
Server Exploit - Remote Crash

Status: Not open for further replies.

Moderator (Staff member) · Joined Feb 22, 2008 · Messages 2,404 · Reaction score 723
Recently, a so-called fix for a bug called "BUUM" was released in the BR forums. It was apparently the lead cause of unknown crashes among all owners of private servers. The fix was originally released in the BR forums, but it was not released in a professional way: no proof-of-concept, no explanation of the bug, and no way of reproducing it. No further explanation at all. Only two files were released, which inject themselves into the server, changing the server memory and fixing the bug.
I will not post links to the original files; instead I will make this more of a discussion, because this can lead to other people finding other bugs, and to understanding how this bug in particular works and how we can prevent it - and others - in better ways.

Credits for releasing those two files: microamazing


ATTENTION: This "FIX" is only for server files based on JPT and MAGIC.

Part 1 - The Original Code

Code:
005739D2   > 8B43 38        MOV EAX,DWORD PTR DS:[EBX+38]            ;  Case 50321010 of switch 0056F521
005739D5   . C74424 20 9821>MOV DWORD PTR SS:[ESP+20],2198
005739DD   > 8B4B 34        MOV ECX,DWORD PTR DS:[EBX+34]
005739E0   . 8B53 3C        MOV EDX,DWORD PTR DS:[EBX+3C]
005739E3   . 894424 1C      MOV DWORD PTR SS:[ESP+1C],EAX
005739E7   . 8D4424 14      LEA EAX,DWORD PTR SS:[ESP+14]
005739EB   . 50             PUSH EAX
005739EC   . 55             PUSH EBP
005739ED   . 895424 30      MOV DWORD PTR SS:[ESP+30],EDX
005739F1   . 894C24 2C      MOV DWORD PTR SS:[ESP+2C],ECX
005739F5   . E8 26E5FEFF    CALL 00561F20
005739FA   . E9 97030000    JMP 00573D96

This is the piece of code that will handle the packet with opcode 50321010 received from any client. I'm not sure about its structure or what it does, but it is related to a hack log. We can see some values being moved from the packet buffer to ECX and EDX, moved to the stack, and then a call to offset 561F20 is made. Also, 2198h is moved to the stack. We can see in the call where it is handled:

Code:
00563F1D  |> 817F 0C 982100>CMP DWORD PTR DS:[EDI+C],2198
00563F24  |. 75 5C          JNZ SHORT 00563F82
00563F26  |. E8 F8420600    CALL 005C8223
00563F2B  |. 99             CDQ
00563F2C  |. B9 0A000000    MOV ECX,0A
00563F31  |. F7F9           IDIV ECX
00563F33  |. 8B86 C4AE0000  MOV EAX,DWORD PTR DS:[ESI+AEC4]
00563F39  |. 83C2 14        ADD EDX,14
00563F3C  |. 3BC2           CMP EAX,EDX
00563F3E  |.^0F8F 8CF6FFFF  JG 005635D0
00563F44  |. 8B57 10        MOV EDX,DWORD PTR DS:[EDI+10]
00563F47  |. 8B47 08        MOV EAX,DWORD PTR DS:[EDI+8]
00563F4A  |. 8B8E FC6D0000  MOV ECX,DWORD PTR DS:[ESI+6DFC]
00563F50  |. 52             PUSH EDX
00563F51  |. 50             PUSH EAX
00563F52  |. 81C1 0C430000  ADD ECX,430C
00563F58  |. 51             PUSH ECX
00563F59  |. 0FB74C24 28    MOVZX ECX,WORD PTR SS:[ESP+28]
00563F5E  |. 8D56 40        LEA EDX,DWORD PTR DS:[ESI+40]
00563F61  |. 52             PUSH EDX
00563F62  |. 0FB75424 2A    MOVZX EDX,WORD PTR SS:[ESP+2A]
00563F67  |. 8D46 20        LEA EAX,DWORD PTR DS:[ESI+20]
00563F6A  |. 50             PUSH EAX
00563F6B  |. 0FB74424 2C    MOVZX EAX,WORD PTR SS:[ESP+2C]
00563F70  |. 51             PUSH ECX
00563F71  |. 52             PUSH EDX
00563F72  |. 50             PUSH EAX
00563F73  |. 8D4C24 40      LEA ECX,DWORD PTR SS:[ESP+40]
00563F77  |. 68 58646000    PUSH 00606458                     ;  ASCII "%d:%d:%d - ID:( %s ) / Name:( %s ) / IP ( %s ) Warning invincible Mode ( %d )( %d )
"
00563F7C  |. 51             PUSH ECX
00563F7D  |. FFD5           CALL EBP
00563F7F  |. 83C4 28        ADD ESP,28
We can see it writes to the LogFile with values from the packet (invincible mode (%d)(%d)). The values are retrieved from EDI+10 and EDI+8.

Part 2 - The FIX

Code:
005739ED   . C705 90608400 >MOV DWORD PTR DS:[846090],2
005739F7   ? 90             NOP
005739F8   ? 90             NOP
005739F9   ? 90             NOP
005739FA   . E9 97030000    JMP sv_jpt.00573D96

This is how the "FIX" was released. I'm not sure what the memory address 0x846090 represents, but we can clearly see that the call to the function that writes to the LogFile was removed and the value "2" is moved to an offset. So I wonder: is this the correct way of fixing it? Now the LOG is gone; I'm sure that if the game developers added this log it's because it's important to detect hackers playing your game. See how the lack of information is bad? No information on how to reproduce the bug, so we don't have any other ideas to fix it.

Part 3 - Final Considerations

The way to reproduce this bug was not explained (*sigh*), only this so-called fix. The bug is obviously in the code that handles the given packet opcode, so it must consist of sending a packet with broken data that causes the server to hit an exception and be forced to close.
I am creating this discussion because it is necessary for everybody to understand how it works, so people can protect their servers and find out the proper way to reproduce the bug.
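As an added example, not code from the thread or from the server files, here is what the kind of fix the post argues for could look like in C: validate the packet before reading or logging anything from it, and keep the log line instead of nopping the call out. The packet layout (length DWORD at +0, opcode at +4, the two logged values at +8 and +0x10), the name caps and the function names are assumptions, since the post itself says the real structure is unknown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OPCODE_INVINCIBLE_WARN 0x50321010u
#define MIN_PKT_LEN 0x14u   /* assumed: header plus the two DWORDs the logger reads */
#define MAX_NAME    32u     /* assumed cap for id/name/ip strings taken from the session */

/* Result codes so the caller can see why a packet was dropped instead of crashing. */
enum { PKT_OK = 0, PKT_TOO_SHORT = -1, PKT_BAD_LEN = -2, PKT_BAD_OPCODE = -3, PKT_BAD_STR = -4 };

/* Little-endian DWORD read that never touches bytes beyond p[3]. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* True if s has a terminator within cap bytes, so %s can never run off the end. */
static int bounded(const char *s, size_t cap) {
    return memchr(s, '\0', cap) != NULL;
}

/* Validate the packet, then write the same warning line the original logger
 * produced into 'out' (a file in the real server). Returns a PKT_* code. */
int handle_invincible_warn(const uint8_t *pkt, size_t len,
                           const char *id, const char *name, const char *ip,
                           char *out, size_t outsz) {
    if (len < MIN_PKT_LEN) return PKT_TOO_SHORT;        /* fields would be read past the buffer */
    if (rd32(pkt) != len) return PKT_BAD_LEN;           /* header length must match what arrived */
    if (rd32(pkt + 4) != OPCODE_INVINCIBLE_WARN) return PKT_BAD_OPCODE;
    if (!bounded(id, MAX_NAME) || !bounded(name, MAX_NAME) || !bounded(ip, MAX_NAME)) return PKT_BAD_STR;
    uint32_t v1 = rd32(pkt + 0x08), v2 = rd32(pkt + 0x10); /* the (%d)(%d) values from the listing */
    /* Fixed format string and bounded output: the client controls values only, never the format. */
    snprintf(out, outsz, "ID:( %s ) / Name:( %s ) / IP ( %s ) Warning invincible Mode ( %u )( %u )",
             id, name, ip, (unsigned)v1, (unsigned)v2);
    return PKT_OK;
}

/* Constructed sample packet: length 0x14, opcode 0x50321010, v1 = 7, v2 = 9 (little-endian). */
const uint8_t SAMPLE_PKT[0x14] = { 0x14,0,0,0, 0x10,0x10,0x32,0x50, 7,0,0,0, 0,0,0,0, 9,0,0,0 };

int main(void) {
    char line[160];
    int rc = handle_invincible_warn(SAMPLE_PKT, sizeof SAMPLE_PKT, "1001", "Player", "10.0.0.1", line, sizeof line);
    printf("rc=%d %s\n", rc, rc == PKT_OK ? line : "(dropped)");
    return 0;
}
```

A truncated or mis-sized packet is rejected with a code the server can log on its own, so the hack log stays useful and a malformed packet no longer reaches the formatting routine.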
Newbie Spellweaver · Joined Feb 5, 2013 · Messages 13 · Reaction score 5
Sheen, I am Cainan from the BR forum, and I saw the AntiBumm SvSide topic posted by JP. Prog said that to reproduce the Buum you just send this: $3000000085004748FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, but since I am not specialized in this, I leave you my understanding of what he said...

*How did you find out about JP's modifications, given that they were done via DLL? I need help with that part... Thanks
Moderator (Staff member) · Joined Feb 22, 2008 · Messages 2,404 · Reaction score 723
This is another BUG, which I also wasn't able to reproduce. Maybe I tested with a wrong server, I don't know.

PS: Please, this is an English forum, use English to post here! Thanks :) Please translate your post so everyone can understand.
Over rock and under tree · Joined Jul 20, 2011 · Messages 568 · Reaction score 347
There are a number of simple things that will crash a server immediately (I usually test on BPT, but I do not have any client right now). Most of PT is poorly programmed (or it is just too old, etc.) and has lots of breaches to exploit.

There are things so simple that one would think it to be a trick from Prince of Persia 2, but it is an easy way to crash PT servers XDD...
Moderator (Staff member) · Joined Feb 22, 2008 · Messages 2,404 · Reaction score 723
I already said I won't give any download link; instead, just open OllyDbg and do the fix yourself. Also, the purpose of this thread is to discuss this exploit, not just to "protect" against it.
Newbie Spellweaver · Joined Dec 4, 2014 · Messages 18 · Reaction score 0
@zaharavn, do you have any info about this flaw in particular? How can it be explored? (I mean the flaw that is the subject of this thread.)

Also, if you know any other ones and would like to share them with us, feel free to do so :wink:

sheen, based on this "tutorial", is it possible to add this protection to another server?