Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 12:09

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 19 posts ] 
Author Message
 Post subject: Urgent: Jedi Academy 1.00
PostPosted: 14 Nov 2009 05:48 

Joined: 14 Nov 2009 05:45
Posts: 4
Hi, I host a 1.00 server and a kid seems to aquire my rcon password.
I have changed and changed and changed it. I have sv_AllowDownload 0, and g_CallVote 0.
How can I protect myself from this?

He says he did it through the msgboom crash, do I need to patch my server? I don't know how to do this with the msgboom.. Can someone help?
He also seems to get complete access of the server directory. It can't be a trojan because this is a paid server and he also commented in my games log that he has done this to 4 other servers.

I don't know what to do, I am considering contacting his ISP and letting them see the transcript of the games.log.
In the games.log he states he gains full control of the computer.


Top
 Profile  
 
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 14 Nov 2009 07:21 

Joined: 14 Nov 2009 05:45
Posts: 4
He uploaded a file to the server: cdf32OLE.exe.

I have reason to believe that he is a member of this forum.


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 14 Nov 2009 16:04 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
well that doesn't really seem possible unless he is a server admin playing a prank on another server admin
if ur renting the server, i suggest u change ur login password for the server so no one but u knows it so only u can upload and change stuff

i don't think he acquired ur rcon or uploaded anything through 'msgboom crash' because that is just a simple cmd overflow

really the only thing is just change ur login for the server, u might have given it out to the wrong person and they might be doing this or have given it out... so do that and tell me what happens :)


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 14 Nov 2009 20:07 

Joined: 14 Nov 2009 05:45
Posts: 4
He indeed uploaded it.
Apparently he did the same to 3 other servers.

In my server path was his executable, it was also inside System32. As well as a batch file that disabled firewall and created an ftp / ran telnet.

So he did indeed use a massive exploit through the quake 3 engine.

I should add that no one else has the server password, or the rconpassword.


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 14 Nov 2009 20:41 

Joined: 14 Nov 2009 05:45
Posts: 4
Taken from his source code:
Code:
   printf("This program makes a script that can be executed\n");
   printf("from the client game console that will give the server\n");
   printf("a too big string throug the /say command and the local buffer \n");
   printf("overflows, and the return adress is overwritten to point at a place \n");
   printf("in the local buffer we just overflowed, witch has been filled with \n");
   printf("user specified shellcode in raw binary format.\n\n");


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 15 Nov 2009 04:31 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
again, how about this, remove the rcon from the server so there is no password, just leave it blank... change it in the .cfg from rconpassword "blahblah" to just ""
and again, just change ur server password and login to something else and see if that works, because this method ur describing seems too improbable
u are renting the server, right? and from who?


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 15 Nov 2009 12:01 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
in jedi academy is perfectly possible to execude malicious code through the /say overflow bug:
http://aluigi.org/adv/jamsgbof-adv.txt

and this is the patch I wrote:
http://aluigi.org/patches/jamsgfix.txt

I don't know if it works also on 1.00 but you can try


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 15 Nov 2009 16:49 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
well then i guess i was wrong xD

are u hosting a linux or windows server?


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 19 Dec 2009 23:58 

Joined: 07 Aug 2008 06:01
Posts: 45
how would u have his source code?

*edit*


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 21 Dec 2009 03:14 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
his? i don't know who u are referring to
1.0 doesn't have a released source code btw, all editing on 1.0 is done through reverse engineering & hex editing


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 23 Dec 2009 22:23 

Joined: 07 Aug 2008 06:01
Posts: 45
Taken from his source code:
Code:
printf("This program makes a script that can be executed\n");
printf("from the client game console that will give the server\n");
printf("a too big string throug the /say command and the local buffer \n");
printf("overflows, and the return adress is overwritten to point at a place \n");
printf("in the local buffer we just overflowed, witch has been filled with \n");
printf("user specified shellcode in raw binary format.\n\n");


^

How could he take it from his source code LOL, he would NEED the source code, and why would a person who hacked his server give him that lol

anyways he just used buffer overflow 2 exec malicious code..like aluigi said


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 28 Dec 2009 21:02 

Joined: 03 Feb 2009 19:52
Posts: 36
Location: Switzerland
what was the name of the "hacker"? Maybe i know him, i have some "connections" in 1.00, this sounds really weird. How he could upload the .exe?, at my opinion he need to find out the username and password of the root server, this is, at linux systems, in the "shadow" and "passwd" file, but the shadow file is just server side, and not downloadable, so its impossible to findout a root password (bout brute force), in this engine.


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 30 Dec 2009 23:47 

Joined: 30 Dec 2008 01:30
Posts: 17
Can you tell me what code he executed with the buffer overflow o.0 i really want to know how this works ^^ i googled a bit and find out that the buffer can be filled with 0x0 since the buffer is full and then after the whole 0x0 i have to put a jump call or something that will be executed than by the server with the privilegs of the user who run the server. Is this right ^^ ? And now the ultimate question how or where can i find a code that have such a effect?


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 31 Dec 2009 17:25 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
it's a buffer-overflow vulnerability so you must understand how works the exploiting of stack based overflows: things like overwriting the return address, jmp esp, ascii encoded shellcode and so on.

if you don't have basics of assembly and programming (for doing some tests), give up.


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 23 Mar 2010 09:36 

Joined: 11 Mar 2009 15:46
Posts: 20
Guilty :P

And yes, i did exploit the /say bof, if you have the sourceyou propably got it from noa or axis, or you ARE axis or noa, but i assume you're the admin of god underworld 2.

I have to say it made my day when i just strolled in here and i find you scratching your heads trying to figure out how cdf32OLE.exe got into the computer.


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 26 Jun 2010 06:52 

Joined: 07 Aug 2008 06:01
Posts: 45
drunk/high/mad that night post edited lol


Last edited by Kane491 on 30 Aug 2010 05:16, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 07 Jul 2010 17:10 

Joined: 11 Mar 2009 15:46
Posts: 20
-.- it's not under any definition a virus.

& the source is here, i beat multiplayer with it, so i dont need it anymore :P

http://lamerlord.lamer.la/files/jk3saybof.c

and it's not all over the internet, only on pastebin and on my box.


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 16 Jul 2010 19:01 

Joined: 16 Jul 2010 18:43
Posts: 10
Kane491 wrote:
Lol, maggot. 1.00? Go hack a 1.01 server :P. And no, we're not confused on how you do that, if you're assuming that and you're that arrogant. i was just wondering wtf this kid was talking about saying that he had source code. =L

funny virus lamerlord, but i honestly dont give a shit.

OBTW ,

all your doing is making him d/l from

http://lamerlord.lamer.la/local/cdf32OLE.exe

As far as i can tell, this shit is public and all over the web.

/edit

lol at the reverse name, sooo slick, /b/ fag


I believe this is kid would be the definition of "arrogant". I don't see any need for flames over what he had posted, why are you offended so much by it?


Top
 Profile  
 
 Post subject: Re: Urgent: Jedi Academy 1.00
PostPosted: 30 Aug 2010 04:59 

Joined: 07 Aug 2008 06:01
Posts: 45
noa wrote:

I believe this is kid would be the definition of "arrogant". I don't see any need for flames over what he had posted, why are you offended so much by it?


Sorry, I was really fucked up that night, looked back at that idiotic post today lol. I have no grudges against anybody, just edited my post.


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 19 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: