Luigi Auriemma

me@aluigi.org [PGP]


adv.htm
    info

    Buffer-overflow in Quake 4 (GetInfo) (game)
    20 May 2013:  paper

adv.htm
    unrealcbof

    Negative memcpy in id Tech 4 engine (game)
    Enemy Territory: Quake Wars, Wolfenstein, ...
    05 Jul 2010:  adv -

adv.htm
    aa3again

    Client array overflow in id Tech 4 engine (game)
    Enemy Territory: Quake Wars, Wolfenstein, ...
    19 Jun 2010:  adv -

adv.htm
    poc - idtech4carray

    Client buffer-overflow in Enemy Territory: Quake Wars 1.5 (game)
    18 Jun 2010:  adv -

adv.htm
    gem2bugs

    Denial of Service in PunkBuster (09 Aug 2009) (game)
    America's Army 2/3, Battlefield 2*, Call of Duty 1/2/4/5, Crysis, DOOM 3, Enemy Territory, ETQW, FEAR, Fuel of War, Need for Speed, Quake 3/4, RTCW, Soldier of Fortune II, Wolfenstein, ...
    09 Aug 2009:  reference -

adv.htm
    dropteamz

    Format string in the Doom 3 engine through PunkBuster (game)
    Doom 3, Quake 4, Prey, ...
    01 Oct 2007:  adv -

adv.htm
    italiano - nascarzero

    Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...) (game)
    some of the possible vulnerable games/engines are listed here
    27 Jun 2006: 

adv.htm
    italiano - neoenginex

    Client buffer-overflow in Quake 3 engine (1.32c / rev 795 / ...) (game)
    some of the possible vulnerable games/engines are listed here
    02 Jun 2006: 

adv.htm
    q3cbof

    Buffer-overflow in the WebTool service of PunkBuster for servers (lower than v1.229) (game)
    America's Army 2, Battlefield 2*, Call of Duty 1/2, DOOM 3, Enemy Territory, FEAR, Quake 3/4, RTCW, Soldier of Fortune II, ...
    23 May 2006:  adv -

adv.htm
    poc - codmsgboom

    In-game players kicking in the Quake 3 engine (game)
    Call of Duty, Quake III Arena, Return to Castle Wolfenstein, Soldier of Fortune II, Star Wars Jedi Knight II: Jedi Outcast, Star Wars Jedi Knight: Jedi Academy and Wolfenstein: Enemy Territory
    02 Apr 2005: 

adv.htm
    adv - xinkaa

    Infostring crash and shutdown in the Quake 3 engine (game)
    Call of Duty, Quake III Arena, Return to Castle Wolfenstein, Soldier of Fortune II, Star Trek Voyager: Elite Force, Star Trek: Elite Force II, Star Wars Jedi Knight II: Jedi Outcast, Star Wars Jedi Knight: Jedi Academy, Wolfenstein: Enemy Territory, ...
    12 Feb 2005: 

adv.htm
    poc - wilco

    Quake 3 con\con exploit (funny) (game)
    27 May 2003:  adv -

poc.htm
  • TeamViewer host <= 4.0.5543 resources consumption 0.1 (teamvieweird)
    notes: the server must have the "Accept KeepAlive sessions" option enabled (it's automatically activated if "Enable DirectIn Performance optimization" is selected), then note that the default tcp port seems to be 5938 and not 5939.

  • Quake 3 engine Cbuf_Execute commands execution universal proof-of-concept 0.1 (q3cbufexec)
    universal patcher which takes the original client executable of a game based on the Quake 3 engine and generates a new modified one which converts the ';' chars in the commands sent by the client to carriage-returns, for testing a vulnerability which allows executing the server's game commands through a malformed callvote.
    details of the vulnerability are available here and here.

poc.htm
  • Half-Life <= 1.1.1.0 passive buffer-overflow test 0.1 (hlbof-client)
    This proof-of-concept waits for vulnerable Half-Life clients and crashes them. Use a debugger to see the exception and the overwritten return address (overwritten by 0x2e504945)

  • Quake 3 con/con proof-of-concept + heartbeat emulator (q3concon)
    this proof-of-concept is a fake Quake 3 server that sends a message containing the con\con string to all the clients that try to get information from it. If the client that receives the string is a Windows95/98/98SE system without the con\con patch it will be crashed immediately. The problem happens on some games based on the Quake 3 engine. I have personally tested Quake 3 and Soldier of Fortune 2. The games I have tested and that are NOT vulnerable are Return to Castle Wolfenstein and Medal of Honor: Allied Assault

papers.htm
  • COGS Gamearena IRC proxy 0.2.2a (cogs_irc)
    this tool acts as a proxy server that lets you use any IRC client to join the COGS chat on thearena-chat.gamearena.com.au:4445.
    note: if a channel requires a key, try with cogs, example: /join #quake4demo cogs
    read the text file inside.


papers.htm

  • PunkBuster messenger 0.1 (pbmsgs)
    Note that EvenBalance has removed or limited this feature in almost all the games, so it is still possible to send some types of messages but not multiple messages at too short intervals from outside; read the updates of this advisory for info about the flooding performed in-game.
    tool for sending anonymous external messages to any server which uses PunkBuster like America's Army, the Battlefield series, the Call of Duty series, DOOM 3, Enemy Territory and QUAKE Wars, the F.E.A.R. series, Medal of Honor: Airborne, Prey, Quake III Arena, Quake 4, the Rainbow Six series, Return to Castle Wolfenstein, Soldier of Fortune II and many others.

