
Module: Orpheu (v2.6.3)


lqlqlq
Senior Member
Join Date: Jan 2008
01-27-2012 , 16:27   Re: Module: Orpheu2.3a
#861

Arkshine,
I gave some pictures in my previous post.
Look:
[IMG]http://img850.**************/img850/301/4310291b.jpg[/IMG]
All Bulgarian servers have been crashing for 2-3 days.
This is a new exploit and it works.
I tried some methods but they don't work.
Server crashes with:
unknown char in client command (32) when fake player is connecting to server.
(doesn't have log) - this is log (unknown char in client command (32))
I understand, this is simple info, not very informative to you, but I don't have words to say how this exploit works. (I know it is based on hlds_vcrash)
Look at this post - http://forums.alliedmods.net/showthr...47#post1109447
(Yes, this is a good plugin but it doesn't work again.
This is a new exploit and this "key":
19e5f1e722f4ab6d0d41c82f89c65295) is used very popularly in this type of exploit, but in the new exploit it is changed.
Its key is got from everyone, I think that is the "steam key", I found some on Google:
Code:
#include <amxmodx>
#include <orpheu>

// Keys to reject (the list from the original post)
new const g_blockedKeys[][] =
{
    "19e5f1e722f4ab6d0d41c82f89c65295",
    "f0ef8a36258af1bb64ed866538c9db76",
    "d506d189cf551620a70277a3d2c55bb2",
    "67790c589689e0c8bc9254418f74a7e8",
    "2f7aca2b284b6bd8aedd261c6a5a6b49",
    "a8da12f3f71d87a40ca6c35ee73ad1a5",
    "61b9ce4070c5a3ec287995faa9e6dc49",
    "821bd412a43cd778dd3448791a135275",
    "520a87d91ba71f8dc9a905424b548a7d",
    "861078331b85a424935805ca54f82891",
    "fc919407beff66e210d03f3a72d456c0",
    "dffa71977e9f0a0e6f0ea6d47e8a17bc",
    "dacc732487fb2972a20f49b7070eed64"
}

public plugin_precache()
{
    OrpheuRegisterHook(OrpheuGetFunction("SV_ConnectClient"),"OnSV_ConnectClient")
}

public OrpheuHookReturn:OnSV_ConnectClient()
{
    static info[100],dummy[1]
    read_argv(3,info,charsmax(info))

    // Drop the first 8 '\'-separated tokens; what is left in info is compared below
    for(new i=0;i<8;i++)
        strtok(info,dummy,0,info,charsmax(info),'\')

    // Block the connection if the remaining string equals any listed key
    for(new i=0;i<sizeof g_blockedKeys;i++)
    {
        if(equal(info,g_blockedKeys[i]))
            return OrpheuSupercede
    }

    return OrpheuIgnored
}
Yes, but it doesn't work. (the author of the exploit can always change the key)

Look at this (I found it on pastebin)
Plugin:
Code:
    #include <amxmodx>
    #include <orpheu>
    #include <orpheu_advanced>
    #include <orpheu_memory>
     
    public plugin_precache()
    {
        // Resolve Host_Error through its signature file
        new address = OrpheuGetFunctionAddress(OrpheuGetFunction("Host_Error"))
        // Write one byte, 0xC3 (the x86 RET opcode), at that address
        OrpheuMemorySetAtAddress(address,"hostErrorBlock",1,0xC3)
    }
function Host_Error:
Code:
{
    "name" : "Host_Error",
    "library" : "engine",
    "arguments" :
    [
        {
            "type" : "char *"
        }
    ],
    "identifiers" :
    [
        {
            "os" : "windows",
            "value" : [0x55,0x8B,0xEC,0x81,0xEC,0x00,0x04,0x00,0x00,0xA1,"*","*","*","*",0x85,0xC0,0x74,0x0D,0x68,"*","*","*","*",0xE8,"*","*","*","*",0x83,0xC4,0x04,0xC7]
        },
        {
            "os" : "linux",
            "value" : "Host_Error"
        }
    ]
}
memory hostErrorBlock:
Code:
    [
        {
            "name"        : "hostErrorBlock",
            "library"     : "engine",
            "type"        : "byte",
            "memoryType"  : "code",
            "identifiers" :
            [
                    {
                            "os" : "windows",
                            "value" : 0
                    },
                    {
                            "os" : "linux",
                            "value" : 0
                    }
            ]
        }
    ]
What do you think about that?

Last edited by lqlqlq; 01-27-2012 at 16:28.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
01-27-2012 , 16:38   Re: Module: Orpheu2.3a
#862

Like you said, that's not informative at all. The 3 lines you see in the console are 'normal', and come from SV_ExecuteClientMessage (the last line inside is SV_DropClient). What I need is debug information after that, to know where it actually crashes. And if you don't give some useful data or a way to crash, I can't magically invoke a ready-anti-exploit.

Last edited by Arkshine; 01-27-2012 at 16:41.
lqlqlq
Senior Member
Join Date: Jan 2008
01-27-2012 , 16:42   Re: Module: Orpheu2.3a
#863

Ok, I understand. Can you tell me more, how to give you the debug log?
I added this (a few days ago) "-debuglog cs.log" in startup parameters, but even after crashes I get no information in it.
How do I do it?
lqlqlq
Senior Member
Join Date: Jan 2008
01-28-2012 , 06:32   Re: Module: Orpheu2.3a
#864

Here is a pic from the new exploit:
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
01-28-2012 , 07:09   Re: Module: Orpheu2.3a
#865

How is it supposed to help?
lqlqlq
Senior Member
Join Date: Jan 2008
01-28-2012 , 07:29   Re: Module: Orpheu2.3a
#866

I sent you a PM.
Arkshine
AMX Mod X Plugin Approver
Join Date: Oct 2005
01-28-2012 , 08:38   Re: Module: Orpheu2.3a
#867

Just for letting people know here.

lqlqlq tells me the exploit actually happens only if you have dproto. So, the problem is with dproto itself since it patches many things in memory and has probably created new flaws. That's something the dproto's author should fix.

Meanwhile, the solution is simple, if you don't want to get the exploit, don't use dproto.

Therefore I'm not going to use my time for dproto's users, not because it's related to non-steam stuff but because the issue is from dproto and not from the game engine.
veselii
New Member
Join Date: Feb 2011
01-31-2012 , 14:59   Re: Module: Orpheu2.3a
#868

Hello.
The server falls even without dproto, if you use options 47 report and as hltv!

Code listing of disassembled part of Jos(Win32) exploit
Spoiler


A person by the name of PomanoB wrote a plug-in which doesn't allow this vulnerability to work, but alas, with the plug-in the server works incorrectly
Source code
Spoiler

Are there people here who will correct the given vulnerability?
Thanks
veselii
New Member
Join Date: Feb 2011
02-06-2012 , 05:50   Re: Module: Orpheu2.3a
#869

Patch SWDS.DLL (anti Jo's from PomanoB & SH@RK)
www.myac.msk.ru/ftp/patch_anti_jos.zip

dedicated-server.ru (c)
joropito
AlliedModders Donor
Join Date: Mar 2009
Location: pfnAddToFullPack
02-09-2012 , 17:50   Re: Module: Orpheu2.3a
#870

I'm trying to hook engine function "SuckOutClassname"

My signature file (it's a local symbol so can't be found using its name)

Code:
{
    "name"       : "SuckOutClassname",
    "library"    : "engine",
    "arguments"  :
    [
        {
            "type" : "char *"
        },
        {
            "type" : "edict_s *"
        }
    ],
    "identifiers":
    [
        {
            "os"    : "linux",
            "mod"   : "cstrike",
            "value" : [0x81,0xEC,0x20,0x01,0x00,0x00,0x57,0x56,0x53,0x8B,0x9C,0x24,0x30,0x01,0x00,0x00,0xBF,0x20]
        }
    ]
}
And here's my plugin

Code:
#include <amxmodx>
#include <orpheu>

public plugin_precache()
{
        OrpheuRegisterHook(OrpheuGetFunction("SuckOutClassname"), "SuckOutClassname")
}

public OrpheuHookReturn:SuckOutClassname(const class[], const edict)
{
        log_amx("SuckOutClassname called")
        return OrpheuIgnored
}
I only get a crash with

Quote:
L 02/09/2012 - 19:43:01: [AMXX] Run time error 3: stack error
Any help will be appreciated
Last edited by joropito; 02-09-2012 at 17:55.
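
The identifiers in posts #861 and #870 are byte signatures that have to be located in the engine binary. As an added example (not code from any poster or from Orpheu itself), this Python script parses such a value and checks that it matches exactly once in a byte buffer; the rule that "*" matches any single byte is an assumption, and the buffer is constructed sample data.

```python
import re

# Windows Host_Error identifier copied from post #861 of this thread.
HOST_ERROR_SIG = '''[0x55,0x8B,0xEC,0x81,0xEC,0x00,0x04,0x00,0x00,0xA1,"*","*","*","*",
0x85,0xC0,0x74,0x0D,0x68,"*","*","*","*",0xE8,"*","*","*","*",0x83,0xC4,0x04,0xC7]'''

def parse_signature(text):
    """Orpheu-style byte list -> list of ints, None = wildcard.

    Assumption: "*" matches any single byte. The files use hex literals,
    so they are not strict JSON and the tokens are read directly."""
    pattern = []
    for tok in re.findall(r'0x[0-9A-Fa-f]{1,2}|"\*"|[^\s,\[\]]+', text):
        if tok == '"*"':
            pattern.append(None)
        elif re.fullmatch(r'0x[0-9A-Fa-f]{1,2}', tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError("unsupported token in signature: %r" % tok)
    if not pattern or pattern[0] is None:
        raise ValueError("signature must start with a concrete byte")
    return pattern

def find_matches(image, pattern):
    """Return every offset in image at which the whole pattern matches."""
    hits, first = [], bytes([pattern[0]])
    pos = image.find(first)
    while pos != -1 and pos + len(pattern) <= len(image):
        window = image[pos:pos + len(pattern)]
        if all(p is None or p == b for p, b in zip(pattern, window)):
            hits.append(pos)
        pos = image.find(first, pos + 1)
    return hits

def check_unique(image, pattern):
    """Return the single match offset; 0 or several matches is an error."""
    hits = find_matches(image, pattern)
    if len(hits) != 1:
        raise LookupError("signature matched %d times: %s" % (len(hits), hits))
    return hits[0]

# Constructed sample image: padding, one body that fits the signature,
# more padding. These are NOT bytes from the real engine.
BODY = bytes(0x11 if b is None else b for b in parse_signature(HOST_ERROR_SIG))
SAMPLE_IMAGE = b"\x90" * 16 + BODY + b"\xCC" * 8

if __name__ == "__main__":
    print(hex(check_unique(SAMPLE_IMAGE, parse_signature(HOST_ERROR_SIG))))
```
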
All times are GMT -4.