Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 11:44

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 13 posts ] 
 Post subject: our server MOH:SH crashed daily, please help me to fix it
PostPosted: 08 Dec 2010 22:36 

Joined: 08 Dec 2010 21:52
Posts: 7
Hello Luigi and all others,

I'm from Germany and please excuse me for my English.

This is the end of the logfile
Code:
SV packet 84.19.165.214:-1265 : getstatus
SV packet 79.221.210.13:7130 : getstatus
SV packet 84.19.165.214:-1265 : getinfo
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
SV packet 92.75.15.253:20730 : getstatus
SV packet 84.19.165.214:-1265 : getinfo
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
Info string length exceeded
SV packet 84.19.165.214:-1265 : getinfo
Info string length exceeded
Cvar_Set2: com_errorMessage Info_SetValueForKey: oversize infostring
********************
ERROR: Info_SetValueForKey: oversize infostring
********************
----- Server Shutdown -----
==== ShutdownGame ====
Cvar_Set2: session 3
Cvar_Set2: g_scoreboardpicover
Cvar_Set2: bosshealth 0
------ Unloading fgameded.so ------
Cvar_Set2: g_scoreboardpicover
Cvar_Set2: sv_running 0
---------------------------


I think it's q3infoboom but I cannot test it.
I downloaded the scanner http://aluigi.altervista.org/poc/q3infoboom.zip and started it with these command lines:

c:\q3info\q3infoboom.exe -f 0 -t 2048 -q getstatus 127.1.0.0 12203 (This is not my Server IP)
c:\q3info\q3infoboom.exe -q getstatus 127.1.0.0 12203
c:\q3info\q3infoboom.exe 127.1.0.0 12203

All these experiments show the same error message, "Error: socket timeout, no reply received", but I am sure that the IP is correct and that the server is online.

Is this scanner not suitable for MOH Spearhead servers?
And is my suspicion correct that it is q3infoboom?

Our server has been attacked before with a buffer overflow, but we were able to successfully fix it with this patch http://icculus.org/betas/mohaa/spearhead-lnxded-08292004.tar.bz2

But here you write that q3infoboom is fixed in this patch, or do I understand this wrong?
/search.php?st=0&sk=t&sd=d&sr=posts&keywords=%2Bq3infoboom++

Our Server:
Medal of Honor Spearhead 2.15 linux-i386 Aug 29 2004
v2.15 (Linux, Protocol 17)


I hope you can help me
thx wor


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 09 Dec 2010 14:41 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
for linux you must use the official fixes:
http://icculus.org/betas/mohaa/?M=A


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 09 Dec 2010 15:28 

Joined: 08 Dec 2010 21:52
Posts: 7
Hey Luigi, thank you for your fast answer,

aluigi wrote:
for linux you must use the official fixes:
http://icculus.org/betas/mohaa/?M=A


But I think I have this patch already, look at my post. We have been attacked a few months ago with a buffer overflow because I made this patch (spearhead-lnxded-08292004)

wor wrote:
Our server has been attacked before with a buffer overflow, but we were able to successfully fix it with this patch http://icculus.org/betas/mohaa/spearhead-lnxded-08292004.tar.bz2


This patch spearhead-lnxded-08292004 is on it, but the server still crashes anyway, and the error in the logfile suggests that it is q3infoboom ;(
ERROR: Info_SetValueForKey: oversize infostring

I hope you have an idea what I can do, and maybe a tool with which to test it.

if you need more info then ask and if you still need the IP from the server no problem
thanks wor


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 09 Dec 2010 20:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmmm maybe you can try with my q3infofix_linux work-around but I doubt it changes the situation:
http://aluigi.org/patches/q3infofix_linux.lpatch


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 09 Dec 2010 21:18 

Joined: 08 Dec 2010 21:52
Posts: 7
And which file do I need to patch, the spearhead_lnxded?

And what patch? Q3 111 or Q3 116n?

The server has already been under continuous attack for a few hours :(

There are also 5 servers which are well attended in the attack, all are down and ours too

Our Server IP is 85.131.243.95:12203 maybe you can test whether your q3infoboom works


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 09 Dec 2010 21:23 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the patch is just the file you are reading.
if you use windows at home is more convenient if you patch the linux executable there since the process is more simple because you must only click on lpatch.exe, select q3infofix_linux.lpatch, select the executable and you should receive a success message (if the executable is supported by the patch).
then you can upload the patched exe on the server.


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 09 Dec 2010 21:42 

Joined: 08 Dec 2010 21:52
Posts: 7
ok I'll try it I hope it works


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 11 Dec 2010 01:23 

Joined: 08 Dec 2010 21:52
Posts: 7
Hey Luigi,

I did the following:

1. Download the Lame Patcher 0.4.4a (lpatch) and unzip it.
http://aluigi.altervista.org/mytoolz/lpatch.zip

2. Download the Patch File
http://aluigi.org/patches/q3infofix_linux.lpatch

3. Download the spearhead_lnxded from my Server (FTP)

4. click on lpatch.exe, select q3infofix_linux.lpatch, select the executable --> spearhead_lnxded

And that is the Message :(

Image

Was what I did right?

Is this a new exploit, and if so can you fix it?

thx W.??.R


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 12 Dec 2010 19:55 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
when you receive that message means that the patch doesn't contain the pattern for that specific game, so no patch


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 12 Dec 2010 23:54 

Joined: 08 Dec 2010 21:52
Posts: 7
Yes, I've also thought that :( What can I do now?

Can you test for me whether our server is safe against q3infoboom? Our server is 85.131.243.95:12203

I tried it but it does not work for me..... Error: socket timeout, no reply received


I would be very grateful if you could make a patch for that problem please

Thx w.o.r


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 13 Dec 2010 12:07 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
you get that error with q3infoboom because the protocol used in moh uses an additional byte after the initial yyyy bytes

while for the patch I can't help


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 13 Dec 2010 18:24 

Joined: 08 Dec 2010 21:52
Posts: 7
Hi Luigi,
I know I'm annoying you but you are the only one who can help us and other MOH Server owners.

You say
Quote:
you get that error with q3infoboom because the protocol used in moh uses an additional byte after the initial yyyy bytes


this means it is not possible to crash moh with q3infoboom ? or you mean it is possible if the attacker changes the code of q3infoboom scanner ?

Quote:
while for the patch I can't help

This is a pity :( our hope was alone with you, I know no one else who could still make it.

Maybe you have another suggestion.

For example --> Auto IP ban when a code/packet of q3infoboom is sent to the server.

thanks for the patience with me :) W.O.R


 Post subject: Re: our server MOH:SH crashed daily, please help me to fix i
PostPosted: 14 Dec 2010 00:54 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
that means that it's enough to add the missing byte (\x02) in the query packet of q3infoboom to test also moh.

that thing of the auto banning is possible and I posted an example on an old thread of the forum.
the following are the iptables commands for moh:
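Code:
# Drop oversized (64+ byte) MOH getinfo/getstatus queries; set --dport to your server's UDP port.
# --hex-string carries the raw \xff\xff\xff\xff\x02 prefix as |ff ff ff ff 02|; the string match requires --algo.
iptables -A INPUT -p udp --dport 27015 -m string --algo bm --hex-string "|ff ff ff ff 02|getinfo" -m length --length 64:65535 -j DROP
iptables -A INPUT -p udp --dport 27015 -m string --algo bm --hex-string "|ff ff ff ff 02|getstatus" -m length --length 64:65535 -j DROP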
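
Added example, not part of the original posts: a small Python script that attributes each "Info string length exceeded" warning in a log like the one in the first post to the query logged immediately before it, so the source to filter can be identified. The sample is a shortened excerpt of that log; reading the negative port as a signed 16-bit rendering, and treating the preceding `SV packet` line as the source of each warning, are assumptions.

```python
import re
from collections import Counter

# Shortened excerpt of the server log quoted in the first post of this thread
# (repeated warning lines trimmed).
SAMPLE_LOG = """\
SV packet 84.19.165.214:-1265 : getstatus
SV packet 79.221.210.13:7130 : getstatus
SV packet 84.19.165.214:-1265 : getinfo
Info string length exceeded
Info string length exceeded
SV packet 92.75.15.253:20730 : getstatus
SV packet 84.19.165.214:-1265 : getinfo
Info string length exceeded
SV packet 84.19.165.214:-1265 : getinfo
Info string length exceeded
Cvar_Set2: com_errorMessage Info_SetValueForKey: oversize infostring
ERROR: Info_SetValueForKey: oversize infostring
"""

PACKET_RE = re.compile(r"^SV packet (\d+\.\d+\.\d+\.\d+):(-?\d+) : (\S+)")
WARNING = "Info string length exceeded"
FATAL = "ERROR: Info_SetValueForKey: oversize infostring"


def analyze(log_text):
    """Attribute each oversize warning to the query logged just before it."""
    warnings = Counter()  # (ip, port, command) -> number of warnings
    last = None           # most recent connectionless query seen
    crash_source = None   # query logged last before the fatal error
    for line in log_text.splitlines():
        line = line.strip()
        m = PACKET_RE.match(line)
        if m:
            ip, port, cmd = m.group(1), int(m.group(2)), m.group(3)
            # Assumption: the port is printed as a signed 16-bit value.
            last = (ip, port & 0xFFFF, cmd)
        elif line == WARNING and last:
            warnings[last] += 1
        elif line == FATAL and last:
            crash_source = last
    return warnings, crash_source


if __name__ == "__main__":
    counts, crash = analyze(SAMPLE_LOG)
    for (ip, port, cmd), n in counts.most_common():
        print(f"{ip}:{port} {cmd}: {n} oversize warnings")
    print("query logged before the fatal error:", crash)
```
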

