Luigi Auriemma

Hey today were a guy with the name eVc on my Clan base server (Jedi Knight 3) and hacked the rcon password. I ask him how he do that and he says me that he has modifid his dll and other files and the dll files of the server, so he can download the server config and all other files. He means that works on all servers and he can hack the rcon password of servers with ja+ mod with only one script. He told me something about the Pandora Project. He say only 4 Players know these bugs there names are Toast, Deathspike, BobaFett and eVc. They all programed some hacks for this game. He says that he can download my cfg too. So my question is can any one tell me how to do this?

for JA or JA+ specific bugs I think that evan knows better, so I bet he will have more ideas.

anyway exist at least 2 known vulnerabilities in the quake 3 engine (so problems which go to add the the possible bugs of JA and possibly to the JA+ mod) that give a certain level of access to the server and are the directory traversal which allows to download any file (included server.cfg) if the server has the downloads enabled.
the other is that one which allows to execute commands on the server through the callvote.

if you have the downloads enabled it's at 99% the first one.
other informations about your configurations (version of JA, version of JA+, if downloads are enabled and so on) could be useful.

Okay the server have cl_download 0. The guy say that this work on all games based on the quake 3 engine and the server dont must have cl_download 1 to download the config and any other file. My Jka version is 1.01 the server runs on this version too. My Ja+ version is 1.43 beta the server is a base server so it dont have any mods install. Oh he say that he can crash the processor of the server there the jka server run.

the cvar you must check is sv_allowdownload

No sv_allowdownload is not enabled

anyway there are a lot of inaccuracies in what you say like the fact that "he modifies the dll of his client" and "his server" (eh?!?), the fact that you talk about downloading the files and then about "hack the rcon password" which are 2 things that can be the same or just the opposite thing (the first is a method, the second an effect which can be caused even by the callvote bug and others), the fact that you don't know even the cvar which enables the downloads and so on... so for the moment there is nothing to do.

That guy was a faker. I'm the real eVc and i retired from playing JK/Jka many months ago.

Edit: just read what you actually posted i can just say its lies. Why would he modify your server files just to download the server config? He would need access to the server via some exploit to alter the file, but why? if he has access/privs to change some files.. then he could directly pipe the config into some buffer or download the file directly. I think its some lamer who got lucky getting the rconpassword and is pretending to be people, imagining exploits to portray himself as elite.

My 2c..

uh, can this be a note for everyone who speaks of JK3/JK2 or any other game... PLEASE STATE THE VERSION...
i believe u are referring to jk3 1.01 because u have said something about "JA+ Mod", so i'm just going to go with that.

how can he be editing your server's .dll's, that is actually illegal hacking and u should investigate on that if it is true.
it sounds like some1 is using dirtrav on u if u have sv_allowdownloads on 1...
or if u have voting off, u should turn that off too
i spoke with BobaFett he said he didn't know what "pandora project" was...
i was going to speak with deathspike but he wasn't available at the time...
eVc i'm always trying to find the real one because people keep faking him or giving me false information to contact him
and who the eff is toasty?

but yeah this guy was just bluffing, he has probably just guessed ur password, actually downloaded the password, used callvote exploit or has asked 1 of the people of ur server who has rcon for it (or it is 1 of the people on ur server who has rcon)...

oh but are u really the evc? :P

Yea :), Deathspike can confirm it, as he was the one who brought this topic to my attention.

oh really? lol.
i told bobafett about this post, then he said he would ask deathspike because he has more contact with eVc (you) incase you knew anything about it...
so after like a year and a half searching for the actual person, u end up on a forum... heh :P
can i get ur contact info for like future reasons? email/msn/aim/xfire ? :p

okay really now, i was the admin of this server and there was no sv_allowdownload 1 and there was no callvote before hacking:
983:37 sayteam: ^3eVc: dont kick everyone we just want ban westbam
983:37 sayteam: ^1a^7X^1iom^7'^1s^7}{^1e^7V^1il jim: nice ;-P
983:45 sayteam: ^1a^7X^1iom^7'^1s^7}{^1e^7V^1il jim: ok thats rly good
983:47 sayteam: ^3Bobafett: NEW RCON?
983:49 sayteam: ^3eVc: coz he flame me in mpc
sayteam: ^1a^7X^1iom^7'^1s^7}{^1e^7V^1il jim: wie ist rcon? xD
983:09 sayteam: ^3Bobafett: Cor114577895512
say: ^3Bobafett: we are the anti westbam clan
^3DeathSpike: hahhaa
[QMM] NoCrash: Userid 9 has attempted to execute a command
^3Bobafett: cu
980:09 ClientBegin: 3
980:13 say: ^3eVc: k finaly westbam is banned
980:21 say: ^3Bobafett: jo
980:22 say: ^3eVc: now elts go ban him for other servers
say: ^3eVc: u know pp for powerplay?
989:18 say: ^3eVc: pw
989:23 say: ^1a^7X^1iom^7'^1s^7}{^1e^7V^1il jim: intern or blue >.<
eVc: jim do u have any cool server for hack where we can ban westbam?
987:05 sayteam: ^3eVc: XD
987:34 say: ^1a^7X^1iom^7'^1s^7}{^1e^7V^1il jim: hmm slaystation? bimonswarzone?
987:41 say: ^3Bobafett: bimons not working
987:42 say: ^3eVc: new pw for slaystation?
987:42 say: ^3Bobafett: i think
987:55 say: ^1a^7X^1iom^7'^1s^7}{^1e^7V^1il jim: uff dunno... 1337? leet?
987:58 say: ^3Bobafett: no
988:03 say: ^3Bobafett: ask duri whatever

