BF1942 Server Crash Exploit FIX - Updated executables HERE
Posted: Sun Sep 18, 2011 12:13 am
This is just a new thread in order to consolidate the results from this thread: BF1942 Demo Server Crashes
All credits and gratitude are due to dierighty, who alone has found the exploit in the code and the correct plug for it for each exec version!
The second CTD exploit has been fixed by tuia, who is creating the new fixes.
All f2 fixes contain the f1 fix!
v1.61 WINDOWS+LINUX f2
Download 1.61 Linux - Mirror - Download 1.61 Linux
Download 1.61 Windows - Mirror - Download 1.61 Windows
v1.6 WINDOWS+LINUX f2
Download 1.6 Linux - Mirror - Download 1.6 Linux
Download 1.6 Windows - Mirror - Download 1.6 Windows
v1.1 DEMO WINDOWS f1
v1.0 DEMO WINDOWS f1
LINUX 1.61 f2
Code:
bf1942_lnxded.dynamic (original) v1.61
813ddb6: 31 c0 xor eax,eax
813ddb8: 8a 46 0d mov al,BYTE PTR [esi+0xd]
813ddbb: 8b 1f mov ebx,DWORD PTR [edi]
813ddbd: 50 push eax
813ddbe: 50 push eax
813ddbf: 8b 85 2c fd ff ff mov eax,DWORD PTR [ebp-0x2d4]
813ddc5: 50 push eax
813ddc6: e8 f5 f2 fd ff call 811d0c0
813ddcb: 59 pop ecx
813ddcc: 5e pop esi
813ddcd: 50 push eax
813ddce: 57 push edi
Code:
bf1942_lnxded.dynamic (patched) v1.61
813ddb6: 31 c9 xor ecx,ecx
813ddb8: 8a 4e 0d mov cl,BYTE PTR [esi+0xd]
813ddbb: 8b 1f mov ebx,DWORD PTR [edi]
813ddbd: 51 push ecx
813ddbe: 51 push ecx
813ddbf: 8b 8d 2c fd ff ff mov ecx,DWORD PTR [ebp-0x2d4]
813ddc5: 5e pop esi
813ddc6: 50 push eax
813ddc7: 57 push edi
813ddc8: 4e dec esi
813ddc9: 83 fe 01 cmp esi,1
813ddcc: 77 07 ja 813ddd5
813ddce: 46 inc esi
The same instructions are to be applied to the static file, beginning at address 0x08136d46.
Download 1.61 Linux
LINUX 1.6 f2
It's the same as for 1.61, but the beginning address for dynamic is 0x0813e5e6 and for static is 0x081372c6.
Download 1.6 Linux
WINDOWS 1.61 f2
Code:
BF1942_w32ded v1.61 (original)
45aacf: 53 push ebx
45aad0: 8b ce mov ecx,esi
45aad2: e8 89 aa ff ff call 0x455560
45aad7: 8b d8 mov ebx,eax
45aad9: 85 db test ebx,ebx
45aadb: 0f 84 b0 06 00 00 je 0x45b191
45aae1: 8b cb mov ecx,ebx
45aae3: e8 28 ca 23 00 call 0x697510
45aae8: 85 c0 test eax,eax
45aaea: 0f 84 a1 06 00 00 je 0x45b191
45aaf0: 0f b6 57 0d movzx edx,BYTE PTR [edi+0xd]
45aaf4: 8b 2e mov ebp,DWORD PTR [esi]
45aaf6: 52 push edx
45aaf7: 8b cb mov ecx,ebx
45aaf9: e8 12 ca 23 00 call 0x697510
45aafe: 50 push eax
45aaff: 8b ce mov ecx,esi
45ab01: ff 95 40 01 00 00 call DWORD PTR [ebp+0x140]
45ab07: e9 85 06 00 00 jmp 0x45b191
Code:
BF1942_w32ded v1.61 (patched)
45aacf: 53 push ebx
45aad0: 8b ce mov ecx,esi
45aad2: e8 89 aa ff ff call 0x455560
45aad7: 85 c0 test eax,eax
45aad9: 74 1e je 0x45aaf9
45aadb: 8b 40 04 mov eax,DWORD PTR [eax+4]
45aade: 85 c0 test eax,eax
45aae0: 74 17 je 0x45aaf9
45aae2: 0f b6 57 0d movzx edx,BYTE PTR [edi+0xd]
45aae6: 4a dec edx
45aae7: 83 fa 01 cmp edx,1
45aaea: 77 0d ja 0x45aaf9
45aaec: 42 inc edx
45aaed: 8b 2e mov ebp,DWORD PTR [esi]
45aaef: 52 push edx
45aaf0: 50 push eax
45aaf1: 8b ce mov ecx,esi
45aaf3: ff 95 40 01 00 00 call DWORD PTR [ebp+0x140]
45aaf9: e9 93 06 00 00 jmp 0x45b191
45aafe: 90 90 90 90 90 90 nop
45ab04: 90 90 90 90 90 90 nop
45ab0a: 90 90 nop
Download 1.61 Windows
WINDOWS v1.6 f2
For the BF1942 Windows v1.6 server executable the beginning address to apply the same instructions is at 0x0045aaaf.
Download 1.6 Windows
The BF1942 Windows v1.6 server binary also has a fix for an old public exploit (@ 0x00442370 changed from 7f to 77), to which it wasn't immune.
WINDOWS v1.1 DEMO f1
WINDOWS v1.0 DEMO f1
1. Modify before func.0048b410
Code:
[offset] [modified bytes] [instruction]
8b403 8b 45 04 mov eax,dword ptr[ebp+0x4]
8b406 83 f8 01 cmp eax,1
8b409 74 05 je 0048b410
8b40b eb 29 jmp 0048b436
2. Modify after func.0048b410
Code:
[offset] [modified bytes] [instruction]
8b436 68 65 47 63 00 push 00634765 ;jump to case 11 to continue without crash
8b43b c2 08 00 retn 8
3. Modify call to func.0048b410
Code:
[offset] [modified bytes] [instruction]
2340ab e8 53 73 e5 ff call ;modify call to func.0048b410 so it goes to 0048b403 instead
//The file offsets in the .exe are different for demo v1.1 from demo v1.0, however the relative jumps still work, only
//the func call and push inst needed to be modified.
If somebody can provide me with the compiled versions of the executables (or even a single one of them), I will add them directly as download links here (hosted on the stable and good bfmods server) so everyone can easily retrieve them without the possibility of making mistakes, as not everyone is sure-footed in hex editing.
Updated on 24.11.11 - Added the f2 fixed versions for 1.61 and 1.6 as well as DL links for them
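Both f2 listings above guard the byte read from [esi+0xd] / [edi+0xd] with dec / cmp 1 / ja, an unsigned check that the value is 1 or 2 before it is pushed to the call; the one-byte 7f to 77 change in the v1.6 Windows binary is the same idea, since 7f is jg (signed compare) and 77 is ja (unsigned). For people who are not sure-footed with a hex editor, the following is an added example (not code from the post or from bfmods) of applying the two v1.61 f2 patches by byte signature rather than by address: the original and patched sequences are transcribed from the listings above, the tool requires the original sequence to occur exactly once in the binary, and it overwrites it in place. Because the original sequence contains its own rel32 call and jump displacements, it can only match at the listed address of that exact build, which is what keeps the displacements inside the patched bytes valid. The dictionary names, the `.f2` output suffix and the constructed sample image are this example's own choices; the v1.6 and demo patches, which live at other addresses or use file offsets, are not covered.

```python
"""Signature-based patcher for the BF1942 v1.61 f2 byte patches.

Added example, not code from the original post or from bfmods. The byte
sequences are transcribed from the disassembly listings in the post; the
search-and-replace logic, names and sample image are this example's own.
"""
import sys


class PatchError(Exception):
    """Raised instead of guessing when the binary does not look like the expected build."""


def _b(hexstr: str) -> bytes:
    # bytes.fromhex ignores the spaces used here to separate instructions.
    return bytes.fromhex(hexstr)


# (original, patched) byte sequences, both transcribed from the listings in the post.
# Each pair has the same length, so nothing after the patched range moves.
PATCHES = {
    "bf1942_lnxded.dynamic v1.61 f2": (
        _b("31c0 8a460d 8b1f 50 50 8b852cfdffff 50 e8f5f2fdff 59 5e 50 57"),
        _b("31c9 8a4e0d 8b1f 51 51 8b8d2cfdffff 5e 50 57 4e 83fe01 7707 46"),
    ),
    "BF1942_w32ded v1.61 f2": (
        _b("53 8bce e889aaffff 8bd8 85db 0f84b0060000 8bcb e828ca2300 85c0 0f84a1060000"
           " 0fb6570d 8b2e 52 8bcb e812ca2300 50 8bce ff9540010000 e985060000"),
        _b("53 8bce e889aaffff 85c0 741e 8b4004 85c0 7417 0fb6570d 4a 83fa01 770d 42"
           " 8b2e 52 50 8bce ff9540010000 e993060000" + "90" * 14),  # 14 nops pad to original size
    ),
}


def find_unique(image: bytes, signature: bytes) -> int:
    """Return the offset of `signature` in `image`; refuse if it is absent or ambiguous."""
    first = image.find(signature)
    if first < 0:
        raise PatchError("original byte sequence not found (wrong version, or already patched)")
    if image.find(signature, first + 1) >= 0:
        raise PatchError("original byte sequence occurs more than once; refusing to patch")
    return first


def apply_patch(image: bytes, original: bytes, patched: bytes) -> bytes:
    """Overwrite the unique occurrence of `original` with `patched`, preserving size."""
    if len(original) != len(patched):
        raise PatchError("patch would change code size; relative displacements would break")
    off = find_unique(image, original)
    return image[:off] + patched + image[off + len(patched):]


def is_patched(image: bytes, name: str) -> bool:
    """True when the f2 bytes are present and the original bytes are gone."""
    original, patched = PATCHES[name]
    return image.find(patched) >= 0 and image.find(original) < 0


def patch_file(path: str, name: str) -> int:
    """Write <path>.f2 with the patch applied; return the file offset that was patched."""
    original, patched = PATCHES[name]
    with open(path, "rb") as f:
        image = f.read()
    off = find_unique(image, original)
    with open(path + ".f2", "wb") as f:
        f.write(apply_patch(image, original, patched))
    return off


def sample_image(name: str) -> bytes:
    """Constructed stand-in for a server binary: filler bytes around the original sequence."""
    original, _ = PATCHES[name]
    return b"\x00" * 0x100 + original + b"\xcc" * 0x40


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python patch_f2.py <server binary> "<patch name from PATCHES>"
        print("patched at file offset 0x%x" % patch_file(sys.argv[1], sys.argv[2]))
    else:
        for name in PATCHES:
            out = apply_patch(sample_image(name), *PATCHES[name])
            print(name, "sample image patched:", is_patched(out, name))
```

Run it against a copy of the server binary with the patch name as second argument; a "not found" error means either a different build or a file that already carries the fix, and a "more than once" error means the signature is not specific enough for that file and the address-based instructions above should be followed instead.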