ZenHAX

Free Game Research Forum | Official QuickBMS support | twitter @zenhax | SSL HTTPS://zenhax.com
It is currently Sun Oct 25, 2020 10:29 am

All times are UTC




Post new topic  Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Wed Sep 02, 2020 5:51 am 

Joined: Sun Aug 20, 2017 4:07 am
Posts: 5
Hello! Long time follower of aluigi's work as a security researcher.
This is in reference to an old topic on the old zenhax forum.
http://old.zenhax.com/call-of-duty-fs-h ... -t296.html

I have been hosting cod servers for a long time, but never actually hosted a CoD1 server until a friend of a friend reached out because they knew I had experience in it, and their server kept going down and they didn't know why.
I immediately went to alugis website and just browsed over his patches, saw one in particular that fit the description of the problem (player joins while they are joining, server goes down)
Started up a Linux 1.5b version of the server, copied over there mods etc, got it running, and finally began to investigate what was going on.
A player joins - I get the error fs handle for file.
Also what can happen is you can see a bunch of downloads being requested by the same user and the server crashes with no error.

So I have absolutely narrowed down the exploit they are using, and it appears CoD1 is running rampage with this exploit. Upon talking to multiple people with servers they have server crashes 2-3 times a day and have been told about this "exploit". I am doing what I can (banning those players GUID), but soon after another one comes and does it again. I'm assuming there is a GUID spoofer out there.
I have attempted to do the research that my little security knowledge is letting me do which is basically this - I tried to sniff packets while performing the exploit myself to find some kind of "string" or some type of reoccurring packet being sent by the client to effectively block those request packets from being received through some iptables rules, I have found none and my knowledge of how call of duty in general at the packet by packet-level works is small. Best I can assume is that's is way more complicated than sending a packet with a string containing "download main/.....pk3 fill" etc.
I wished there was a command that completely disabled server downloading and didn't give the option, that forced players to go to the redirect, but to no avail.

So I've come here for some help, hopefully you guys have some type of idea or can lead me in the right direction on how to mitigate or disable this exploit. My only current failed idea was to try to identify the packets being sent by the client, and apply a rate limiter or filter that upon detection would block that IP address. Which in and of itself would be a hard thing to apply even if i was able to identify a similar packet.

I look forward to hearing from some of you if you have any ideas! I am a current cyber security student and absolutely love learning new things.

Thanks
-Airi


Top
   
PostPosted: Wed Sep 02, 2020 2:53 pm 
Site Admin
User avatar

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 11688
Wow, that thing is so old that I didn't even remember a bit about it.

As far as I can see I didn't make any patch, I saw some mentions of custom patches for other games on some forums but nothing.

Quote:
I wished there was a command that completely disabled server downloading and didn't give the option, that forced players to go to the redirect, but to no avail.

Could you please explain it better?
Have you tried to play with the following variable for finding a possible feasible alternative?
sv_wwwDownload
sv_wwwBaseURL
sv_wwwDlDisconnected


Top
   
PostPosted: Wed Sep 02, 2020 4:43 pm 

Joined: Sun Aug 20, 2017 4:07 am
Posts: 5
Hi Aluigi, thanks for the response!

sv_allowDownload - if its set to 0 downloads are completely disabled, players wont even get redirected to the redirect to download. I was hoping that if you had sv_wwwDownload set to 1, and had the baseUrl set, but had sv_allowDownload set to 0, it would eliminate direct server downloads and force players to go to the redirect download server for the download.

Quote:
Could you please explain it better?


Well as you know, there's two means of downloading modifications on cod games. One directly from the server (slow) and that's where the exploit lies, the other one is where players get redirected to the HTTP download server.
The exploit lies within setting your client command cl_wwwDownload to 0, which forces the client to download directly from the server, not the redirect, then obviously requesting a bunch of them to overflow the buffer.

What I meant there, was I wish there was a command that disabled the direct server (slow) download, and forced players to only go to the redirect, if there was some command or way to disable the server from ever handling downloads, forcing players to either be redirected, or not download at all.
I'm not sure if that has any feasibility.

The only other thing I'm still trying to figure is a way to identify download request packets, and limiting them by the second, or even detecting and banning after 32 or so of those packets.


Top
   
Display posts from previous:  Sort by  
Post new topic  Reply to topic  [ 3 posts ] 

All times are UTC


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Powered by phpBB® Forum Software © phpBB Limited