Luigi Auriemma

me@aluigi.org [PGP]


adv.htm
    Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...) (game)
    some of the possible vulnerable games/engines are listed here
    27 Jun 2006:  adv - italiano - q3cfilevar

adv.htm
    Client buffer-overflow in Quake 3 engine (1.32c / rev 795 / ...) (game)
    some of the possible vulnerable games/engines are listed here
    02 Jun 2006:  adv - italiano - q3cbof

adv.htm
    In-game players kicking in the Quake 3 engine (game)
    Call of Duty, Quake III Arena, Return to Castle Wolfenstein, Soldier of Fortune II, Star Wars Jedi Knight II: Jedi Outcast, Star Wars Jedi Knight: Jedi Academy and Wolfenstein: Enemy Territory
    02 Apr 2005:  adv - italiano - poc -

adv.htm
    Infostring crash and shutdown in the Quake 3 engine (game)
    Call of Duty, Quake III Arena, Return to Castle Wolfenstein, Soldier of Fortune II, Star Trek Voyager: Elite Force, Star Trek: Elite Force II, Star Wars Jedi Knight II: Jedi Outcast, Star Wars Jedi Knight: Jedi Academy, Wolfenstein: Enemy Territory, ...
    12 Feb 2005:  adv - italiano - poc -

adv.htm
    Broadcast memory corruption in Soldier of Fortune II 1.03 (refer to q3infoboom too) (game)
    23 Nov 2004:  adv - poc - swb

adv.htm
    Broadcast shutdown in Call of Duty 1.4 (refer to q3infoboom too) (game)
    05 Sep 2004:  adv - poc - haloboom

adv.htm
    Quake 3 con\con exploit (funny) (game)
    27 May 2003:  adv - italiano - poc -

poc.htm
  • TeamViewer host <= 4.0.5543 resources consumption 0.1 (teamvieweird)
    notes: the server must have the "Accept KeepAlive sessions" option enabled (it's automatically activated if "Enable DirectIn Performance optimization" is selected), then note that the default tcp port seems to be 5938 and not 5939.

  • Quake 3 engine Cbuf_Execute commands execution universal proof-of-concept 0.1 (q3cbufexec)
    universal patcher which takes the original client executable of a game based on the Quake 3 engine and generates a new modified one which converts the ';' chars in the commands sent by the client to carriage-returns, for testing a vulnerability which allows the execution of server-side game commands through a malformed callvote.
    details of the vulnerability are available here and here.

poc.htm
    /callvote map "none;rconpassword empty"
    /callvote timelimit "123;rconpassword none"

  • q3unban plugin for proxocket 0.1 (q3unban_proxocket)
    read the q3unban_proxocket.txt file inside the package.


poc.htm
  • Half-Life <= 1.1.1.0 passive buffer-overflow test 0.1 (hlbof-client)
    This proof-of-concept waits for vulnerable Half-Life clients and crashes them. Use a debugger to see the exception and the overwritten return address (overwritten by 0x2e504945).

  • Quake 3 con/con proof-of-concept + heartbeat emulator (q3concon)
    this proof-of-concept is a fake Quake 3 server that sends a message containing the con\con string to all the clients that try to get information from it. If the client that receives the string is a Windows95/98/98SE system without the con\con patch it crashes immediately. The problem happens on some games based on the Quake 3 engine. I have personally tested Quake 3 and Soldier of Fortune 2. The games I have tested that are NOT vulnerable are Return to Castle Wolfenstein and Medal of Honor: Allied Assault.

papers.htm
    the result of the checks can be dumped in a file through the classical command-line redirection (> dump.txt).

    this tool calculates all the possible Punkbuster GUIDs for each available game; in fact Punkbuster runs on different games with different engines, so there are some differences in the method used by each game to calculate the pb_guid (for example Q3 and SoF2 differ from RTCWET).
    so remember that the results could be different from the right GUID of a specific game: EACH GAME USES SMALL DIFFERENCES IN THE CALCULATION OF THE GUID, SO THIS TOOL IS ONLY AN EXAMPLE.


papers.htm
    simple decoder/encoder for the PK3 files of QuakeLive beta.

  • Multi engine RCON tool and password guesser 0.2.3d (multircon)
    useful tool, previously known as q3rcon, for sending RCON commands to servers which use different engines and support RCON (remote administration).
    currently it supports the Quake 3, Medal of Honor, Half-Life, IGI2, Doom 3 and Quake 2 engines (so not only these games but all the others derived from them too).
    the tool contains tons of options and features and also some password guessing functions which include brute forcing and wordlists.

papers.htm
  • Quake 3 engine GUID MD5 0.1 (q3_guid)
    the md5_init() modification used to calculate the hash of the cd-key (the value contained in "cl_guid").

