Quake 3 engine, con\con and heartbeats
Author : Auriemma Luigi <firstname.lastname@example.org>
Download : http://www.pivx.com/luigi/poc/q3concon.zip
Well, the following problem is based on the very old con\con bug that
affects unpatched Windows 95/98/98SE systems.
If you don't know it, take a look here:
I have decided to show this problem to the security community ONLY for
- I think it is an amusing way to crash remote systems through an
original vector: multiplayer games combined with an old and well-known system bug.
- Probably a great number of people don't know that a patch exists for
the con\con problem, or even that this famous problem exists at all.
- I like the exploit I have written a lot, and someone may find it
interesting for other tests on the Quake 3 engine 8-)
Quickly: some of the games based on the Quake 3 engine have an amusing feature.
They display the image related to the current map played in a multiplayer
First, they take the name of the map passed by the server in the "mapname"
parameter, append .TGA or another image extension to this name, and finally
try to load and display it on the screen.
An example in C language for Quake 3 is the following:
#define Q3 "\xff\xff\xff\xff" "infoResponse\n" "\\punkbuster\\0" \
           "\\pure\\1" "\\gametype\\0" "\\sv_maxclients\\8" \
           "\\clients\\1" "\\mapname\\con/con" /* <-- the hostile mapname */ \
           "\\hostname\\hostname"
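The check a client would need here, as an added example that is not from the advisory or from the Quake 3 source: pull the mapname out of an infoResponse like the one above and refuse any value that is not a plain file-name token or that Windows would treat as a device name. The info_value parser and the sample string are this example's own (the engine has its own Info_ValueForKey), and the 64-byte limit is an assumption.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed sample: the advisory's infoResponse carrying the hostile mapname. */
#define SAMPLE_INFO_RESPONSE "\xff\xff\xff\xff" "infoResponse\n" "\\punkbuster\\0" \
    "\\pure\\1" "\\gametype\\0" "\\sv_maxclients\\8" "\\clients\\1" \
    "\\mapname\\con/con" "\\hostname\\hostname"
/* Value of `key` in a "\key\value\key\value" info string (own helper, not the
 * engine's Info_ValueForKey); NULL if absent or longer than the static buffer. */
const char *info_value(const char *info, const char *key) {
    static char buf[64];
    size_t klen = strlen(key);
    for (const char *p = strchr(info, '\\'); p != NULL; ) {
        const char *k = p + 1;                 /* key follows the backslash */
        const char *sep = strchr(k, '\\');     /* separates key from value */
        if (sep == NULL) return NULL;
        const char *v = sep + 1, *end = strchr(v, '\\'); /* next key, or NULL on last pair */
        size_t vlen = end ? (size_t)(end - v) : strlen(v);
        if ((size_t)(sep - k) == klen && memcmp(k, key, klen) == 0) {
            if (vlen >= sizeof buf) return NULL;   /* refuse to truncate silently */
            memcpy(buf, v, vlen);
            buf[vlen] = '\0';
            return buf;
        }
        p = end;
    }
    return NULL;
}
/* Names Windows maps to a device in any directory and with any extension. */
static bool is_reserved_device(const char *s) {
    char up[8]; size_t n = strlen(s);
    if (n == 0 || n >= sizeof up) return false;
    for (size_t i = 0; i <= n; i++) up[i] = (char)toupper((unsigned char)s[i]);
    if (!strcmp(up, "CON") || !strcmp(up, "PRN") || !strcmp(up, "AUX") || !strcmp(up, "NUL"))
        return true;
    return n == 4 && (!memcmp(up, "COM", 3) || !memcmp(up, "LPT", 3))
           && up[3] >= '1' && up[3] <= '9';
}
/* True only if "<name>.tga" is safe to open: [A-Za-z0-9_-] only (so no '/',
 * '\\', '.' or ':'), at most 64 bytes (assumed limit), not a reserved device. */
bool mapname_is_safe(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64) return false;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_' && name[i] != '-') return false;
    return !is_reserved_device(name);
}
```

On the sample response the mapname parses as "con/con" and is rejected by the character check alone; a bare "con" or "COM1" is rejected by the device-name check, while an ordinary name such as "q3dm6" passes.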
I have personally tested some games based on the Quake 3 engine and the
- Quake 3 Arena 1.32
- Soldier of Fortune 2 1.03 GOLD
The games I have tested that are NOT vulnerable are:
- Return to Castle Wolfenstein 1.41
- Medal of Honor: Allied Assault 1.11
ONLY the clients are vulnerable to this problem.
EXPLOIT FOR QUAKE 3 + HEARTBEAT EMULATOR
I have written an exploit that emulates a Quake 3 server and sends the
It can be compiled on both Unix and Windows, and it also sends a heartbeat
packet to the Quake 3 master server (you can disable this feature by adding
after the executable name when you launch it).
The heartbeat is the method game servers use to be included in the
public server list owned by id Software.
That means the exploit will receive queries from all the Quake 3 clients
in the world and will send the con/con mapname back to them:
The official patch for the con\con problem (year 2000) can be found here: