Luigi Auriemma

Hello to all...


Mr. Algui, i have been using your very useful softwares. I came across the very useful data traversal thing you provided....

Now, please help me with it....(i use it in MEDAL OF HONOR ALLIED ASSAULT)

I need to download some files from my friends server....One is the Leanmod script and the other the sharking script.....and some other files as well....here is wat i do....

1-open mohaa
2-open the q3dt (data traversal software)
3-highlight the process mohaa.
4-Set output to "download.cfg"
5-Then click activate exploit.
6-Then maximize mohaa.
7-Join my friend's server.
8-Then i ask him to allow download.
9-then i type in console......download leanmod.cfg (exact filename)
Now here is where the problem starts....the console gives the following msg

Writing to E:\prog\ mohaa (mohaa address) {then it says}
CL_Parsedownload: expected 1 : got 0
CL_Parsedownload: expected 1 : got 0
CL_Parsedownload: expected 1 : got 0 {and the screen becomes black}

and when i check the output file...it exists but its size is "0 bytes"...& is empty..

please tell me where i go wrong...


Please "wizard of software" help me...plz help.......plz..plz..plz...plz....

I shall b very thankful to you

Bye vd peace

Khamaar

uhmmm I don't remember if mohaa was one of the games vulnerable to the directory traversal or if my proof-of-concept was compatible also with it but for sure points 3-5 should be after point 6

THANK 4 the quick reply!!!


Yup....mohaa was on the vulnerable list.....but i dont know y it doesnt work......But could u plz tell me the right way to do it??? my friend showed me a video OF SOME NOOB trying to get server.cfg!!!!! and it seems that it worked 4 him....shud i give the link??? And one other thing,,,,did u create the directory traversal software 4 quake 3???? if there is another one...plz let me know wat it is....

Bye and take care
KHAMAAR

I have read a note I inserted in q3dirtrav and yes it was successfully tested also with mohaa, so it works for sure.
I guess the example command to test the bug (launching q3dirtrav AFTER having joined the server) is: download main/server.cfg

and no, this is the only demonstration proof-of-concept I have created for testing this vulnerability.

HEllO ALuiGi!!

Thanks Mr. Aluigi for the help...it worked!! it had to work!!! when You are the software manufacturer...its impossible it wont work!!!

Aluigi ..there z a problemo....I also own mohaa server....Is it possible for person to get my server's config thru this method ...if my server's config name isnt server.cfg.....

And if he can get it ..How will he do it???



SECOND QUESTION:-

plz dont mind this off-topic question...But you are so good that i have to depend on you aluigi....
I have a computer 8 my office which runs 24/7.....I run mohaa and other servers frm that pc....I want to make a network drive on my home pc so that i can control that office computer frm my home computer.....

I have tried this from Command prompt with this command

net view \\ip address of my office computer

but it gives some error...


Do you have any software to do this thing 4 me aluigi...

PLZ PLZ PLZ PLZ tell me....

!!!!!!!!!! U R THE BEST !!!!!!!!!!

1)
if you refer about how to protect yourself you must disable the downloads (sv_allowdowload 0) and/or apply the work-around I wrote (it should be compatible with mohaa too):
http://aluigi.org/patches/q3dirtravfix.zip

2)
the \\ip solution works only if on your and the remote computer runs windows with netbios enabled (which is by default) or another OS like linux with samba enabled and there are no phisical restrictions like being behind a router/NAT/firewall (99% your case).
netbios allows also to connect to log on the remote computer in "telnet style" with your computer's account.

so exist various solutions to have access to your office pc and in my opinion the usage of a vpn software like hamachi avoids all the troubles of configuring and/or bypassing the router/nat/firewall restrictions moreover if you are not a technician.

when the 2 computers can reach themselves without problems then you can think to what using for accessing the remote resources.
the easiest way is probably running a VNC server on the office PC so that using a software like ultravnc you can access it in real-time graphically (so not a command-prompt but just the screen you see when you are in front of the monitor) and can transfer files without problems using the features of vnc.

so without having major details or knowing your skills, patience in configuring stuff, requirements, situation of the network of the 2 pc and so on I suggest the hamachi+vnc solution