  • Punkbuster master server file downloader 0.1.1 (pbmsdown)

papers.htm
    a basic tool and a text file which describe how to get the session password needed to use your own Quake Live account on the jabber/xmpp service of xmpp.quakelive.com from outside the game, so using any normal client supporting this open protocol (for example Pidgin):
    - Username: your username
    - Domain/server: xmpp.quakelive.com
    - Resource: quakelive
    - Password: the XAID password obtained with this tool/method

papers.htm

  • Multi engine RCON tool and password guesser 0.2.3d (multircon)
    useful tool, previously known as q3rcon, for sending RCON commands to servers which use different engines and support RCON (remote administration).
    currently it supports the Quake 3, Medal of Honor, Half-Life, IGI2, Doom 3 and Quake 2 engines (so not only these games but all the others derived from them too).
    the tool contains tons of options and features and also some password guessing functions which include brute forcing and wordlists.

papers.htm
  • Quake 3 engine GUID MD5 0.1 (q3_guid)
    the md5_init() modification used to calculate the hash of the cd-key contained in "cl_guid".

  • Online cd-key checker for Quake III 0.2.1 (q3onlinekeycheck)
    checks if your cd-key is valid offline and also online; in fact it simply contacts the server authorize.quake3arena.com and waits for a response.
    this new version also has a function letting you use a text file containing all the keys you want to check (one key per line); if a key seems valid the program rechecks it to avoid false positives.


  • Quake 3 engine huffman algorithm 0.3 (q3huff)
    simple version of the Quake 3 huffman algorithm; ALL the code is from huffman.c of the Quake 3 1.32 GPL source code.
    I have only modified some variables and the prototypes of the decompressing and compressing functions for faster and simpler usage. A usage example is here.


  • Q3keycheck 0.1 (q3keycheck)
    this little tool simply lets you know if a Quake 3 CD-Key is valid or not locally (offline).
    and this is the small piece of the algorithm used for the check.

papers.htm
    it's totally useless for most people but it's a good start for understanding a bit about the protocol and the types of encryption to expect to find.
    quick usage: dump the content of ALL the connections made to port 3074 of the demonware master server in one raw file and then launch the tool specifying it and your own "secretsauce".
    if you don't know the secretsauce just use your nickname and the cdkey without brackets (it will calculate it, it's just the XORing of these two parameters).
    if the game doesn't use a secretsauce (like the Enemy Territory Quake Wars demo) just put a zero or ""

quickbms.htm
    rk Reign 2, Delta Force 1 / 2 / Landwarrior, Descent 1 / 3, Destruction Derby, Black Hawk Down, Doom 1 / 2, Duke Nukem 3d, Dune 1 / 2, Dungeon Keeper 2, EA Cricket 2004, Echelon, Electranoid, Emperor, Empire 2, Escape From Monkey Island, Esoteria, Etherlords, Evil Islands, Far Cry, FIFA 1999 / 2000 / 2001 / 2002 / 2003, Final Fantasy 7, Frank Herbert's Dune, Fuzzy's World, Giants Citizen Kabuto, Gunlock, Gunman Chronicles, Gunship!, Half-Life 1 / Blue Shift / OppForce, Heretic 1 / 2, Heroes Chronicles Series, Heroes of Might and Magic 1 / 3, Hexen 1 / 2, Hidden and dangerous, Hitman, Homeworld, Hostile Waters, Imperialism II, Imperium Galactica II, Kingdom O Magic, Kingpin, Kohan, Laser Light, Lemmings 2 (VOC), Lemmings Revolution, Lord of the Rings BFME, Master of Magic, Master of Orion 1 / 2, Mechwarrior 4 Merc, Micro Machines 2, Mortyr, MTX Mototrax, Nascar Heat, Need for Speed Hot Persuit 2, Need for speed Underground 2, No One Lives Forever, Outlaws, Outlive, Planescape Torment, Populous 3, Port Royale, Prince of Persia SOT, Project Eearth, Quake 1 / 2, Rage Of Mages, Red Baron 3D, Rollercoaster Tycoon Css, SadCom, Shadow Warrior, Sim Theme Park audio, Sin, Soldier of Fortune, Star Trek (BOTF), Star Wars GBG, Starlancer, Sudden strike, Syndicate Wars, Terminator Future Shock, The 7th Guest, The Lost Vikings, Theme Hospital, Theme Park World, Thunderhawk, Tombraider 3, Total Annihilation, Transport Tycoon Deluxe, Twilight CD, US Navy Fighters, Warcraft 1 / 2, Worms 1, Xatax, You Don't Know Jack
  • ZenHAX forum

