New crash exploit part III (17.11.2012)

billy_madison
Posts: 5
Joined: Wed Sep 28, 2011 11:33 pm

Re: New crash exploit part III (17.11.2012)

Post by billy_madison »

So shortly before he joined till he crashes the server:
The first UDP packet that uses the hacker's IP (50.117.78.136) is sent from the server to the client. This leads me to believe that the initial packets from the hacker are not in the log.
Also, when I look at UDP packets between my client and a server in Wireshark, the client, when it connects, sends the same 84 bytes as its first packet. The initial packets sent by the hacker in the log are 13 bytes.
Are there initial packets in your logs that are not in the attached txt file?

Maybe, if we can get the full UDP packet stream that the hacker used, we can transmit the same packets to a test server and re-create the server stall. At that point tuia can attach the debugger and determine the instructions that are being used to cause the stall.
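As an added example (not from the original post or from the game's code), a small Python checker over a constructed UDP log format that flags the two things noted in the post: a flow whose first logged packet already comes from the server, and a first client packet that is not the usual 84 bytes. The log line format, the 84-byte expected size as a parameter, and all addresses and ports are assumptions.

```python
import re

# Constructed log format (hypothetical, not the server's real log format):
#   <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <udp_payload_len>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):\d+\s+(?P<plen>\d+)$"
)

def parse_line(line):
    """Parse one log line; return None for lines that are not packet records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "len": int(m["plen"])}

def analyze_flows(lines, server_ip, expected_connect_len=84):
    """Per client address, report whether the first logged packet came from the
    server (the client's opening packets are missing from the capture) and
    whether the first client->server packet has the usual connect size."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] == server_ip:
            client, to_server = pkt["dst"], False
        elif pkt["dst"] == server_ip:
            client, to_server = pkt["src"], True
        else:
            continue  # traffic not involving the server
        rep = flows.setdefault(client, {
            "first_seen": "client->server" if to_server else "server->client",
            "first_client_len": None, "findings": []})
        if to_server and rep["first_client_len"] is None:
            rep["first_client_len"] = pkt["len"]
    for rep in flows.values():
        if rep["first_seen"] == "server->client":
            rep["findings"].append("first logged packet is server->client: "
                                   "client's initial packets are not in the log")
        first = rep["first_client_len"]
        if first is not None and first != expected_connect_len:
            rep["findings"].append("first client packet is %d bytes, expected %d"
                                   % (first, expected_connect_len))
    return flows

# Constructed sample (placeholder addresses and ports): one normal join with an
# 84-byte first packet, and one flow the log only picks up once the server is
# already replying, after which that client sends 13-byte packets.
SAMPLE_LOG = [
    "20:01:03.412 192.0.2.10:27000 -> 198.51.100.1:14567 84",
    "20:01:03.450 198.51.100.1:14567 -> 192.0.2.10:27000 120",
    "20:01:03.900 192.0.2.10:27000 -> 198.51.100.1:14567 61",
    "20:02:10.004 198.51.100.1:14567 -> 203.0.113.7:31337 96",
    "20:02:10.031 203.0.113.7:31337 -> 198.51.100.1:14567 13",
    "20:02:10.059 203.0.113.7:31337 -> 198.51.100.1:14567 13",
    "this line is not a packet record",
]
```

Running `analyze_flows(SAMPLE_LOG, "198.51.100.1")` leaves the first client clean and reports both findings for the second, which is the pattern the post describes.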
wq_Compf
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Post by wq_Compf »

Hi,

I confirm we have a big problem. We try to keep bf 1942 up, but some stupid people do not.

Here is what I find from gdb:


PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1 root 20 0 3536 1828 1244 S 0 0.0 0:00.95 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
top - 19:55:51 up 1:57, 2 users, load average: 0.16, 0.30, 0.36
Tasks: 86 total, 1 running, 84 sleeping, 0 stopped, 1 zombie
Cpu0 : 2.8%us, 0.8%sy, 0.0%ni, 96.2%id, 0.1%wa, 0.0%hi, 0.1%si, 0.0
Cpu1 : 2.0%us, 0.2%sy, 0.0%ni, 97.8%id, 0.1%wa, 0.0%hi, 0.0%si, 0.0
Cpu2 : 20.9%us, 0.7%sy, 0.0%ni, 78.4%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0
Cpu3 : 0.4%us, 0.7%sy, 0.0%ni, 98.9%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0
Mem: 4126068k total, 307244k used, 3818824k free, 18508k buffers
Swap: 2588664k total, 0k used, 2588664k free, 171676k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2634 bf42 20 0 70788 52m 6180 S 15 1.3 0:28.53 bf1942_lnxded
1 root 20 0 3536 1828 1244 S 0 0.0 0:00.96 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.53 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 0:00.44 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/1
10 root 20 0 0 0 0 S 0 0.0 0:00.60 ksoftirqd/1
11 root 20 0 0 0 0 S 0 0.0 0:00.23 kworker/0:1
12 root RT 0 0 0 0 S 0 0.0 0:00.01 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:00.04 migration/2
15 root 20 0 0 0 0 S 0 0.0 0:04.64 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/2
root@wqsrvibm:~#


Reading symbols from /lib/i386-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libdl.so.2
Reading symbols from /lib/i386-linux-gnu/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libm.so.6
Reading symbols from /lib/i386-linux-gnu/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libncurses.so.5
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb5790b40 (LWP 1600)]
Loaded symbols for /lib/i386-linux-gnu/libpthread.so.0
Reading symbols from /lib/i386-linux-gnu/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i386-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libtinfo.so.5
Reading symbols from /home/bf42/bf1942/pb/pbsv.so...(no debugging symbols found)...done.
Loaded symbols for /home/bf42/bf1942/pb/pbsv.so
Reading symbols from /lib/i386-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_files.so.2
Reading symbols from /lib/i386-linux-gnu/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_dns.so.2
Reading symbols from /lib/i386-linux-gnu/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libresolv.so.2
0xb76ee424 in __kernel_vsyscall ()
(gdb) c
Continuing.
[Thread 0xb5790b40 (LWP 1600) exited]

Program terminated with signal SIGKILL, Killed.
The program no longer exists.
(gdb) ^CQuit
(gdb) quit
root@wqsrvibm:~# gdb program 1678
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
program: No such file or directory.
Attaching to process 1678
Reading symbols from /home/bf42/bf1942/bf1942_lnxded.static...done.
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libdl.so.2
Reading symbols from /lib/i386-linux-gnu/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libm.so.6
Reading symbols from /lib/i386-linux-gnu/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libncurses.so.5
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...(no debugging s
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb5789b40 (LWP 1690)]
Loaded symbols for /lib/i386-linux-gnu/libpthread.so.0
Reading symbols from /lib/i386-linux-gnu/libc.so.6...(no debugging symbols
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...d
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i386-linux-gnu/libtinfo.so.5...(no debugging sym
Loaded symbols for /lib/i386-linux-gnu/libtinfo.so.5
Reading symbols from /home/bf42/bf1942/pb/pbsv.so...(no debugging symbols
Loaded symbols for /home/bf42/bf1942/pb/pbsv.so
Reading symbols from /lib/i386-linux-gnu/libnss_files.so.2...(no debugging
Loaded symbols for /lib/i386-linux-gnu/libnss_files.so.2
Reading symbols from /lib/i386-linux-gnu/libnss_dns.so.2...(no debugging s
Loaded symbols for /lib/i386-linux-gnu/libnss_dns.so.2
Reading symbols from /lib/i386-linux-gnu/libresolv.so.2...(no debugging sy
Loaded symbols for /lib/i386-linux-gnu/libresolv.so.2
0xb7708424 in __kernel_vsyscall ()
(gdb) c
Continuing.
[Thread 0xb5789b40 (LWP 1690) exited]
process 1678 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb57ceb40 (LWP 1925)]
[Thread 0xb57ceb40 (LWP 1925) exited]
process 1678 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb57ecb40 (LWP 2515)]
^C
Program received signal SIGINT, Interrupt.
0x0843c12b in dice::ref2::io::SWConnection::getPacketFromRecvQueue(unsigned char*, unsigned int*) ()
(gdb) bt
#0 0x0843c12b in dice::ref2::io::SWConnection::getPacketFromRecvQueue(unsigned char*, unsigned int*) ()
#1 0x0843867a in dice::ref2::io::NetServer::getRecvdPacket(int*, unsigned char*, unsigned int*) ()
#2 0x08137913 in dice::bf::GameServer::receive(int*) ()
#3 0x08137be2 in dice::bf::GameServer::processReceivedPackets() ()
#4 0x08132995 in dice::bf::GameServer::update(int, float) ()
#5 0x080bc366 in dice::bf::Setup::mainLoop() ()
#6 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
#7 0x08050775 in main ()
(gdb) backtrace full
#0 0x0843c12b in dice::ref2::io::SWConnection::getPacketFromRecvQueue(unsigned char*, unsigned int*) ()
No symbol table info available.
#1 0x0843867a in dice::ref2::io::NetServer::getRecvdPacket(int*, unsigned char*, unsigned int*) ()
No symbol table info available.
#2 0x08137913 in dice::bf::GameServer::receive(int*) ()
No symbol table info available.
#3 0x08137be2 in dice::bf::GameServer::processReceivedPackets() ()
No symbol table info available.
#4 0x08132995 in dice::bf::GameServer::update(int, float) ()
No symbol table info available.
#5 0x080bc366 in dice::bf::Setup::mainLoop() ()
No symbol table info available.
#6 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
No symbol table info available.
#7 0x08050775 in main ()
No symbol table info available.
(gdb) info registers
eax 0xb25c4000 -1302577152
ecx 0xbfb8e68c -1078401396
edx 0xb25c4000 -1302577152
ebx 0x8f32b00 150153984
esp 0xbfb8e3f0 0xbfb8e3f0
ebp 0xbfb8e418 0xbfb8e418
esi 0x8f33460 150156384
edi 0xb2fd3dc8 -1292026424
eip 0x843c12b 0x843c12b <dice::ref2::io::SWConnection::getPacketFromRecvQueue(unsigned char*, unsigned int*)+43>
eflags 0x202 [ IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) x/16i $pc
=> 0x843c12b <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+43>: add $0x10,%esp
0x843c12e <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+46>: mov %eax,%esi
0x843c130 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+48>: test %eax,%eax
0x843c132 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+50>: je 0x843c115 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+21>
0x843c134 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+52>: mov 0xc(%eax),%ebx
0x843c137 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+55>: test %ebx,%ebx
0x843c139 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+57>: jne 0x843c195 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+149>
0x843c13b <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+59>: mov (%eax),%eax
0x843c13d <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+61>: test %eax,%eax
0x843c13f <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+63>: je 0x843c195 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+149>
0x843c141 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+65>: mov 0x14(%esi),%edx
0x843c144 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+68>: mov 0x4(%esi),%eax
0x843c147 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+71>: mov (%eax,%edx,1),%ax
0x843c14b <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+75>: test %ax,%ax
0x843c14e <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+78>: jne 0x843c157 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+87>
0x843c150 <_ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj+80>: mov $0x9,%eax
(gdb) thread apply all backtrace

Thread 4 (Thread 0xb57ecb40 (LWP 2515)):
#0 0xb773f424 in ?? ()
#1 0x08438821 in dice::ref2::io::NetServerThread::run() ()
#2 0x084548bf in dice::ref2::(anonymous namespace)::pthreads_thread_trampoline(void*) ()
#3 0xb76d0d4c in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#4 0xb760ed3e in clone () from /lib/i386-linux-gnu/libc.so.6

Thread 1 (Thread 0xb74c86c0 (LWP 1678)):
#0 0x0843c12b in dice::ref2::io::SWConnection::getPacketFromRecvQueue(unsigned char*, unsigned int*) ()
#1 0x0843867a in dice::ref2::io::NetServer::getRecvdPacket(int*, unsigned char*, unsigned int*) ()
#2 0x08137913 in dice::bf::GameServer::receive(int*) ()
#3 0x08137be2 in dice::bf::GameServer::processReceivedPackets() ()
#4 0x08132995 in dice::bf::GameServer::update(int, float) ()
#5 0x080bc366 in dice::bf::Setup::mainLoop() ()
#6 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
#7 0x08050775 in main ()
(gdb) step
Single stepping until exit from function _ZN4dice4ref22io12SWConnection22getPacketFromRecvQueueEPhPj,
which has no line number information.
0x0843867a in dice::ref2::io::NetServer::getRecvdPacket(int*, unsigned char*, unsigned int*) ()
(gdb) c
Continuing.
^C
Program received signal SIGINT, Interrupt.
0xb76d2ced in pthread_mutex_lock () from /lib/i386-linux-gnu/libpthread.so.0
(gdb) step
Single stepping until exit from function pthread_mutex_lock,
which has no line number information.
0x0843864b in dice::ref2::io::NetServer::getRecvdPacket(int*, unsigned char*, unsigned int*) ()
(gdb) c
Continuing.
^C
Program received signal SIGINT, Interrupt.
0x08137be5 in dice::bf::GameServer::processReceivedPackets() ()
(gdb) step
Single stepping until exit from function _ZN4dice2bf10GameServer22processReceivedPacketsEv,
which has no line number information.
step
c
step
^CCouldn't get registers: No such process.
(gdb) step
Single stepping until exit from function _ZN4dice2bf10GameServer22processReceivedPacketsEv,
which has no line number information.
Couldn't get registers: No such process.
(gdb) step
Single stepping until exit from function _ZN4dice2bf10GameServer22processReceivedPacketsEv,
which has no line number information.
Couldn't get registers: No such process.
(gdb) c
Continuing.
^C
Program received signal SIGINT, Interrupt.
0xb76d2cb3 in pthread_mutex_lock () from /lib/i386-linux-gnu/libpthread.so.0
(gdb) quit
A debugging session is active.

Inferior 1 [process 1678] will be detached.

Quit anyway? (y or n)
s[sk]
Posts: 23
Joined: Tue Nov 13, 2012 3:15 pm

Re: New crash exploit part III (17.11.2012)

Post by s[sk] »

hi wq_compf,

this is interesting
wq_Compf wrote: #0 0x0843c12b in dice::ref2::io::SWConnection::getPacketFromRecvQueue(unsigned char*, unsigned int*) ()
#1 0x0843867a in dice::ref2::io::NetServer::getRecvdPacket(int*, unsigned char*, unsigned int*) ()
#2 0x08137913 in dice::bf::GameServer::receive(int*) ()
#3 0x08137be2 in dice::bf::GameServer::processReceivedPackets() ()
#4 0x08132995 in dice::bf::GameServer::update(int, float) ()
#5 0x080bc366 in dice::bf::Setup::mainLoop() ()
#6 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
#7 0x08050775 in main ()
i've seen you've got to dice::bf::GameServer::processReceivedPackets(), can you do

tbreak *0x08137be2
tbreak *0x08132995
tbreak *0x080bc366

and hit continue until it doesn't stop and tell me what was the last breakpoint it stopped on?
wq_Compf
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Post by wq_Compf »

Hi again,

The problem is: the server does not stop, it goes to 100% CPU.
I will do it; for now it is only launched with dbg.

I hope to find a solution for you.

Cya soon.
s[sk]
Posts: 23
Joined: Tue Nov 13, 2012 3:15 pm

Re: New crash exploit part III (17.11.2012)

Post by s[sk] »

wq_Compf wrote: Hi again,

The problem is: the server does not stop, it goes to 100% CPU.
I will do it; for now it is only launched with dbg.

I hope to find a solution for you.

Cya soon.
If it goes to 100%, set up those tbreaks to find out where the loop that doesn't finish is.
wq_Compf
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Post by wq_Compf »

Re,

Now, the server stopped.

Program received signal SIGSEGV, Segmentation fault.
0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
(gdb) bt
#0 0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
#1 0x08141e84 in dice::bf::GhostManager::writeData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#2 0x081469d3 in dice::bf::GhostManager::sendData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#3 0x081431cd in dice::bf::GhostManager::transmit(dice::ref2::io::BitStream*, dice::bf::PacketStatus&, unsigned int) ()
#4 0x081156b3 in dice::bf::ClientConnection::transmitMsgs() ()
#5 0x081394e1 in dice::bf::GameServer::processGameStateAndSendPackets(float) ()
#6 0x081329f9 in dice::bf::GameServer::update(int, float) ()
#7 0x080bc366 in dice::bf::Setup::mainLoop() ()
#8 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
#9 0x08050775 in main ()
(gdb) tbreak *0x08137be2
Temporary breakpoint 1 at 0x8137be2
(gdb) bt
#0 0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
#1 0x08141e84 in dice::bf::GhostManager::writeData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#2 0x081469d3 in dice::bf::GhostManager::sendData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#3 0x081431cd in dice::bf::GhostManager::transmit(dice::ref2::io::BitStream*, dice::bf::PacketStatus&, unsigned int) ()
#4 0x081156b3 in dice::bf::ClientConnection::transmitMsgs() ()
#5 0x081394e1 in dice::bf::GameServer::processGameStateAndSendPackets(float) ()
#6 0x081329f9 in dice::bf::GameServer::update(int, float) ()
#7 0x080bc366 in dice::bf::Setup::mainLoop() ()
#8 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
#9 0x08050775 in main ()
(gdb) c
Continuing.
[Thread 0xb5833b40 (LWP 3818) exited]

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.

LOL, I was wrong with the address. I will wait again for a new crash.
s[sk]
Posts: 23
Joined: Tue Nov 13, 2012 3:15 pm

Re: New crash exploit part III (17.11.2012)

Post by s[sk] »

wq_Compf wrote: Re,

Now, the server stopped.

Program received signal SIGSEGV, Segmentation fault.
0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
You can ignore that; that's the usual crash due to buggy server code. It's 99% not something anyone is doing on purpose.
wq_Compf
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Post by wq_Compf »

Not good.

I will set up the server on Windows to see the result.

Cya soon bf42 lovers.

Cheers.

This is not normal behavior for the Linux server; I'm not happy because I have no time to install Windows now.

I hope someone with more skill will help us.
wq_Compf
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Post by wq_Compf »

Hi s[sk], the only way to thank you and Tuia is a message on my server with both. I have a question for you (s[sk]): with your last modification, can players join with the demo or v.1.6 on a dedicated server?

Thanks man, you are great.

Cya soon bf42 lovers !
wq_Compf
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Post by wq_Compf »

Hi all,

Because the game client accepts the include command and commands that command the server, I will declare bf 1942 a dead game, BF3 maybe too. Fuck off to the programmers from EA Games who don't have a life!

This is my last post.


Have fun or not bf42 lovers !