CVE-2006-0460
published 2006-02-17

CVE-2006-0460: Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers to execute arbitrary code via long error messages.

Priority: P350 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 67.75% (99.2th percentile)

Affected

23 ranges
Vendor | Product | Version range | Fixed in
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | |
bomberclone | bomberclone | >= 0 < 0.11.6.2-1 | 0.11.6.2-1
bomberclone | bomberclone | >= 0 < 0.11.6.2-1 | 0.11.6.2-1
bomberclone | bomberclone | >= 0 < 0.11.6.2-1 | 0.11.6.2-1
bomberclone | bomberclone | >= 0 < 0.11.6.2-1 | 0.11.6.2-1
debian | bomberclone | < bomberclone 0.11.6.2-1 (bookworm) | bomberclone 0.11.6.2-1 (bookworm)

Detection & IOCs (extracted from sources)

port: 11000/udp
port: 31337/tcp (Linux shellcode bind port)
port: 4444/tcp (Win32 shellcode bind port)
bytes: \x00\x00\x00\x00\x38\x03\x41
bytes: \x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80
bytes: \x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x36
  • Detect oversized UDP packets to port 11000 beginning with the magic header bytes \x00\x00\x00\x00\x38\x03\x41 followed by a large NOP sled — characteristic of the BomberClone exploit.
  • The exploit sends a malformed pkg_error packet (type=0x00, flags=0x00) over UDP with a text field of 816 bytes padded with 0x90 NOP bytes; monitor for anomalously large UDP datagrams to the BomberClone game port (default 11000).
  • The Metasploit module uses a payload space of only 344 bytes with null byte as bad char; the NOP sled is 421 bytes prepended before the payload — look for UDP payloads with long NOP sleds on port 11000.
  • The exploit overwrites the return address with lstrcpyA (ret-into-libc style); on Windows hosts running BomberClone, alert on unexpected lstrcpyA return-address values (0x7c80c729, 0x77e85f08, 0x77e95e8b) appearing in stack frames.
  • Post-exploitation: watch for unexpected listening shells on TCP ports 31337 (Linux) or 4444 (Windows) spawned by the BomberClone process after receiving a malformed error packet.
  • The Metasploit shellcode only executes when the victim attempts to close BomberClone, not immediately upon receipt of the exploit packet — detection based solely on immediate post-exploitation activity may miss the trigger window.
  • The return addresses for the ret-into-libc technique are OS/SP-specific (XP SP2 Italian, Win2000 SP1 English variants); detections relying on specific RET values will not cover all target configurations.
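
The network-side checks above, as an added example (not code from the advisory sources or from BomberClone): it flags UDP datagrams to port 11000 that carry the listed header bytes together with an oversized body or a long 0x90 run, and deliberately ignores return-address values because they vary per target. The two thresholds, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import re

GAME_PORT = 11000                         # default BomberClone port (from the page)
MAGIC = b"\x00\x00\x00\x00\x38\x03\x41"   # header bytes listed in the IOCs above
MIN_NOP_RUN = 64       # assumption: shortest 0x90 run treated as a sled
MAX_BENIGN_LEN = 256   # assumption: longest datagram treated as normal

_NOP_RUN = re.compile(rb"\x90+")

def longest_nop_run(payload: bytes) -> int:
    """Length of the longest run of consecutive 0x90 bytes."""
    return max((len(m.group()) for m in _NOP_RUN.finditer(payload)), default=0)

def score_datagram(dst_port: int, payload: bytes) -> dict:
    """Report which of the page's indicators one UDP datagram matches."""
    hits = {
        "game_port": dst_port == GAME_PORT,
        "magic_header": payload.startswith(MAGIC),
        "oversized": len(payload) > MAX_BENIGN_LEN,
        "nop_sled": longest_nop_run(payload) >= MIN_NOP_RUN,
    }
    # Header on the game port plus a size or sled indicator; no RET values,
    # since those differ per OS and service pack.
    hits["alert"] = (hits["game_port"] and hits["magic_header"]
                     and (hits["oversized"] or hits["nop_sled"]))
    return hits

def alerting_sources(records):
    """records: iterable of (src_ip, dst_port, payload); returns alerting src_ips."""
    return [src for src, port, data in records if score_datagram(port, data)["alert"]]

# Constructed sample traffic (not captured): inert filler, no shellcode or RET.
SAMPLES = [
    ("192.0.2.10", 11000, MAGIC + b"version mismatch\x00"),
    ("192.0.2.66", 11000, MAGIC + b"\x90" * 421 + b"A" * 395),
    ("192.0.2.77", 53,    MAGIC + b"\x90" * 421 + b"A" * 395),
    ("192.0.2.88", 11000, b"\x90" * 500),
]

if __name__ == "__main__":
    for src, port, data in SAMPLES:
        print(src, port, len(data), score_datagram(port, data))
    print("alerts:", alerting_sources(SAMPLES))
```

Tune both thresholds against the size of legitimate error packets seen on your own network before alerting on them.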

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 7.5 | HIGH
vendor_debian | 7.5 | HIGH