  • Online cd-key checker for Quake III 0.2.1 (q3onlinekeycheck)
    checks if your cd-key is valid offline and also online, in fact it simply contacts the server authorize.quake3arena.com and waits for a response.
    this new version also has a function that lets you use a text file containing all the keys you want to check (one key per line); if a key seems valid the program rechecks it to avoid false positives.

papers.htm

  • Quake 3 engine huffman algorithm 0.3 (q3huff)
    simple version of the Quake 3 huffman algorithm, ALL the code is from huffman.c of the Quake 3 1.32 GPL source code.
    I have only modified some variables and the prototypes of the decompressing and compressing functions for a faster and simpler usage. A usage example is here.
  • Q3ms 0.1 (q3ms)

papers.htm
    this little tool simply lets you know if a Soldier of Fortune 2 cd-key is locally valid (offline) or not.
    and this is the small piece of the algorithm that does the check.

  • Q3keycheck 0.1 (q3keycheck)
    this little tool simply lets you know if a Quake 3 CD-Key is locally valid (offline) or not.
    and this is the small piece of the algorithm used for the check.

quickbms.htm
  • support for bit operations and switchable little/big endian
  • simple and dynamic language that allows many operations, reducing the percentage of archives and formats that can't be supported easily
  • verbose option (-V) that displays all the needed details during reversing and testing of file formats
  • HTML output (-H) that automatically applies colors and names to the fields parsed during the usage of the scripts: example for zip.bms on q3infoboom.zip
  • possibility to use the tool as a blind scanner of compression, encryption and crc/checksum algorithms
  • support for network sockets, SSL and http/https

fakep.htm
    - Star Wars Jedi Knight: Jedi Academy
    - Wolfenstein: Enemy Territory (2.60 too but requires a bit of practice, use -B ? for the info)
    - others
    the tool can also be used to automatically test the so-called "q3unban" bug, which allows a client on a banned IP address to join the server.
    there is also support for servers which require online authentication (like a valid online cd-key), but only Quake 3 Arena has been supported and tested.


patches.htm
    works with almost any Windows executable; full details are shown when launched

  • Quake 3 engine RCON half-second limit disabler (Windows and Linux) 0.1.2b
    (q3rconz)
    this patch disables the anti-bruteforcing check in the games that use the Quake 3 engine, to avoid the Denial of Service (admins can't use RCON) caused by flooding of rcon packets (more info in the file)
    anyway remember that disabling this limitation naturally has other negative side effects, like faster rcon brute forcing, so remember to choose a strong rcon password


testz.htm
  • Unreal engine test server 0.1 (unrealts)
    basic way of emulating an Unreal server and testing the sending of commands to a connected client

  • Quake 3 engine "connect" modifier 0.2 (q3conmod_sudp)
    plugin for sudppipe which allows a simple customization of the "connect" packet for the games which use the Quake 3 engine:
    sudppipe -l q3conmod_sudp.dll -L "\parameter1\value1\parameter2\value2" IP PORT 1234

    (use -L "" for the runtime help) then from the console of the game type: connect 127.0.0.1:1234
    the following is an example for joining a server which uses PunkBuster with PB disabled (the client will be kicked after some seconds/minutes):
    sudppipe -l q3conmod_sudp.dll -L "\cl_punkbuster\1" SERVER PORT 1234
    then from the client:
    pb_cl_disable

testz.htm
  • Webpostmem 0.1 (webpostmem)
    This tool can be used to check POST-related bugs on webservers, for example memory and sockets that are not freed if the client sends less data than specified in Content-Length. It is the same proof-of-concept I have used for the bugs in Goahead webserver, NULLhttpd and WWW Fileshare Pro.

  • Q3huffdecenc 0.2 (q3huffdecenc)
    compress and uncompress the files containing the "connect" packets of the games that use the Quake 3 engine.


testz.htm
    heartbeat protocol emulator for UT2003. With this little code you can add your IP address to the official Epic UT2003 servers list (http://ut2003master.epicgames.com/serverlist/full-all.txt and demo-all.txt).
    HERE is the explanation of the protocol.

  • Quake 3 testing server 0.3 (q3ts)
    this server answers Quake 3 queries. It supports: getstatus, getinfo, getchallenge, connect (with real-time decompression), rcon and disconnect.
    It supports the infoResponse of Quake 3 arena 1.32, Soldier of Fortune 2 1.03 GOLD, Return to Castle Wolfenstein 1.41, Medal of Honor: Allied Assault 1.11.
