Luigi Auriemma

DOWNLOAD ->jk3saybof.c<- HERE
or view source on this pastebin: http://pastebin.com/m6d43f37c

This program makes a script that can be executed
from the client game console that will give the server
a too big string throug the /say command and the stack buffer
overflows, and the return adress is overwritten to point at an instruction
that jumps to rhe start of the local buffer we just overflowed,
witch has been filled with user specified shellcode in raw binary format.

Check http://aluigi.org/adv/jamsgbof-adv.txt for info about this voulnerability

If the words above made little sense to you i advise you not to try this.

For the average joe server admin: This exploit can, and most likely will grant evil-doers controll over the computer that the jk3 server runs on, be warned. Luckily it wont work if it's patched against the /say aaaaaaaaaaaaaaa crash

1) wasn't more simple to use the direct link to the code?
http://lamerlord.lamer.la/files/jk3saybof.c

2) ever on the original website there is also a pre-compilied version:
http://lamerlord.lamer.la/files/jk3saybof.exe

3) why posting it now considering that it's stuff already known and old of lot of years?

I posted it now because it could make jk3 1.00 a bit more interesting. create more hate in the game. everybody gets all worked up because this clan snuffed out that clans server, and in the end there will be passionate warfare :)

people will die

------

i dont get it, whats the point of the file when luigi already has the same thing?

Because this one writes a cfg file that will execute shellcode as opposed to just crashing it, and i've only seen the /say aaaaaaaaaaaaaaaaaa poc on luigis site, maybe i've overlooked something

no, this one overwrites ret to point to a "jmp %ecx" instruction in kernel32.dll and %ecx points to the data you send through the /say command at the point of return.

this is the exploit that was used to compromise the servers discussed here: urgent-jedi-academy-1-00-t1156.html

ok sorry for my fail use of google but what is a "shellcode"... what does that do to the server instead of crashing it?

shellcode is code that can be executed from an arbitrary memory address and can be put in memory and remain executable through program input. In this case (and most others) it can't have any 0x00 bytes since it's beinc copied into memory by a string fuction and c strings are terminated by 0x00.

it's called shellcode because you make that code spawn a shell that's piped over a tcp socket connected to a remote host you control.

all the action is in 1.01. your wasting your time in 1.00 lol

meh, 1.01 is filled to the brim with dipshit kids whos only motivation for putting up a server is the admin superpowers.

+1

Does this exploit apply only to the /say command in 1.0 and is it vulnerable in 1.1? I've been doing some tests with buffers and q_stryct stuff in 1.01 and some stuff is still vulnerable , for instance, makermod 1.1b and ja+ 2.3 and below are susceptible to /tell buffer overflow, which can probably be exploited throguh your program.

also, some stuff that calls g_logprintf is vulnerable

I havent gotten the chance to test out bugs in 1.01 yet, but when i'm done with a few other projects i'm ready to tear down 1.01.

hey lamer, jump online some time. I want your advice over something.