Posted: Fri Feb 20, 2009 10:33 am
Luk4ward, you need new glasses.
Bani's Discussion Forums
https://bani.anime.net/banimod/forums/
https://bani.anime.net/banimod/forums/viewtopic.php?f=13&t=6777
bennz wrote:
> Luk4ward, you need new glasses.

and u need a new brain -.-'
Code:
if cmd == "callvote" or cmd == "ref" or cmd == "sa" or cmd == "semiadmin" then
    local _, counts = string.gsub (args, "%s", "") -- count spaces
    if counts > 1 then
        msg = string.format("cpm \"Remove additional spaces!\n")
        et.trap_SendServerCommand(cno, msg)
        return 1
    end
    if string.find(args,"%\\") or string.find(args,"%;") then
        msg = string.format("cpm \"Invalid string!\n")
        et.trap_SendServerCommand(cno, msg)
        return 1
    end
    return 0
end
bennz wrote:
> Code:
> string.find(args,"%\\")
> Code:
> string.find(args,"%;")
> Typo: The LUA interpreter doesn't complain about this additional ;

yes, it doesn't, but i said the WHOLE bug fix for callvote doesn't work. Second of all, one typo ";" can change the signature of lua, which is necessary to have a valid league cfg. Third of all, we should keep the standard of lua language.
Who knows... !blame
bennz wrote:
> You are writing a lot of posts, but I get this feeling you 1. Don't read the other things carefully or 2. You just don't get it.

I'm writing a lot of posts coz i want to help other ppl, not as u flaming them without reason. And sometimes i can make a mistake. Yes, is it really something new to people? I want to learn man and u are not helping me/others by posting a shit about glasses...
bennz wrote:
> Code:
> string.find(args,"%\\")
> You are looking for the appearance of \, but why? We should take care of \r and \n. Carriage return and newline! They are C-like escape sequences.

coz as i said b4, the bugfix code doesn't work at all. And imo such chars shouldn't be allowed in callvotes (for what?). That's why i want to get rid of all problems (i dnt care if it's \n or \r - yes, i know the meaning of them). But u r not 100% sure that there is no extra bug with \ (like everything in programming)
bennz wrote:
> Code:
> string.find(args,"%;")
> Why should one forbid the use of an ;?
> [btw: actually it should be string.find(args,";").
> %x (where x is any non-alphanumeric character) --- represents the character x. This is the standard way to escape the magic! characters. The ; isn't needed here.]
> This character is exchanged by a malicious client. IT WON'T REACH THE SERVER. On the other hand, assuming a standard client, this is my patented emo quit vote> /callvote mute "Bennz;quit"
> If it passes it will quit MY CLIENT!!! and NOT the server.

yes, u r right. But did u test it? I guess not (same with combinedfixes by reyalp)... I want to forbid them coz....... ET is already doing this! You didn't check it either... Also the char ; is mentioned on aluigi's board as a substitute for \n ... You are not 100% sure either that with a hacked client it will work like u described...
Download: http://acpro.wolfteam.pl//category.php?id=1

Code:
function et_ClientCommand(cno,cmd)
    local msg = ""
    cmd = string.lower(cmd)
    if cmd == "ws" then
        local n = tonumber(et.trap_Argv(1))
        if not n then
            et.G_LogPrint(string.format("wsfix: client %d bad ws not a number [%s]\n",cno,tostring(et.trap_Argv(1))))
            return 1
        end
        if n < 0 or n > 21 then
            et.G_LogPrint(string.format("wsfix: client %d bad ws %d\n",cno,n))
            return 1
        end
        return 0
    end
    if cmd == "callvote" or cmd == "ref" or cmd == "sa" or cmd == "semiadmin" then
        local args=et.ConcatArgs(1)
        -- et.G_LogPrint(string.format("combinedfixes: client %d %s [%s]\n",cno,cmd,args))
        if string.find(args,"%\\") or string.find(args,"%;") then
            et.G_LogPrint(string.format("combinedfixes: client %d bad %s [%s]\n",cno,cmd,args))
            msg = string.format("cpm \"Invalid string!\n")
            et.trap_SendServerCommand(cno, msg)
            return 1
        end
        return 0
    end
    return 0
end

-- prevent various borkage by invalid userinfo
-- version: 4
-- history:
-- 4 - check length and IP
-- 3 - check for name exploit against guidcheck
-- 2 - fix nil var ref if kicked in RunFrame
--     fix incorrect clientNum in log message for ClientConnect kick
-- 1 - initial release

-- names that can be used to exploit some log parsers
-- note: only console log parsers or print hooks should be affected,
-- game log parsers don't see these at the start of a line
-- "^etpro IAC" check is required for guid checking
-- comment/uncomment others as desired, or add your own
-- NOTE: these are patterns for string.find
badnames = {
    -- '^ShutdownGame',
    -- '^ClientBegin',
    -- '^ClientDisconnect',
    -- '^ExitLevel',
    -- '^Timelimit',
    -- '^EndRound',
    '^etpro IAC',
    '\\', -- we should kick such players on connect otherwise they cant be kicked in game due to callvote bugfix
    ';',
    '^^',
    -- '^etpro privmsg',
    -- "say" is relatively likely to have false positives
    -- but can potentially be used to exploit things that use etadmin_mod style !commands
    -- '^say',
    -- '^Callvote',
    -- '^broadcast'
}
bennz wrote:
> I don't think we need a Who-rulez-teh-str33t-contest; as well as you, I'm here to help. I can't help you if you do not listen to me.
> Please tell me, why did you remove the only line of code that saved you from being exploited?
> Code:
> if string.find(args,"%\\") or string.find(args,"%;") then
> It is not necessary to catch that in a 'callvote', but of course you have to check:
> Code:
> if string.find(args,"[\r\n]") then
> Oh lord... otherwise you are going to be fucked :/
> Just leave the combinedfixes code as it is, except the ;
> Code:
> badnames = {
> ...
> '^^',
> ...
> I don't deny ReyalP's guilt, he will blame the booze
> How does it happen that you say the callvote fix is not working & why are you sure I didn't test it?

I removed count spaces because otherwise gamers can't kick/mute a player with spaces in nick. So we should take care of players' names too. The only way is to deny any parameter with \\. I tested Reyalp's code and it doesn't work with \r\n (there is no debug line in log file). And how r u so sure that it's working?
bennz wrote:
> Please note: You may not allow certain names or characters, ok. But if someone joins with the nick "^1Luke", he will get kicked, because he has a caret as first character. If you would like to kick a player with a caret followed by another caret somewhere in his name you may use
> '%^%^',
> Code:
> badnames = { ... '^^', ...
> or set the fourth argument of 'string.find' to true if you don't want to use patterns at all. (http://www.lua.org/manual/5.0/manual.html#5.3 --> A value of true as a fourth, optional argument plain turns off the pattern matching facilities, so the function does a plain "find substring" operation, with no characters in pattern being considered "magic".)
> No offence
> Code:
> ----------------------------------------
> badname '^1Luke' matching pattern '^^'
> badname '^^Luke' matching pattern '^^'
> badname '^^Luke' matching pattern '%^%^'
> badname 'L^^uke' matching pattern '%^%^'
> badname 'Luke^^' matching pattern '%^%^'
> ----------------------------------------

Nope, it will kick only players with ^^ or more carets. I tested it also, and u probably not, as usual? No offence ;p
Luk4ward wrote:
> Third of all we should keep the standard of lua language.
> ...
> I tested it also, and u probably not, as usual?

Mmm kay...
bennz wrote:
> Anyway, here is a sample code to demonstrate the two patterns '^^' and '%^%^'.
> I hope the link works: http://www.file-upload.net/download-149 ... e.lua.html
> The output is>
> Code:
> ----------------------------------------
> badname '^1Luke' matching pattern '^^'
> badname '^^Luke' matching pattern '^^'
> badname '^^Luke' matching pattern '%^%^'
> badname 'L^^uke' matching pattern '%^%^'
> badname 'Luke^^' matching pattern '%^%^'
> ----------------------------------------
> Your intentions are good, but it's the wrong pattern. Same for '$$$', it matches the name 'Luke$$' or 'Luke$$$'. It doesn't match 'Luke$$$asf', BECAUSE: (http://www.lua.org/manual/5.0/manual.html#5.3)
> Patterns
> A pattern is a sequence of pattern items. A `^´ at the beginning of a pattern anchors the match at the beginning of the subject string. A `$´ at the end of a pattern anchors the match at the end of the subject string. At other positions, `^´ and `$´ have no special meaning and represent themselves.

ACpro:
Code:
----------------------------------------
badname '^1Luke' DOES NOT match pattern '^^'
badname '^^Luke' matching pattern '^^'
badname '^^Luke' matching pattern '^^'
badname 'L^^uke' matching pattern '^^'
badname 'Luke^^' matching pattern '^^'
----------------------------------------
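To make the pattern argument above concrete, here is an added Lua example (not code from the thread, and not from combinedfixes or ACpro). It walks a small badnames-style table with string.find exactly as a connect-time check would, and prints which names would be kicked under '^^', under '%^%^', and under a plain (fourth argument true) substring search. The names and the find_badname helper are constructed for the example.

```lua
-- Added example, not code from the thread or from combinedfixes/ACpro.
-- It shows what string.find actually does with the patterns argued about
-- above ('^^' versus '%^%^') and with the "plain" fourth argument.
-- The names and patterns below are constructed test data.

-- Sample names: the first has a single leading caret (an ordinary colour
-- code), the others carry a doubled caret in different positions.
local names = { "^1Luke", "^^Luke", "L^^uke", "Luke^^", "Luke" }

-- Returns the pattern that matched, or nil, mirroring how a badnames table
-- is walked on connect. `plain` is passed through as string.find's fourth
-- argument; true turns off all pattern magic.
local function find_badname(name, patterns, plain)
  for _, pat in ipairs(patterns) do
    if string.find(name, pat, 1, plain) then
      return pat
    end
  end
  return nil
end

-- Three ways to spell "doubled caret":
--  '^^'   : the leading '^' is the start-of-string anchor and the second '^'
--           is literal, so it matches any name that STARTS with a caret,
--           '^1Luke' included
--  '%^%^' : both carets escaped, matches the two characters '^^' anywhere
--  plain  : substring search for '^^' with no magic at all (same result)
local cases = {
  { label = "pattern '^^'",   patterns = { "^^" },   plain = false },
  { label = "pattern '%^%^'", patterns = { "%^%^" }, plain = false },
  { label = "plain '^^'",     patterns = { "^^" },   plain = true  },
}

for _, case in ipairs(cases) do
  print(case.label)
  for _, name in ipairs(names) do
    local hit = find_badname(name, case.patterns, case.plain)
    print(string.format("  %-8s %s", name,
      hit and ("KICK (matched " .. hit .. ")") or "ok"))
  end
end
```

Under 'pattern '^^'' only '^1Luke' and '^^Luke' are kicked (both start with a caret); under '%^%^' and under the plain search '^^Luke', 'L^^uke' and 'Luke^^' are kicked and '^1Luke' is left alone, which is the behaviour a "doubled caret" rule is after.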
You don't read what i'm trying to say... Well... And nothing like that happened, if u want to know. If You try i will report your IP. Your words:

bennz wrote:
> Mmm kay...
> Luk4ward wrote:
> > Third of all we should keep the standard of lua language.
> > ...
> > I tested it also, and u probably not, as usual?
Enough is enough. You don't seem to listen, unconvincable luke. At first i thought you were just kidding... To make this come to an end> Someone joined the server ET.GamesNet.pl OBJ, changed the rconpassword and added the ip ban mask '4.3.2.1'.
(+ 'killserver' to restart the et server with original rconpw, nobody was hurt)
bennz wrote:
> You encourage others to use a version of the fix that doesn't work. I hope you will realize that a mistake was made.

I'm not encouraging anyone. I just fixed the code and shared it with others. But i understand u dnt get it, like the rest of what i said.
Luk4ward wrote:
> I heard that some ET server got hacked because of the vote exploit. So it's working, but with a hacked client. Btw i think i found a little typo in your code Reyalp :

Semicolon is optional in lua. Yes it's a mistake on my part, but it's not incorrect according to The Fine Manual:
> The unit of execution of Lua is called a chunk. A chunk is simply a sequence of statements, which are executed sequentially. Each statement can be optionally followed by a semicolon

As benzz points out, searching for a \ will not correctly find CR or LF chars (which are represented by \r and \n). Actually, I should check for \0A and \0D, but the current code worked correctly in all my tests.
ReyalP wrote:
> Semicolon is optional in lua. Yes it's a mistake on my part, but it's not incorrect according to The Fine Manual:
> > The unit of execution of Lua is called a chunk. A chunk is simply a sequence of statements, which are executed sequentially. Each statement can be optionally followed by a semicolon

yea, ok

ReyalP wrote:
> As benzz points out, searching for a \ will not correctly find CR or LF chars (which are represented by \r and \n). Actually, I should check for \0A and \0D, but the current code worked correctly in all my tests.

Why is it incorrect?
ReyalP wrote:
> If you can actually trigger the exploit with the current code (edit my current code, yours is horribly broken) in place, please send me your test case.
> AFAIK, you cannot send a CR or LF char in a command without a hacked client. Sending a \r or \n sequence will not trigger the exploit.
> I would strongly suggest that you make sure you have a firm understanding of the problem before posting "fixes" in this thread.

Yes, i tested the exploit on a test server with a hacked client, but got kicked by the ET engine. Can I somehow test my and your code to be sure what's going on? I was just making tests with a normal client with /n and /r or any / command and only my modified code worked. I really understand the problem and the C code from aluigi's board.
Code:
local stripped_name = trim ( uncol ( name ) )
if string.find (name,"%^^") or etadmin_name_exploit == "^" then
string.gsub(string.gsub(arg, "%^[^%^]", ""), "%^", "") -- function uncol
local mstart,mend,cno = string.find(stripped_name,string.lower(badnamepat))
Code:
so theoretically if a client sends the command ' callvote map "mp_leo;quit" ' and the vote passes, quit will be executed after "map mp_leo".
to prevent this Cmd_CallVote_f does the following check:
    if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
        trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
        return;
    }
but ofc this isn't enough, since the other separators ('\r' and '\n') can also be sent in client commands.
sending such a callvote command from a game client isn't possible without a dll injection/hook/debugger afaik.
Code:
-- "%c" yields the character with that code, so this searches for the real LF byte (0x0A);
-- the posted "%x" with 010 would have produced the hex text "a" and searched for the letter a instead
if string.find(args, string.format("%c", 10)) then -- new line
-- or both decimal (MUST have exactly 3 digits)
if string.find(args, "[\013\010]") then
Luk4ward wrote:
> Why is it incorrect?

Because the exploit doesn't involve the characters '\' and 'n'. I suggest you learn the difference between an escape sequence and the value it represents.

Luk4ward wrote:
> I was just making tests with a normal client with /n and /r or any / command and only my modified code worked.

But your code checks for the wrong thing.

Luk4ward wrote:
> I really understand the problem and the C code from aluigi's board.

This is demonstrably untrue.
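The escape-sequence point ReyalP makes is easy to verify in Lua. The following is an added example (not code from the thread, combinedfixes or ACpro): it feeds constructed callvote arguments through the "%\\" check used in the posted code and through a check for the actual separator bytes, and hex-dumps each input so the reader can see which bytes are really there. The sample strings and the two helper functions are constructed for this example.

```lua
-- Added example, not code from the thread or from combinedfixes/ACpro.
-- It compares the two callvote argument checks discussed in this thread.
-- The dangerous inputs contain a real CR or LF byte (0x0D / 0x0A); the
-- two-character text "\n" (backslash, n) is harmless, and ';' is already
-- rejected by Cmd_CallVote_f. All sample arguments are constructed.

local samples = {
  { label = "normal map vote",          args = "mp_leo" },
  { label = "semicolon separator",      args = "mp_leo;quit" },
  { label = "real LF byte (0x0A)",      args = "mp_leo\nquit" },
  { label = "real CR byte (0x0D)",      args = "mp_leo\rquit" },
  { label = "literal backslash-n text", args = "mp_leo\\nquit" },
}

-- The pattern from the posted code: "%\\" is an escaped backslash, so it
-- matches only a literal '\' character and never a newline byte.
local function backslash_check(args)
  return string.find(args, "%\\") ~= nil
end

-- A check for the real separator bytes. "\013" and "\010" are Lua decimal
-- escapes for CR and LF, the same bytes as "\r" and "\n"; ';' is included
-- so the Lua layer agrees with the engine's own check.
local function separator_check(args)
  return string.find(args, "[\013\010;]") ~= nil
end

-- Hex dump of a string, so the bytes behind each sample are visible.
local function hex(s)
  return (string.gsub(s, ".", function(c)
    return string.format("%02x ", string.byte(c))
  end))
end

print(string.format("%-26s %-14s %-14s %s",
  "case", "backslash?", "separator?", "bytes"))
for _, s in ipairs(samples) do
  print(string.format("%-26s %-14s %-14s %s",
    s.label,
    tostring(backslash_check(s.args)),
    tostring(separator_check(s.args)),
    hex(s.args)))
end
```

Only the last sample, the one that literally contains a backslash, is flagged by backslash_check; the real LF and CR inputs pass it untouched, while separator_check flags exactly the semicolon, LF and CR cases and leaves the plain vote and the backslash-n text alone.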