Thanks, I will play around with that over the next few days!

s[sk] wrote:
I suggest using vbindiff for hexediting in Linux.
Viral wrote:
I would test this as well on my server; I just need to know how to patch the Linux server files. I am using the 1.62 patched version. I don't need a guide, just give me a kick in the right direction and a link to the needed tools.
Just be sure you are not editing a binary that's in use (running).
New crash exploit part III (17.11.2012)
Re: New crash exploit part III (17.11.2012)
http://www.battlefield1942.net Frag On!
Re: New crash exploit part III (17.11.2012)
Hi,
I saw that you love bf 1942, many thanks to s[sk] and Tuia, but people with no life found another glitch. They crash the server with an unknown command again. In my log I find:
Fatal error: Control object not found!!! id 0
Omg, this is very stupid.
I will try to show you what happens soon, no time now, sorry for this!
I'm happy the server does not stay at 99%; it crashes and the remote admin restarts it. For now I wait until I have time for it.
Cya soon bf1942 lovers!
Re: New crash exploit part III (17.11.2012)
Hi again,
I put on debug but it is useless. Stack not found. How about this?
Cheers !
Re: New crash exploit part III (17.11.2012)
wq_Compf wrote:
Hi again,
I put on debug but it is useless. Stack not found. How about this?
Cheers!
can you please be more specific what's the problem you're trying to solve?
is this some new bug that has something to do with that "Fatal error: Control object not found!!! id 0" from your previous post?
if so, can you give us more detail?
what happens? server crashes? server hangs with high cpu usage?
where do you see this error? how often does it happen?
Re: New crash exploit part III (17.11.2012)
Hi,
I made a new shot with gdb.
top - 14:50:14 up 3:08, 1 user, load average: 0.40, 0.29, 0.25
Tasks: 82 total, 1 running, 81 sleeping, 0 stopped, 0 zombie
Cpu(s): 6.3%us, 0.5%sy, 0.0%ni, 93.1%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 4126068k total, 238044k used, 3888024k free, 27040k buffers
Swap: 2588664k total, 0k used, 2588664k free, 105856k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
976 bf42 20 0 93556 67m 6612 S 26 1.7 8:07.51 bf1942_lnxded
1 root 20 0 3532 1844 1244 S 0 0.0 0:00.94 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.51 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 0:00.44 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.04 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.05 migration/1
10 root 20 0 0 0 0 S 0 0.0 0:01.22 ksoftirqd/1
12 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/2
15 root 20 0 0 0 0 S 0 0.0 0:08.73 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/2
17 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/3
19 root 20 0 0 0 0 S 0 0.0 0:00.05 ksoftirqd/3
20 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/3
21 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
root@wqsrvibm:~# gdb program 976
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
program: No such file or directory.
Attaching to process 976
Reading symbols from /home/bf42/bf1942/bf1942_lnxded.static...done.
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libdl.so.2
Reading symbols from /lib/i386-linux-gnu/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libm.so.6
Reading symbols from /lib/i386-linux-gnu/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libncurses.so.5
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb55b2b40 (LWP 1222)]
Loaded symbols for /lib/i386-linux-gnu/libpthread.so.0
Reading symbols from /lib/i386-linux-gnu/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i386-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libtinfo.so.5
Reading symbols from /home/bf42/bf1942/pb/pbsv.so...(no debugging symbols found)...done.
Loaded symbols for /home/bf42/bf1942/pb/pbsv.so
Reading symbols from /lib/i386-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_files.so.2
Reading symbols from /lib/i386-linux-gnu/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_dns.so.2
Reading symbols from /lib/i386-linux-gnu/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libresolv.so.2
0xb7705424 in __kernel_vsyscall ()
(gdb) c
Continuing.
[Thread 0xb55b2b40 (LWP 1222) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb5849b40 (LWP 1414)]
[Thread 0xb5849b40 (LWP 1414) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb52b0b40 (LWP 1415)]
[Thread 0xb52b0b40 (LWP 1415) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb57ffb40 (LWP 1419)]
Program received signal SIGSEGV, Segmentation fault.
0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
(gdb) bt
#0 0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
#1 0x08141e84 in dice::bf::GhostManager::writeData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#2 0x081469d3 in dice::bf::GhostManager::sendData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#3 0x081431cd in dice::bf::GhostManager::transmit(dice::ref2::io::BitStream*, dice::bf::PacketStatus&, unsigned int) ()
#4 0x081156b3 in dice::bf::ClientConnection::transmitMsgs() ()
#5 0x081394e1 in dice::bf::GameServer::processGameStateAndSendPackets(float) ()
#6 0x081329f9 in dice::bf::GameServer::update(int, float) ()
#7 0x080bc366 in dice::bf::Setup::mainLoop() ()
#8 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
#9 0x08050775 in main ()
(gdb)
I haven't closed gdb yet, in case there is any suggestion!
Re: New crash exploit part III (17.11.2012)
wq_Compf wrote:
(gdb) bt
#0 0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
this is not an exploit, this is a known problem with bf1942 server caused by buggy code
it crashes because it's processing bogus data (probably already freed and overwritten)
how often it crashes there is dependent on players count (the more, the more likely it'll crash) and probably how often people disconnect/get kicked
there is a workaround patch being tested for this and similar bug (in world::ObjectManager::checkMessages())
Re: New crash exploit part III (17.11.2012)
Hi,
Thanks for the fast response, where do I find this patch?
Re: New crash exploit part III (17.11.2012)
wq_Compf wrote:
Hi,
Thanks for the fast response, where do I find this patch?
it's not yet public, i'm waiting for feedback from testing, it's a set of sanity checks that need to be tweaked to catch all possible bad data
Re: New crash exploit part III (17.11.2012)
Hi,
Thanks man, you are great.
Last edited by wq_Compf on Mon Feb 11, 2013 7:47 pm, edited 1 time in total.
Re: New crash exploit part III (17.11.2012)
Any news or fix?