BF1942 Server Crash New Exploit!

[Grabbi]

the unknown person creating these exploits sells generated keys over his youtube channel website link, comming from Sophia Bulgaria making thousands of euros and flooding the game with new keys.
...but thats another story ( we can provide upon request)

[b]NOW he modified his exploid, with same basic procedure !

EDIT Senshi: Moved the detailed explanation to an internal forum, as it far too easily serves as a How-To. No need to spread until we have a fix.

Any new fixes to this (same extended) exploid would be apprechiated from our side.

Greetz

Grabbi

PS: tnx again for the last fix !

[Senshi]

I'll move this to a private forum, no need to spread an extensive How-To-Crash here . tuia has told me he already is trying to find a fix for this as well, we will tell you ASAP once we receive a fix . Thank you for telling us about this new possible exploit.

[Grabbi]

thanks, we really apprechiate your efforts!


Best regards

Grabbi
______________________
grabbi@pixel-fighter.com

[tuia]

Here are the instructions to prevent the new exploit for BF1942 Linux server files:

Code: Select all

bf1942_lnxded.dynamic (original) v1.61
 813ddb6:   31 c0                   xor    eax,eax
 813ddb8:   8a 46 0d                mov    al,BYTE PTR [esi+0xd]
 813ddbb:   8b 1f                   mov    ebx,DWORD PTR [edi]
 813ddbd:   50                      push   eax
 813ddbe:   50                      push   eax
 813ddbf:   8b 85 2c fd ff ff       mov    eax,DWORD PTR [ebp-0x2d4]
 813ddc5:   50                      push   eax
 813ddc6:   e8 f5 f2 fd ff          call   811d0c0
 813ddcb:   59                      pop    ecx
 813ddcc:   5e                      pop    esi
 813ddcd:   50                      push   eax
 813ddce:   57                      push   edi


Code: Select all

bf1942_lnxded.dynamic (patched) v1.61
 813ddb6:   31 c9                   xor    ecx,ecx
 813ddb8:   8a 4e 0d                mov    cl,BYTE PTR [esi+0xd]
 813ddbb:   8b 1f                   mov    ebx,DWORD PTR [edi]
 813ddbd:   51                      push   ecx
 813ddbe:   51                      push   ecx
 813ddbf:   8b 8d 2c fd ff ff       mov    ecx,DWORD PTR [ebp-0x2d4]
 813ddc5:   5e                      pop    esi
 813ddc6:   50                      push   eax
 813ddc7:   57                      push   edi
 813ddc8:   4e                      dec    esi
 813ddc9:   83 fe 01                cmp    esi,1
 813ddcc:   77 07                   ja     813ddd5
 813ddce:   46                      inc    esi


The same instructions are to be applied to static file at beginning address 0x08136d46. For BF1942 Linux v1.6 the beginning address for dynamic is 0x0813e5e6 and for static is 0x081372c6.
I've patched the files and tested them. They already contain the code to prevent the previous exploit:
http://estatistic.planetaclix.pt/download/bf1942_lnxded-1.6-patched.tar.gz
http://estatistic.planetaclix.pt/download/bf1942_lnxded-1.61-patched.tar.gz

[tuia]

Here are the instructions for BF1942 Windows v1.61 server executable:

Code: Select all

BF1942_w32ded v1.61 (original)
  45aacf:   53                      push   ebx
  45aad0:   8b ce                   mov    ecx,esi
  45aad2:   e8 89 aa ff ff          call   0x455560
  45aad7:   8b d8                   mov    ebx,eax
  45aad9:   85 db                   test   ebx,ebx
  45aadb:   0f 84 b0 06 00 00       je     0x45b191
  45aae1:   8b cb                   mov    ecx,ebx
  45aae3:   e8 28 ca 23 00          call   0x697510
  45aae8:   85 c0                   test   eax,eax
  45aaea:   0f 84 a1 06 00 00       je     0x45b191
  45aaf0:   0f b6 57 0d             movzx  edx,BYTE PTR [edi+0xd]
  45aaf4:   8b 2e                   mov    ebp,DWORD PTR [esi]
  45aaf6:   52                      push   edx
  45aaf7:   8b cb                   mov    ecx,ebx
  45aaf9:   e8 12 ca 23 00          call   0x697510
  45aafe:   50                      push   eax
  45aaff:   8b ce                   mov    ecx,esi
  45ab01:   ff 95 40 01 00 00       call   DWORD PTR [ebp+0x140]
  45ab07:   e9 85 06 00 00          jmp    0x45b191


Code: Select all

BF1942_w32ded v1.61 (patched)
  45aacf:   53                      push   ebx
  45aad0:   8b ce                   mov    ecx,esi
  45aad2:   e8 89 aa ff ff          call   0x455560
  45aad7:   85 c0                   test   eax,eax
  45aad9:   74 1e                   je     0x45aaf9
  45aadb:   8b 40 04                mov    eax,DWORD PTR [eax+4]
  45aade:   85 c0                   test   eax,eax
  45aae0:   74 17                   je     0x45aaf9
  45aae2:   0f b6 57 0d             movzx  edx,BYTE PTR [edi+0xd]
  45aae6:   4a                      dec    edx
  45aae7:   83 fa 01                cmp    edx,1
  45aaea:   77 0d                   ja     0x45aaf9
  45aaec:   42                      inc    edx
  45aaed:   8b 2e                   mov    ebp,DWORD PTR [esi]
  45aaef:   52                      push   edx
  45aaf0:   50                      push   eax
  45aaf1:   8b ce                   mov    ecx,esi
  45aaf3:   ff 95 40 01 00 00       call   DWORD PTR [ebp+0x140]
  45aaf9:   e9 93 06 00 00          jmp    0x45b191
  45aafe:   90 90 90 90 90 90       nop
  45aa04:   90 90 90 90 90 90       nop
  45ab0a:   90 90                   nop


