2 exploit patches related to Agent command.

Removed.

Re: 2 exploit patches related to Agent command.

beast release !!

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by God Of Sun

Hi,

This blocks server command via UDP and prevents sender UID spoofing. (Also known as proxy hack.)

[./CSCommon/Source/MMatchClient.cpp - MMatchClient::MakeCmdFromTunnelingBlob()]

Spoiler:

PHP Code:

        return NULL;     }     delete [] pData;          // Proxy patch.     // m_pCommandDesc will never be NULL : above SetData() did it everything.     if (!pCmd->m_pCommandDesc->IsFlag(MCDT_PEER2PEER))     {         delete pCmd;         return NULL;     }          pCmd->m_Sender = uidSender;     pCmd->m_Receiver = m_This;     MMatchPeerInfo* pPeer = FindPeer(uidSender);

[./CSCommon/Source/MMatchClient.cpp - MMatchClient::ParseUDPPacket()] (case MSGID_RAWCOMMAND of switch)

Spoiler:

PHP Code:

                    mlog("MMatchClient::ParseUDPPacket() -> SetData Error\n");                     delete pCmd;                     return;                 }                 MUID uidPeer = FindPeerUID(dwIP, nPort);                 if (uidPeer != MUID(0,0))                 {                     // Proxy patch.                     if (pCmd->GetID() == MC_AGENT_TUNNELING_TCP || pCmd->GetID() == MC_AGENT_TUNNELING_UDP)                     {                         delete pCmd;                         return;                     }                                          pCmd->m_Sender = uidPeer;                 } else {                     // TODO: ?c}a ?oA?CO?sCO.                     sockaddr_in Addr;                     Addr.sin_addr.S_un.S_addr = dwIP;                     Addr.sin_port = nPort;                     char* pszIP = inet_ntoa(Addr.sin_addr);

[./CSCommon/Source/MMatchClient.cpp - MMatchClient::ParseUDPPacket()] (case MSGID_COMMAND of switch)

Spoiler:

PHP Code:

                    mlog("MMatchClient::ParseUDPPacket() -> MSGID_COMMAND SetData Error(%s:%d), size=%d\n",                         pszIP, nPort, nCmdSize);                     delete pCmd; pCmd = NULL;                     return;                 }                 MUID uidPeer = FindPeerUID(dwIP, nPort);                 if (uidPeer != MUID(0,0)) {                     // Proxy patch.                     if (pCmd->GetID() == MC_AGENT_TUNNELING_TCP || pCmd->GetID() == MC_AGENT_TUNNELING_UDP)                     {                         delete pCmd;                         return;                     }                                          pCmd->m_Sender = uidPeer;                 } else {                     // Agent?ILA ?IE’E-ƒÊE A?CCƒÊaLA âc?eCIAo ?ELALU.                     delete pCmd;                     return; /*                     // TODO: ?c}a ?oA?CO?sCO.                     sockaddr_in Addr;                     Addr.sin_addr.S_un.S_addr = dwIP;

[./MatchAgent/MMatchAgent.cpp - MMatchAgent::OnCommand()]

Spoiler:

PHP Code:

        case MC_AGENT_TUNNELING_TCP:    // M2M             {                 // Proxy patch.                 // When TCP tunneling is used normally?                 break;                                  MUID uidSender, uidReceiver;                 if (pCommand->GetParameter(&uidSender, 0, MPT_UID)==false) break;                 if (pCommand->GetParameter(&uidReceiver, 1, MPT_UID)==false) break;                                  MCommandParameter* pParam = pCommand->GetParameter(2);                 if (pParam->GetType()!=MPT_BLOB) break;                 void* pBlob = pParam->GetPointer();                 if( NULL == pBlob ) break;                 int nCount = MGetBlobArrayCount(pBlob);                 OnTunnelingTCP(uidSender, uidReceiver, pBlob, nCount);                 return true;             }

[./MatchAgent/MMatchAgent.cpp - MMatchAgent::ParseUDPPacket()]

Spoiler:

PHP Code:

                MCommandParameterUInt(nPort).GetData(pData, 1024);                 pParamPort->SetData(pData);                 PostSafeQueue(pCmd);             } else if (pCmd->GetID() == MC_AGENT_TUNNELING_UDP) {                 // Proxy patch...                 /*                 pCmd->m_Sender = MUID(0,0);                 pCmd->m_Receiver = m_This;                 PostSafeQueue(pCmd);                 */                                  sockaddr_in addr;                 addr.sin_addr.S_un.S_addr = dwIP;                 addr.sin_port = wRawPort;                                  char szIP[64]; strcpy(szIP, inet_ntoa(addr.sin_addr));                 unsigned int nPort = ntohs(addr.sin_port);                                  MUID uidSender = FindClientUID(szIP, nPort);                 if(uidSender == MUID(0, 0)) break;                                  MCommandParameterUID* pParamSenderUID = (MCommandParameterUID*)pCmd->GetParameter(0);                 if(pParamSenderUID == NULL || pParamSenderUID->GetType() != MPT_UID) break;                                  char nData[1024];                 MCommandParameterUID(uidSender).GetData(nData, sizeof(nData));                 pParamSenderUID->SetData(nData);                                  pCmd->m_Sender = uidSender;                 pCmd->m_Receiver = m_This;                                  PostSafeQueue(pCmd);             }         }         break;     case MSGID_COMMAND:         {             LOG(LOG_FILE, "MMatchAgent::ParseUDPPacket - Not Used\n");         }

