HLDS Exploits 1.8.exe is a malicious file used to attack servers running the Half-Life Dedicated Server (HLDS). HLDS is Valve's server software for hosting GoldSrc games such as Counter-Strike, Half-Life, and Team Fortress Classic. HLDS Exploits 1.8.exe exploits vulnerabilities in HLDS and can crash the server, execute arbitrary commands, steal data, or install malware.
HLDS Exploits 1.8.exe bundles a collection of exploits for HLDS servers. An exploit is a piece of code that takes advantage of a flaw in a system or application to perform unauthorized actions; here it lets attackers or malicious players attack HLDS servers and take control of them.
HLDS Exploits 1.8.exe is not an official file from Valve, the developer of HLDS. It was created and distributed by unknown parties and circulates on websites, forums, and file-sharing platforms that offer it or similarly named files.
HLDS Exploits 1.8.exe works by exploiting vulnerabilities in HLDS that allow remote code execution (RCE). In an RCE attack the attacker runs arbitrary commands or programs on the target system without the operator's consent or knowledge, compromising the security and functionality of the system and gaining the ability to read or modify its data.
It delivers these attacks by sending specially crafted packets to the server's game port (27015/UDP by default). The packets trigger the vulnerable code paths in HLDS, which then executes the attacker's payload on the server.
HLDS Exploits 1.8.exe can be hard to spot: it has no visible interface or icon, and it can be disguised as a legitimate file or program by renaming it or changing its extension. Even so, there are signs that a server has been compromised by HLDS Exploits 1.8.exe, such as:
If you suspect that your server has been compromised by HLDS Exploits 1.8.exe, scan the system with reputable antivirus software and remove any suspicious files or programs. Also update HLDS to the latest version and apply any available security patches; an unpatched server will simply be hit again.
One night while playing Counter-Strike: Condition Zero (CZ), I decided to take a break and challenge myself to find an exploitable bug in the old engine known as GoldSrc. Condition Zero, Half-Life 1, and CS 1.6 all run on the GoldSrc engine, which was created by Valve and is based upon the original Quake engine.
What makes Counter-Strike an interesting target is that it relies on a game lobby for players to find and select servers to play on. Upon connecting to a server, the game client automatically downloads any required resources (maps, textures, sounds, etc.). Once all of the resources have been downloaded, they have to be loaded and parsed from disk into memory. Only then will the client begin receiving commands and entity updates from the server. A malicious server therefore gets to hand every connecting client a file that the client will parse before it has any say in the matter, which is what makes the resource loaders an attractive target.
I would like to extend my thanks to the Valve Security team and specifically to Alfred Reynolds who was my liaison during the disclosure process. The whole process, from initial email to fix, lasted less than 30 days. I certainly look forward to disclosing to Valve in the future.
With the ability to programmatically run the engine, I installed BFF (CERT's Basic Fuzzing Framework) and Debugging Tools for Windows, and then started configuring BFF. BFF installs to C:\BFF by default and has the concept of a fuzzing campaign. I started a new one for CZ and then edited the bff.yaml configuration file:
With the fuzzer set up, I copied all of the map files less than 3.0 MB from my czero_downloads/maps folder into the seedfiles\bsp directory. This left me with 74 map files as seeds. I could have used more, but as you will see, finding crashes was not that difficult.
It looks like the jump target is computed from a table base plus an index held in EAX. An attempt was made to keep the function-pointer index from going above 7, but JGE on x86 is a signed comparison! This means EAX can hold a value the comparison treats as negative (0x80 through 0xff for a signed byte) and still pass the check, because the byte is then zero-extended (treated as unsigned) when it is scaled into the table for the jump. In WinDbg at the time of the crash, EAX was 0x80. Doing some pointer math, \(0x297bad4 + [0x80 \times 4] = 0x297bcd4\), and then a lookup in IDA shows at the calculated address:
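To make the signed-comparison mistake concrete, here is an added C model of the check. This is example code written for this page, not the engine's own code: the 8-entry table size and the base address 0x297bad4 come from the analysis above, while the function names and the hardened variant are mine.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_ENTRIES 8
#define TABLE_BASE    0x0297bad4u   /* function-pointer table seen in WinDbg (from the post) */

/* Vulnerable check, modelled on the disassembly: the index is a signed
   8-bit quantity and the upper bound is enforced with JGE, a *signed*
   compare. Returns 1 if the check lets the index through. */
int vulnerable_bounds_check(int8_t idx)
{
    if (idx >= TABLE_ENTRIES)       /* JGE: -128 >= 8 is false, so 0x80 passes */
        return 0;
    return 1;
}

/* After the check the engine zero-extends the byte and scales it by 4
   (4-byte pointers on 32-bit x86): jmp [TABLE_BASE + eax*4]. */
uint32_t dispatch_slot_address(int8_t idx)
{
    uint8_t slot = (uint8_t)idx;    /* 0x80 is now 128, not -128 */
    return TABLE_BASE + (uint32_t)slot * 4u;
}

/* Hardened check: compare the zero-extended value (JAE/JNB in x86 terms),
   so every byte 0x08..0xff is rejected, including the "negative" ones. */
int fixed_bounds_check(int8_t idx)
{
    if ((uint8_t)idx >= TABLE_ENTRIES)
        return 0;
    return 1;
}

/* Number of byte values that pass the signed check but fail the unsigned
   one, i.e. the attacker's usable out-of-bounds index range. */
int count_escaping_indices(void)
{
    int n = 0;
    for (int v = 0; v < 256; v++) {
        int8_t idx = (int8_t)(uint8_t)v;
        if (vulnerable_bounds_check(idx) && !fixed_bounds_check(idx))
            n++;
    }
    return n;                        /* 128: every byte 0x80..0xff */
}

int main(void)
{
    int8_t idx = (int8_t)0x80;
    printf("signed check passes 0x80:   %d\n", vulnerable_bounds_check(idx));
    printf("unsigned check passes 0x80: %d\n", fixed_bounds_check(idx));
    printf("jump target read from       0x%08x\n", (unsigned)dispatch_slot_address(idx));
    printf("escaping indices:           %d\n", count_escaping_indices());
    return 0;
}
```

The takeaway for code review: whenever a bounds check guards an array or table index, the comparison must be unsigned (or the index must be checked against both ends). With a signed compare, half of the byte's range lands 512 to 1020 bytes past the table, which is exactly the 0x297bcd4 read above.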
From this point (due to DEP) I needed to ROP out of the exception handler frame and back to the old stack. For this I needed a stack-pivot gadget of the form pop REG32; pop REG32; pop esp; ret, or similar. The tool that got me started with ROP was !mona running under Immunity Debugger.
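As an added illustration of what a gadget search for that pivot looks like, the C scanner below (written for this page; the byte blob is a constructed sample, not engine code) walks a code region at every byte offset, the way !mona does, and reports the first pop r32 ... pop esp; ret sequence with at least the requested number of leading pops.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One-byte x86 "pop r32" is 0x58 + reg; reg 4 gives 0x5c, which is pop esp. */
static int is_pop_r32(uint8_t b) { return b >= 0x58 && b <= 0x5f; }

/* Scan for a stack pivot of the shape:  pop r32 (x N); pop esp; ret   with N >= min_pops.
   Every byte offset is tried, so unintended gadgets that begin inside a longer
   instruction are found too. Returns the offset of the first hit or -1; if
   npops is non-NULL it receives N for that hit. */
long find_stack_pivot(const uint8_t *code, size_t len, int min_pops, int *npops)
{
    for (size_t i = 0; i < len; i++) {
        size_t j = i;
        int pops = 0;
        while (j < len && is_pop_r32(code[j]) && code[j] != 0x5c) { pops++; j++; }
        if (pops < min_pops || j + 1 >= len || code[j] != 0x5c)
            continue;
        /* 0xc3 is ret; 0xc2 imm16 (ret n) also works when the immediate is small */
        if (code[j + 1] == 0xc3 || (code[j + 1] == 0xc2 && j + 3 < len)) {
            if (npops) *npops = pops;
            return (long)i;
        }
    }
    return -1;
}

/* Constructed sample region (not real engine bytes): two decoys and one usable pivot. */
const uint8_t SAMPLE_CODE[] = {
    0x55, 0x8b, 0xec, 0x83, 0xec, 0x10,        /*  0: push ebp; mov ebp,esp; sub esp,0x10 */
    0x5c, 0xc3,                                /*  6: pop esp; ret  (no leading pops)   */
    0x90, 0x90, 0x90, 0x90, 0x90,              /*  8: nop sled                          */
    0x8b, 0x45, 0x08, 0x5b, 0x5d, 0x59, 0xc3,  /* 13: mov eax,[ebp+8]; pop ebx; pop ebp; pop ecx; ret */
    0x5b, 0x5d, 0x5c, 0xc3,                    /* 20: pop ebx; pop ebp; pop esp; ret     */
    0xcc, 0xcc
};
const size_t SAMPLE_CODE_LEN = sizeof SAMPLE_CODE;

int main(void)
{
    int n = 0;
    long off = find_stack_pivot(SAMPLE_CODE, SAMPLE_CODE_LEN, 2, &n);
    printf("pivot with %d leading pops at offset %ld\n", n, off);   /* 2 pops at 20 */
    return 0;
}
```

In practice you run this kind of search over a module that is not rebased and not ASLR-enabled, which is also why the post leans on mona rather than hand-rolling it: mona already knows which loaded modules qualify and filters out gadgets whose addresses contain bad characters.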
Dropping into IDA revealed a reasonably simple function. (Note: this function was difficult to understand at first, and it took me a while to work out the mapping from the BSP file to the code. This is the finished version, from before I found the source code online and learned the real names and data types. Many days of hard work are being glossed over.)
By reading the excellent IDA decompiled source with struct types, I determined that BFF had corrupted the vec3Count variable. This caused more than 64 VEC3s (three 4-byte floats each) to be placed into the VEC3DATA struct, corrupting the numVertsStack and vec3Count variables that follow it. vec3Count was corrupted to a large number, which is why we saw the exception at 0286ddd7 mov dword ptr [ecx-8],eax when the copy ran into the guard page.
The GL_SubdivideSurface function must return in order to pop the corrupted saved return address off the stack, but a tail call to SubdivideSurface prevents this. There is also a bounds check on numVerts that limits it to 60, which is not enough to overflow anything important.
Further reading of this function made me realize that if I could somehow change the numVerts input argument, I could quickly bypass this function. To my luck, the GL_SubdivideSurface stack frame had numVerts right below the overflowed buffer. This meant I could control the variable to fake the number of vertices already processed by SubdivideSurface, effectively bypassing it.
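The overflow and the numVerts trick can be modelled in a few lines. The C below is an added example written for this page, not the engine's code: the frame layout (64 vec3 slots, then numVertsStack and vec3Count, then numVerts, then the guard page), the assumption that the copy loop re-reads vec3Count from the stack on every pass, and all function names are mine, chosen to reproduce the two behaviours described above: the fuzzer's crash on the guard page, and a controlled overwrite that stops the loop cleanly and leaves numVerts holding an attacker-chosen value.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed frame layout (model only): 64 vec3 slots, then numVertsStack,
   vec3Count, the caller's numVerts, and finally the guard page. */
#define MAX_VERTS          64
#define WORDS_PER_VERT     3                              /* x, y, z as 4-byte floats */
#define IDX_NUMVERTS_STACK (MAX_VERTS * WORDS_PER_VERT)   /* word 192 */
#define IDX_VEC3COUNT      (IDX_NUMVERTS_STACK + 1)       /* word 193 */
#define IDX_NUMVERTS       (IDX_NUMVERTS_STACK + 2)       /* word 194 */
#define FRAME_WORDS        (IDX_NUMVERTS + 1)             /* word 195 starts the guard page */
#define GUARD_WORDS        256

typedef struct {
    int      rejected;       /* hardened path refused the count            */
    int      hit_guard;      /* copy reached the guard page (BFF's crash)  */
    uint32_t verts_written;
    uint32_t numVertsStack;  /* bookkeeping values after the copy          */
    uint32_t vec3Count;
    uint32_t numVerts;       /* caller's argument after the copy           */
} subdiv_result_t;

/* Constructed vertex lump: nverts vec3s of 1.0f, the last vec3 carrying the
   three words the attacker wants to land just past the 64-entry array. */
uint32_t craft_vec3_lump(uint32_t *out, uint32_t nverts, uint32_t a, uint32_t b, uint32_t c)
{
    uint32_t words = nverts * WORDS_PER_VERT;
    for (uint32_t i = 0; i < words; i++)
        out[i] = 0x3f800000u;
    out[words - 3] = a;
    out[words - 2] = b;
    out[words - 1] = c;
    return words;
}

static subdiv_result_t run_subdivide(const uint32_t *src, uint32_t src_words,
                                     uint32_t vec3Count, uint32_t numVerts, int check)
{
    uint32_t frame[FRAME_WORDS + GUARD_WORDS];
    subdiv_result_t r = {0, 0, 0, 0, 0, 0};
    memset(frame, 0, sizeof frame);
    frame[IDX_VEC3COUNT] = vec3Count;
    frame[IDX_NUMVERTS]  = numVerts;

    if (check && vec3Count > MAX_VERTS) {       /* the fix: bound the file-supplied count */
        r.rejected = 1;
        return r;
    }
    /* Vulnerable copy: the loop bound is re-read from the frame every pass, so
       once the 65th vec3 lands on vec3Count the attacker owns the bound. */
    for (uint32_t i = 0; i < frame[IDX_VEC3COUNT]; i++) {
        uint32_t off = i * WORDS_PER_VERT;
        if (off + WORDS_PER_VERT > FRAME_WORDS) { r.hit_guard = 1; break; }
        if (off + WORDS_PER_VERT > src_words) break;        /* lump exhausted */
        memcpy(&frame[off], &src[off], WORDS_PER_VERT * sizeof(uint32_t));
        r.verts_written++;
    }
    r.numVertsStack = frame[IDX_NUMVERTS_STACK];
    r.vec3Count     = frame[IDX_VEC3COUNT];
    r.numVerts      = frame[IDX_NUMVERTS];
    return r;
}

subdiv_result_t subdivide_unsafe(const uint32_t *s, uint32_t n, uint32_t vec3Count, uint32_t numVerts)
{ return run_subdivide(s, n, vec3Count, numVerts, 0); }

subdiv_result_t subdivide_hardened(const uint32_t *s, uint32_t n, uint32_t vec3Count, uint32_t numVerts)
{ return run_subdivide(s, n, vec3Count, numVerts, 1); }

/* What the fuzzer's corrupted map did: 65 vec3s, the last one stuffing a huge
   vec3Count, so the copy keeps going until it faults on the guard page. */
int demo_fuzzer_crash_hits_guard(void)
{
    uint32_t lump[2 * MAX_VERTS * WORDS_PER_VERT];
    uint32_t n = craft_vec3_lump(lump, 65, 0x41414141u, 0x7fffffffu, 0x42424242u);
    return subdivide_unsafe(lump, n, 65, 4).hit_guard;      /* 1 */
}

/* Controlled version: vec3Count is rewritten to exactly 65 so the loop stops
   cleanly, and numVerts is set to a value of our choosing (60 here). */
uint32_t demo_controlled_numverts(void)
{
    uint32_t lump[2 * MAX_VERTS * WORDS_PER_VERT];
    uint32_t n = craft_vec3_lump(lump, 65, 0, 65, 60);
    subdiv_result_t r = subdivide_unsafe(lump, n, 65, 4);
    return r.hit_guard ? 0 : r.numVerts;                     /* 60 */
}

int demo_hardened_rejects(void)
{
    uint32_t lump[2 * MAX_VERTS * WORDS_PER_VERT];
    uint32_t n = craft_vec3_lump(lump, 65, 0, 65, 60);
    return subdivide_hardened(lump, n, 65, 4).rejected;      /* 1 */
}

int main(void)
{
    printf("fuzzer case hits guard page:     %d\n", demo_fuzzer_crash_hits_guard());
    printf("controlled numVerts:             %u\n", (unsigned)demo_controlled_numverts());
    printf("hardened path rejects count 65:  %d\n", demo_hardened_rejects());
    return 0;
}
```

The difference between the two unsafe runs is only the word that lands on vec3Count: a random fuzzer value sends the loop into the guard page, while a value equal to the number of vertices actually supplied ends the loop with every later local already overwritten. That is the step that turns a crash into a controlled write, and the hardened path shows that a single comparison against the array size before the copy removes both outcomes.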