Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 12:22

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 35 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: q3dirtrav
PostPosted: 27 May 2010 19:43 

Joined: 27 May 2010 19:08
Posts: 23
People have tried to screw with my server, I saw it in my logs. I want to try this now myself on my own server.

I saw a number of topics about this tool on this forum.
But I still don't know what I am doing wrong.

I start q3dirtrav.exe
Then I start Call of Duty 4 Multiplayer.
I connect to a server, it automatically downloads the mod files.
Then I alt tab and I refresh the processes then fill in the output filename.
Afther that I click the iw3mp.exe and I click activate exploint.
This is the respond of the tool:
Quote:
- perfect, now all you need to do is opening the console from your game client
and type /download followed by the name of the file you want to download
usually the console can be opened with the ~ (tilde) key or shift + ~
the following are some examples of download commands:
/download base/server.cfg
/download baseq3/server.cfg
/download baseq3/q3key
/download main/server.cfg
/download mainta/server.cfg
/download maintt/server.cfg
/download uo/server.cfg
/download rocmod/server.cfg
/download etmain/server.cfg
/download osp\server.cfg
/download pb\svlogs\00000001.log
/download ..\..\..\..\windows\win.ini
/download ../../../../../etc/passwd
some games like Medal of honor don't need the slash before the command

- if everything was correct in your game folder you will find the output
file you choosed containing the data downloaded from the server

- if you want you can refresh the processes and exploit the same process again
or another one, for example if you want to download another file and so on


Then I go back to Call of Duty 4 Multiplayer and place this in console:
/download main/server.cfg

But nothing happens, no error, nothing. Also the server log file doesn't show anything.


Top
 Profile  
 
 
 Post subject: Re: q3dirtrav
PostPosted: 28 May 2010 09:50 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
in the CoD series you need to use also another tool called forfopen:
post3479.html#p3479

in any case when you launch the /download command the game should restart the map, if it doesn't then means there is something incorrect like the server (or the client, you) with downloads disabled


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 28 May 2010 12:31 

Joined: 27 May 2010 19:08
Posts: 23
K Thanxs.
When I fill in /download just_a_map/file_that_does_not_excist.cfg
I get this error in my cod4 console: Error: CL_ParseServerMessage: Illegible server message 69
When I fill in the correct path to the cfg I do not get an error.

But I can't find the tmp.txt file.
I also tried this: post9740.html#p9740
But this map does not excist on my pc: C:\Users\User\AppData\Local\VirtualStore\Program Files\Activision\Call of Duty 4 - Modern Warfare\

I can go to: C:\Users\User\AppData\Local\VirtualStore\Program Files\
But there is no Activision map in there.

I have Windows 7 x64 and Call of Duty 4 installed in D:\Call of Duty 4 - Modern Warfare\
The files also inst in there.

Is there something I am doing wrong?


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 28 May 2010 17:11 

Joined: 28 Oct 2008 00:45
Posts: 11
Put your files in the Moden warfare root folder,
Boot them from there.

btw, you should get a sort of vid_restart when doing the /download command


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 29 May 2010 09:25 

Joined: 27 May 2010 19:08
Posts: 23
It works on my other compter with xp :)
Thanxs


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 31 May 2010 11:30 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
it works on ayn windows, this is how i do it on cod4
open foropen, type in "temp.txt" press enter (foropen must be in root cod4 folder, where iw3mp is located, but this is not the case for cod2 where you put it in main folder [you dont even need fopen sometimes])
open q3dirtrav
get in my (dont use this on others servers without admins permission!) cod4 server, /cl_wwwdownload 0
alt+tab, type in q3dirtrav "temp.txt" select iw3mp.exe in process list (button may not be enabled, but just click on the textbox, and it will be enabled)
get in game,and type in console: /download main/server.cfg (or whatever is the path/name of cfg, also, im working on a brute-forcer for this, which will try to find irregular paths and names of config file, be sure that il post it here when im finished :D)
if you did all as described, your client will reconnect you (or disconnect you in case that server is patched or something) and foropen will say sometihn like press ctrl+c to close (aluigi's fopen is a bit different then mine) and in cod4 root folder there will be temp.txt holding the config of the server

hope this helps!


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 31 May 2010 15:41 

Joined: 27 May 2010 19:08
Posts: 23
Thanxs :D

Good luch with your tool. I can try it on my server. I don't have a server.cfg so :)


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 31 May 2010 19:29 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
well, you have some kind of configuration on your server (most likely)
but q3dirtrav isn't limited to configuration files, so for instance, you could do the following:
/download main/iw_00.iwd

or if server has pb webtool:

/download pb/pbsv.cfg

and read the pb webtool port (you obviously know the ip...) and password
there you go, you have pbwebtool, and you can do whatever you want with server

anyways, possiblities are endless (not really, lol, but you are bound to files below game's root folder :D)


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 31 May 2010 19:59 

Joined: 27 May 2010 19:08
Posts: 23
Yes I know you can download everything out of the root folder :)

Yes ofcourse the pb web tool I forgot that ... Thanxs for saying it.
Going to secure that.


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 31 May 2010 20:22 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
no problem :D
best way to secure it is to patch the servers exe with http://aluigi.altervista.org/patches/q3dirtravfix.zip


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 31 May 2010 20:44 

Joined: 27 May 2010 19:08
Posts: 23
We have linux files running on the server.


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 01 Jun 2010 15:06 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
consider also the possibility of just disabling downloads and voting, you can't imagine how much troubles you will kill doing it


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 01 Jun 2010 17:55 

Joined: 27 May 2010 19:08
Posts: 23
We have a mod on the server. So we have download enabled.

