Luigi Auriemma - aluigi.org (ARCHIVE-ONLY FORUM!)
evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Post subject: Q3UNBAN, Q3FILL, q3cfilevar, q3noclient | Posted: 27 Oct 2007 01:27
OK, for the q3unban, when I try it, it doesn't work. You execute it before you enter a server, right?
The q3fill: what do you mean by "supports automatic unban"? What does that do, does it hide the IP when it fills up the server?
And q3cfilevar, isn't that a patch under PoC? Also, what does it do? I read the adv.txt but where's the crash, and also does it ONLY work on Quake 3, or on the whole Q3 engine?
Last edited by evan1715 on 15 Nov 2007 00:11, edited 1 time in total.

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 27 Oct 2007 13:05
q3unban is an experimental PoC, since adding stuff (additional useless cvars) after the "connect" packet is not easy without modifying the original client code (or binary).
I have also made a video which can probably explain the thing better than words:
http://aluigi.altervista.org/video/q3unban.avi
(if the link doesn't work, copy it into the browser's address bar or go to the Video section)
q3fill implements just the q3unban PoC in the perfect way and it's completely automatic.
When the banning message is received it adds an additional cvar so that the total length of the "connect" packet is longer than 1024 bytes, and so the server can't add the \ip\ field (or can add it only partially), avoiding the banning check.
q3cfilevar is a patch (but NOT a patch which fixes bugs) which transforms the Quake 3 1.32c binary into the proof-of-concept which overwrites the clients' files and cvars.
It's only for the Quake 3 game, and only version 1.32c.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 27 Oct 2007 14:38
Oooh, so with q3fill all you need to do is what you would normally do to use it, right? No need to have a command that unbans it?
\q3fill (ip) (port), right?
q3cfilevar: OK, now I know it's for Q3 only, now I don't need to worry about it :P
Results:
I watched your video and tried it, it still says I'm banned from a server.
When I use q3fill it says I'm still banned.
Here's a pic of q3fill:
http://i36.photobucket.com/albums/e35/e ... q3fill.jpg

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 27 Oct 2007 15:00
Yes, q3fill does everything automatically without additional options.
In your case (the still "Banned" message) I can think of some possibilities:
- that engine version uses a buffer bigger than 1024, but I doubt it
- it doesn't have the anti-overflow protection so it can still write the \ip\ cvar
- it handles the banning in a completely different way
- the server has banned you using different rules, for example it is not your IP that has been banned but the cvars used in the "connect" command... this is a particular technique used by some mods to prevent q3fill (naturally this hypothesis is valid only if the tested server is not yours and so you are not sure what type of banning has been performed)
The Quake 3 engine has evolved over time, so probably some old versions or some implementations of the engine work in different ways or don't have that specific protection (snprintf) which allows the exploitation of the bug.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 27 Oct 2007 15:53
Alright, I've also used that to join servers I'm not banned from and...
1. after it loads everything, the game crashes and exits.
2. it gives an error message in-game that says "Info string length exceeded"
I get that if I try to press any bind and when I connect, and I can't change my name. Is it because the cmd line is too long?
And btw this is on JK2 1.02.
Picture: http://i36.photobucket.com/albums/e35/e ... 3unban.jpg

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 27 Oct 2007 16:05
Unfortunately these are the downsides of this type of exploitation (non-modified executable); the errors and the crash you see are caused by a bug in the client due to the lack of snprintf (it should result in something like a buffer overflow in some cases).
Actually, the other ways of exploiting this bug are:
- modifying the client executable to force it to add the necessary data
- writing a hooker which does the same work
- writing a proxy which does this work
- writing a plugin for my sudppipe tool
- playing with setu or the cl_anonymous cvars of my example PoC to find a decent value
IMHO the plugin solution is the easiest at the moment and I'm going to check it.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 27 Oct 2007 16:08
Hmm OK, I guess it only works for a few games using the executable and for the q3fill unban.

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 27 Oct 2007 17:22
In the attachment there is the plugin for sudppipe.
How to use:
sudppipe -l q3unban_sudp.dll IP PORT 1234
then from the console of the game type:
connect 127.0.0.1:1234
Let me know how it works so I can release it on my website too.
It's also compatible with mohaa and also supports the connect packets with additional stuff after the cvars (only ET should use this thing).

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 27 Oct 2007 17:31
I can't understand how to use the tool, it keeps giving me errors.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 27 Oct 2007 17:50
Alright, this is copied and pasted:
C:\>q3engine\sudppipe\sudppipe -l q3unban_sudp.dll 66.225.194.131 28070 28070
Simple UDP proxy/pipe 0.3
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
- server: 66.225.194.131 : 28070
- bind UDP port 28070
- load library q3unban_sudp.dll
Error: The specified module could not be found.
I put all the things inside the plugin folder.

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 27 Oct 2007 17:55
Put the dll in the sudppipe folder (C: in your case), or use -l plugins\q3unban_sudp.dll

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 27 Oct 2007 18:03
C:\>q3engine\sudppipe\sudppipe -l plugins\q3unban_sudp.dll 66.225.194.131 28070 28070
Simple UDP proxy/pipe 0.3
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
- server: 66.225.194.131 : 28070
- bind UDP port 28070
- load library plugins\q3unban_sudp.dll
- PLUGIN: q3unban
- ready
OK, that's my result, then I connect to it and it still says I'm banned.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 30 Oct 2007 01:07
Did you test the q3unban/q3unban_sudp on the latest version of Q3, or on an earlier one? And which games do you know it works on (other than mohaa, which you listed before)?

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 30 Oct 2007 15:00
Yes, I tested the 1.32c version.
Tested with success: Jedi Academy, Enemy Territory and naturally Quake 3 and ioquake3 (since the public exe is still the one released one year ago).
Tested without success: Soldier of Fortune II, Jedi Knight II, World of Padman (it uses the fixed ioquake3 engine).
Naturally I always and only refer to the latest patched versions of the games, as usual.

infus3 (Joined: 17 Oct 2007 08:10, Posts: 31, Location: South Carolina)
Posted: 31 Oct 2007 04:17
This should work on the Call of Duty series too right?

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 31 Oct 2007 11:34
Yes, it should, but I don't know for what reason the server didn't ban me: listip gave me the banned address but my clean client was still able to join.

Maverick (Joined: 29 Oct 2007 10:20, Posts: 8)
Posted: 01 Nov 2007 20:30
Who uses this tool for CoD?
Does that work on the Call of Duty series?
Type the command string, pls!

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 01 Nov 2007 21:53
q3fill works with any game based on the Quake 3 engine, except the moh* series for which there is mohaafill.
Just type:
q3fill IP PORT

Maverick (Joined: 29 Oct 2007 10:20, Posts: 8)
Posted: 02 Nov 2007 11:23
ALUIGI, sorry, my mistake... not Q3FILL.
Q3UNBAN: who uses this for the Call of Duty series and who knows valid strings for the tool?
C:\>q3engine\sudppipe\sudppipe -l plugins\q3unban_sudp.dll IP PORT PORT ? Two ports... why?

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 02 Nov 2007 14:10
The first PORT is that of the server you want to join (28960 is the default one for CoD), while the second PORT is your local server.
In the video on my website I used 1234, for example; check the Video section if you have doubts.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 14 Nov 2007 00:22
I didn't want to start a new topic since it's a simple question: how the fizzle do you use q3noclient?
\q3noclient <serverip> <clientip> -s <serverport> -c <clientport>
Hmm? I couldn't understand what it was saying in the instructions, nor do you have a q3noclient-adv.txt thing... or any txt for it, except the oldish one.

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 14 Nov 2007 10:06
The search function pops up two results, of which one is a detailed explanation:
http://aluigi.org/search.php?src=q3noclient
Anyway, using it is very simple, check the following:
q3noclient -s SERVERPORT -c CLIENTPORT SERVERIP CLIENTIP
For example:
q3noclient -s 28070 -c 28070 1.2.3.4 123.123.123.123
Note that this tool uses spoofed packets, so you MUST be sure to be able to spoof them.
Typically the configuration which allows it is using a *nix or Win2k/XP system with root/admin rights DIRECTLY connected to the Internet, which means that if you do "netstat -an" you see your public Internet IP address.
So if you are behind a NAT/firewall/router/proxy you can't.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 15 Nov 2007 00:10
C:\>q3engine\q3noclient\q3noclient -s 28070 -c 28070 69.9.170.60 71.230.169.243
Quake 3 engine: client disconnector 0.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
- from 69.9.170.60:28070
- to 71.230.169.243:28070
Error: Interrupted system call
I'm using a firewall and a router... so I can't noclient anyone? And that's the error I'll keep getting?

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 15 Nov 2007 10:00
Exactly, that error is a classic message.
I already tried some solutions with another user who had the same problem, but nothing.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 15 Nov 2007 21:35
So you're saying the only way I can use it is if I have a direct connection from my modem to my computer, and turn off the firewall?

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 16 Nov 2007 10:41
No, what I said is that I don't know other ways of sending spoofed packets in that situation.

evan1715 (Joined: 05 Oct 2007 01:20, Posts: 402, Location: Florida)
Posted: 16 Nov 2007 22:17

rewtamus (Joined: 19 Nov 2007 02:40, Posts: 8)
Posted: 20 Nov 2007 23:13
Hello Luigi, is there a way to patch a server so that q3unban does NOT work?

aluigi (Joined: 13 Aug 2007 21:44, Posts: 4068, Location: http://aluigi.org)
Posted: 21 Nov 2007 11:29
Made just now:
http://aluigi.org/patches/q3unbanfix.lpatch
It should work on both Windows and Linux servers and is based on a simple idea: reserving space for the "ip" field by using 1000 instead of all the 1024 bytes of the userinfo field.
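The following is an added example written for this page; it is not aluigi's code, not the q3unbanfix patch, and not the engine's source. It models the two things the thread explains: the server stamping the client's address into the userinfo "ip" key inside a 1024-byte buffer, so that an over-long userinfo makes the stamp fail silently and the ban check sees no address (aluigi's post of 27 Oct 2007 13:05), and the fix of accepting at most 1000 bytes of client data so the "ip" pair always fits (this post). The 1024 and 1000 values come from the thread; every function name, the ban list and the sample userinfo strings are constructed for illustration. The model also flags the "ip missing" condition, which is the simplest thing a server operator can log to detect the bypass being attempted against an unpatched server.

```python
"""Simplified model of Quake 3 engine userinfo handling (added example, not
engine or patch code).  Constants 1024 and 1000 are from the forum thread;
names and sample data are constructed."""

MAX_INFO_STRING = 1024   # userinfo buffer size discussed in the thread
FIXED_LIMIT = 1000       # q3unbanfix idea: accept at most this much client data


def info_value_for_key(info: str, key: str) -> str:
    """Read a value from a \\key\\value\\key\\value string ('' if absent)."""
    parts = info.split("\\")          # parts[0] is '' due to the leading backslash
    for i in range(1, len(parts) - 1, 2):
        if parts[i] == key:
            return parts[i + 1]
    return ""


def info_remove_key(info: str, key: str) -> str:
    """Return info with every occurrence of key removed (trailing key with no
    value is dropped, a simplification that does not matter for this model)."""
    parts = info.split("\\")
    kept = []
    for i in range(1, len(parts) - 1, 2):
        if parts[i] != key:
            kept.append(parts[i])
            kept.append(parts[i + 1])
    return "".join("\\" + p for p in kept)


def info_set_value_for_key(info: str, key: str, value: str,
                           max_len: int = MAX_INFO_STRING):
    """Length-checked setter modelled on the behaviour the thread describes:
    the old key is removed, and if the new pair would not fit in max_len the
    string is left without it and the caller is told the set failed (the
    engine prints 'Info string length exceeded' in that case)."""
    info = info_remove_key(info, key)
    pair = "\\" + key + "\\" + value
    if len(pair) + len(info) > max_len:
        return info, False            # silently dropped: this is the gap q3unban uses
    return info + pair, True


def direct_connect(client_userinfo: str, client_addr: str, banned_ips: set,
                   limit: int = MAX_INFO_STRING) -> str:
    """Simplified server connect path: copy the client's userinfo into a
    `limit`-byte buffer (truncating, as a strncpy-style copy would), stamp the
    client's real address into the "ip" key, then let the ban check read that
    key back.  limit=MAX_INFO_STRING models the vulnerable server,
    limit=FIXED_LIMIT the patched one that reserves room for the "ip" pair."""
    userinfo = client_userinfo[: limit - 1]          # leave room for the NUL
    userinfo, ip_set = info_set_value_for_key(userinfo, "ip", client_addr)
    ip = info_value_for_key(userinfo, "ip").split(":")[0]   # ban list holds bare IPs
    if ip in banned_ips:
        return "rejected: banned"
    if not ip_set:
        # The client got in, but the game module has no address for it.
        # Logging this condition is the cheapest detection for an unpatched server.
        return "accepted: WARNING ip field missing"
    return "accepted"


# Constructed sample data (not from any real server).
BANNED = {"10.0.0.5"}
NORMAL = "\\name\\player\\rate\\25000"                 # ordinary 23-byte userinfo
PADDED = NORMAL + "\\pad\\" + "A" * 1100              # userinfo padded past 1024 bytes

if __name__ == "__main__":
    for limit in (MAX_INFO_STRING, FIXED_LIMIT):
        print(f"limit={limit}: normal -> {direct_connect(NORMAL, '10.0.0.5:27960', BANNED, limit)}, "
              f"padded -> {direct_connect(PADDED, '10.0.0.5:27960', BANNED, limit)}")
```

With the 1024-byte limit the padded userinfo is truncated to 1023 bytes, the 18-byte "\ip\10.0.0.5:27960" pair no longer fits, the stamp is dropped and the banned address connects; with the 1000-byte limit the same userinfo is cut to 999 bytes, the pair fits and the ban holds. Rejecting over-long userinfo outright instead of truncating it would be the stricter defensive choice, but the model keeps to the reservation idea stated in the post.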

rewtamus (Joined: 19 Nov 2007 02:40, Posts: 8)
Posted: 21 Nov 2007 18:10
Thank you very much Luigi, I am at work right now but I will try it out when I get home.
I will let you know how it works by testing the exploit on my own server once it is patched.