CVE-2004-0735
published 2004-07-27

CVE-2004-0735: Buffer overflow in Medal of Honor (1) Allied Assault 1.11v9 and earlier, (2) Breakthrough 2.40b and earlier, and (3) Spearhead 2.15 and earlier, when playing…

Priority: P3 (48) · CVSS 2.0: 7.5 (high)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 62.11% (99.1st percentile)
Buffer overflow in Medal of Honor (1) Allied Assault 1.11v9 and earlier, (2) Breakthrough 2.40b and earlier, and (3) Spearhead 2.15 and earlier, when playing on a Local Area Network (LAN), allows remote attackers to execute arbitrary code via vectors such as (1) the getinfo query, (2) the connect packet, and other unknown vectors.

Affected

5 ranges

Vendor           Product                          Version range   Fixed in
electronic_arts  medal_of_honor_allied_assault
electronic_arts  medal_of_honor_allied_assault
electronic_arts  medal_of_honor_allied_assault
electronic_arts  medal_of_honor_allied_assault
electronic_arts  medal_of_honor_allied_assault

Detection & IOCs (extracted from sources)

command: getinfo <oversized_buffer>\r\n\r\n
bytes:   \xff\xff\xff\xff\x02getinfo
bytes:   \xff\xff\xff\xff\x02getinfo <overflow_buffer>
bytes:   \xff\xff\xff\xff\x01infoResponse\n\\pure\\0...\\crash\\<BOFWIN>\\challenge\\xxx
bytes:   \xff\xff\xff\xff\x02getstatus xxx\n
bytes:   \x33\xc9\x81\xe9\x2d\xff\xff\xff\x8b\xd4\xf7\xda\x2b\xca\x90\x90\x90\x90\x90  (x86 shellcode decoder stub followed by a NOP run)
  • Alert on UDP packets to port 12203 containing the 4-byte magic \xff\xff\xff\xff followed by \x02 and the string 'getinfo' with a payload exceeding normal query length (>20 bytes after 'getinfo ').
  • Alert on UDP packets to port 12203 containing \xff\xff\xff\xff\x01 followed by 'infoResponse' and a '\\crash\\' key with a value longer than expected (overflow delivered via the crash key in the infoResponse packet targeting LAN clients).
  • Detect oversized getinfo UDP queries to port 12203: the PoC buffer for Windows overflow is 516 bytes and for Linux is 1044+ bytes; any getinfo query body exceeding ~20 bytes should be treated as suspicious.
  • The Metasploit module targets Medal of Honor Allied Assault v1.0 using a 'call ebx' gadget at 0x406957; presence of this return address in a UDP payload to port 12203 is a strong exploit indicator.
  • The server filters certain characters, so the Linux Spearhead exploit has to use alphanumeric shellcode; standard shellcode byte-pattern signatures will not match that payload.
  • The exploit targets the main thread, so there is only one exploitation attempt per server instance before it crashes; brute-forcing return addresses is not feasible.
  • By contrast, the Metasploit module's bad-character list excludes only null bytes (\x00), so almost any byte value can appear in its payload; signature-based detection must account for a wide range of payload bytes rather than a fixed shellcode pattern.
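The detection notes above, turned into one runnable classifier. This is an added example written for this page; it is not code from the game vendor, the Metasploit module, or the cited PoCs. It takes the magic bytes, opcode bytes, port, the 20-byte getinfo threshold, the 0x406957 gadget address and the decoder-stub bytes from the notes above. Everything else is an assumption made here: the 64-byte limit on the `crash` value (the page only says "longer than expected"), matching the game port on either end of the datagram so that a malicious LAN server answering a client's broadcast `getinfo` is also caught, the rule names, and the sample datagrams, which are constructed and not captured traffic.

```python
import re
import struct

# Values taken from the detection notes on this page
MAGIC = b"\xff\xff\xff\xff"          # Quake3-style out-of-band packet marker
GAME_PORT = 12203                    # MOHAA / Spearhead / Breakthrough UDP game port
OP_QUERY, OP_RESPONSE = 0x02, 0x01   # opcode byte that follows the magic
GETINFO_MAX_ARG = 20                 # page: >20 bytes after 'getinfo ' is suspicious
MSF_RET_ADDR = 0x406957              # page: 'call ebx' gadget used by the Metasploit module
DECODER_STUB = b"\x33\xc9\x81\xe9\x2d\xff\xff\xff\x8b\xd4\xf7\xda\x2b\xca"  # page IOC, NOPs dropped
# Assumption (not from the page): a legitimate infoResponse value is short
CRASH_MAX_LEN = 64


def parse_oob(payload):
    """Split an out-of-band datagram into (opcode, command, args).

    Returns None when the packet is not OOB traffic or the command is not an
    alphabetic token. The command is terminated by a space (queries) or by a
    newline (infoResponse, whose infostring follows the '\\n').
    """
    if len(payload) < 6 or not payload.startswith(MAGIC):
        return None
    m = re.match(rb"([A-Za-z]+)(?:[ \n]|$)(.*)", payload[5:], re.S)
    if m is None:
        return None
    return payload[4], m.group(1), m.group(2)


def infostring(data):
    """Parse a '\\key\\value\\key\\value' infostring into a dict of bytes."""
    parts = data.strip(b"\r\n").split(b"\\")
    if parts and parts[0] == b"":
        parts = parts[1:]            # the string starts with a backslash
    return {parts[i]: parts[i + 1] for i in range(0, len(parts) - 1, 2)}


def classify(src_port, dst_port, payload):
    """Return the list of rule names that fire for one UDP datagram."""
    alerts = []
    # Assumption: the game port may be on either end (query to the server,
    # or a malicious server's infoResponse back to a LAN client).
    if GAME_PORT not in (src_port, dst_port):
        return alerts
    parsed = parse_oob(payload)
    if parsed is not None:
        opcode, cmd, args = parsed
        # Rule 1: oversized getinfo query towards the server
        if (opcode == OP_QUERY and cmd == b"getinfo" and dst_port == GAME_PORT
                and len(args.rstrip(b"\r\n")) > GETINFO_MAX_ARG):
            alerts.append("oversized_getinfo")
        # Rule 2: infoResponse carrying an overlong 'crash' key (client-side overflow)
        if opcode == OP_RESPONSE and cmd == b"infoResponse":
            if len(infostring(args).get(b"crash", b"")) > CRASH_MAX_LEN:
                alerts.append("crash_key_overflow")
    # Rule 3: the Metasploit return address in little-endian byte order
    if struct.pack("<I", MSF_RET_ADDR) in payload:
        alerts.append("msf_return_address")
    # Rule 4: the decoder stub listed in the IOCs
    if DECODER_STUB in payload:
        alerts.append("decoder_stub")
    return alerts


# Constructed sample datagrams (not captured traffic)
BENIGN_GETINFO = MAGIC + b"\x02getinfo xxx\r\n\r\n"
BENIGN_GETSTATUS = MAGIC + b"\x02getstatus xxx\n"
BENIGN_INFORESPONSE = MAGIC + b"\x01infoResponse\n\\pure\\0\\challenge\\xxx\\hostname\\lan"
# 512 filler bytes plus the 4-byte return address gives the 516-byte Windows PoC size
EVIL_GETINFO = MAGIC + b"\x02getinfo " + b"A" * 512 + struct.pack("<I", MSF_RET_ADDR)
EVIL_INFORESPONSE = (MAGIC + b"\x01infoResponse\n\\pure\\0\\crash\\" + b"B" * 300
                     + b"\\challenge\\xxx")

if __name__ == "__main__":
    samples = [
        ("client->server benign getinfo", 40000, GAME_PORT, BENIGN_GETINFO),
        ("client->server benign getstatus", 40000, GAME_PORT, BENIGN_GETSTATUS),
        ("client->server Windows-style getinfo PoC", 40000, GAME_PORT, EVIL_GETINFO),
        ("server->client benign infoResponse", GAME_PORT, 40000, BENIGN_INFORESPONSE),
        ("server->client infoResponse with crash key", GAME_PORT, 40000, EVIL_INFORESPONSE),
    ]
    for label, sp, dp, pkt in samples:
        print(f"{label}: {classify(sp, dp, pkt) or 'clean'}")
```

The byte-level conditions in rules 1 and 2 map directly onto NIDS content matches (magic, opcode byte, command string, then a length check), which is the form most practitioners would deploy; rules 3 and 4 are literal IOC matches and, as the notes above warn, will miss the alphanumeric Linux Spearhead payload and any rebuilt Metasploit payload that uses a different gadget.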