Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 79 posts ]  Go to page 1, 2, 3  Next
 Post subject: Source Engine seg fault crash exploit
PostPosted: 29 Jul 2009 17:21 

Joined: 29 Jul 2009 17:15
Posts: 16
This has been around forever, I thought I might share the concept.

Very easy really... While connecting to a source engine game, as soon as you've got 2 loading bars it seems to work.
You send a command to the server that requires your entity to be present.
Any command that would require the creation of a TraceRay for example.
The server tries to create a trace from your entity (null pointer), which doesn't exist yet, and dies.

I was wondering if you could code something that would create a connection long enough to send a command that would cause this. It could be done much faster than you would be kicked for having an invalid steamID.


Last edited by Nowayz on 31 Jul 2009 21:16, edited 1 time in total.

 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 29 Jul 2009 18:30 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
if the problem is only making the connection longer you could test something for delaying the outgoing packets (a sendto hooker or a customized udp proxy and so on), only an idea


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 30 Jul 2009 18:59 

Joined: 29 Jul 2009 17:15
Posts: 16
My question mainly was, have you ever tried to write a fake players application for source engine games. If it worked well or not, it would connect long enough to send the command that would create the seg fault probably.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 30 Jul 2009 20:26 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
personally I have never touched a source-based game so I don't know if it's enough to add one or more custom parameters to hlfill or what.
have you already checked if hlfill is compatible with the source dedicated server?
do you have a sniffed session containing the first packets exchanged by your real client (for example hl2) with a server?


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 01:49 

Joined: 16 Aug 2007 06:25
Posts: 367
Here is a pcap file of the first 10 packets while connecting to a counter-strike source server (69.90.135.112:27015).


Attachments:
first10.zip [6.71 KiB]
Downloaded 656 times
 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 11:28 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
thx soma, it looks like the protocol has been redesigned completely.

the second packet of the client uses an unknown compression, then I see the usage of bzip2 in one of the server's packets but it's not very clear.
seems that I'm forced to download the dedicated server (which is free) for understanding something more... mah.

anyway it would be interesting to check if that q0000000 packet is only a query or something more (maybe used for occupying a resource or a slot), in the meantime I download the server if someone wants to make a quick test with his own server: udpsz -l 10 -C ffffffff71303030303030303030303030303000 127.0.0.1 27015 -1


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 16:21 

Joined: 08 Jun 2008 07:17
Posts: 92
I tested it on a server, it DOES NOT crash it but it stops people from joining, it makes the server say <server not responding> but inside the game the game server is running fine.


So I guess it is like an invisible DoS, as it only stops people from joining (at least in my test).


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 16:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
here I have downloaded the dedicated server but it has no effect, it only stops the packets from the same IP address.
you can test it using your ethernet interface for the test (like 192.168.0.1) and then joining on 127.0.0.1.

anyway in the previous post I forgot the -S option (different source ports) which is useful in these types of tests (although probably useless in this case).


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 17:22 

Joined: 16 Aug 2007 06:25
Posts: 367
Yea if you send too much traffic from one IP the server will temporarily block it out (for maybe 15 seconds). I always notice this when I try to join a game server that is full, but I keep hitting "join game" anyway to try and get the next available slot. It will eventually stop refreshing the player count, scores, etc.. and just say "not responding" for about 15 seconds. And this is probably just to block DoS attempts and/or fake players in general.

I have attached some additional pcaps if they could be of any use. They are for Team Fortress 2 this time, which also uses the source engine. One is a query packet, the other is just the connection to a server (first 20 packets). I will also do some testing with spoofing to see if the first packet reserves a player slot or not.

edit: tested with random spoofed IP/source addresses, but it still doesn't reserve a slot. It appears the slot is reserved further along in the connection. Also, I know the actual spoofing was working because I tested it on bf2 right before that, and it worked.


Attachments:
tf2pcaps.zip [13.94 KiB]
Downloaded 394 times
 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 19:57 

Joined: 29 Jul 2009 17:15
Posts: 16
Okay, I've captured the packets that are sent when I used source's threaded scripting to connect & send the console command that causes the server crash.

At the end of this log the server was no longer responding and I had stopped trying to connect to the server by hitting the cancel button.

Here's a log of what the server's console said when I connected.
Code:
L 07/31/2009 - 15:01:11: "Nowayz<2><STEAM_ID_PENDING><>" connected, address "69.92.144.218:33641"
Client "Nowayz" connected (69.92.144.218:33641).
./srcds_run: line 344: 21553 Segmentation fault      $HL_CMD
Add "-debug" to the ./srcds_run command line to generate a debug.log to help with solving this problem
Fri Jul 31 15:01:11 EDT 2009: Server restart in 10 seconds


Attachments:
csscrash.zip [1.99 KiB]
Downloaded 699 times
 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 20:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
very good, it works and I have figured out the format of the join packet and that of the other packet (it uses bitstrings).
now I'm building some code to learn better the protocol and maybe testing this vulnerability.

tested source server version:
Code:
Protocol version 7
Exe version 1.0.0.12 (hl2dm)
Exe build: 13:31:33 Dec 22 2008 (3698)

P.S.: do you know who is the original author who found this bug?


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 20:41 

Joined: 29 Jul 2009 17:15
Posts: 16
An exploit similar to this originated in Garry's Mod using its client-side Lua scripting. I think I may be the first person to adapt it to other source engine games, by using a not very well known method of scripting in source.

By the way, I forgot to mention that those packets I sniffed were from a server running Counter-Strike Source.

P.S. : I'll try and find the old thread on facepunch(Garrysmod forums)


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 20:50 

Joined: 29 Jul 2009 17:15
Posts: 16
Okay, it looks like the first record of it was a player in Garry's Mod named Chrisaster, who went around mass crashing servers.
Although the exploit was soon figured out and patched, it still remains using other methods. I don't know of ANY instances of this even occurring outside of Garry's Mod besides what I've discovered myself.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 22:55 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
in attachment there is a plugin for proxocket which substitutes the first packet of the source client with a custom one built at runtime containing the npc_speakall command which causes the problem.
there are two notes:
- I have not tested it (I don't have the client)
- I have written it on the fly during the writing of a test code for the bug (so with also the reversing of the protocol done on the fly exactly in this moment)

how to test:
- download proxocket: http://aluigi.org/mytoolz.htm#proxocket
- put the ws2_32.dll file located in the zip inside the folder of hl2 or css (where is located the main executable of the game)
- put the myproxocket.dll file attached to this post in the same folder
- join your test server

if it works I'm sure that some people could find it useful because it can be easily modified to send any custom command and because it allows setting any desired cvar.
well, hope it helps.


Attachments:
source_sendcmd.zip [3.84 KiB]
Downloaded 727 times
 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 31 Jul 2009 23:14 

Joined: 29 Jul 2009 17:15
Posts: 16
Wow, it works perfectly. I'll try it with some other source games.

Works in CS:S. Doesn't look like it wants to work in TF2.
I don't have hl2mp/hl2dm


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 00:29 

Joined: 16 Aug 2007 06:25
Posts: 367
My results were similar: works in CS:S and HL2:DM, but not TF2. I don't know much about the source engine, and different 'versions' it has, but I do know that TF2 uses or does something that is at least slightly different from CS:S and HL2:DM. Don't get me wrong, they all are source games, but there are many things in TF2 that don't exist in earlier games (like the server console command sv_allow_voice_from_file), or things that are done slightly different.

I'm not sure how to explain it because I don't know what's actually different, but it's like they added stuff to the game/engine ...but it only exists in TF2. Maybe a slight tweak would be needed to get it working in TF2.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 01:21 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
hmm very interesting, so far i haven't heard about any other exploit that actually crashes source server.

is it safe to use proxocket (.dll)? as far as I know, you will get VAC banned even for using fraps or custom crosshair etc. ofc you can turn VAC off when testing (in your test server), but somehow I doubt that it actually prevents VAC from scanning.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 01:52 

Joined: 29 Jul 2009 17:15
Posts: 16
That's why I was wondering if this could be created to run outside of the game environment.

EDIT:

Sethioz wrote:
hmm very interesting, so far i haven't heard about any other exploit that actually crashes source server.

is it safe to use proxocket (.dll)? as far as I know, you will get VAC banned even for using fraps or custom crosshair etc. ofc you can turn VAC off when testing (in your test server), but somehow I doubt that it actually prevents VAC from scanning.

Now that I think about it, the server crashes far before you even submit your STEAM_ID, so it's very unlikely that VAC is even aware that you attempted to connect.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 14:11 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
I don't want to go offtopic here, but I'm pretty sure that steam (VAC) fucked me up when I was using "hack" tools while outside of game, steam was running silently and I forgot it was in systray. I think VAC is lying, it scans even if you are not in game.

ofc steam denies all this and there is no way I can prove it, but I know what I was doing.
anyways I won't 'steal' the topic and go offtopic, instead I'll just refer to the topics where my VAC ban was discussed:
> on Luigi's forum > VAC (steam)
> on my forum, longer > VAC - false positives ( STEAM )

so just in case, I won't touch that from an account that has not been VAC banned, instead I think I will make a test using an already VAC banned account, it should be just enough to send it, because it sends it before steam id.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 16:54 

Joined: 16 Aug 2007 06:25
Posts: 367
Yea I would definitely think an out of game PoC is possible. After watching the loading bars, it's merely 2-3 bars in before it stops responding (pretty much right away). Even if a valid steam account was required it would still be possible, but would just require further reverse engineering.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 17:10 

Joined: 29 Jul 2009 17:15
Posts: 16
I'm sure it's possible, but it's not something that I could do on my own. :P


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 17:28 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the only obstacle at the moment is the sending of a valid steam key which is something checked only on the server (so without packets sent to steam).

I guess I will take a look at it now at least to understand how this mechanism works although I guess it's similar to what happens with demonware where each server has a special unique key that the client retrieves when connects to the steam network or similar (it's only a hypothesis, I repeat that I have not verified this thing yet).

but isn't possible to disable VAC on the client during the test of the bug?
because only 3 packets are involved:
- the request of joining the server
- the packet with nickname, key and cookie
- the packet built by my code
so no VAC stuff involved


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 17:33 

Joined: 29 Jul 2009 17:15
Posts: 16
You're asking if you can disable VAC on your source server? That's easy, I would add -insecure to the command line of your srcds.


Last edited by Nowayz on 01 Aug 2009 18:23, edited 2 times in total.

 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 17:37 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
no no, I mean if you can disable it on the client.
something like cl_pb_disable for disabling punkbuster on the clients of the games which use it


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 17:40 

Joined: 29 Jul 2009 17:15
Posts: 16
I don't think you can disable VAC on the game client unfortunately.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 18:09 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
well, if the hooking solution could be a problem for the tests due to VAC, the following solution will avoid any problem at all.

it's a plugin for sudppipe so the client connects to the proxy which modifies the packet and so sudppipe can be launched on the same machine or on a virtual machine or even another pc.

how to use:
- download sudppipe: http://aluigi.org/mytoolz.htm#sudppipe
- get the attached dll and put it in the same folder of sudppipe
- launch: sudppipe -l source_sendcmd_sudp.dll SERVER 27015 1234
- connect your client to 127.0.0.1:1234 (or if sudppipe is on the virtual machine specify its IP address)


Attachments:
source_sendcmd_sudp.zip [4.65 KiB]
Downloaded 523 times
 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 18:25 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
oh, the reasons why the PoC doesn't work with TF2 are that:
- the first packet of this game is fdffffff and not 1
- it's compressed apparently with a lzss algorithm (although none of the lzss implementations I have here has given a good output).

anyway now I do a quick test to verify if it's simply enough to add 0xfffffffd in the original PoC for forcing the substitution of the compressed packet with the rebuilt one used in the PoC.
you can test it by yourself recompiling the code or placing a 0xfd at offset 0x863 of myproxocket.dll


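A small parser for the packet headers that come up in this thread: the ffffffff prefix and the 0x71 ('q') type byte of the udpsz payload in Luigi's earlier post, and the fdffffff prefix of TF2's compressed first packet in this one. This is an added example, not code from the thread or from any of Luigi's tools. The header names CONNECTIONLESS_HEADER, SPLITPACKET_HEADER and COMPRESSEDPACKET_HEADER and the A2S_GETCHALLENGE type follow the public Source SDK headers; the thread itself only cites the raw bytes. The TF2 and in-channel sample packets are constructed placeholders, and the example makes no attempt at the LZSS decompression.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header dwords of a Source engine UDP datagram (little-endian on the wire),
 * named as in the public Source SDK. On the wire they read ffffffff,
 * feffffff and fdffffff, which is how the thread cites them. */
#define CONNECTIONLESS_HEADER   0xFFFFFFFFu
#define SPLITPACKET_HEADER      0xFFFFFFFEu
#define COMPRESSEDPACKET_HEADER 0xFFFFFFFDu

/* Connectionless request type of the udpsz payload (0x71), A2S_GETCHALLENGE
 * in the SDK's protocol.h. */
#define A2S_GETCHALLENGE 'q'

typedef enum {
    PKT_TOO_SHORT = 0,
    PKT_CONNECTIONLESS,   /* ffffffff + one type byte + body */
    PKT_SPLIT,            /* feffffff: fragment of a larger packet */
    PKT_COMPRESSED,       /* fdffffff: compressed body (LZSS, per the thread) */
    PKT_NETCHAN           /* anything else: in-channel, first dword = sequence */
} pkt_kind_t;

typedef struct {
    pkt_kind_t kind;
    uint8_t type;        /* connectionless packets only */
    uint32_t sequence;   /* netchannel packets only */
    size_t body_len;     /* bytes after the header (and the type byte) */
} pkt_info_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

pkt_info_t classify_packet(const uint8_t *buf, size_t len) {
    pkt_info_t info = {PKT_TOO_SHORT, 0, 0, 0};
    if (len < 4)
        return info;
    uint32_t hdr = le32(buf);
    if (hdr == CONNECTIONLESS_HEADER) {
        info.kind = PKT_CONNECTIONLESS;
        if (len >= 5) {
            info.type = buf[4];
            info.body_len = len - 5;
        }
    } else if (hdr == SPLITPACKET_HEADER) {
        info.kind = PKT_SPLIT;
        info.body_len = len - 4;
    } else if (hdr == COMPRESSEDPACKET_HEADER) {
        info.kind = PKT_COMPRESSED;
        info.body_len = len - 4;
    } else {
        info.kind = PKT_NETCHAN;
        info.sequence = hdr;
        info.body_len = len - 4;
    }
    return info;
}

/* Hex string -> bytes, the form udpsz -C takes. Returns byte count or -1. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

int hex_decode(const char *hex, uint8_t *out, size_t outlen) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > outlen)
        return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* The exact payload from the udpsz test earlier in the thread. */
static const char UDPSZ_HEX[] = "ffffffff71303030303030303030303030303000";

int udpsz_payload_len(void) {
    uint8_t buf[64];
    return hex_decode(UDPSZ_HEX, buf, sizeof buf);
}

pkt_info_t classify_udpsz_payload(void) {
    uint8_t buf[64];
    int n = hex_decode(UDPSZ_HEX, buf, sizeof buf);
    pkt_info_t bad = {PKT_TOO_SHORT, 0, 0, 0};
    return n < 0 ? bad : classify_packet(buf, (size_t)n);
}

/* Constructed stand-in for TF2's first packet: fdffffff header followed by a
 * placeholder body (not real compressed data). */
pkt_info_t classify_tf2_sample(void) {
    static const uint8_t tf2[] = {0xfd, 0xff, 0xff, 0xff, 0x00, 0x01, 0x02, 0x03};
    return classify_packet(tf2, sizeof tf2);
}

/* Constructed in-channel packet: outgoing sequence 7, then channel data. */
pkt_info_t classify_netchan_sample(void) {
    static const uint8_t pkt[] = {0x07, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00};
    return classify_packet(pkt, sizeof pkt);
}

static const char *kind_name(pkt_kind_t k) {
    switch (k) {
    case PKT_CONNECTIONLESS: return "connectionless";
    case PKT_SPLIT:          return "split";
    case PKT_COMPRESSED:     return "compressed";
    case PKT_NETCHAN:        return "netchannel";
    default:                 return "too short";
    }
}

int main(void) {
    pkt_info_t q = classify_udpsz_payload();
    printf("udpsz payload: %s, type '%c', %zu body bytes\n",
           kind_name(q.kind), q.type, q.body_len);
    printf("tf2 sample:    %s\n", kind_name(classify_tf2_sample().kind));
    pkt_info_t n = classify_netchan_sample();
    printf("netchan:       %s, sequence %u\n", kind_name(n.kind), (unsigned)n.sequence);
    return 0;
}
```

The point of the split is the one Luigi makes: a proxy that only recognises the ffffffff path will pass TF2's fdffffff first packet through untouched, so nothing gets substituted and the client simply connects, which is what the test in the next post observed.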
 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 19:21 

Joined: 16 Aug 2007 06:25
Posts: 367
Just tried placing 0xFD at offset 0x863 but TF2 still connects just fine.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 01 Aug 2009 19:26 

Joined: 29 Jul 2009 17:15
Posts: 16
The command that we're using might not work for TF2, although there are many others.


 Post subject: Re: Source Engine seg fault crash exploit
PostPosted: 03 Aug 2009 19:56 

Joined: 21 Aug 2007 17:12
Posts: 28
This one is one of the easier ones to patch. All you have to do is hook all commands and check if the person is in game (i.e., entity is created).

In SourceMod this is a simple two-liner.

Code:
// inside the command hook: refuse commands from a client whose entity does not exist yet
if (!IsClientInGame(client))
    return Plugin_Stop;

http://forums.alliedmods.net/showthread.php?t=72354


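A C model of the bug described in the opening post (a command handler that dereferences the caller's entity before that entity exists) next to the check the SourceMod snippet above applies. This is an added example, not code from the thread, from SourceMod or from the Source engine: client_t, entity_t, the handle_cmd_* functions and the CMD_* codes are constructed for illustration, and trace_from_entity stands in for whatever engine code dereferences the player's entity.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a server-side client slot. The entity pointer stays
 * NULL from the moment the client is accepted until it actually spawns,
 * which is the window the crash in this thread lives in. */
typedef struct {
    float origin[3];
} entity_t;

typedef struct {
    int connected;   /* handshake done: the client can already send commands */
    int in_game;     /* entity created, player spawned */
    entity_t *ent;   /* NULL until in_game is set */
} client_t;

enum { CMD_OK = 0, CMD_REJECT_NOT_IN_GAME = 1 };

/* Stand-in for engine code that needs the caller's entity, e.g. the start
 * point of a trace. It dereferences ent unconditionally. */
static void trace_from_entity(const entity_t *ent, float start[3]) {
    start[0] = ent->origin[0];   /* NULL pointer dereference if ent is NULL */
    start[1] = ent->origin[1];
    start[2] = ent->origin[2];
}

/* Vulnerable dispatcher: being connected is taken to mean having an entity.
 * A client that has only finished the handshake has ent == NULL, so the
 * trace below segfaults the server. */
int handle_cmd_vulnerable(client_t *cl, float start[3]) {
    if (!cl->connected)
        return CMD_REJECT_NOT_IN_GAME;
    trace_from_entity(cl->ent, start);
    return CMD_OK;
}

/* Hardened dispatcher: the same gate as IsClientInGame() in the SourceMod
 * fix, plus an explicit NULL check so the two cannot drift apart. */
int handle_cmd_hardened(client_t *cl, float start[3]) {
    if (!cl->connected || !cl->in_game || cl->ent == NULL)
        return CMD_REJECT_NOT_IN_GAME;
    trace_from_entity(cl->ent, start);
    return CMD_OK;
}

/* Two constructed clients: one still on the loading bars, one spawned. */
static entity_t spawned_entity = {{10.0f, 20.0f, 30.0f}};

client_t connecting_client(void) {
    client_t cl = {1, 0, NULL};
    return cl;
}

client_t spawned_client(void) {
    client_t cl = {1, 1, &spawned_entity};
    return cl;
}

/* Outcomes as return values, so they can be checked without a crash. */
int hardened_result_for_connecting(void) {
    client_t cl = connecting_client();
    float start[3];
    return handle_cmd_hardened(&cl, start);
}

int hardened_result_for_spawned(void) {
    client_t cl = spawned_client();
    float start[3];
    return handle_cmd_hardened(&cl, start);
}

int vulnerable_result_for_spawned(void) {
    client_t cl = spawned_client();
    float start[3];
    return handle_cmd_vulnerable(&cl, start);
}

int main(void) {
    printf("hardened, connecting client: %d (1 = rejected)\n", hardened_result_for_connecting());
    printf("hardened, spawned client:    %d (0 = ok)\n", hardened_result_for_spawned());
    printf("vulnerable, spawned client:  %d (0 = ok)\n", vulnerable_result_for_spawned());
    /* handle_cmd_vulnerable() on connecting_client() is deliberately not
     * called: it passes the connected check and dereferences a NULL entity,
     * which is the segmentation fault shown in the srcds_run log above. */
    return 0;
}
```

The checks belong in the dispatcher, not in each command: the thread notes that the same gap exists for any command that needs the player's entity, so gating every string command on the in-game state (as the SourceMod plugin does) closes all of them at once.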