[./MatchAgent/MMatchAgent.cpp]

Spoiler:

PHP Code:

    } else {         for (list<MUID>::iterator i=pClient->GetPeerRouteBegin(); i!=pClient->GetPeerRouteEnd(); )         {             MAgentClient* pTargetPeer = GetClient(*i);             if (pTargetPeer == NULL) {                 i = pClient->RemovePeerRoute(*i);                 continue;             }             SendPeerTunnel(pClient, pTargetPeer, pBlob, nCount);             ++i;         }     } } void MMatchAgent::OnDebugTest(const MUID& uidComm, const char* pszMsg) { } // Proxy patch... MUID MMatchAgent::FindClientUID(const char* pszIP, WORD wPort) {     for(MAgentClients::iterator i = m_Clients.begin(); i != m_Clients.end(); i++)     {         MAgentClient* pClient = (*i).second;                  if(stricmp(pClient->GetIP(), pszIP) == 0 && pClient->GetPort() == wPort)         {             return pClient->GetUID();         }     }          return MUID(0, 0); }

[./MatchAgent/MMatchAgent.h - MMatchAgent class]

Spoiler:

PHP Code:

    /// Local ClockAâ Global ClockACEI oPEP     static unsigned long int ConvertLocalClockToGlobalClock(unsigned long int nLocalClock, unsigned long int nLocalClockDistance);     /// Global ClockAâ Local ClockACEI oPEP     static unsigned long int ConvertGlobalClockToLocalClock(unsigned long int nGlobalClock, unsigned long int nLocalClockDistance); public: // For Debug     friend void MDebugUtil_PrintStagePeerList();          // Proxy patch. protected:     MUID FindClientUID(const char* pszIP, WORD wPort); }; #endif

Is it like this?

Code:

MCommand* MMatchClient::MakeCmdFromTunnelingBlob(const MUID& uidSender, void* pBlob, int nBlobArrayCount) { if (nBlobArrayCount != 1) { mlog("MakeCmdFromTunnelingBlob: BlobArrayCount is not 1\n"); return NULL; } char* pPacket = (char*)MGetBlobArrayElement(pBlob, 0); int nSize = MGetBlobArraySize(pBlob) - (sizeof(int) * 2); if ((nSize <= 0) || (nSize >= MAX_BLOB_SIZE)) { mlog("MakeCmdFromTunnelingBlob: Blob Size Error(size = %d)\n", nSize); return NULL; } char* pData = new char[nSize]; if (!m_PeerPacketCrypter.Decrypt(pPacket, nSize, pData, nSize)) { delete [] pData; return NULL; } MCommand* pCmd = new MCommand(); if (!pCmd->SetData(pData, &m_CommandManager)) { delete [] pData; delete pCmd; return NULL; } delete [] pData; pCmd->m_Sender = uidSender; pCmd->m_Receiver = m_This; MMatchPeerInfo* pPeer = FindPeer(uidSender); if (pPeer == NULL) { delete pCmd; return NULL; } delete [] pData; // Proxy patch. // m_pCommandDesc will never be NULL : above SetData() did it everything. if (!pCmd->m_pCommandDesc->IsFlag(MCDT_PEER2PEER)) { delete pCmd; return NULL; } pCmd->m_Sender = uidSender; pCmd->m_Receiver = m_This; MMatchPeerInfo* pPeer = FindPeer(uidSender); return pCmd; }

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by LGPaul

Is it like this?

Code:

MCommand* MMatchClient::MakeCmdFromTunnelingBlob(const MUID& uidSender, void* pBlob, int nBlobArrayCount) { if (nBlobArrayCount != 1) { mlog("MakeCmdFromTunnelingBlob: BlobArrayCount is not 1\n"); return NULL; } char* pPacket = (char*)MGetBlobArrayElement(pBlob, 0); int nSize = MGetBlobArraySize(pBlob) - (sizeof(int) * 2); if ((nSize <= 0) || (nSize >= MAX_BLOB_SIZE)) { mlog("MakeCmdFromTunnelingBlob: Blob Size Error(size = %d)\n", nSize); return NULL; } char* pData = new char[nSize]; if (!m_PeerPacketCrypter.Decrypt(pPacket, nSize, pData, nSize)) { delete [] pData; return NULL; } MCommand* pCmd = new MCommand(); if (!pCmd->SetData(pData, &m_CommandManager)) { delete [] pData; delete pCmd; return NULL; } delete [] pData; pCmd->m_Sender = uidSender; pCmd->m_Receiver = m_This; MMatchPeerInfo* pPeer = FindPeer(uidSender); if (pPeer == NULL) { delete pCmd; return NULL; } delete [] pData; // Proxy patch. // m_pCommandDesc will never be NULL : above SetData() did it everything. if (!pCmd->m_pCommandDesc->IsFlag(MCDT_PEER2PEER)) { delete pCmd; return NULL; } pCmd->m_Sender = uidSender; pCmd->m_Receiver = m_This; MMatchPeerInfo* pPeer = FindPeer(uidSender); return pCmd; }

I think only "// Proxy patch." parts are required to edit.

@On-topic : nice release.

Re: 2 exploit patches related to Agent command.

Can you explain better? I do not understand, is how you fix the topic and put the same Solarie? the topic it explains the location of the exploit and give place to replace, I do not understand much ...

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by vhrool12

Can you explain better? I do not understand, is how you fix the topic and put the same Solarie? the topic it explains the location of the exploit and give place to replace, I do not understand much ...

Well, you have to find it by ctrl + f,
and you have to add only the //Proxy patch parts.

Re: 2 exploit patches related to Agent command.

Very nice, thanks ^.^

Re: 2 exploit patches related to Agent command.

If you discovered this: Good job.
If you ripped this: Give some credits.

You're certain to make some waves with this anyway, it's been private for over 2 years.

Re: 2 exploit patches related to Agent command.

Though I really appreciate your release, this isn't going to work out. Here are a few of my concerns:

You're placing a flag check in MMatchClient.cpp. Which is client-sided and also unsafe (m_pCommandDesc is assumed not being NULL).
You shouldn't be disabling TCP tunnelling as it is actually being used when UDP is unavailable. TCP is actually the safe protocol here with verified headers.
You verify UDP packets based on IP and port at the MatchAgent, which isn't going to patch anything. The header of a UDP packet is rarely verified (other than the checksum) which means that you can easily spoof both IP and port of a UDP packet. E.g. I can send peer info using your IP. I've done this once at Utopia using WinPcap and it was quite a lot of fun, I sent packets of my own with the IP and port of every other player in the stage.

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by Solaire

I can send peer info using your IP (UDP Packet Header). I've done this once at Utopia using WinPcap and it was quite a lot of fun, I sent packets of my own with the IP and port of every other player in the stage.

Would really like to know what ISP you're using, since a lot of them block any such forged packets due to the problematic security risk they pose.

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by 12pool3

Would really like to know what ISP you're using, since a lot of them block any such forged packets due to the problematic security risk they pose.

There's not one single ISP in the Netherlands that blocks UDP spoofed packets. And as far as I'm aware, there's only a few that do so in the entire world.

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by Solaire

There's not one single ISP in the Netherlands that blocks UDP spoofed packets. And as far as I'm aware, there's only a few that do so in the entire world.

The majority of ISPs in the world block outgoing packets with IP headers containing a forged source IP.
This has been in effect since RFC 2827: http://www.ietf.org/rfc/rfc2827.txt

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by Solaire

Though I really appreciate your release, this isn't going to work out. Here are a few of my concerns:

Quote:

Originally Posted by Solaire

You're placing a flag check in MMatchClient.cpp. Which is client-sided and also unsafe (m_pCommandDesc is assumed not being NULL).
You shouldn't be disabling TCP tunnelling as it is actually being used when UDP is unavailable. TCP is actually the safe protocol here with verified headers.
You verify UDP packets based on IP and port at the MatchAgent, which isn't going to patch anything. The header of a UDP packet is rarely verified (other than the checksum) which means that you can easily spoof both IP and port of a UDP packet. E.g. I can send peer info using your IP. I've done this once at Utopia using WinPcap and it was quite a lot of fun, I sent packets of my own with the IP and port of every other player in the stage.

2. TCP tunneling is not implemented.
3. Try ArticGunz :ott1:

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by 12pool3

The majority of ISPs in the world block outgoing packets with IP headers containing a forged source IP.
This has been in effect since RFC 2827: http://www.ietf.org/rfc/rfc2827.txt

I was aware of that RFC, but it's not implemented here with any ISP as far as I know. Not sure about ISP's in other countries.

Quote:

Originally Posted by dacharles

2. TCP tunneling is not implemented.

If I recall correctly, it was implemented back in '07 files.

Quote:

Originally Posted by dacharles

3. Try ArticGunz :ott1:

Why?

Re: 2 exploit patches related to Agent command.

Patched.

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by dacharles

Patched.

Since you can't patch a protocol-related exploit in a game, I'm assuming you have implemented a workaround. Which would work until someone reverse engineers it.

Re: 2 exploit patches related to Agent command.

Not going too far into detail, but you're retarded if you think this patch solves anything, and furthermore, UDP headers *can* be spoofed.

Your best bet is to encrypt the UDP packets, and force encryption of them.

Re: 2 exploit patches related to Agent command.

Quote:

Originally Posted by Solaire

Since you can't patch a protocol-related exploit in a game, I'm assuming you have implemented a workaround. Which would work until someone reverse engineers it.

As you said "until someone reverse engineers it".