AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   Plugins (https://forums.alliedmods.net/forumdisplay.php?f=108)
-   -   [ANY] SRCDS Server Crasher Exploit Patch [6/27/19] (https://forums.alliedmods.net/showthread.php?t=317120)

backwards 06-27-2019 21:26

[ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
3 Attachment(s)
There's a new exploit in the wild which allows any client to attack the server after connecting if you have sv_allowdownload set to 1. On Linux the servers will most likely restart within 30 seconds if there's a watchdog timer installed. On Windows this exploit can be utilized to cause a Blue Screen Of Death on your dedicated hoster's box. The exploit involves the use of the RequestFile command and has already been reported to Valve (~8 months ago) through the bounty bug reward program. The report was ignored by the HackerOne staff because it didn't meet the standards of "crashing the server" (Report #472858), even though this can lead to a BSOD if used correctly and as shown in my submitted Proof Of Concept. ...

The exploit's POC was stolen from one of my unsecured dedicated test servers recently by some "Hackers" and is now being sold by them. The POC was written to work on all versions of SRCDS, so many servers are at risk until Valve releases an official patch. I've written my own patch for the community to use until that date comes.

Symptoms of the exploit being used on your server would be to see the text "File '%s' requested from" spammed in your SRCDS console. These messages do not create logs in any document, so it may be hard for some users to track what's happening. This is mostly expected to plague CS:GO/CStrike servers currently.

I've only tested this on css/csgo and it seems to work fine. I'm unaware if any game mode will utilize the request file function after a player connects (for example sprays) but I believe it's handled differently (server sends files rather than client requesting file). Let me know if you run into any issues.

Edit: Added OnFileReceive Hook as well to prevent clients from spamming file sends to the server. Nopped out a message that still prints on file receive when the server has sv_allowupload set to 0 (untested changes). Updated 1/2/2021; please post a report if it crashes on Linux or Windows CSGO servers.


Updated 02/03/2023:
Untested, updated for linux changes.

Newest version: SendFileFix 3.3.zip

RumbleFrog 06-27-2019 23:34

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Eggcellent

SimpleRealistic 06-27-2019 23:44

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
what a server being crashed from console looks like:
https://i.imgur.com/TsBVrI9.png


https://www.youtube.com/watch?v=fMo_Au6QqBo
me doing it

Wanheda 06-28-2019 08:28

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Code:

RequestCount[client] -= 32;
why exactly 32?

Code:

for (new client = 0; client <= MaxClients; client++)
iterating through 32 entities and checking if <= is wrong, you should start your for loop with 1 for that, there's no '0' client (let me mention i might be wrong, not sure)

Code:

for (new client = 1; client <= MaxClients; client++)
after some lines you do the same exact thing but correctly, you should always start with 1 if you're checking <=

anyways, i didn't find any other wrong code besides that

Pan32 06-28-2019 11:05

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by Wanheda (Post 2657014)
iterating through 32 entities and checking if <= is wrong, you should start your for loop with 1 for that, there's no '0' client (let me mention i might be wrong, not sure)

Console is entity 0, although I'm not sure if it's an oversight or the console can play a role in this exploit.

Also to note, MaxClients varies depending on the number of clients the server can accept, so it could be iterating through 10, 32, 64 or whatever number of players the server is set up to.

dustinandband 06-28-2019 20:35

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
why does the plugin loop through all clients every 5 seconds and subtract 32 from their RequestCount?


edit: I'm guessing it's to account for false-positive scenarios in case there's a game mode that happens to send a large amount of files:
Quote:

"I'm unaware if any game mode will utilize the request file function after a player connects (for example sprays) but I believe it's handled differently (server sends files rather than client requesting file)."

Xutax_Kamay 06-28-2019 21:25

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Oh shit man, I feel sorry for you to get your work stolen and not even recognized.

backwards 06-28-2019 22:22

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by dustinandband (Post 2657067)
why does the plugin loop through all clients every 5 seconds and subtract 32 from their RequestCount?

edit: I'm guessing it's to account for false-positive scenarios in case there's a game mode that happens to send a large amount of files:

Yes exactly, some game modes will send player sprays/jingle sound after a client is actively in the server. This will prevent a server of 64 slot players with all custom sprays and no map changes causing false positives from happening. When a new client connects on the same map it will count towards the requestcount.
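
As an added illustration (not part of any post and not the plugin's code), the Python sketch below models the counter discussed above: each request adds 1 and a timer subtracts 32 every 5 seconds. `THRESHOLD`, the floor at zero and the blocking reaction are assumptions, since the thread does not state them.

```python
from collections import defaultdict

DECAY_PER_TICK = 32   # from the thread: RequestCount[client] -= 32
TICK_SECONDS = 5      # from the thread: the loop runs every 5 seconds
THRESHOLD = 200       # assumption: the thread never states the plugin's limit


class RequestLimiter:
    """Per-client request counter that decays on a fixed timer."""

    def __init__(self):
        self.counts = defaultdict(int)
        self.blocked = set()

    def on_request(self, client):
        """Count one file request; False means the request is refused."""
        if client in self.blocked:
            return False
        self.counts[client] += 1
        if self.counts[client] > THRESHOLD:
            self.blocked.add(client)  # assumed reaction; the plugin's own is not shown
            return False
        return True

    def on_tick(self):
        """Timer callback: forgive DECAY_PER_TICK requests per client, floor at 0."""
        for client in self.counts:
            self.counts[client] = max(0, self.counts[client] - DECAY_PER_TICK)


def first_block_second(schedule, client=1):
    """Replay requests-per-second for one client; return the second it is blocked, or None."""
    limiter = RequestLimiter()
    for second, n_requests in enumerate(schedule):
        for _ in range(n_requests):
            if not limiter.on_request(client):
                return second
        if (second + 1) % TICK_SECONDS == 0:
            limiter.on_tick()
    return None


if __name__ == "__main__":
    print("one-off burst:", first_block_second([64] + [0] * 59))
    print("slow trickle :", first_block_second([6] * 600))
    print("steady spam  :", first_block_second([10] * 600))
    print("flood        :", first_block_second([100] * 60))
```

A one-off burst or anything slower than 32 requests per 5 seconds drains back to zero, while a sustained rate above that accumulates until it crosses the limit.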

404UserNotFound 06-29-2019 15:56

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by Xutax_Kamay (Post 2657070)
Oh shit man, I feel sorry for you to get your work stolen and not even recognized.

:?: :?: :?:

September 06-29-2019 16:00

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
In csgo you just need to use sv_allowdownload 0 and sv_allowupload 0.

This exploit has been running since 2018.

backwards 06-29-2019 20:21

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by September (Post 2657184)
In csgo you just need to use sv_allowdownload 0 and sv_allowupload 0.

This exploit has been running since 2018.

Yes the POC was created and submitted to Valve in 2018 but wasn't in the public domain until recently.

September 06-30-2019 10:10

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by 1337norway (Post 2657212)
Yes the POC was created and submitted to Valve in 2018 but wasn't in the public domain until recently.

Who was not publicly available? This "cheat" which crashes the server?

He was in the public domain for a long time. Everyone just forgot about him, and then they remembered ...

Wanheda 06-30-2019 12:23

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by September (Post 2657184)
In csgo you just need to use sv_allowdownload 0 and sv_allowupload 0.

This exploit has been running since 2018.

how about fast dl? uh?

wolvez04 06-30-2019 15:52

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by Wanheda (Post 2657289)
how about fast dl? uh?

Those cvar changes don't affect fastdl.

backwards 06-30-2019 22:12

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by September (Post 2657275)
Who was not publicly available? This "cheat" which crashes the server?

He was in the public domain for a long time. Everyone just forgot about him, and then they remembered ...

All server crashers are not the same, there are multiple exploits discovered every year which leads to people abusing them and they eventually get patched by Valve as new ones come out.

eliteroyal 07-09-2019 03:26

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by wolvez04 (Post 2657311)
Those cvar changes don't affect fastdl.

are you sure? :/

asdfxD 07-09-2019 13:47

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
fastdl is not working if i change the cvars to 0.

Dragokas 07-13-2019 12:04

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Thank you!

Byte 09-05-2019 09:09

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by 1337norway (Post 2657212)
Yes the POC was created and submitted to Valve in 2018 but wasn't in the public domain until recently.

This is a bit of a grave dig but I can assure you that this exploit existed in 2017. In fact there was also a patch being used for it in various communities.

backwards 09-19-2019 08:57

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by Byte (Post 2665968)
This is a bit of a grave dig but I can assure you that this exploit existed in 2017. In fact there was also a patch being used for it in various communities.

I know of many similar exploits over the last ~12 years. If you have any links to any of these patches or community logs showing this being abused I would be really interested. I'm 100% sure it's just a similar exploit and not this exact one.

StivJ 02-07-2020 06:19

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Wanted to say thank you!
For me this plugin helped very well!!

Also what about sv_allowdownload 0, is it really working in CS:GO?
I haven't tried it yet, but if @september says so, maybe it's true?

SM9 02-07-2020 09:55

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by StivJ (Post 2683012)
Also what about sv_allowdownload 0, is it really working in CsGo?

Yes, I have tested it.

eyal282 02-08-2020 08:22

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by Wanheda (Post 2657014)
Code:

RequestCount[client] -= 32;
why exactly 32?

Code:

for (new client = 0; client <= MaxClients; client++)
iterating through 32 entities and checking if <= is wrong, you should start your for loop with 1 for that, there's no '0' client (let me mention i might be wrong, not sure)

Code:

for (new client = 1; client <= MaxClients; client++)
after some lines you do the same exact thing but correctly, you should always start with 1 if you're checking <=

anyways, i didn't find any other wrong code besides that

You should always start with 1, period.
Code:

for(new i=1;i <= MaxClients;i++)
{
    if(!IsClientInGame(i)) // i is just an entity that can be assigned to a player if it's in the range of 1 <= i <= MaxClients, it is not guaranteed it has been assigned to a player.
        continue;

    KickClient(i, "i i i i i i i i i i i");
}


Sandervraun 04-19-2020 18:06

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Is this exploit still active or is it patched by Valve?

Flotz 05-13-2020 13:22

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
CreateFragmentsFromFile: '.txt' doesn't exist.
CreateFragmentsFromFile: '

Receiving failed: too many fragments 38/35 from 79.118.29.217:27005
Receiving failed: too many fragments 72/42 from 86.120.251.36:27005
Receiving failed: too many fragments 41/35 from 79.118.29.217:27005
Receiving failed: too many fragments 76/42 from 86.120.251.36:27005
Receiving failed: too many fragments 45/35 from 79.118.29.217:27005
Receiving failed: too many fragments 80/42 from 86.120.251.36:27005
Receiving failed: too many fragments 49/35 from 79.118.29.217:27005
Receiving failed: too many fragments 84/42 from 86.120.251.36:27005
Receiving failed: too many fragments 68/67 from 86.122.216.112:27005
Receiving failed: too many fragments 53/35 from 79.118.29.217:27005

I think this exploit is back, have your plugin and still got this.
All players are kicked with timed out reason......

also getting this: IP rate limit detected distributed packet load (50001 buckets, 2147694531 global count)
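
An added example, not part of any post or of the plugin: a Python scan of captured console output for the messages quoted in this thread, counting "too many fragments" failures per source address. It assumes the console output has been captured to text (the first post notes these messages are not written to any log); the sample lines and `min_hits` are constructed.

```python
import re
from collections import Counter

# Message formats as they appear in the console output quoted in this thread.
FRAGMENT_RE = re.compile(
    r"^Receiving failed: too many fragments (\d+)/(\d+) from (\S+):(\d+)$")
MISSING_RE = re.compile(r"^CreateFragmentsFromFile: '(.*)' doesn't exist\.$")
# The first post gives only the format string "File '%s' requested from";
# the text after "from" is not on the page, so it is left unparsed.
REQUEST_RE = re.compile(r"^File '(.*)' requested from\b")

# Constructed sample (documentation addresses, not real hosts).
SAMPLE = """\
CreateFragmentsFromFile: '.txt' doesn't exist.
Receiving failed: too many fragments 38/35 from 192.0.2.10:27005
Receiving failed: too many fragments 72/42 from 198.51.100.7:27005
Receiving failed: too many fragments 41/35 from 192.0.2.10:27005
Client "player" connected.
Receiving failed: too many fragments 45/35 from 192.0.2.10:27005
File 'maps/example.bsp' requested from <unparsed>
""".splitlines()


def scan_console(lines, min_hits=3):
    """Summarise the file-transfer messages in captured console lines."""
    per_source = Counter()
    missing = requests = 0
    for raw in lines:
        line = raw.strip()
        match = FRAGMENT_RE.match(line)
        if match:
            per_source[match.group(3)] += 1   # key on address, ignore port
        elif MISSING_RE.match(line):
            missing += 1
        elif REQUEST_RE.match(line):
            requests += 1
    suspects = {src: n for src, n in per_source.items() if n >= min_hits}
    return {"suspects": suspects, "missing_file_lines": missing,
            "request_lines": requests}


if __name__ == "__main__":
    print(scan_console(SAMPLE))
```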

Kellan123 08-06-2020 15:16

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
1 Attachment(s)
new syntax (updated plugin)

Physicus 01-27-2021 15:22

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Hi there,


Who knows the problem and can help me?
https://crash.limetech.org/a5veex3osw5s

My server crashes with the new version

"SendFile Exploit Fix (v3.1)"

Fastkill91 05-05-2021 03:54

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
This is still relevant, the last attack was on 04/02/2021, I think the valve has not been fixed yet. Put SendFileFix 3.1 working for a month now, and the attacks stopped!

report
CreateFragmentsFromFile: '.txt' doesn't exist.
CreateFragmentsFromFile: '.txt' doesn't exist.

NeQ 05-06-2021 16:42

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Today, I observed several attempted attacks. This security patch is still needed.

mrdiega 05-10-2021 11:44

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
2 Attachment(s)
i have SendFile Exploit Fix (v3.1) on my server, but it didn't help

my cvars
sv_downloadurl ..... (fastdl)
sv_allowupload 0
sv_allowdownload 1

freak.exe_uLow 05-10-2021 13:40

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by mrdiega (Post 2746452)
i have SendFile Exploit Fix (v3.1) on my server, but it didn't help

my cvars
sv_downloadurl ..... (fastdl)
sv_allowupload 0
sv_allowdownload 1

if you have a fastdl server, both sv things can be at 0

Quote:

sv_allowupload 0
sv_allowdownload 0

FroGeX 06-26-2022 19:13

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
after the newest csgo update, the plugin stopped working

amogus 11-14-2022 01:55

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
[SM] Failed to load plugin "SendFileExploitFixV3.1.smx": Unable to load plugin (bad header).

Kamizun 02-03-2023 14:03

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
After 02/02 update this plugin is throwing errors:

Code:

L 02/03/2023 - 18:44:40: [SM] Exception reported: Invalid address 0x1 is pointing to reserved memory.
L 02/03/2023 - 18:44:40: [SM] Blaming: exploitfixs/SendFileExploitFixV3.1.smx
L 02/03/2023 - 18:44:40: [SM] Call stack trace:
L 02/03/2023 - 18:44:40: [SM]  [0] LoadFromAddress
L 02/03/2023 - 18:44:40: [SM]  [1] Line 29, D:\SteamCMD\csgo\csgo\addons\sourcemod\scripting\SendFileExploitFixV3.1.sp::OnPluginStart
L 02/03/2023 - 18:44:40: [SM] Unable to load plugin "exploitfixs/SendFileExploitFixV3.1.smx": Error detected in plugin startup (see error logs)


backwards 02-03-2023 15:19

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by Kamizun (Post 2798601)
After 02/02 update this plugin is throwing errors:

Code:

L 02/03/2023 - 18:44:40: [SM] Exception reported: Invalid address 0x1 is pointing to reserved memory.
L 02/03/2023 - 18:44:40: [SM] Blaming: exploitfixs/SendFileExploitFixV3.1.smx
L 02/03/2023 - 18:44:40: [SM] Call stack trace:
L 02/03/2023 - 18:44:40: [SM]  [0] LoadFromAddress
L 02/03/2023 - 18:44:40: [SM]  [1] Line 29, D:\SteamCMD\csgo\csgo\addons\sourcemod\scripting\SendFileExploitFixV3.1.sp::OnPluginStart
L 02/03/2023 - 18:44:40: [SM] Unable to load plugin "exploitfixs/SendFileExploitFixV3.1.smx": Error detected in plugin startup (see error logs)


Updated in the main post, let me know if it crashes or has any issues and I'll fix it.

freak.exe_uLow 02-03-2023 15:46

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by backwards (Post 2798616)
Updated in the main post, let me know if it crashes or has any issues and I'll fix it.

backwards, you upload the files from ServerLagExploitFix in SendFileExploitFixV3.2 version :3

backwards 02-03-2023 17:12

Re: [ANY] SRCDS Server Crasher Exploit Patch [6/27/19]
 
Quote:

Originally Posted by freak.exe_uLow (Post 2798620)
backwards, you upload the files from ServerLagExploitFix in SendFileExploitFixV3.2 version :3

Thanks, I had a miniature stroke or something. I updated it now and it should have the right files.


All times are GMT -4.