####################################################################### Luigi Auriemma Application: Halocon no website currently working, however should be http://www.zaboo.net Versions: <= 2.0.0.81 (seems the latest available version) Platforms: Windows Bug: socket termination Exploitation: remote, versus server Date: 16 Jan 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: http://aluigi.altervista.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Halocon is a remote server manager written by jazper (http://www.zaboo.net). It is no longer supported but some admins still use it. ####################################################################### ====== 2) Bug ====== An empty UDP packet (zero bytes) leads to the automatic termination of the Halocon server's socket. So the admin will be no longer able to send remote commands to the Halocon application. Halocon uses the UdpPort part of the Ip*works! v5 library (http://www.nsoftware.com) and in the first moment I thought this was the cause of the bug (everything said that when I debugged the code) but after the tests made by NSoftware and me on both v5 and v6 versions we have seen this was wrong or partially wrong. I don't know what specific build of Ip*works! is used by Halocon, however I have preferred to note this little doubt. ####################################################################### =========== 3) The Code =========== My Lithtech proof-of-concept is enough to send an empty UDP packet: http://aluigi.altervista.org/poc/lithsock.zip Halocon works on port 2305 by default, so remember to specify it when use the proof-of-concept. ####################################################################### ====== 4) Fix ====== No fix. #######################################################################