i dont believe you guy's because they hacked known servers like axiom and powerplay etc, and they changed my rcon again! now i have password changed etc.

He could intercept packets xD

My friend knows how to intercept packets. I don't know how he did. oO

That confirms it's not me, the F isnt capitalized, and the colors are wrong :P

Well this is over 15 letters and numbers, big and small - i thought that rcon bruteing is not possible over 15 letters, and it will takes day's, with or without -d 100, to brute this. and the second hacked rconpassword was over 17 letters....

But i think now it was Callvote hacking, become rcon by calling a vote, i dont know how they've done this, but all other servers said that g_allowvote must be 0.
Now i changed allowVote to 0, and theres no hacking since i changed it...

But i dont want to keep that..... I search on a Solution for this callvote hack, i dont know how, so Peoples can you maybe help me...? Maybe Cvar hack playes a role on it.

any solutions?

The only way to fix the callvote exploit is to either disable voting, or get the mod you're running to fix it.

As far as i'm aware, JA+ will have a new release soon with this exploit fixed, same for MB2, i'm not aware of the status for other mods though.

I have just released a beta fix for the Windows versions of the vulnerable games:
post5476.html#p5476

Seems like some people are going around using the callvote exploit to enable SV_ALLOWDOWNLOAD on servers and downloading the configs.

I suppose thats 1 downside of releasing the exploit :/

By the way, I'm guessing this reference to the Pandora Project came from the ESL Forums? I'm guessing your the same guy who made the post there?

http://www.esl.eu/eu/jkja/forum/388/393 ... 1234156625

Also, you should release a completely patched up version of the dedicated server for people to download (linux/win). Including all the patch fixes from the past.

uhmmm I hope you are not referring to me or you meant something else.

if there is something that you don't like feel free to pass your next years learning assembly, debugging and some other technical things and creating patches and work-arounds in your free time for games that you even don't know or have played before.
when you will have done this, release everything for free and open source for people that you don't know.
if this is still not enough make also a patch for any old and new version of a game and for any other game built on the same engine affected by a vulnerability.
oh naturally your patch must work on both the windows version of a game server and on the linux one, maybe bsd and macosx too where available.

when you will have done this you can return in this forum (hoping the world is not finished in the meantime) and you can have a little chance that I will "consider" a similar affirmation.

Maybe the just used another bug since there are still other vulnerabilites in those games....

hm... an ESL Topic posts a callvote bug Fix, but theres a slight damage different, said the poster... i'll test it, theres also a msgboom and forcestringfix in it.

http://esl-fr.verygames.net/jampgamei386.zip

Oh wow; relax. I was only suggesting not forcing you to release one. I figured it would be "nice" (not necessary to do) to release a patched up version (I guess I was only thinking of JKA, since its the game I play(ed). Just run the lpatch of yours on the files, for all the different exploits and make a nice "patched up" package.

But its okay; was just a suggestion though :P Maybe I'll just run your patcher for the JKA dedicated servers and make a release.

FAIL !! There's no illegal hacking !!!! xD Me likes this type of beaches how fck up the whole server system <3 I've been watching my frined how he hack JA+ server. I said him 1 random server (just only me and him inside) and he just need few minutes and BANG!! - I receive full force LOL !

do that again and select a server with sv_allowdownload 0 and g_allowvote 0.
Let's see if he is still able to hack it^^

hah do u think I'm so stupid - I was sure there's no allowdownload or callvote on . Aways there's a way to bypass someting

Is your server patched against the buffer overflow crash? because you can run machine code on the server through that bug.
or it may just happen that you are dealing with a level 3 wizzard :O

there is no knowed way to hack a server without sv_allowdownload 1, or g_allowvote 1, or bruteing........

Well, now we have updatet our Writeconfig Script, and we saw that a possibly might exist, to write Files in a other folder.. if that would be possible, we Can Overwrite The Shadow and Passwd Files in the ../../../../etc folder, which are responsible for the FTP Login etc.. But we didn't find a Command yet. We Tried to write like that:
rcon path (for example)
/home/Username/.duel/base
Then:
rcon writeconfig ../../home/Username/.duel/test.cfg
But it gives an Error:



anyone has an Idea?

Best Regards
Eragon