CVE-2004-0608
Published 2004-12-06
Priority P359 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 73.54% (99.4th percentile)
The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arush | devastation | — | — |
| epic_games | unreal_engine | — | — |
| epic_games | unreal_engine | — | — |
| epic_games | unreal_engine | — | — |
| epic_games | unreal_tournament | — | — |
| epic_games | unreal_tournament_2003 | — | — |
| epic_games | unreal_tournament_2003 | — | — |
| epic_games | unreal_tournament_2003 | — | — |
| epic_games | unreal_tournament_2003 | — | — |
| epic_games | unreal_tournament_2003 | — | — |
| epic_games | unreal_tournament_2004 | — | — |
| epic_games | unreal_tournament_2004 | — | — |
| gentoo | linux | — | — |
| infogrames | tacticalops | — | — |
| ion_storm | deusex | — | — |
| nerf_arena_blast | nerf_arena_blast | — | — |
| rage_software | mobile_forces | — | — |
| robert_jordan | wheel_of_time | — | — |
| running_with_scissors | postal_2 | — | — |
Detection & IOCs (extracted from sources)
- Exploit requires only a single UDP packet to port 7787 containing a '\secure\' query prefix with an oversized value; monitor for oversized UDP packets to this port beginning with the '\secure\' token.
- The exploit packet can be spoofed or sent to a broadcast address, making source IP filtering unreliable; focus detection on payload content (\secure\ prefix + large buffer) rather than source address.
- Vulnerable UT2004 build versions are 3120, 3186, and 3204; detect via GameSpy \basic\ query response parsing the \gamever\ field to identify unpatched servers (patched version is 3236+).
- Bad characters in payload are \x5c and \x00; any IDS signature for this exploit should account for these bytes being absent from the shellcode portion of the UDP payload.
- On Linux targets, the exploit embeds a LEA/JMP gadget (\x8d\x64\x24\x0c\xff\xe4) at offset 48 within the NOP-sled buffer; presence of this byte sequence in a UDP payload to port 7787 is a strong indicator of exploitation.
- The GameSpy query port defaults to 7787 UDP but can be manually reconfigured; ensure monitoring covers non-default ports if the server is deployed with a custom query port.
- The RunServer.sh script auto-restarts the server after a crash, enabling brute-force exploitation; repeated server crashes on the game server process should be treated as an active exploitation indicator.
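The payload and version checks from the list above, written as an added detection example (not code from any of the indexed sources). The 32-byte length ceiling, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import re

DEFAULT_PORTS = frozenset({7787})   # page's default; add any reconfigured query port
MAX_SECURE_LEN = 32                 # ASSUMPTION: ceiling for a legitimate challenge value
PATCHED_BUILD = 3236                # first fixed UT2004 build, per the page
LINUX_GADGET = bytes.fromhex("8d64240cffe4")  # LEA/JMP bytes quoted on the page
PREFIX = b"\\secure\\"


def inspect_query(payload, dport, ports=DEFAULT_PORTS):
    """Return findings for one inbound UDP payload; the source IP is ignored on purpose."""
    if dport not in ports or not payload.startswith(PREFIX):
        return []
    # The value runs to the next backslash or the end of the datagram.
    value = payload[len(PREFIX):].split(b"\\", 1)[0]
    findings = []
    if len(value) > MAX_SECURE_LEN:
        findings.append(f"oversized secure value ({len(value)} bytes)")
    if LINUX_GADGET in value:
        findings.append("LEA/JMP gadget bytes in secure value")
    return findings


def parse_pairs(reply):
    """Split a GameSpy \\key\\value\\... reply into a dict of bytes."""
    parts = reply.split(b"\\")[1:]   # drop the empty chunk before the first backslash
    if len(parts) % 2:
        parts.append(b"")            # trailing key without a value
    return dict(zip(parts[0::2], parts[1::2]))


def build_status(reply):
    """Classify a UT2004 \\basic\\ reply by the numeric part of its \\gamever\\ field."""
    match = re.match(rb"\d+", parse_pairs(reply).get(b"gamever", b""))
    if not match:
        return "unknown"
    return "patched" if int(match.group()) >= PATCHED_BUILD else "vulnerable"


if __name__ == "__main__":
    # Constructed sample datagrams: a short challenge and an oversized filler value.
    for sample in (PREFIX + b"ABCDEF", PREFIX + b"A" * 200):
        print(len(sample), inspect_query(sample, 7787))
    # Constructed sample reply from a server reporting build 3204.
    print(build_status(b"\\gamename\\ut2004\\gamever\\3204"))
```

Pass every port the server actually answers queries on through `ports`; the build threshold applies to UT2004 replies only.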
No detection rules found.
Exploit-DB
Unreal Tournament 2004 (Windows) - 'secure' Remote Overflow (Metasploit)
exploitdb·2010-09-20
---
##
# $Id: ut2004_secure.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Unreal Tournament 2004 "secure" Overflow (Win32)',
'Description' => %q{
This is an exploit for the GameSpy secure query in
the Unreal Engine.
This exploit only requires one UDP packet, which can
be both spoofed and sent to a broadcast address.
Usually, the GameSpy query server listens on port 7787,
but you can manually specify the port as well.
The Run
Exploit-DB
Unreal Tournament 2004 (Linux) - 'secure' Remote Overflow (Metasploit)
exploitdb·2010-09-20
---
##
# $Id: ut2004_secure.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Unreal Tournament 2004 "secure" Overflow (Linux)',
'Description' => %q{
This is an exploit for the GameSpy secure query in
the Unreal Engine.
This exploit only requires one UDP packet, which can
be both spoofed and sent to a broadcast address.
Usually, the GameSpy query server listens on port 7787,
but you can manually specify the port as well.
The RunServe
Exploit-DB
Unreal Tournament 2004 - 'Secure' Remote Overflow (Metasploit)
exploitdb·2004-07-18
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Unreal Tournament 2004 "secure" Overflow (Linux)',
'Description' => %q{
This is an exploit for the GameSpy secure query in
the Unreal Engine.
This exploit only requires one UDP packet, which can
be both spoofed and sent to a broadcast address.
Usually, the GameSpy query server listens on port 7787,
but you can manually specify the port as well.
The RunServer.sh script will automatically restart the
server upon a
Metasploit
Unreal Tournament 2004 "secure" Overflow (Linux)
metasploit
This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times.
Metasploit
Unreal Tournament 2004 "secure" Overflow (Win32)
metasploit
This is an exploit for the GameSpy secure query in the Unreal Engine. This exploit only requires one UDP packet, which can be both spoofed and sent to a broadcast address. Usually, the GameSpy query server listens on port 7787, but you can manually specify the port as well. The RunServer.sh script will automatically restart the server upon a crash, giving us the ability to bruteforce the service and exploit it multiple times.
No writeups or analysis indexed.
- http://aluigi.altervista.org/adv/unsecure-adv.txt
- http://marc.info/?l=bugtraq&m=108787105023304&w=2
- http://www.gentoo.org/security/en/glsa/glsa-200407-14.xml
- http://www.securityfocus.com/bid/10570
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16451
Published: 2004-12-06