Sorry for the delay, I was having some problems debugging Windows binaries and I was also doing a stupid mistake when patching (not looking to the stack). As a bonus, I've optimized this branch of code, allowing to save 14 bytes, in the end.
For BF1942 Windows v1.6 server executable the beginning address to apply the same instructions is at 0x0045aaaf.
Patched server executables which already include the code to prevent the previous exploit:
http://estatistic.planetaclix.pt/download/BF1942_w32ded-1.6-patched.zip
http://estatistic.planetaclix.pt/download/BF1942_w32ded-1.61-patched.zip
The BF1942 Windows v1.6 server binary also has a fix for an old public exploit (@ 0x00442370 changed from 7f to 77), which it wasn't immune.

[Grabbi]

Thank you very much Tuia for your efforts and solving the problem !

All PFC servers are running your fix patch now and once again a BIG THANK YOU from the whole PFC-Crew and Community for the hard work you did within these few days !

YOU!... made the difference!


Greetz

Grabbi

[44mag]

Thank you so much Tuia although i dont know you, you have my respect and gratitude for helping us keep bf42 alive and kickin. It takes alot of dedication and hard work to chase down these new fixes, something your not lacking in. However something we are all not lacking in is the resolve to push these petty hackers aside and keep enjoying bf42 forever! Rock on!

[tuia]

I'm glad to help. About this fix, I can't give too much details now, as this exploit has been used and is being used against vulnerable servers. Basically, I just put a check for valid arguments before the function, which causes the crash, is called. Thanks to Grabbi for pointing out the error message and describing the procedure to apply the exploit. Much respect and thanks to dierighty and all who assisted him, for devising a solution to the first exploit. It was a great work and much harder to plan.

[LoonyLau]

Also I wanted to give a big thanks to you here Tuia,
somehow this hacker is targeting our community for whatever reason
and we all love this older game so much.
Thanks to you we can fight on these WWII battlefields again and enjoy our gameplay!
Tuia, many many thanks for your fast and hard work!!
We all (within the -=PFC=- crew & our whole community) appreciate this very much!

Greetings,
LoonyLau

[tuia]

Instructions to fix the new exploit for Battlefield Vietnam Linux server files version 1.21:

Code: Select all

bfv_linded.dynamic v1.21 (original)
 8756b31:   89 c7                   mov    edi,eax
 8756b33:   0f 84 21 f0 ff ff       je     8755b5a
 8756b39:   89 04 24                mov    DWORD PTR [esp],eax
 8756b3c:   e8 df c6 fd ff          call   8733220
 8756b41:   85 c0                   test   eax,eax
 8756b43:   0f 84 11 f0 ff ff       je     8755b5a
 8756b49:   89 3c 24                mov    DWORD PTR [esp],edi
 8756b4c:   e8 cf c6 fd ff          call   8733220
 8756b51:   8b 75 10                mov    esi,DWORD PTR [ebp+0x10]
 8756b54:   8b 0b                   mov    ecx,DWORD PTR [ebx]
 8756b56:   c7 44 24 0c 01 00 00    mov    DWORD PTR [esp+0xc],1
 8756b5d:   00
 8756b5e:   0f b6 56 0d             movzx  edx,BYTE PTR [esi+0xd]
 8756b62:   89 1c 24                mov    DWORD PTR [esp],ebx
 8756b65:   89 44 24 04             mov    DWORD PTR [esp+4],eax
 8756b69:   89 54 24 08             mov    DWORD PTR [esp+8],edx
 8756b6d:   ff 91 88 01 00 00       call   DWORD PTR [ecx+0x188]
 8756b73:   e9 e2 ef ff ff          jmp    8755b5a


Code: Select all

bfv_linded.dynamic v1.21 (patched)
 8756b31:   74 2f                   je     8756b62
 8756b33:   8b 40 04                mov    eax,DWORD PTR [eax+4]
 8756b36:   85 c0                   test   eax,eax
 8756b38:   74 28                   je     8756b62
 8756b3a:   8b 75 10                mov    esi,DWORD PTR [ebp+0x10]
 8756b3d:   0f b6 56 0d             movzx  edx,BYTE PTR [esi+0xd]
 8756b41:   4a                      dec    edx
 8756b42:   83 fa 01                cmp    edx,1
 8756b45:   77 1b                   ja     8756b62
 8756b47:   42                      inc    edx
 8756b48:   31 c9                   xor    ecx,ecx
 8756b4a:   41                      inc    ecx
 8756b4b:   89 1c 24                mov    DWORD PTR [esp],ebx
 8756b4e:   89 44 24 04             mov    DWORD PTR [esp+4],eax
 8756b52:   89 54 24 08             mov    DWORD PTR [esp+8],edx
 8756b56:   89 4c 24 0c             mov    DWORD PTR [esp+0xc],ecx
 8756b5a:   8b 0b                   mov    ecx,DWORD PTR [ebx]
 8756b5c:   ff 91 88 01 00 00       call   DWORD PTR [ecx+0x188]
 8756b62:   e9 f3 ef ff ff          jmp    8755b5a
 8756b67:   90 90 90 90 90 90 90    nop
 8756b6e:   90 90 90 90 90 90 90    nop
 8756b75:   90 90 90                nop


Same instructions to be applied for the static binary, the beginning address is 0x08753e51.
Download the patched files from here, which, as usual, contain the fix for the previous exploit:
http://estatistic.planetaclix.pt/download/bfv_linded-v1.21-patched.tar.gz