Posted May 6, 2008

http://aluigi.altervista.org/adv/webmodz-adv.txt

there u go.. all hail almighty luigi
May 6, 2008

Okay, I understand the buffer overflow thing, but how does one use this for rcon theft?
May 7, 2008

how do i use this? it doesn't say anything about stealing rcons, it says it requires rcon, and this is for cs1.6 not css right?

Edited May 7, 2008 by keano
May 9, 2008

> Okay, I understand the buffer overflow thing, but how does one use this for rcon theft?

you use it to install a shell duh

ps the directory traversal is rifk
June 11, 2008

post a tutorial for us non-software engineers. The text file is pretty descriptive

Edited June 11, 2008 by Random_guy: Quote messing up
August 11, 2008

#######################################################################

                             Luigi Auriemma

Application:  WebMod
              http://www.djeyl.net/w.php
Versions:     <= 0.48
Platforms:    Windows and Linux
Bugs:         A] directory traversal
              B] Cookie buffer-overflow
              C] parser.cpp arbitrary memory writing
              D] scripts source disclosure
Exploitation: remote
Date:         03 May 2008
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

WebMod is an open source MetaMod plugin which acts as a web server for
Half-Life running on the equivalent TCP port of the UDP one used by the
game.

#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

WebMod uses an anti-directory traversal check which searches for any
"../" pattern in the HTTP request of the client.
So it's enough to use a "..\" pattern to bypass the check and be able
to download any file from the disk where Half-Life is running,
including the configuration files of the game server (like
..\..\..\..\platform\config\server.vdf or ..\..\..\server.cfg).
Note that this bug works only on Windows servers.

From server.cpp:

void clientHandle(int connfd, httpquery_t *query, int tid)
  ...
  if(strstr(str,"../")) // hack attempt, display index page
  {
      str[0]='\0';
  }

-------------------------
B] Cookie buffer-overflow
-------------------------

A cookie parameter longer than MYSOCK_BUFLEN (8192) bytes leads to a
stack based buffer-overflow.

From server.cpp:

void connectHandle(void *data)
{
  char *input;
  char buf[MYSOCK_BUFLEN+1];
  ...
  for(j=0;input[i]&&input[i]!=';'&&input[i]!='\n';j++,i++)
      buf[j]=input[i];

--------------------------------------
C] parser.cpp arbitrary memory writing
--------------------------------------

The functions in parser.cpp are affected by some memory corruption
vulnerabilities with different effects depending on the type of
variable/script used.
In short a value longer than MAX_FILE_SIZE (16384) bytes can lead to
the writing of custom data in a custom memory address through strcat
(auth.w?mode) or a NULL pointer (auth.w?redir) or an invalid memory
access (the rconpass parameter of auth.w) and so on.

----------------------------
D] scripts source disclosure
----------------------------

Adding a dot at the end of the requested URI allows the viewing of the
script source code instead of executing it.
This bug (which should work only on FAT/NTFS filesystems) can be
considered a security vulnerability ONLY if the server runs custom
scripts.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/webmodz.zip

  nc SERVER PORT -v -v < webmodz1.txt
  nc SERVER PORT -v -v < webmodz2.txt
  nc SERVER PORT -v -v < webmodz3.txt
  nc SERVER PORT -v -v < webmodz4.txt

#######################################################################

======
4) Fix
======

No fix

#######################################################################
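Added example, not code from the advisory or from WebMod itself: the "../"-only check quoted above beside a check that splits the URI on both separators and rejects any ".." segment (bugs A), plus a bounded version of the cookie copy loop that stops at the buffer size (bug B). Function names and the sample cookie are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MYSOCK_BUFLEN 8192   /* same limit the advisory cites */

/* The check quoted in the advisory: only the "../" spelling is rejected,
   so "..\" slips through on Windows, where '\' is also a path separator. */
static bool weak_check_rejects(const char *uri) {
    return strstr(uri, "../") != NULL;
}

/* Hardened check: split the URI on '/' AND '\\' and reject any ".."
   segment, so the separator spelling no longer matters. */
static bool strict_check_rejects(const char *uri) {
    const char *p = uri;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;   /* end of segment */
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.') return true;
        if (*p) p++;                                 /* skip the separator */
    }
    return false;
}

/* Bounded replacement for the cookie loop: stop at the buffer size, not
   only at ';' or '\n', so an over-long cookie cannot overrun buf.
   Returns the number of bytes copied; buf is always NUL-terminated. */
static size_t copy_cookie_value(char *buf, size_t bufsize, const char *input) {
    size_t j = 0;
    while (j + 1 < bufsize && input[j] && input[j] != ';' && input[j] != '\n') {
        buf[j] = input[j];
        j++;
    }
    buf[j] = '\0';
    return j;
}

int main(void) {
    const char *uris[] = { "../server.cfg", "..\\..\\server.cfg", "index.w" };
    char cookie[MYSOCK_BUFLEN + 1];
    for (size_t i = 0; i < 3; i++)
        printf("%-20s weak:%d strict:%d\n", uris[i],
               weak_check_rejects(uris[i]), strict_check_rejects(uris[i]));
    /* constructed Cookie header value */
    printf("copied %zu bytes\n",
           copy_cookie_value(cookie, sizeof cookie, "sid=abc123; path=/"));
    return 0;
}
```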
September 30, 2008

Not sure why this is so hard for me. I've been messing with it and I got it up and running, though each time I run it I just get back: "rconpass" over and over on every server. Any tips or hints or a shove in the right direction would be greatly appreciated.

- Edit for update. Figured out everything but "stealing rcon."

Edited October 1, 2008 by vboom