fakep.htm
    it uses some files (called join_files) needed for each specific game because, except for some of them, many games use particular parameters in the join packet which sometimes change even between different versions of the same game.
    read the text file inside for all the needed information, details and examples.
    latest dp8games package: 30 Aug 2005
    examples of games which use the DirectPlay 8 protocol: Age of Wonders Shadow Magic, Bandits, Besieger, Dangerous Waters, Deer Hunter 2004 and 2005, Dungeon Siege 1 and 2, DXQuake 3, FairStrike, Freelancer, G.I. Combat Episode I, Gekkeiju, Giants: Citizen Kabuto, Hidden & Dangerous 2 / SS, Homeworld 2, Il rosso e il nero, Jolt3D, Judge Dredd vs Death, Locomotion, Monopoly Tycoon, New World Order, No brakes 4x4 racing, O.R.B, Operation Blockade, Operation Flashpoint, Perimeter, Pro Bass Fishing 2003, Pro Rugby Manager 2004, Robot Arena 2, S.W.I.N.E., Sacrifice, Scorch an Island, SkyTracks, State of Emergency, Steel Tide, Supreme Ruler 2010, Trophy Hunter 2003, True Crime Streets of LA, Vietcong, Warlords Battlecry III, Warrior Kings, Wings of War, Condor, FSHost and more.


fakep.htm
  • Doom 3 engine invisible fake players DoS 0.1.2 (doom3fp)
    at the moment it's compatible only with the following games based on the Doom 3 engine (id Tech 4):
    - Doom 3
    - Quake 4
    - future supported games here (only their checksums are required to use them)
    the tool needs to know a specific CRC which changes for each game, so it must be updated every time a new game which uses the Doom 3 engine is released.

fakep.htm
    - Soldier of Fortune doesn't seem supported or at least not online
    - Code Red: Alien Arena
    - Alien Arena 2006 GE
    - R1Q2 - R1CH's Enhanced Quake II
    - other games
    - other engines

fakep.htm
    - Star Wars Jedi Knight II: Jedi Outcast
    - Star Wars Jedi Knight: Jedi Academy
    - Wolfenstein: Enemy Territory (2.60 too but requires a bit of practice, use -B ? for the info)
    - others
    the tool can also be used to automatically test the so-called "q3unban" bug, which allows a client on a banned IP address to join the server.
    there is also support for servers which require online authentication (like a valid online cdkey) but only Quake 3 Arena has been supported and tested.

patches.htm
    (etwsfix) - info
    although this patch also works with ET Pro I HIGHLY suggest using the well known combinedfixes.lua of ReyalP with this mod because it's updated for any problem specific to this game.

  • remember also the Quake 3 engine fixes

patches.htm
    an easy-to-use step-by-step procedure is required because the game overwrites the DLL files in the base folder; the patch is THE SAME as the Call of Duty one (the bug is the same too)
    You also need to download the codmsgfix patch for Call of Duty you see below
    Gamall Ida has written an interesting solution for all the known bugs which affect Jedi Academy, including the fake players attack: http://gamall-ida.com/f/viewtopic.php?f=3&t=356

  • remember also the Quake 3 engine fixes

patches.htm
    works with any Windows version of the games Allied Assault, Spearhead and Breakthrough
    the official Linux patches are available at Icculus

  • remember also the Quake 3 engine fixes

testz.htm
  • Unreal engine test server 0.1 (unrealts)
    a basic way of emulating an Unreal server and testing the sending of commands to a connected client

  • Quake 3 engine "connect" modifier 0.2 (q3conmod_sudp)
    plugin for sudppipe which allows a simple customization of the "connect" packet for the games which use the Quake 3 engine:
    sudppipe -l q3conmod_sudp.dll -L "\parameter1\value1\parameter2\value2" IP PORT 1234

testz.htm
    This tool can be used to check for POST attacks on webservers, for example memory and sockets that are not freed if the client sends less data than specified in Content-Length. It is the same proof-of-concept I have used for the bugs in the GoAhead webserver, NULLhttpd and WWW Fileshare Pro.

  • Q3huffdecenc 0.2 (q3huffdecenc)
    compresses and uncompresses the files containing the "connect" packets of the games that use the Quake 3 engine.

  • Q3sendenc 0.2.1 (q3sendenc)

testz.htm
    heartbeat protocol emulator for UT2003. With this little code you can add your IP address to the official Epic UT2003 server list (http://ut2003master.epicgames.com/serverlist/full-all.txt and demo-all.txt).
    HERE is the explanation of the protocol.

  • Quake 3 testing server 0.3 (q3ts)
    this server answers Quake 3 queries. It supports: getstatus, getinfo, getchallenge, connect (with real-time decompression), rcon and disconnect.
    It supports the infoResponse of Quake 3 arena 1.32, Soldier of Fortune 2 1.03 GOLD, Return to Castle Wolfenstein 1.41, Medal of Honor: Allied Assault 1.11.
