Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 12 posts ] 
 Post subject: Hi im ^Zodiac :) and i have a question
PostPosted: 14 Aug 2007 21:15 

Joined: 14 Aug 2007 21:06
Posts: 2
Hi, my name's ^Zodiac. My Q3 games are Jedi Academy, and I have Jedi Outcast (but I don't really play it). I found out about this sort of thing from people who hacked my server.

My question is: does anyone know, or can anyone help me with, the sv_download hack? I know that sv_download set to 1 is a way of downloading the server.cfg and getting rcon etc. I tried /download japlus/server.cfg and it came up with [code]Server Sending Download, No Download was Requested[/code]. Does anyone know a way around this?

^Zodiac

P.S.: I think you should make a general section where you can talk about anything.


PostPosted: 14 Aug 2007 21:35 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Hey Zodiac,

the directory traversal bug you refer to is this one:
http://www.securityfocus.com/archive/1/ ... 0/threaded

If you need to fix it you must simply set sv_allowdownload to 0 on your server, while if you want to test the bug I think you must modify the game executable, or it's probably enough to play with some cvars... sincerely, I tested the Quake 3 engine in depth a long time ago and my memory sucks too much to remember a way of requesting arbitrary files, ih ih ih

About the section, uhmmm, probably the correct one for your thread was Proof-of-concepts, since the general section is just this one (...anything else...).


PostPosted: 15 Aug 2007 16:48 
My almost universal proof-of-concept is online:

http://aluigi.altervista.org/poc.htm

Thanks a lot to bobbafett for the idea about how to realize it!
For finding the download structure I used a very simple method: I search for where "%s.tmp" is used and then take the address of the destination buffer, which is just 4 bytes above the beginning of the data to modify.


PostPosted: 28 Aug 2007 08:34 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have updated the proof-of-concept; now it has a simple GUI, and the process to modify can be selected from a list.


PostPosted: 30 Sep 2007 15:08 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Just a note about this PoC.
Sometimes people contact me asking why server.cfg is not available on the server.

First of all, read the information written in the message window in case you have doubts about how to use the PoC (incredibly, this happens...).

Returning to the previous point, the answer is very simple: it's just not available, or not at that location, or not with that name.

This is perfectly normal on some servers, since this file is not required for running them; for example, the server could have been launched through a .bat or .lnk file with the rcon password passed there.

For example, it is also possible to try the following downloads:
/download baseq3/server.cfg
/download baseq3/q3config.cfg
/download baseq3/games.log
/download pb/svlogs/00000001.log (or 2, 3, 4 and so on, since they are sequential in hexadecimal format)

where "baseq3" or "base" is the default game content folder, so if you use RoCmod it's rocmod, or osp for OSP, and so on.
And then q3config.cfg (which is the client's configuration, sometimes useful) changes name from game to game; for example, on JA it's jampconfig.cfg.

Another thing: if you don't know the structure of the files used by your game, you probably don't need to use this PoC; give up.
Translated: the PoC is universal, but you must "know" the game.

Then remember that this is a directory traversal bug, so your "downloads" are not limited to the game folder but extend to ANY file on that disk (..\..\..\), including system files with read access, configurations and so on.
In case you don't know what a "directory traversal" vulnerability is, check on the Internet for more information, since it's really a very critical bug, and having a similar problem on a server is very bad and must be fixed or removed as soon as possible!

At the moment the only way of stopping this problem is setting sv_allowdownload to 0 on the server; anyway, a real patch is possible, although I need to find a way of making it "universal" as usual.
The idea is basically the following: placing a stristr(cl->downloadName, ".pk3") check in SV_BeginDownload_f.
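
As an added illustration (editor's example, not aluigi's PoC, a patch from him, or engine code), here is the substring idea from the post beside a stricter server-side policy for the name a client passes in its "download <name>" request, run over the kinds of paths mentioned in this thread. The strict version goes beyond the post's suggestion: it refuses any ".." component, backslashes, drive letters and absolute paths, and requires the name to be exactly "<gamedir>/<file>.pk3" with the extension at the end (so "baseq3/server.pk3.cfg" is refused too). The function names and the sample requests are constructed for this example; MAX_QPATH is the real Quake 3 path limit.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Quake 3 limits a relative game path to MAX_QPATH (64) bytes; the value
 * comes from the public q_shared.h. Everything else in this file is an
 * illustrative stand-in written for this example, not engine code. */
#define MAX_QPATH 64

/* Case-insensitive "does name end with ext" (ASCII only). */
static bool has_ext_ci(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    if (n <= e)                       /* need at least one char before the extension */
        return false;
    const char *p = name + n - e;
    for (size_t i = 0; i < e; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)ext[i]))
            return false;
    return true;
}

/* The idea from the post: allow the request if ".pk3" appears anywhere in
 * the name (strstr stands in for stristr). It blocks "japlus/server.cfg",
 * but not "../../other/baseq3/pak0.pk3" or "baseq3/server.pk3.cfg". */
bool download_allowed_substring(const char *name)
{
    return strstr(name, ".pk3") != NULL;
}

/* Stricter policy: exactly "<gamedir>/<file>.pk3", no traversal, no
 * Windows-specific separators, printable ASCII only. */
bool download_allowed_strict(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= MAX_QPATH)
        return false;
    if (name[0] == '/' || name[0] == '\\')           /* absolute path */
        return false;
    if (strstr(name, "..") != NULL)                   /* any traversal component */
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '\\' || c == ':')                    /* backslash, drive letter, NTFS stream */
            return false;
        if (c < 0x20 || c > 0x7e)                     /* control or non-ASCII byte */
            return false;
    }
    const char *slash = strchr(name, '/');
    if (slash == NULL || slash == name || strchr(slash + 1, '/') != NULL)
        return false;                                 /* exactly one directory level */
    return has_ext_ci(slash + 1, ".pk3");
}

/* Constructed sample requests (not captured traffic) in the shape of the
 * client's "download <name>" command; print both policies' verdicts. */
int main(void)
{
    static const char *requests[] = {
        "baseq3/pak0.pk3",
        "japlus/server.cfg",
        "baseq3/q3config.cfg",
        "pb/svlogs/00000001.log",
        "../../../etc/passwd",
        "..\\..\\..\\boot.ini",
        "../../otherserver/baseq3/pak0.pk3",
        "baseq3/server.pk3.cfg",
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-36s substring:%-5s strict:%s\n", requests[i],
               download_allowed_substring(requests[i]) ? "allow" : "deny",
               download_allowed_strict(requests[i]) ? "allow" : "deny");
    return 0;
}
```

Rejecting every ".." (rather than only "../" components) also drops odd but legal names such as "mod/a..b.pk3"; for a download path that trade is worth it, since the client never needs to request anything but the pk3 files the server itself references.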


PostPosted: 01 Oct 2007 18:49 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
A video of q3dirtrav in action is available here:

http://aluigi.org/video.htm
http://www.youtube.com/watch?v=x0BCrjTb3aw


PostPosted: 17 Oct 2007 09:15 

Joined: 17 Oct 2007 08:10
Posts: 31
Location: South Carolina
I tried this on one of my call of duty servers. It took a few guesses to get the right directory and name of the config file. At first it would disconnect and say that there wasn't a file available for autodownload by that name. Finally I found the right path and filename and it didn't disconnect me or give me the message. However, it didn't generate a txt file either with the config. Is there a possibility I'm doing it wrong?


PostPosted: 17 Oct 2007 09:32 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
No, you have done nothing wrong.
The problem seems to be the structure used by CoD, which probably differs a bit from that of all the other games.
In short, you download the file successfully (your client, after having downloaded the file, will automatically reconnect, which means it was a success) but can't write it to the disk.
I think I'm going to fix it now.


PostPosted: 17 Oct 2007 10:12 

Joined: 17 Oct 2007 08:10
Posts: 31
Location: South Carolina
[quote="aluigi"]
In short, you download the file successfully (your client, after having downloaded the file, will automatically reconnect, which means it was a success) but can't write it to the disk.
[/quote]

Then I may not have successfully done it. I never disconnected and reconnected. I simply thought it went through since it didn't disconnect me and give me the file-not-found error.

I'll try again in a few minutes.


PostPosted: 17 Oct 2007 11:13 

Joined: 17 Oct 2007 08:10
Posts: 31
Location: South Carolina
OK, I tried again. This time I got disconnected to download the file and the txt file was created. But it had nothing in it; it's 0 KB.


PostPosted: 17 Oct 2007 13:41 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
q3dirtrav 0.2.1 is out

In short, CoD has the structure 256 bytes before where my tool finds it.
So my previous PoC worked perfectly; in fact the temporary file was created successfully, but then CoD performed the renaming of the temporary file using the output filename, which was not covered by my structure, something like FS_SV_Rename("tmp.txt", ""), which deleted the downloaded file and wasn't able to create the new one because it was invalid.

Version 0.2.1 checks whether the name of the process contains "cod" and "mp" and enables the "structure - 256" work-around.


PostPosted: 17 Oct 2007 14:04 

Joined: 17 Oct 2007 08:10
Posts: 31
Location: South Carolina
Wow. I wish I could just program like that. I'll give version 0.2.1 a try when I get a few minutes.

