server nuker
found a guy crashing a server at will today. i hadn't heard of anyone doing this recently in ET, but i know it's been a really bad problem in rtcw. perhaps the method has bled over into et now? anyway here are the details i managed to grab:
etpro version: 3.1.9
server ip: 82.165.255.44:27961
ASE format: ^3Crazyy-88 ^4ETPro|48ms|82.165.255.44:27961
crasher's alias: ^0X^.-^2AsSaSsIn^.-^0X
crasher's guid (not that it's worth a wet fart): 6bc0a93a
he was bragging about his leet h4x0r skillz, gave a countdown and crashed it on cue. repeated it a few times to prove it was no fluke. i played his little game a while and mentioned the old vsay overflow, he said it was nothing like that, but more sophisticated. also, his snaps and cl_maxpackets were specifically set to 40 and 76 respectively, which would indicate he's a relatively serious/regular player.
demo: http://nunya.000k2.com/asdf/et_crasher_ ... in-x.dm_83
if anybody knows who this assclown is, do the right thing and rat him out so he can be eliminated from the e-genepool
update: http://www.teamwarfare.com/viewplayer.a ... SaSsIn%2DX - no way of proving it's the same person, but it's an exact name match. ili__xtreme_ili_1 at yahoo dot com
and according to splatterladder.com he only lurks on that server and one other (under that alias)
more: http://www.migamer.com/modules.php?name ... file&u=417 - since he lists "his" website as insecure.org, i have to believe this is the same elite genius as well - x7r3m30n3 at hotmail dot com
also: http://www.migamer.com/modules.php?name ... highlight=
"X-AsSaSsIn-X Config aka Vanity aka Spaz "
aim screenname: x7r3m30n3
and another possible YIM: ill3g4l_3rr0r_x7r3m3_0n3
and finally: Location: Connecticut, USA
oh more: Im spaz The Wolf aka vanity aka X-AsSaSsIn-X
and a URL: http://www.geocities.com/acidx_mousepad/assassincfg.zip
and his desktops, revealing some of his interests: http://www.geocities.com/Acidx_mousepad/Desktops.html
obviously this could all mean somebody downloaded this guy's config and the real assassin is in fact innocent. but again, the affinity for security websites would suggest otherwise. meh, i'm trying...
Last edited by ouroboro on Mon Feb 14, 2005 9:45 am, edited 7 times in total.
Please direct all gameplay-changing feature requests here.
Just a couple days ago there was a post on bugtraq with an exploit which crashes almost all q3 engine games remotely, FWIW. I'm not sure about the politics of posting it here directly, but it is easy enough to find.
Expect more of this
The person who posted the exploit also posted a program that claims to patch the executable. Looking at the source, it appears to be genuine, but I'm not sure if it would upset etpro's own in-memory patching or anti-cheat. From the way the exploit works, it seems that you might also be able to block it with a firewall.
If you want to track the guy down, you have to get the server logs. From there, you can get the IP. Once you have the IP, league admins can check their records (both matches and web site access) to see if it is any of their users. Even if the person has a dynamic IP, they may be identifiable. The pb and etpro GUIDs can also help. (pb guids can be changed, but you cannot easily pick an arbitrary one, so if you DO find that GUID on a different server log, you can be pretty certain it was the same guy. etpro guids are harder to change, but may not be unique.)
send lawyers, guns and money
There's a post on bugtraq about this -
http://www.securityfocus.com/archive/1/390286
There's apparently a "fixer" which modifies your binaries to avoid the attack somewhat, though I don't know if it works with ET. Be sure not to use it on the client you play with, because it will set off anticheat. It should be fine on the server.
Zinx Verituse http://zinx.xmms.org/
RoadKillPuppy
Thx for the hint.
Greets
Mark
Get owned at: Gaming@d1p.de (217.172.182.126:27960)
Hi! I'm a .signature *virus*! Copy me into your ~/.signature to help me spread!
The following iptables u32 pattern seems to prevent the exploit. u32 is an optional extension, requiring both a kernel and iptables patch, which you can get using patchomatic from http://www.netfilter.org/
Description:
    # skip IP header, to 3rd byte of UDP header (4 bytes including dest port and size), mask off dest port, check for length 740 (0x2e4) and up
    # 0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF
    #
    # first 4 bytes of UDP payload match 0xffffffff and next 8 match "geti" "nfo " 0x67657469 0x6e666f20
    # 0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF && 0>>22&0x3C@12&0xFFFFFFFF=0x67657469 && 0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20
Code:
    "0>>22&0x3C@2&0xFFFF=0x2E4:0xFFFF && 0>>22&0x3C@8&0xFFFFFFFF=0xFFFFFFFF && 0>>22&0x3C@12&0xFFFFFFFF=0x67657469 && 0>>22&0x3C@16&0xFFFFFFFF=0x6e666f20"
To use this in a firewall chain, you will want something like
    iptables -A <mychain> -p udp -d <myserver> --dport <myserverport> -m u32 --u32 <pattern listed above> -j DROP
This should work for any q3 engine game (but according to the original advisory, you may have to tweak the size).
It might be confused by fragmented packets. I'd say that any fragmented packets that small are suspect.
You should be able to implement similar things in other decent firewalls. The important parts are UDP packet size, and the following 12 bytes.
edit:
PincheGab wrote: Hm... Can you post a compiled linux patcher somewhere? Or (assuming it's not illegal) a patched etded.x86? I'm saying because I'm linux impaired right now, and have not been able to compile the patcher .C file.
    gcc q3infofix_linux.c -o q3infofix
did the trick for me. Then just run ./q3infofix /path/to/etded.x86
send lawyers, guns and money
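To make the u32 rule above easier to verify before dropping it into a chain, here is an added example (not code from the thread, from bani, or from the etpro project) in Python that decodes an IPv4/UDP packet the same way the u32 expression does: `0>>22&0x3C` is the IP header length, `@2&0xFFFF` reads dest port plus length and keeps only the length, and `@8`, `@12`, `@16` are the first 12 payload bytes. It also treats fragmented datagrams separately, since the thread notes the rule cannot see those. The packet builder, addresses, ports and sample payloads are constructed for offline testing only; the values 0x2E4 and the 0xffffffff + "getinfo " prefix are the ones from the rule.

```python
import struct

# Values taken from the u32 rule in the thread: UDP length field >= 740 (0x2E4)
# and a payload starting with 0xffffffff followed by "geti" "nfo " (getinfo ).
MIN_UDP_LEN = 0x2E4
GETINFO_PREFIX = b"\xff\xff\xff\xff" + b"getinfo "


def parse_ipv4_udp(packet):
    """Decode an IPv4/UDP packet the way the u32 rule walks it.

    Returns a dict with sport, dport, udp_len, payload and fragmented, or
    None when the bytes are not IPv4/UDP or too short to hold a UDP header.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # u32 "0>>22&0x3C": IP header length
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return None
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    fragmented = bool(flags_frag & 0x2000) or bool(flags_frag & 0x1FFF)
    # u32 "@2&0xFFFF": the 4 bytes at UDP offset 2 are dport + length;
    # masking with 0xFFFF keeps only the length field.
    sport, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    return {
        "sport": sport, "dport": dport, "udp_len": udp_len,
        "fragmented": fragmented,
        "payload": packet[ihl + 8:ihl + udp_len],
    }


def classify(packet):
    """'drop' when the u32 rule would match, 'fragment' when the datagram is
    fragmented (the rule cannot inspect it; the thread calls such packets
    suspect), 'pass' otherwise."""
    p = parse_ipv4_udp(packet)
    if p is None:
        return "pass"          # not IPv4/UDP: outside the rule's scope
    if p["fragmented"]:
        return "fragment"
    # u32 "@8", "@12", "@16": first 12 payload bytes, plus the length test
    if p["udp_len"] >= MIN_UDP_LEN and p["payload"][:12] == GETINFO_PREFIX:
        return "drop"
    return "pass"


def build_ipv4_udp(payload, sport=27960, dport=27960, flags_frag=0):
    """Constructed IPv4/UDP frame for offline tests (zero checksums, never sent).
    Addresses 10.0.0.1 -> 10.0.0.2 are placeholders."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234,
                         flags_frag, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


# Constructed samples: a normal-sized getinfo query, an oversized getinfo the
# rule is meant to catch, an oversized packet for a different command (must
# pass), and a fragment carrying the same oversized getinfo.
SAMPLES = {
    "normal_getinfo": build_ipv4_udp(GETINFO_PREFIX + b"xxx"),
    "oversized_getinfo": build_ipv4_udp(GETINFO_PREFIX + b"A" * 800),
    "oversized_other": build_ipv4_udp(b"\xff\xff\xff\xffgetstatus " + b"A" * 800),
    "fragment": build_ipv4_udp(GETINFO_PREFIX + b"A" * 800, flags_frag=0x2000),
}


def classify_samples():
    """Run the rule over every constructed sample; returns {name: verdict}."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```

Only the oversized getinfo sample comes back as "drop"; the oversized getstatus passes, which is the point of matching the 12-byte prefix rather than size alone, and the fragment is reported separately so an admin can decide whether to drop small UDP fragments wholesale, as bani suggests.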
yea, was pretty easy.
This should be posted on the big ET sites, so that people start patching their servers.
Someone with a evil mind already crashed "all" EF Servers yesterday evening, so ET maybe next... (Should be pretty easy, so better be prepared).
Greets
Mark
Get owned at: Gaming@d1p.de (217.172.182.126:27960)
Hi! I'm a .signature *virus*! Copy me into your ~/.signature to help me spread!