Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 143 posts ]  Go to page 1, 2, 3, 4, 5  Next
 Post subject: Q3UNBAN, Q3FILL, q3cfilevar, q3noclient
PostPosted: 27 Oct 2007 01:27 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Ok, for the q3unban, when I try it, it doesn't work. You execute it before you enter a server, right?

The q3fill, what do you mean by "supports automatic unban"? What does that do, does it hide the IP when it fills up the server?

And q3cfilevar, isn't that a patch under PoC? Also what does it do? I read the adv.text but where's the crash, and also does it ONLY work on Quake 3, or on all Q3 engine games?


Last edited by evan1715 on 15 Nov 2007 00:11, edited 1 time in total.

PostPosted: 27 Oct 2007 13:05 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
q3unban is an experimental PoC, since adding stuff (additional useless cvars) after the "connect" packet is not easy without modifying the original client code (or binary).
I have also made a video which can probably explain the thing better than words:

http://aluigi.altervista.org/video/q3unban.avi

(if the link doesn't work, copy it into the browser's bar or go to the Video section)

q3fill implements just the q3unban PoC in the perfect way and it's completely automatic.
When the banning message is received it adds an additional cvar so that the total length of the "connect" packet is longer than 1024 bytes, and so the server can't add the \ip\ field (or can add it only partially), avoiding the banning check.

q3cfilevar is a patch (but NOT a patch which fixes bugs) which transforms the Quake 3 1.32c binary into the proof-of-concept which overwrites the client's files and cvars.
It's only for the Quake 3 game, and only version 1.32c.


PostPosted: 27 Oct 2007 14:38 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Oooh, so with q3fill all you need to do is what you would normally do to use it, right? No need to have a command that unbans it?

\q3fill (ip) (port), right?

q3cfilevar: ok, now I know it's for Q3 only, so now I don't need to worry about it :P

Results:
I watched your video and tried it, it still says I'm banned from a server.
When I use q3fill it says I'm still banned.
Here's a pic of q3fill:
http://i36.photobucket.com/albums/e35/e ... q3fill.jpg


PostPosted: 27 Oct 2007 15:00 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Yes, q3fill does everything automatically without additional options.

In your case (the still Banned message) I think of some possibilities:
- that engine version uses a buffer bigger than 1024, but I doubt it
- it doesn't have the anti-overflow protection, so it can still write the \ip\ cvar
- it handles the banning in a completely different way
- the server has banned you using different rules; for example it's not your IP that has been banned but the cvars used in the "connect" command... this is a particular technique used by some mods to prevent q3fill (naturally this hypothesis is valid only if the tested server is not yours and so you are not sure what type of banning has been performed)

The Quake 3 engine has evolved over time, so probably some old versions or some implementations of the engine work in different ways or don't have that specific protection (snprintf) which allows the exploiting of the bug.


PostPosted: 27 Oct 2007 15:53 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Alright, I've also used that to join servers I'm not banned from and...

1. after it loads everything, the game crashes and exits.
2. it gives an error msg in-game that says "Info string length exceeded"
I get that if I try to press any bind and when I connect, and I can't change my name. Is it because the cmd line is too long?

And btw this is on JK2 1.02

picture http://i36.photobucket.com/albums/e35/e ... 3unban.jpg


PostPosted: 27 Oct 2007 16:05 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Unfortunately these are the downsides of this type of exploitation (non-modified executable); the errors and the crash you see are caused by a bug in the client due to the lack of snprintf (it should result in something like a buffer overflow in some cases).

Actually the other ways of exploiting this bug are:
- modifying the client executable to force it to add the necessary data
- writing a hooker which does the same work
- writing a proxy which does this work
- writing a plugin for my sudppipe tool
- playing with setu or the cl_anonymous cvars of my example PoC to find a decent value

IMHO the plugin solution is the easiest at the moment and I'm going to check it


PostPosted: 27 Oct 2007 16:08 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Hmm ok, I guess it only works for a few games using the executable and for the q3fill unban


PostPosted: 27 Oct 2007 17:22 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
In the attachment there is the plugin for sudppipe

How to use:

sudppipe -l q3unban_sudp.dll IP PORT 1234

then from the console of the game type:
connect 127.0.0.1:1234

Let me know how it works so I can release it on my website too.
It's also compatible with MOHAA and also supports the connect packets with additional stuff after the cvars (only ET should use this thing)


Attachments:
q3unban_sudp.zip [7.48 KiB]
Downloaded 715 times
PostPosted: 27 Oct 2007 17:31 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
I can't understand how to use the tool, it keeps giving me errors


PostPosted: 27 Oct 2007 17:50 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Alright, this is copied and pasted:

C:\>q3engine\sudppipe\sudppipe -l q3unban_sudp.dll 66.225.194.131 28070 28070

Simple UDP proxy/pipe 0.3
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- server: 66.225.194.131 : 28070
- bind UDP port 28070
- load library q3unban_sudp.dll

Error: The specified module could not be found.

I put all the things inside the plugin folder


PostPosted: 27 Oct 2007 17:55 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Put the dll in the sudppipe folder (c: in your case), or use -l plugins\q3unban_sudp.dll


PostPosted: 27 Oct 2007 18:03 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
C:\>q3engine\sudppipe\sudppipe -l plugins\q3unban_sudp.dll 66.225.194.131 28070 28070

Simple UDP proxy/pipe 0.3
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

- server: 66.225.194.131 : 28070
- bind UDP port 28070
- load library plugins\q3unban_sudp.dll
- PLUGIN: q3unban
- ready


Ok, that's my result, then I connect to it and it still says I'm banned


PostPosted: 30 Oct 2007 01:07 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Did you test the q3unban/q3unban_sudp on the latest version of Q3? Or an earlier one? And what games do you know work with it (other than MOHAA, which you listed before)?


PostPosted: 30 Oct 2007 15:00 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Yes I tested the 1.32c version.

Tested with success: Jedi Academy, Enemy Territory and naturally Quake 3 and ioquake3 (since the public exe is still the one released one year ago)

Tested without success: Soldier of Fortune II, Jedi Knight II, World of Padman (it uses the fixed ioquake3 engine)

Naturally I refer always and only to the latest patched versions of the games, as usual


PostPosted: 31 Oct 2007 04:17 

Joined: 17 Oct 2007 08:10
Posts: 31
Location: South Carolina
This should work on the Call of Duty series too right?


PostPosted: 31 Oct 2007 11:34 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Yes, it should, but I don't know for what reason the server didn't ban me; listip gave me the banned address but my clean client was still able to join


PostPosted: 01 Nov 2007 20:30 

Joined: 29 Oct 2007 10:20
Posts: 8
Who uses this tool for CoD?
Does that work on the Call of Duty series?
Type the command string pls!


PostPosted: 01 Nov 2007 21:53 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
q3fill works with any game based on the Quake 3 engine, except the moh* series for which there is mohaafill.
Just type:

q3fill IP PORT


PostPosted: 02 Nov 2007 11:23 

Joined: 29 Oct 2007 10:20
Posts: 8
ALUIGI, sorry, my wrong... not Q3FILL
Q3UNBAN: who uses this for the Call of Duty series and who knows valid strings for the tool?

C:\>q3engine\sudppipe\sudppipe -l plugins\q3unban_sudp.dll IP PORT PORT ? Two ports... why?


PostPosted: 02 Nov 2007 14:10 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The first PORT is that of the server you want to join (28960 is the default one for CoD) while the second PORT is your local server.
In the video on my website I used 1234 for example; check the Video section if you have doubts


PostPosted: 14 Nov 2007 00:22 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
I didn't want to start a new topic since it's a simple question: how the fizzle do you use q3noclient?

\q3noclient <serverip> <clientip> -s <serverport> -c <clientport>

Hmm? I couldn't understand what it was saying in the instructions, nor do you have a q3noclient-adv.txt thing... or any txt for it, except the oldish one


PostPosted: 14 Nov 2007 10:06 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The search function pops up two results, of which one is a detailed explanation:

http://aluigi.org/search.php?src=q3noclient

Anyway using it is very simple, check the following:

q3noclient -s SERVERPORT -c CLIENTPORT SERVERIP CLIENTIP

For example:

q3noclient -s 28070 -c 28070 1.2.3.4 123.123.123.123

Note that this tool uses spoofed packets, so you MUST be sure to be able to spoof them.
Typically the configuration which allows it is using a *nix or Win2k/XP system with root/admin rights DIRECTLY connected to the Internet, which means that if you do "netstat -an" you see your public Internet IP address.

So if you are behind NAT/firewall/router/proxy you can't.


PostPosted: 15 Nov 2007 00:10 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
Code:
C:\>q3engine\q3noclient\q3noclient -s 28070 -c 28070 69.9.170.60 71.230.169.243

Quake 3 engine: client disconnector 0.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

- from 69.9.170.60:28070
- to   71.230.169.243:28070

Error: Interrupted system call


I'm using a firewall and a router... so I can't noclient anyone? And that's the error I'll keep getting?


PostPosted: 15 Nov 2007 10:00 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Exactly, that error is a classic message.
I already tried some solutions with another user who had the same problem, but nothing.


PostPosted: 15 Nov 2007 21:35 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
So you're saying the only way I can use it is if I have a direct connection from my modem to my computer, and turn off the firewall?


PostPosted: 16 Nov 2007 10:41 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
No, what I said is that I don't know other ways of sending spoofed packets in that situation


PostPosted: 16 Nov 2007 22:17 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
oh ok ;)


PostPosted: 20 Nov 2007 23:13 

Joined: 19 Nov 2007 02:40
Posts: 8
Hello Luigi, is there a way to patch a server so that q3unban does NOT work?


PostPosted: 21 Nov 2007 11:29 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Made just now:

http://aluigi.org/patches/q3unbanfix.lpatch

It should work on both Windows and Linux servers and is based on a simple idea: reserving space for the "ip" field by using 1000 instead of all the 1024 bytes of the userinfo field.
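The userinfo length problem discussed in this thread (the server stamping \ip\ into a nearly full 1024-byte userinfo, and the 1000-byte reservation of the fix above), as an added C illustration for readers; it is neither engine code nor Luigi's patch, and the function names, the 24-byte reservation (1024 minus 1000) and the sample addresses are assumptions:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Simplified model of the Quake 3 userinfo handling discussed in the thread;
 * function names are hypothetical, the byte limits come from the posts. */
#define MAX_INFO_STRING 1024   /* userinfo buffer size */
#define IP_RESERVE       24    /* 1024 - 1000: space kept for the "\ip\" field */

/* Mimics Info_SetValueForKey's guard: "\key\value" is appended only if it
 * fits, otherwise the string is left untouched and false is returned. */
static bool info_set(char *info, const char *key, const char *value) {
    char pair[MAX_INFO_STRING];
    snprintf(pair, sizeof pair, "\\%s\\%s", key, value);
    if (strlen(info) + strlen(pair) >= MAX_INFO_STRING)
        return false;               /* "Info string length exceeded" */
    strcat(info, pair);
    return true;
}

/* Ban check as the thread describes it: look the "ip" key up in userinfo. */
static bool ip_is_banned(const char *info, const char *banned_prefix) {
    const char *p = strstr(info, "\\ip\\");
    return p && strncmp(p + 4, banned_prefix, strlen(banned_prefix)) == 0;
}

/* Vulnerable flow: the stamp's result is ignored, so a userinfo padded to
 * nearly 1024 bytes ends up without an "ip" key and the ban never matches. */
bool accept_vulnerable(char *info, const char *from, const char *banned) {
    info_set(info, "ip", from);
    return !ip_is_banned(info, banned);
}

/* Hardened flow (the idea of the q3unbanfix patch): accept at most 1000 bytes
 * of client userinfo, and treat a failed stamp as a rejection. */
bool accept_hardened(char *info, const char *from, const char *banned) {
    if (strlen(info) > MAX_INFO_STRING - IP_RESERVE) return false;
    if (!info_set(info, "ip", from)) return false;
    return !ip_is_banned(info, banned);
}

/* Constructed sample userinfo of exactly len bytes (len < MAX_INFO_STRING):
 * a normal header padded with a long cl_anonymous value. */
void make_userinfo(char *out, size_t len) {
    const char *head = "\\name\\player\\cl_anonymous\\";
    size_t h = strlen(head);
    memcpy(out, head, h);
    memset(out + h, 'A', len - h);
    out[len] = '\0';
}
```

With a 1015-byte userinfo the vulnerable flow lets a banned address through because the stamp silently fails, while the hardened flow rejects it before the ban check runs.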


PostPosted: 21 Nov 2007 18:10 

Joined: 19 Nov 2007 02:40
Posts: 8
Thank you very much Luigi, I am at work right now but I will try it out when I get home.

I will let you know how it works by testing the exploit on my own server once it is patched

