Nmap Development mailing list archives

Valve Steam In-Home Streaming gaming software probe / match with additional nse starter file


From: Kristian Erik Hermansen <kristian.hermansen () gmail com>
Date: Tue, 21 Apr 2015 06:14:15 -0700

Hello nmap devs,

I was recently fuzzing around with the Valve Steam In-Home Streaming
gaming protocol and thought it may be useful to contribute back some
helpful base probes / nse bits. See below.


nmap-service-probes
"""
Probe TCP valve-steam q|\x03\x03\x03\xff\x03|
rarity 2
ports 27036
match valve-steam m|\x15\x03\x03\x00\x02\x02\x16|
"""

valve-steam.nse
"""
local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"

description = [[
Determines whether Valve's Steam In-Home Streaming gaming control port
is responding on a remote server.
This script currently only tests whether the server responds with a
known identifying payload.
Research is based on a very limited understanding of the protocol
learned from blind fuzzing.

References:
* Steam Support Page:
https://support.steampowered.com/kb_article.php?ref=3629-RIAV-1617#networkports
* Independent Research:
https://codingrange.com/blog/steam-in-home-streaming-discovery-protocol
]]

---
-- @usage
-- nmap -p 27036 <ip> --script valve-steam
--
-- @output
-- PORT   STATE SERVICE REASON
-- 27036/tcp open  valve-steam
-- |_valve-steam: Possible Valve Steam gaming software detected
--

categories = {"default", "safe", "discovery"}

author = "Kristian Erik Hermansen <kristian.hermansen+nmap () gmail com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";

-- Run against tcp/27036, or against any port that version detection has
-- already labelled valve-steam via the service probe above.
portrule = shortport.port_or_service(27036, "valve-steam", "tcp")

-- Bytes sent to the service, and the reply that identifies it (found by fuzzing).
local PROBE = "\x03\x03\x03\xff\x03"
local EXPECTED = "\x15\x03\x03\x00\x02\x02\x16"

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  -- Every socket call returns (status, err_or_data); bail out quietly on failure
  -- instead of passing an error string on to the match below.
  local status, err = socket:connect(host, port)
  if not status then
    return nil
  end

  status, err = socket:send(PROBE)
  if not status then
    socket:close()
    return nil
  end

  local response
  status, response = socket:receive()
  socket:close()
  if not status then
    return nil
  end

  -- Plain (non-pattern) search for the identifying bytes.
  if string.find(response, EXPECTED, 1, true) then
    return "Possible Valve Steam gaming software detected"
  end
  return nil
end
"""

There are other probes and more advanced things that can be done to
invoke havoc remotely in Valve Steam, but I will save those 0day for
another time if / when Valve actually implements a paid bug bounty
program :) Until then, here is a platform for other researchers to
start poking around. Yes, apparently Valve thought it was a great idea
to enable this feature by default and bind it to external interfaces
so that it can receive input from the Internet (the features are
really intended for the local LAN only, AFAIK). I tested this on a
bunch of different tcp/27036 endpoints and ~85% responded successfully
as actual Valve Steam software. I set the rarity level at 2 because
the port number is not very common and the success factor on the probe
is high.

Let me know if you have any questions...
-- 
Regards,

Kristian Erik Hermansen
https://www.linkedin.com/in/kristianhermansen
https://google.com/+KristianHermansen
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
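An added example for this archive page, not code from the message above and not Nmap's own service-probe engine: a Python replay of the posted probe/match pair. It parses the nmap-service-probes fragment (embedded below as a constructed string, exactly as posted), sends the decoded probe bytes to a simulated TLS 1.2 record layer, and decodes what comes back. The point worth seeing is what the bytes are: the expected reply `\x15\x03\x03\x00\x02\x02\x16` parses as a TLS record of content type 21 (alert), version 3.3 (TLS 1.2), length 2, carrying a fatal (2) record_overflow (22) alert, and the probe `\x03\x03\x03\xff\x03` parses as a record header with a declared length of 0xff03 = 65283 bytes, above the 2^14+2048 limit for which RFC 5246 defines exactly that alert. A record layer that enforces the limit therefore answers the probe the same way regardless of what application sits behind it, so a practitioner should read the match as "something speaking TLS on this port" and confirm with a real handshake (for example Nmap's ssl-cert script) before attributing it to Steam. The function names (parse_probe_fragment, tls_record_layer_reply, decode_tls_alert, run_probe) are this example's own, and only the record-header checks of a TLS server are modelled, not a handshake.

```python
"""Replay the valve-steam probe/match pair against a simulated TLS record
layer. Added example; not the poster's code and not Nmap's parser."""
import re

# Constructed input: the nmap-service-probes fragment as posted, kept raw so
# the \xNN escapes reach the parser intact.
PROBE_FRAGMENT = r"""
Probe TCP valve-steam q|\x03\x03\x03\xff\x03|
rarity 2
ports 27036
match valve-steam m|\x15\x03\x03\x00\x02\x02\x16|
""".strip()

# C-style escapes accepted inside a q|...| probe string (subset).
_C_ESCAPES = {"\\": b"\\", "0": b"\0", "n": b"\n", "r": b"\r", "t": b"\t"}

def decode_probe_string(text):
    """Turn the escaped body of a q|...| string into the bytes Nmap sends."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
        elif text[i + 1] == "x":
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif text[i + 1] in _C_ESCAPES:
            out += _C_ESCAPES[text[i + 1]]
            i += 2
        else:
            raise ValueError("unknown escape \\%s" % text[i + 1])
    return bytes(out)

def parse_probe_fragment(text):
    """Parse one Probe block (Probe/rarity/ports/match lines) into a dict.
    Only the subset of the file format used in the message is handled."""
    probe = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "Probe":
            proto, name, qstr = rest.split(" ", 2)
            body = re.match(r"q(.)(.*?)\1", qstr).group(2)
            probe = {"protocol": proto, "name": name, "rarity": None,
                     "payload": decode_probe_string(body), "ports": [], "matches": []}
        elif key == "rarity":
            probe["rarity"] = int(rest)
        elif key == "ports":
            for part in rest.split(","):          # "27036" or "27036-27040"
                lo, _, hi = part.partition("-")
                probe["ports"].extend(range(int(lo), int(hi or lo) + 1))
        elif key == "match":
            service, _, mstr = rest.partition(" ")
            m = re.match(r"m(.)(.*?)\1([is]*)", mstr)
            flags = (re.I if "i" in m.group(3) else 0) | (re.S if "s" in m.group(3) else 0)
            # The pattern is a Perl-style regex; Python's re reads its \xNN escapes.
            probe["matches"].append((service, re.compile(m.group(2).encode(), flags)))
    return probe

TLS_MAX_CIPHERTEXT = 2 ** 14 + 2048            # RFC 5246 section 6.2.3
ALERT_NAMES = {0: "close_notify", 10: "unexpected_message", 22: "record_overflow",
               40: "handshake_failure", 70: "protocol_version"}

def tls_alert(level, description, version=b"\x03\x03"):
    """Alert record: type 21, version, length 2, then level and description."""
    return b"\x15" + version + b"\x00\x02" + bytes([level, description])

def tls_record_layer_reply(data):
    """How a TLS 1.2 record layer reacts to the first client bytes (assumption:
    only the header checks are modelled; a well-formed record gets no reply)."""
    if len(data) < 5:
        return None                                # would wait for a full header
    ctype, length = data[0], int.from_bytes(data[3:5], "big")
    if length > TLS_MAX_CIPHERTEXT:
        return tls_alert(2, 22)                    # fatal record_overflow
    if ctype not in (20, 21, 22, 23):
        return tls_alert(2, 10)                    # fatal unexpected_message
    return None

def decode_tls_alert(data):
    """Fields of a 7-byte alert record, or None if the bytes are not one."""
    if len(data) != 7 or data[0] != 0x15 or data[3:5] != b"\x00\x02":
        return None
    return {"version": (data[1], data[2]),
            "level": {1: "warning", 2: "fatal"}.get(data[5], str(data[5])),
            "description": ALERT_NAMES.get(data[6], str(data[6]))}

def run_probe(probe, service):
    """Send the payload to `service` (bytes -> bytes or None) and return
    (matched service name or None, raw response)."""
    response = service(probe["payload"])
    if response is None:
        return None, None
    for name, pattern in probe["matches"]:
        if pattern.search(response):
            return name, response
    return None, response
```

Calling `run_probe(parse_probe_fragment(PROBE_FRAGMENT), tls_record_layer_reply)` returns `("valve-steam", b"\x15\x03\x03\x00\x02\x02\x16")`, and `decode_tls_alert` on that reply reports a fatal record_overflow: the match fires on the simulated record layer even though nothing Steam-specific is behind it. Swap in a callable that returns a non-TLS banner (or None for a silent service) and the same probe yields no match, which is the behaviour the nmap-service-probes entry relies on.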