But voting is disabled.


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 01 Jun 2010 18:07 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
but you are using a CoD server so you can allow only the www downloads, disabling the non-www ones.
in that case you are safe


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 06 Jun 2010 15:32 

Joined: 27 May 2010 19:08
Posts: 23
Yea that is true.

And how do I run q3infoboom?
I saw this: http://aluigi.org/adv/q3infoboom-adv.txt
And I downloaded the file.
But I don't know what I have to do now.

And when I use it on my server. What will happen? Only the cod4 server crashes or the whole hardware server?


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 06 Jun 2010 15:35 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
q3infoboom is a command-line tool so launch it from cmd.exe and BE SURE to launch it also with the -q getstatus option, so:
q3infoboom SERVER PORT
q3infoboom -q getstatus SERVER PORT

the tool could be a bit slow because it scans any possible lenght of the infostring for being sure that the server is vulnerable or not.

if you are vulnerable the effect is the termination of the cod4 server's process (termination or crash, NOT the server hardware ih ih ih)


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 06 Jun 2010 16:12 

Joined: 27 May 2010 19:08
Posts: 23
I placed the 2 files in C:
I open cmd there I type: cd\
Then I type: q3infoboom -q getstatus 28960
I get this error:
q3infoboom is not recognized as an internal
or external command, program or batch file


Last edited by Henk on 06 Jun 2010 16:17, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 06 Jun 2010 16:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
for doubts about the usage of the command-line refer to google or http://aluigi.org/about.htm#howuse
then remember to specify also the IP or hostname of your server before the port


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 06 Jun 2010 16:30 

Joined: 27 May 2010 19:08
Posts: 23
I already tried typing: q3infoboom -q getstatus 12.34.56.78:28960
But I still get the same error.

I already saw the how to use. But it says this: - now type the name of the executable
But that file isn't an executable.

Do I first have to compile them to an exe?


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 06 Jun 2010 16:33 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
q3infoboom.zip already contains q3infoboom.exe


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 06 Jun 2010 16:40 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
..try unpacking the file first doh.


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 06 Jun 2010 18:11 

Joined: 27 May 2010 19:08
Posts: 23
Yea I know.

Only my virus scanner removed the file every time.

But now I get this error:
- getstatus crash/shutdown scan:

packet length: 1200

- last packet sent was 1200 bytes (size of data = 1186)
- check server:

Server doesn't seem vulnerable



I think it is good that the server isn't vulnerable :)
Or did I do something wrong?


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 08 Jun 2010 00:25 

Joined: 07 Aug 2008 06:01
Posts: 45
Henk wrote:
Yea I know.

Only my virus scanner removed the file every time.

But now I get this error:
- getstatus crash/shutdown scan:

packet length: 1200

- last packet sent was 1200 bytes (size of data = 1186)
- check server:

Server doesn't seem vulnerable



I think it is good that the server isn't vulnerable :)
Or did I do something wrong?



Try using a different packet such as getstatus or getchallenge, as servers tend to be vulnerable to different types. Also make sure you are starting off from size 0 going to 2048

q3infoboom.exe -f 0 -t 2048 -q getstatus IP:Port would be an example of this. Hypothetically speaking, ofc.


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 28 Jun 2010 15:39 

Joined: 28 Jun 2010 15:35
Posts: 7
Is that possible to programm or to edit in hex to make the command for downloading to be not /download but to be, for example, /wqas or to make us to can choose the command we want to use for downloading.


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 28 Jun 2010 16:51 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
why hex edit ? this is Luigi's tool, which means it is open source, download the source code (included in the package) and recompile with your own / directory. i have never used this tool, but im more than sure that Luigi have added an option to change it.


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 28 Jun 2010 18:18 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
yes you can do it with a hex editor, the string is "download" with a 00 byte before and after it, example:
Code:
75 73 65 72 69 6e 66 6f 00 64 69 73 63 6f 6e 6e   userinfo.disconn
65 63 74 00 63 70 00 76 64 72 00 64 6f 77 6e 6c   ect.cp.vdr.downl
6f 61 64 00 6e 65 78 74 64 6c 00 73 74 6f 70 64   oad.nextdl.stopd
6c 00 64 6f 6e 65 64 6c 00 76 6f 69 70 00 67 5f   l.donedl.voip.g_
to:
Code:
75 73 65 72 69 6e 66 6f 00 64 69 73 63 6f 6e 6e   userinfo.disconn
65 63 74 00 63 70 00 76 64 72 00 77 71 61 73 00   ect.cp.vdr.wqas.
00 00 00 00 6e 65 78 74 64 6c 00 73 74 6f 70 64   ....nextdl.stopd
6c 00 64 6f 6e 65 64 6c 00 76 6f 69 70 00 67 5f   l.donedl.voip.g_


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 29 Jun 2010 11:50 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
usually beginners mess it up if they try to hex edit, this is why i asked why hex edit, if its open source.


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 29 Jun 2010 14:46 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
he wasn't referring to my tool, he referred to the game server.
yeah he was totally off-topic :)


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 09 Jul 2010 20:06 

Joined: 11 Jan 2010 12:43
Posts: 15
Can anyone tell me if "q3dirtrav" works on CS and CSS??? Please let me know, thanks :)


Top
 Profile  
 
 Post subject: Re: q3dirtrav
PostPosted: 10 Jul 2010 11:10 

Joined: 24 Jun 2010 10:04
Posts: 70
Location: aluigi not @ home
no, q3dirtrav is a proof-of-concept for a bug in the Quake 3 engine NOT the source/half-life one


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 35 posts ]  Go to page 1, 2  Next

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: