This repository contains PoC code to exploit Neverwinter Nights: Enhanced Edition. This blog post details the vulnerabilities and their exploitation.
- Windows version: 10.0.19045.2965
- Neverwinter Nights: Enhanced Edition: vulnerable version 88.8193.36-13
- `poc-server-1.js`: instruments the NWN game server to trigger a memory leak vulnerability.
- `poc-server-2.js`: instruments the NWN game server to receive the leaked memory and exploit a second vulnerability. This executes calc.exe on the victim.
Machine 1:
- Launch a multiplayer game with the scenario Prelude
- Attach to nwmain.exe with frida: `frida nwmain.exe -l poc-server-1.js`
Machine 2 (IP: 192.168.56.105):
- Launch a multiplayer game with the scenario Chapter 3
- Attach to nwmain.exe with frida: `frida nwmain.exe -l poc-server-2.js`
Victim:
- Connect to server 1
- Create or choose a character and begin to play.
- On machine 1: type `exploit();` in the frida console (after the module Prelude has been loaded). The script redirects the player to server 2.
- On machine 2: type `exploit();` in the frida console (after the module Chapter 3 has been loaded). The script exploits the vulnerability to execute calc.exe.