Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 11:29

All times are UTC [ DST ]
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 16 posts ] 
 Post subject: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 31 Jul 2010 14:44 

Joined: 11 Mar 2009 15:46
Posts: 20
DOWNLOAD ->jk3saybof.c<- HERE
or view source on this pastebin: http://pastebin.com/m6d43f37c

This program makes a script that can be executed
from the client game console that will give the server
a too big string through the /say command and the stack buffer
overflows, and the return address is overwritten to point at an instruction
that jumps to the start of the local buffer we just overflowed,
which has been filled with user specified shellcode in raw binary format.

Check http://aluigi.org/adv/jamsgbof-adv.txt for info about this vulnerability

If the words above made little sense to you I advise you not to try this.

For the average joe server admin: This exploit can, and most likely will, grant evil-doers control over the computer that the jk3 server runs on, be warned. Luckily it won't work if it's patched against the /say aaaaaaaaaaaaaaa crash


Last edited by droLremaL on 20 Aug 2010 15:37, edited 1 time in total.

 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 31 Jul 2010 16:54 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
1) wasn't it simpler to use the direct link to the code?
http://lamerlord.lamer.la/files/jk3saybof.c

2) on the original website there is also a pre-compiled version:
http://lamerlord.lamer.la/files/jk3saybof.exe

3) why post it now considering that it's stuff already known and years old?


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 31 Jul 2010 18:06 

Joined: 11 Mar 2009 15:46
Posts: 20
I posted it now because it could make jk3 1.00 a bit more interesting. Create more hate in the game. Everybody gets all worked up because this clan snuffed out that clan's server, and in the end there will be passionate warfare :)

People will die


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 14 Aug 2010 21:07 

Joined: 07 Aug 2008 06:01
Posts: 45
------


Last edited by Kane491 on 30 Aug 2010 05:17, edited 1 time in total.

 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 15 Aug 2010 17:42 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
I don't get it, what's the point of the file when Luigi already has the same thing?


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 15 Aug 2010 18:48 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Stop trolling here, people, this forum is not for that. If you have nothing to say, just stay quiet. I also agree with Evan, why post things if Luigi has it already.


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 18 Aug 2010 21:56 

Joined: 11 Mar 2009 15:46
Posts: 20
Because this one writes a cfg file that will execute shellcode as opposed to just crashing it, and I've only seen the /say aaaaaaaaaaaaaaaaaa PoC on Luigi's site, maybe I've overlooked something


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 19 Aug 2010 22:42 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
/rcon-on-quake3-and-remote-shell-execution-not-proven-yet-t1449.html

Isn't this the same?


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 20 Aug 2010 15:34 

Joined: 11 Mar 2009 15:46
Posts: 20
No, this one overwrites ret to point to a "jmp %ecx" instruction in kernel32.dll and %ecx points to the data you send through the /say command at the point of return.

This is the exploit that was used to compromise the servers discussed here: urgent-jedi-academy-1-00-t1156.html


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 21 Aug 2010 05:29 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
OK, sorry for my fail use of Google, but what is a "shellcode"... what does that do to the server instead of crashing it?


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 21 Aug 2010 11:06 

Joined: 11 Mar 2009 15:46
Posts: 20
Shellcode is code that can be executed from an arbitrary memory address and can be put in memory and remain executable through program input. In this case (and most others) it can't have any 0x00 bytes since it's being copied into memory by a string function and C strings are terminated by 0x00.

It's called shellcode because you make that code spawn a shell that's piped over a TCP socket connected to a remote host you control.
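The two mechanics this thread turns on are the unbounded copy described in the opening post (client text written into a fixed stack buffer with no length check, so the saved return address gets overwritten) and the point made just above about 0x00 bytes (a C string copy stops at the first NUL, so nothing after it reaches the destination). The C below is an added illustration of both from the server-side view; it is not jk3saybof.c and not the game's own handler, and the buffer size, function names and sample messages are constructed for the example. The defective copy is shown next to a bounded version that rejects anything that does not fit, which is the kind of fix that turns the "/say aaaaaaa" crash into a dropped message.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the /say stack buffer; the real handler's size is not given in the
 * thread, this value is only for illustration. */
#define SAY_BUF_SIZE 150

/* The pattern the thread describes: client-controlled text copied into a fixed-size
 * stack buffer with no length check. A message longer than SAY_BUF_SIZE-1 bytes writes
 * past buf and over the saved return address. Kept only for comparison with the bounded
 * version; the demo main() feeds it a short constant and nothing else should call it. */
static void say_unbounded(const char *msg)
{
    char buf[SAY_BUF_SIZE];
    strcpy(buf, msg);                 /* unbounded copy: this is the defect */
    printf("[unbounded] %s\n", buf);
}

/* Hardened handler: measure first, refuse anything that does not fit, then copy with an
 * explicit bound and guaranteed NUL termination. Returns 1 if the message was accepted
 * and written to out, 0 if it was dropped. */
static int say_bounded(const char *msg, char *out, size_t outsz)
{
    size_t n = strlen(msg);
    if (outsz == 0 || n >= outsz)
        return 0;                     /* too long: drop it instead of overflowing */
    memcpy(out, msg, n);
    out[n] = '\0';
    return 1;
}

/* Why a payload moved by a string function cannot contain 0x00: the copy stops at the
 * first NUL, so only the bytes before it are ever written. Returns that count for an
 * arbitrary byte buffer of length len. */
static size_t bytes_a_string_copy_moves(const unsigned char *data, size_t len)
{
    size_t i = 0;
    while (i < len && data[i] != 0)
        i++;
    return i;
}

int main(void)
{
    char out[SAY_BUF_SIZE];
    char big[300];
    const unsigned char raw[] = { 'a', 'b', 'c', 0, 'd', 'e', 'f' };  /* constructed */

    memset(big, 'a', sizeof big - 1);   /* constructed oversized message, 299 x 'a' */
    big[sizeof big - 1] = '\0';

    say_unbounded("hello");             /* safe only because this input is short */
    printf("bounded accepts 5 bytes:   %d\n", say_bounded("hello", out, sizeof out));
    printf("bounded accepts 299 bytes: %d\n", say_bounded(big, out, sizeof out));
    printf("bytes before first NUL:    %zu\n", bytes_a_string_copy_moves(raw, sizeof raw));
    return 0;
}
```

The bounded version deliberately rejects rather than truncates: silently cutting a message at SAY_BUF_SIZE-1 keeps the server alive but can hide the fact that a client is sending oversized input, which is exactly the event an admin would want to see in the log.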


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 24 Aug 2010 07:31 

Joined: 16 Jan 2010 07:24
Posts: 3
All the action is in 1.01. You're wasting your time in 1.00 lol


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 27 Aug 2010 14:58 

Joined: 11 Mar 2009 15:46
Posts: 20
Meh, 1.01 is filled to the brim with dipshit kids whose only motivation for putting up a server is the admin superpowers.


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 30 Aug 2010 05:02 

Joined: 07 Aug 2008 06:01
Posts: 45
droLremaL wrote:
> Meh, 1.01 is filled to the brim with dipshit kids whose only motivation for putting up a server is the admin superpowers.

+1

Does this exploit apply only to the /say command in 1.0, and is it vulnerable in 1.1? I've been doing some tests with buffers and q_stryct stuff in 1.01 and some stuff is still vulnerable; for instance, makermod 1.1b and ja+ 2.3 and below are susceptible to /tell buffer overflow, which can probably be exploited through your program.

Also, some stuff that calls g_logprintf is vulnerable


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 31 Aug 2010 23:20 

Joined: 11 Mar 2009 15:46
Posts: 20
I haven't gotten the chance to test out bugs in 1.01 yet, but when I'm done with a few other projects I'm ready to tear down 1.01.


 Post subject: Re: [RELEASE] jk3 /say buffer overflow (full server compromise)
PostPosted: 05 Oct 2010 09:21 

Joined: 16 Jul 2010 18:43
Posts: 10
Hey lamer, jump online some time. I want your advice on something.

