rFactor Buffer Overflow Vulnerability

Vulnerability ID: 1113480  Vulnerability type: Buffer overflow
Published: 2007-08-18  Updated: 2007-08-22
CVE: CVE-2007-4444  CNNVD ID: CNNVD-200708-339
Platform: Multiple  CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/30507
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-339
|Vulnerability details
rFactor is a PC racing simulation game. The function in rFactor that handles packets with ID 0x80 or 0x88 contains a buffer overflow, but this first overflow does not overwrite the return address; it can only modify certain buffers on the server. To exploit it, a remote attacker must query the server on UDP port 34297 and craft a reply containing an over-long server version string, which triggers a second overflow that does overwrite the return address and allows arbitrary code execution.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/25358/info

The gMotor2 game engine is prone to multiple code-execution and denial-of-service vulnerabilities. Four vulnerabilities were reported.

These vulnerabilities may be triggered by malicious client requests to games that use the affected engine, including rFactor. Successful exploits could crash a game server or let remote attackers execute arbitrary code on the computer hosting affected software.

NOTE: This BID originally stated that the vulnerabilities were in the rFactor game. New information shows that the gMotor2 game engine and multiple games that use the engine are vulnerable. This BID was updated to reflect this new information. 

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/30507.zip
|References

Source: BID
Name: 25358
Link: http://www.securityfocus.com/bid/25358
Source: BUGTRAQ
Name: 20070818 Multiple vulnerabilities in rFactor 1.250
Link: http://www.securityfocus.com/archive/1/archive/1/477023/100/0/threaded
Source: SECUNIA
Name: 26526
Link: http://secunia.com/advisories/26526
Source: MISC
Link: http://aluigi.org/poc/rfactorx.zip
Source: XF
Name: rfactor-ids-bo(36093)
Link: http://xforce.iss.net/xforce/xfdb/36093
Source: BUGTRAQ
Name: 20070927 Re: Multiple vulnerabilities in rFactor 1.250
Link: http://www.securityfocus.com/archive/1/archive/1/480921/100/200/threaded
Source: BUGTRAQ
Name: 20070925 Re: Multiple vulnerabilities in rFactor 1.250
Link: http://www.securityfocus.com/archive/1/archive/1/480591/100/200/threaded
Source: www.rfactor.net
Link: http://www.rfactor.net/?page=news_09-26_1255
Source: SREASON
Name: 3037
Link: http://securityreason.com/securityalert/3037
Source: forum.racesimcentral.com
Link: http://forum.racesimcentral.com/showthread.php?t=298659