server nuker

Discussion for any ET/ETPro/BayonET bugs or cheats you find...

Moderators: Forum moderators, developers

ouroboro
Posts: 662
Joined: Mon Jul 26, 2004 6:52 pm

server nuker

Post by ouroboro »

found a guy crashing a server at will today. i hadn't heard of anyone doing this recently in ET, but i know it's been a really bad problem in rtcw. perhaps the method has bled over into et now? anyway here are the details i managed to grab:

etpro version: 3.1.9
server ip: 82.165.255.44:27961
ASE format: ^3Crazyy-88 ^4ETPro|48ms|82.165.255.44:27961
crasher's alias: ^0X^.-^2AsSaSsIn^.-^0X
crasher's guid (not that it's worth a wet fart): 6bc0a93a

he was bragging about his leet h4x0r skillz, gave a countdown and crashed it on cue. repeated it a few times to prove it was no fluke. i played his little game a while and mentioned the old vsay overflow, he said it was nothing like that, but more sophisticated. also, his snaps and cl_maxpackets were specifically set to 40 and 76 respectively, which would indicate he's a relatively serious/regular player.

demo: http://nunya.000k2.com/asdf/et_crasher_ ... in-x.dm_83

if anybody knows who this assclown is, do the right thing and rat him out so he can be eliminated from the e-genepool

update: http://www.teamwarfare.com/viewplayer.a ... SaSsIn%2DX - no way of proving it's the same person, but it's an exact name match. ili__xtreme_ili_1 at yahoo dot com

and according to splatterladder.com he only lurks on that server and one other (under that alias)

more: http://www.migamer.com/modules.php?name ... file&u=417 - since he lists "his" website as insecure.org, i have to believe this is the same elite genius as well - x7r3m30n3 at hotmail dot com

also: http://www.migamer.com/modules.php?name ... highlight=

"X-AsSaSsIn-X Config aka Vanity aka Spaz ;-)"

aim screenname: x7r3m30n3
and another possible YIM: ill3g4l_3rr0r_x7r3m3_0n3

and finally: Location: Connecticut, USA

oh more: Im spaz The Wolf aka vanity aka X-AsSaSsIn-X

and a URL: http://www.geocities.com/acidx_mousepad/assassincfg.zip

and his desktops, revealing some of his interests: http://www.geocities.com/Acidx_mousepad/Desktops.html

obviously this could all mean somebody downloaded this guy's config and the real assassin is in fact innocent. but again, the affinity for security websites would suggest otherwise. meh, i'm trying...
Last edited by ouroboro on Mon Feb 14, 2005 9:45 am, edited 7 times in total.
Please direct all gameplay-changing feature requests here.
WiLZy
Posts: 29
Joined: Mon Sep 15, 2003 4:29 am
Location: My PC

Post by WiLZy »

Without console logs I think that would be impossible to know it.
Best Regards
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

Just a couple days ago there was a post on bugtraq with an exploit which crashes almost all q3 engine games remotely, FWIW. I'm not sure about the politics of posting it here directly, but it is easy enough to find.

Expect more of this :cry:

The person who posted the exploit also posted a program that claims to patch the executable. Looking at the source, it appears to be genuine, but I'm not sure if it would upset etpro's own in-memory patching or anti-cheat. From the way the exploit works, it seems that you might also be able to block with a firewall.

If you want to track the guy down, you have to get the server logs. From there, you can get the IP. Once you have the IP, league admins can check their records (both matches and web site access to see if it is any of their users). Even if the person has a dynamic IP, they may be identifiable. The pb and etpro GUIDs can also help. (pb guids can be changed, but you cannot easily pick an arbitrary one, so if you DO find that GUID on a different server log, you can be pretty certain it was same guy. etpro guids are harder to change, but may not be unique.)
send lawyers, guns and money
zinx
Posts: 267
Joined: Fri Jan 16, 2004 12:37 pm
Location: US

Post by zinx »

There's a post on bugtraq about this -
http://www.securityfocus.com/archive/1/390286
There's apparently a "fixer" which modifies your binaries to avoid the attack somewhat, though I don't know if it works with ET. Be sure to not use it on the client you play with, because it will set off anticheat. It should be fine on the server.
Zinx Verituse http://zinx.xmms.org/
bani
Site Admin
Posts: 2780
Joined: Sun Jul 21, 2002 3:58 am

Post by bani »

if the patcher doesnt work, i think we could possibly release an ettv with the fix.
uber-noob
Posts: 285
Joined: Sat Dec 20, 2003 2:02 pm
Location: Germany

Post by uber-noob »

bani wrote:if the patcher doesnt work, i think we could possibly release an ettv with the fix.
But that won't help much with running normal servers, or am I wrong there?
It's a real shame that ET won't get the needed update, there are still too many bugs in the engine...
bani
Site Admin
Posts: 2780
Joined: Sun Jul 21, 2002 3:58 am

Post by bani »

you can use the ettv server binary to run a normal dedicated server.
uber-noob
Posts: 285
Joined: Sat Dec 20, 2003 2:02 pm
Location: Germany

Post by uber-noob »

bani wrote:you can use the ettv server binary to run a normal dedicated server.
Oh, that's very nice. So I'll need to have a nice talk to our gameserver provider once a fixed ettv binary is out :).
DG
Posts: 513
Joined: Thu Jul 24, 2003 4:16 am

Post by DG »

On the upside you can really anal people you catch crashing servers, unless they're in some country whose laws have discovered the internet.
RoadKillPuppy
Posts: 207
Joined: Thu Apr 08, 2004 9:21 am
Location: Belgium!

Post by RoadKillPuppy »

According to the test tool, the patch works...
linux server (patched file: etded.x86)
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

It worked for me on a win32 server as well.
send lawyers, guns and money
PincheGab
Posts: 64
Joined: Fri Sep 03, 2004 12:26 pm

Post by PincheGab »

Hm... Can you post a compiled linux patcher somewhere? Or (assuming it's not illegal) a patched etded.x86? I'm saying because I'm linux impaired right now, and have not been able to compile the patcher .C file.
Mark
Posts: 411
Joined: Thu Jan 01, 2004 6:10 am
Location: #vpclan@qnet

Post by Mark »

Thx for the hint.

Greets
Mark
Get owned at: Gaming@d1p.de (217.172.182.126:27960)
Hi! I'm a .signature *virus*! Copy me into your ~/.signature to help me spread!
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

The following iptables u32 pattern seems to prevent the exploit. u32 is an optional extension, requiring both a kernel and iptables patch, which you can get using patchomatic from http://www.netfilter.org/

Code:

"0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF && 0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF && 0>>22&0x3C@12&0xFFFFFFFF=0x67657469 && 0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20"
Description:
# skip IP header, to 3rd byte of UDP header (4 bytes including dest port and size), mask off dest port, check for length 740 (0x2e4) and up
# 0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF
#
# first 4 bytes of UDP payload match 0xffffffff and next 8 match "geti" "nfo " 0x67657469 0x6e666f20
#0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF && 0>>22&0x3C@12&0xFFFFFFFF=0x67657469 && 0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20

To use this in a firewall chain, you will want something like
iptables -A <mychain> -p udp -d <myserver> --dport <myserverport> -m u32 --u32 <pattern listed above> -j DROP

This should work for any q3 engine game (but according to the original advisory, you may have to tweak the size).

It might be confused by fragmented packets. I'd say that any fragmented packets that small are suspect.

You should be able to implement similar things in other decent firewalls. The important parts are UDP packet size, and the following 12 bytes.

edit:
PincheGab wrote:Hm... Can you post a compiled linux patcher somewhere? Or (assuming it's not illegal) a patched etded.x86? I'm saying because I'm linux impaired right now, and have not been able to compile the patcher .C file.
gcc q3infofix_linux.c -o q3infofix
did the trick for me. Then just run ./q3infofix /path/to/etded.x86
send lawyers, guns and money
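The u32 pattern in the post above, re-expressed as a packet check so each offset can be followed by hand. This is an added example, not part of the original post or of any tool mentioned in the thread; the function names and the sample packets (documentation addresses, source port 40000, zero checksums) are constructed for illustration.

```python
import struct

GETINFO = b"\xff\xff\xff\xffgetinfo "  # the 12 payload bytes the rule compares
MIN_UDP_LEN = 0x2E4                     # 740, lower bound of the length range

def is_fragment(pkt: bytes) -> bool:
    """True if MF is set or the fragment offset is non-zero."""
    return bool(struct.unpack_from("!H", pkt, 6)[0] & 0x3FFF)

def rule_matches(pkt: bytes, min_udp_len: int = MIN_UDP_LEN) -> bool:
    """Mirror '-p udp' plus the four u32 tests for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return False
    # "0>>22&0x3C": first 32-bit word, shifted and masked, gives IHL*4
    ihl = (struct.unpack_from("!I", pkt, 0)[0] >> 22) & 0x3C
    if len(pkt) < ihl + 20:  # UDP header (8) + 12 payload bytes must exist
        return False
    # "@2&0xFFFF": word at UDP offset 2 is dest port + length; keep length
    udp_len = struct.unpack_from("!I", pkt, ihl + 2)[0] & 0xFFFF
    if udp_len < min_udp_len:
        return False
    # "@8", "@12", "@16": the first three words of the UDP payload
    return pkt[ihl + 8:ihl + 20] == GETINFO

def build_packet(payload: bytes, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4/UDP sample (documentation addresses, zero checksums)."""
    ihl_words = 5 + len(ip_options) // 4
    udp = struct.pack("!HHHH", 40000, 27960, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + ip_options + udp

def demo() -> dict:
    pad = b"A" * (MIN_UDP_LEN - 8 - len(GETINFO))  # fills UDP length to 740
    return {
        "normal_query": rule_matches(build_packet(GETINFO + b"xyz")),
        "at_threshold": rule_matches(build_packet(GETINFO + pad)),
        "one_byte_short": rule_matches(build_packet(GETINFO + pad[:-1])),
        "with_ip_options": rule_matches(build_packet(GETINFO + pad, b"\x01" * 4)),
        "other_command": rule_matches(build_packet(b"\xff\xff\xff\xffgetstatus  " + pad)),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:16} {'DROP' if hit else 'pass'}")
```

The `with_ip_options` case shows why the pattern computes the IP header length instead of assuming 20 bytes, and `is_fragment` can be used to flag the fragmented packets the post says the rule may mishandle.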
Mark
Posts: 411
Joined: Thu Jan 01, 2004 6:10 am
Location: #vpclan@qnet

Post by Mark »

yea, was pretty easy.

This should be posted on the big ET sites, so that people start patching their servers.

Someone with an evil mind already crashed "all" EF Servers yesterday evening, so ET maybe next... (Should be pretty easy, so better be prepared).

Greets
Mark
Get owned at: Gaming@d1p.de (217.172.182.126:27960)
Hi! I'm a .signature *virus*! Copy me into your ~/.signature to help me spread!