2004 - 02:03 PM

BuzzDee, on Jan 23 2004, 05:28 PM, said:

Binding UDP port 61220
The return address will be overwritten with 0xdeadc0de
Clients:

so what is to do with that exploit.... could it be a local exploit?

buzz

Reading quickly over the code it seems at this point you would enter the IP address of the remote where you see "Clients:"

Which version you would run (ex. Version: nfs 240 or nfs 242) would depend on which port was open
240 = this is the default (1.0) and more diffused version
242 = the latest patched version, rarely used by players

A little backwards in coding but nonetheless interesting to see if it works...still trying it on this end

#12 Guest_XtrA_*

  • Group: Guests

Posted 23 January 2004 - 02:39 PM

how can it help?
no one playing it..

#13 User is offline   320X 

  • Master Sergeant
  • Group: Members
  • Posts: 473
  • Joined: 13-December 03

Posted 23 January 2004 - 03:21 PM

Need for Speed Hot pursuit 2 <= 242 client's buffer overflow 0.1
by Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


Usage: C:\Documents and Settings\Chacal\Escritorio\Debug\NeedForSpeedRemoteClientOverflow.exe <version>

Version:
240 = this is the default (1.0) and more diffused version
242 = the latest patched version, rarely used by players

------------------------------------------------------------------------------------------------

you need to define the remote address here
"0000" // return address

#14 User is offline   BuzzDee 

  • Master Sergeant
  • Group: Specialist
  • Posts: 454
  • Joined: 27-September 03

Posted 24 January 2004 - 03:45 AM

did anyone succeed with that exploit by now?

#15 User is offline   Chris 

  • Specialist
  • Group: Specialist
  • Posts: 1,202
  • Joined: 31-August 03

Posted 24 January 2004 - 06:38 AM

vnet576, on Jan 23 2004, 08:56 PM, said:

Heh...yeh thats nice, we'll see all these script kiddies exploiting each other whenever one beats the other in a race.

yeah cant wait ...... :rolleyes: