2 exploit patches related to Agent command.
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
God Of Sun
Hi,
This blocks server commands via UDP and prevents sender UID spoofing (also known as the proxy hack).
[./CSCommon/Source/MMatchClient.cpp - MMatchClient::MakeCmdFromTunnelingBlob()]
[./CSCommon/Source/MMatchClient.cpp - MMatchClient::ParseUDPPacket()]
(case MSGID_RAWCOMMAND of switch)
[./CSCommon/Source/MMatchClient.cpp - MMatchClient::ParseUDPPacket()]
(case MSGID_COMMAND of switch)
[./MatchAgent/MMatchAgent.cpp - MMatchAgent::OnCommand()]
[./MatchAgent/MMatchAgent.cpp - MMatchAgent::ParseUDPPacket()]
[./MatchAgent/MMatchAgent.cpp]
[./MatchAgent/MMatchAgent.h - MMatchAgent class]
Is it like this?
Code:
    MCommand* MMatchClient::MakeCmdFromTunnelingBlob(const MUID& uidSender, void* pBlob, int nBlobArrayCount)
    {
        if (nBlobArrayCount != 1)
        {
            mlog("MakeCmdFromTunnelingBlob: BlobArrayCount is not 1\n");
            return NULL;
        }

        char* pPacket = (char*)MGetBlobArrayElement(pBlob, 0);
        int nSize = MGetBlobArraySize(pBlob) - (sizeof(int) * 2);
        if ((nSize <= 0) || (nSize >= MAX_BLOB_SIZE))
        {
            mlog("MakeCmdFromTunnelingBlob: Blob Size Error(size = %d)\n", nSize);
            return NULL;
        }

        char* pData = new char[nSize];
        if (!m_PeerPacketCrypter.Decrypt(pPacket, nSize, pData, nSize))
        {
            delete [] pData;
            return NULL;
        }

        MCommand* pCmd = new MCommand();
        if (!pCmd->SetData(pData, &m_CommandManager))
        {
            delete [] pData;
            delete pCmd;
            return NULL;
        }
        // The decrypted buffer has been parsed into pCmd; free it exactly once here.
        delete [] pData;

        // Proxy patch.
        // m_pCommandDesc will never be NULL : above SetData() did it everything.
        // Only commands flagged peer-to-peer may arrive through the tunnel.
        if (!pCmd->m_pCommandDesc->IsFlag(MCDT_PEER2PEER))
        {
            delete pCmd;
            return NULL;
        }

        pCmd->m_Sender = uidSender;
        pCmd->m_Receiver = m_This;

        // The claimed sender must be a peer we already know about.
        MMatchPeerInfo* pPeer = FindPeer(uidSender);
        if (pPeer == NULL)
        {
            delete pCmd;
            return NULL;
        }

        return pCmd;
    }
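The two gate checks the patch adds to the tunnel path (drop any command whose descriptor is not flagged peer-to-peer, and drop any claimed sender UID that does not resolve to a known peer), with the agent-side IP/port comparison the release also describes, as a stand-alone C++ model. This is an added example, not code from the GunZ source or from this thread: CommandDesc, CDT_PEER2PEER, TunnelGate, Endpoint and the two-entry command table are hypothetical stand-ins for MCommandDesc, MCDT_PEER2PEER, MMatchPeerInfo and the real table, and the peer fixture (UID 42 at 10.0.0.5:7777) is constructed.

```cpp
// Added example (not the project's code): a stand-alone model of the gate checks the
// patch applies to tunneled commands. CommandDesc / CDT_PEER2PEER / TunnelGate / Endpoint
// are hypothetical stand-ins for the GunZ MCommandDesc / MCDT_PEER2PEER / MMatchPeerInfo
// types; the command table and the registered peer are constructed for the demo.
#include <cstdint>
#include <cstdio>
#include <map>

typedef uint64_t Uid;

enum CmdFlags { CDT_PEER2PEER = 0x1, CDT_SERVER_ONLY = 0x2 };   // hypothetical flag bits

struct CommandDesc { int id; unsigned flags; const char* name; };

// Constructed command table: one command peers may exchange directly,
// one that only the match server is allowed to issue.
static const CommandDesc kCommandTable[] = {
    { 1001, CDT_PEER2PEER,   "PEER_POSITION" },
    { 2001, CDT_SERVER_ONLY, "SERVER_SET_STAGE_MASTER" },
};

static const CommandDesc* FindDesc(int cmdId) {
    for (const CommandDesc& d : kCommandTable)
        if (d.id == cmdId) return &d;
    return nullptr;
}

struct Endpoint {
    uint32_t ip; uint16_t port;
    bool operator==(const Endpoint& o) const { return ip == o.ip && port == o.port; }
};
static inline Endpoint Ep(uint32_t ip, uint16_t port) { Endpoint e; e.ip = ip; e.port = port; return e; }

enum Verdict {
    ACCEPT,
    REJECT_UNKNOWN_CMD,        // SetData() would fail: no descriptor for this id
    REJECT_NOT_P2P,            // the "Proxy patch" check: the tunnel carries P2P commands only
    REJECT_UNKNOWN_PEER,       // FindPeer() returned nothing for the claimed UID
    REJECT_ENDPOINT_MISMATCH   // agent-side check: datagram source != address recorded for that UID
};

class TunnelGate {
public:
    void AddPeer(Uid uid, Endpoint ep) { m_peers[uid] = ep; }

    // claimedSender is the UID in the tunnel header; from is the datagram's source address.
    Verdict Check(Uid claimedSender, Endpoint from, int cmdId) const {
        const CommandDesc* desc = FindDesc(cmdId);
        if (desc == nullptr) return REJECT_UNKNOWN_CMD;
        if (!(desc->flags & CDT_PEER2PEER)) return REJECT_NOT_P2P;
        std::map<Uid, Endpoint>::const_iterator it = m_peers.find(claimedSender);
        if (it == m_peers.end()) return REJECT_UNKNOWN_PEER;
        // Caveat: a UDP source address is asserted by the sender and not verified by the
        // network, so this comparison only raises the bar; binding the UID to a per-peer
        // secret is what actually closes the spoofing case.
        if (!(it->second == from)) return REJECT_ENDPOINT_MISMATCH;
        return ACCEPT;
    }
private:
    std::map<Uid, Endpoint> m_peers;
};

// Constructed fixture: one registered peer, UID 42 at 10.0.0.5:7777.
TunnelGate MakeDemoGate() {
    TunnelGate g;
    g.AddPeer(42, Ep(0x0A000005, 7777));
    return g;
}

int main() {
    TunnelGate gate = MakeDemoGate();
    const char* names[] = { "ACCEPT", "REJECT_UNKNOWN_CMD", "REJECT_NOT_P2P",
                            "REJECT_UNKNOWN_PEER", "REJECT_ENDPOINT_MISMATCH" };
    std::printf("P2P cmd from 42      : %s\n", names[gate.Check(42, Ep(0x0A000005, 7777), 1001)]);
    std::printf("server cmd from 42   : %s\n", names[gate.Check(42, Ep(0x0A000005, 7777), 2001)]);
    std::printf("P2P cmd from UID 99  : %s\n", names[gate.Check(99, Ep(0x0A000005, 7777), 1001)]);
    std::printf("UID 42, other source : %s\n", names[gate.Check(42, Ep(0x0A000009, 7777), 1001)]);
    return 0;
}
```

The flag check is the part that is transport-independent and cheap; the endpoint comparison is the part the later replies in this thread argue is weak on its own.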
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
LGPaul
Is it like this?
Code:
    MCommand* MMatchClient::MakeCmdFromTunnelingBlob(const MUID& uidSender, void* pBlob, int nBlobArrayCount)
    {
        if (nBlobArrayCount != 1)
        {
            mlog("MakeCmdFromTunnelingBlob: BlobArrayCount is not 1\n");
            return NULL;
        }

        char* pPacket = (char*)MGetBlobArrayElement(pBlob, 0);
        int nSize = MGetBlobArraySize(pBlob) - (sizeof(int) * 2);
        if ((nSize <= 0) || (nSize >= MAX_BLOB_SIZE))
        {
            mlog("MakeCmdFromTunnelingBlob: Blob Size Error(size = %d)\n", nSize);
            return NULL;
        }

        char* pData = new char[nSize];
        if (!m_PeerPacketCrypter.Decrypt(pPacket, nSize, pData, nSize))
        {
            delete [] pData;
            return NULL;
        }

        MCommand* pCmd = new MCommand();
        if (!pCmd->SetData(pData, &m_CommandManager))
        {
            delete [] pData;
            delete pCmd;
            return NULL;
        }
        // The decrypted buffer has been parsed into pCmd; free it exactly once here.
        delete [] pData;

        // Proxy patch.
        // m_pCommandDesc will never be NULL : above SetData() did it everything.
        // Only commands flagged peer-to-peer may arrive through the tunnel.
        if (!pCmd->m_pCommandDesc->IsFlag(MCDT_PEER2PEER))
        {
            delete pCmd;
            return NULL;
        }

        pCmd->m_Sender = uidSender;
        pCmd->m_Receiver = m_This;

        // The claimed sender must be a peer we already know about.
        MMatchPeerInfo* pPeer = FindPeer(uidSender);
        if (pPeer == NULL)
        {
            delete pCmd;
            return NULL;
        }

        return pCmd;
    }
I think only the "// Proxy patch." parts need to be edited.
@On-topic : nice release.
Re: 2 exploit patches related to Agent command.
Can you explain better? I do not understand, is how you fix the topic and put the same Solaire? The topic explains the location of the exploit and gives the place to replace, I do not understand much...
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
vhrool12
Can you explain better? I do not understand, is how you fix the topic and put the same Solaire? The topic explains the location of the exploit and gives the place to replace, I do not understand much...
Well, you have to find it by ctrl + f,
and you have to add only the //Proxy patch parts.
Re: 2 exploit patches related to Agent command.
If you discovered this: Good job.
If you ripped this: Give some credits.
You're certain to make some waves with this anyway, it's been private for over 2 years.
Re: 2 exploit patches related to Agent command.
Though I really appreciate your release, this isn't going to work out. Here are a few of my concerns:
- You're placing a flag check in MMatchClient.cpp, which is client-side and also unsafe (m_pCommandDesc is assumed not to be NULL).
- You shouldn't be disabling TCP tunnelling as it is actually being used when UDP is unavailable. TCP is actually the safe protocol here with verified headers.
- You verify UDP packets based on IP and port at the MatchAgent, which isn't going to patch anything. The header of a UDP packet is rarely verified (other than the checksum) which means that you can easily spoof both IP and port of a UDP packet. E.g. I can send peer info using your IP. I've done this once at Utopia using WinPcap and it was quite a lot of fun, I sent packets of my own with the IP and port of every other player in the stage.
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
Solaire
I can send peer info using your IP (UDP Packet Header). I've done this once at Utopia using WinPcap and it was quite a lot of fun, I sent packets of my own with the IP and port of every other player in the stage.
Would really like to know what ISP you're using, since a lot of them block any such forged packets due to the problematic security risk they pose.
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
12pool3
Would really like to know what ISP you're using, since a lot of them block any such forged packets due to the problematic security risk they pose.
There's not one single ISP in the Netherlands that blocks UDP spoofed packets. And as far as I'm aware, there's only a few that do so in the entire world.
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
Solaire
There's not one single ISP in the Netherlands that blocks UDP spoofed packets. And as far as I'm aware, there's only a few that do so in the entire world.
The majority of ISPs in the world block outgoing packets with IP headers containing a forged source IP.
This has been in effect since RFC 2827: http://www.ietf.org/rfc/rfc2827.txt
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
Solaire
Though I really appreciate your release, this isn't going to work out. Here are a few of my concerns:
Quote:
Originally Posted by
Solaire
- You're placing a flag check in MMatchClient.cpp, which is client-side and also unsafe (m_pCommandDesc is assumed not to be NULL).
- You shouldn't be disabling TCP tunnelling as it is actually being used when UDP is unavailable. TCP is actually the safe protocol here with verified headers.
- You verify UDP packets based on IP and port at the MatchAgent, which isn't going to patch anything. The header of a UDP packet is rarely verified (other than the checksum) which means that you can easily spoof both IP and port of a UDP packet. E.g. I can send peer info using your IP. I've done this once at Utopia using WinPcap and it was quite a lot of fun, I sent packets of my own with the IP and port of every other player in the stage.
2. TCP tunneling is not implemented.
3. Try ArticGunz :ott1:
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
12pool3
The majority of ISPs in the world block outgoing packets with IP headers containing a forged source IP.
This has been in effect since RFC 2827: http://www.ietf.org/rfc/rfc2827.txt
I was aware of that RFC, but it's not implemented here with any ISP as far as I know. Not sure about ISPs in other countries.
Quote:
Originally Posted by
dacharles
2. TCP tunneling is not implemented.
If I recall correctly, it was implemented back in '07 files.
Quote:
Originally Posted by
dacharles
3. Try ArticGunz :ott1:
Why?
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
dacharles
Patched.
Since you can't patch a protocol-related exploit in a game, I'm assuming you have implemented a workaround. Which would work until someone reverse engineers it.
Re: 2 exploit patches related to Agent command.
Not going too far into detail, but you're retarded if you think this patch solves anything, and furthermore, UDP headers *can* be spoofed.
Your best bet is to encrypt the UDP packets, and force encryption of them.
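The authentication half of "encrypt the UDP packets, and force encryption of them", as an added C++ example that is not code from this thread or from the GunZ source: each peer holds a session key that the agent also knows, every tunneled datagram carries a keyed tag over its sender UID, sequence number and payload, and the receiver decides who sent a datagram from the tag alone, so neither a forged source IP/port nor a forged UID field passes, and the check does not depend on anything a reverse engineer can learn from the binary. SipHash-2-4 is a published MAC for short messages; TunnelPacket, PeerAuth, the 16-byte key, UID 42 and the command bytes are hypothetical and constructed for the demo, and the key is assumed to be issued per stage over the match server's TCP session. Encrypting the payload would be layered on top of this.

```cpp
// Added example (not the project's code): per-peer authentication tags for tunneled datagrams.
// SipHash-2-4 is a real MAC; TunnelPacket, PeerAuth, the key and UID 42 are constructed.
#include <cstdint>
#include <cstddef>
#include <cstring>
#include <map>
#include <vector>

static inline uint64_t Rotl64(uint64_t x, int b) { return (x << b) | (x >> (64 - b)); }
static inline uint64_t Load64LE(const uint8_t* p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | p[i];
    return v;
}
static inline void SipRound(uint64_t& v0, uint64_t& v1, uint64_t& v2, uint64_t& v3) {
    v0 += v1; v1 = Rotl64(v1, 13); v1 ^= v0; v0 = Rotl64(v0, 32);
    v2 += v3; v3 = Rotl64(v3, 16); v3 ^= v2;
    v0 += v3; v3 = Rotl64(v3, 21); v3 ^= v0;
    v2 += v1; v1 = Rotl64(v1, 17); v1 ^= v2; v2 = Rotl64(v2, 32);
}

// SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit tag, designed for short inputs.
uint64_t SipHash24(const uint8_t key[16], const uint8_t* in, size_t len) {
    uint64_t k0 = Load64LE(key), k1 = Load64LE(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {                       // full 8-byte words
        uint64_t m = Load64LE(in + i);
        v3 ^= m; SipRound(v0, v1, v2, v3); SipRound(v0, v1, v2, v3); v0 ^= m;
    }
    uint64_t b = (uint64_t)len << 56;                     // last word: length byte + tail bytes
    for (size_t j = 0; i + j < len; ++j) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SipRound(v0, v1, v2, v3); SipRound(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff;
    for (int r = 0; r < 4; ++r) SipRound(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

struct TunnelPacket {
    uint64_t senderUid;            // UID the sender claims
    uint32_t seq;                  // per-sender counter, replay guard
    std::vector<uint8_t> payload;  // the command blob (encrypted separately in a real protocol)
    uint64_t tag;                  // SipHash over senderUid || seq || payload
};

// Bytes the tag covers; header fields first, so a changed UID or seq changes the tag.
static std::vector<uint8_t> TaggedBytes(const TunnelPacket& p) {
    std::vector<uint8_t> buf;
    for (int i = 0; i < 8; ++i) buf.push_back((uint8_t)(p.senderUid >> (8 * i)));
    for (int i = 0; i < 4; ++i) buf.push_back((uint8_t)(p.seq >> (8 * i)));
    buf.insert(buf.end(), p.payload.begin(), p.payload.end());
    return buf;
}

struct PeerSession { uint8_t key[16]; uint32_t lastSeq; };

// One session key per peer UID (assumed issued over the TCP session to the match server).
class PeerAuth {
public:
    void Register(uint64_t uid, const uint8_t key[16]) {
        PeerSession s; std::memcpy(s.key, key, 16); s.lastSeq = 0; m_sessions[uid] = s;
    }
    // Sender side: tag the packet with the sender's own key.
    TunnelPacket Seal(uint64_t uid, uint32_t seq, const std::vector<uint8_t>& payload) const {
        TunnelPacket p; p.senderUid = uid; p.seq = seq; p.payload = payload; p.tag = 0;
        std::vector<uint8_t> bytes = TaggedBytes(p);
        p.tag = SipHash24(m_sessions.at(uid).key, bytes.data(), bytes.size());
        return p;
    }
    // Receiver side: source IP/port play no role; the key alone decides who the sender is.
    bool Verify(const TunnelPacket& p) {
        std::map<uint64_t, PeerSession>::iterator it = m_sessions.find(p.senderUid);
        if (it == m_sessions.end()) return false;                  // unknown UID
        std::vector<uint8_t> bytes = TaggedBytes(p);
        if (SipHash24(it->second.key, bytes.data(), bytes.size()) != p.tag) return false; // wrong key or tampered
        if (p.seq <= it->second.lastSeq) return false;             // replayed datagram
        it->second.lastSeq = p.seq;
        return true;
    }
private:
    std::map<uint64_t, PeerSession> m_sessions;
};

struct DemoResult { bool legitAccepted, replayRejected, wrongKeyRejected, tamperedRejected; };

// Constructed scenario: peer 42 and the agent share key K; a third party that knows 42's
// UID (and could forge its address) but not K cannot produce an acceptable tag.
DemoResult RunDemo() {
    const uint8_t K[16] = { 0xA5,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF };
    const uint8_t noKey[16] = { 0 };
    PeerAuth agent;  agent.Register(42, K);
    PeerAuth peer42; peer42.Register(42, K);
    PeerAuth other;  other.Register(42, noKey);            // stands in for "does not hold K"
    std::vector<uint8_t> cmd = { 0xE9, 0x03, 0x01 };      // constructed command bytes
    DemoResult r;
    TunnelPacket good = peer42.Seal(42, 1, cmd);
    r.legitAccepted   = agent.Verify(good);
    r.replayRejected  = !agent.Verify(good);
    r.wrongKeyRejected = !agent.Verify(other.Seal(42, 2, cmd));
    TunnelPacket tampered = peer42.Seal(42, 3, cmd);
    tampered.payload[0] ^= 0x01;
    r.tamperedRejected = !agent.Verify(tampered);
    return r;
}

// Published SipHash-2-4 vectors use key 00..0f and message 00..(len-1).
uint64_t ReferenceVector(size_t len) {
    uint8_t key[16]; uint8_t msg[64];
    for (int i = 0; i < 16; ++i) key[i] = (uint8_t)i;
    for (size_t i = 0; i < len && i < 64; ++i) msg[i] = (uint8_t)i;
    return SipHash24(key, msg, len);
}
```

The sequence number is what turns a tag check into replay protection; without it a captured valid datagram could be resent, which matters just as much as forgery for position and hit commands.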
Re: 2 exploit patches related to Agent command.
Quote:
Originally Posted by
Solaire
Since you can't patch a protocol-related exploit in a game, I'm assuming you have implemented a workaround. Which would work until someone reverse engineers it.
As you said "until someone reverse engineers it".