New crash exploit part III (17.11.2012)

Re: New crash exploit part III (17.11.2012)

Postby Viral » Mon Dec 10, 2012 4:13 pm

s[sk] wrote:
Viral wrote:I would test this as well on my server; I just need to know how to patch the Linux server files. I am using the 1.62 patched version. I don't need a guide, just give me a kick in the right direction and a link to the needed tools :P

I suggest using vbindiff for hex editing in Linux.
Just be sure you are not editing a binary that's in use (running).


Thanks I will play around with that over the next few days!
Viral
 
Posts: 24
Joined: Sat Nov 24, 2012 7:07 pm

Re: New crash exploit part III (17.11.2012)

Postby wq_Compf » Wed Dec 12, 2012 5:48 pm

Hi,

I saw that you love BF1942, many thanks to s[sk] and Tuia, but people with no life have found another glitch. They crash the server with an unknown command again. In my log I find:
Fatal error: Control object not found!!! id 0

Omg, this is very stupid.

I will try to show you what happens soon; no time now, sorry for this!
I'm happy the server does not stay at 99%: it crashes and remote admin restarts it. For now I'm waiting until I have time for it.

Cya soon, bf1942 lovers!
wq_Compf
 
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Postby wq_Compf » Wed Dec 12, 2012 7:56 pm

Hi again,

I put debug on, but it is useless: stack not found. How about this?

Cheers !
wq_Compf
 
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Postby s[sk] » Thu Dec 13, 2012 9:25 am

wq_Compf wrote:Hi again,

I put debug on, but it is useless: stack not found. How about this?

Cheers!

Can you please be more specific about what problem you're trying to solve?

Is this some new bug that has something to do with that "Fatal error: Control object not found!!! id 0" from your previous post?

If so, can you give us more detail?
What happens? Does the server crash? Does the server hang with high CPU usage?
Where do you see this error? How often does it happen?
s[sk]
 
Posts: 23
Joined: Tue Nov 13, 2012 3:15 pm

Re: New crash exploit part III (17.11.2012)

Postby wq_Compf » Thu Dec 13, 2012 2:35 pm

Hi,

I took a new shot with gdb.

top - 14:50:14 up 3:08, 1 user, load average: 0.40, 0.29, 0.25
Tasks: 82 total, 1 running, 81 sleeping, 0 stopped, 0 zombie
Cpu(s): 6.3%us, 0.5%sy, 0.0%ni, 93.1%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 4126068k total, 238044k used, 3888024k free, 27040k buffers
Swap: 2588664k total, 0k used, 2588664k free, 105856k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
976 bf42 20 0 93556 67m 6612 S 26 1.7 8:07.51 bf1942_lnxded
1 root 20 0 3532 1844 1244 S 0 0.0 0:00.94 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.51 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 0:00.44 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.04 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.05 migration/1
10 root 20 0 0 0 0 S 0 0.0 0:01.22 ksoftirqd/1
12 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/2
15 root 20 0 0 0 0 S 0 0.0 0:08.73 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/2
17 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/3
19 root 20 0 0 0 0 S 0 0.0 0:00.05 ksoftirqd/3
20 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/3
21 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
root@wqsrvibm:~# gdb program 976
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
program: No such file or directory.
Attaching to process 976
Reading symbols from /home/bf42/bf1942/bf1942_lnxded.static...done.
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libdl.so.2
Reading symbols from /lib/i386-linux-gnu/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libm.so.6
Reading symbols from /lib/i386-linux-gnu/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libncurses.so.5
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb55b2b40 (LWP 1222)]
Loaded symbols for /lib/i386-linux-gnu/libpthread.so.0
Reading symbols from /lib/i386-linux-gnu/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i386-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libtinfo.so.5
Reading symbols from /home/bf42/bf1942/pb/pbsv.so...(no debugging symbols found)...done.
Loaded symbols for /home/bf42/bf1942/pb/pbsv.so
Reading symbols from /lib/i386-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_files.so.2
Reading symbols from /lib/i386-linux-gnu/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_dns.so.2
Reading symbols from /lib/i386-linux-gnu/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libresolv.so.2
0xb7705424 in __kernel_vsyscall ()
(gdb) c
Continuing.
[Thread 0xb55b2b40 (LWP 1222) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb5849b40 (LWP 1414)]
[Thread 0xb5849b40 (LWP 1414) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb52b0b40 (LWP 1415)]
[Thread 0xb52b0b40 (LWP 1415) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb57ffb40 (LWP 1419)]

Program received signal SIGSEGV, Segmentation fault.
0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
(gdb) bt
#0 0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
#1 0x08141e84 in dice::bf::GhostManager::writeData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#2 0x081469d3 in dice::bf::GhostManager::sendData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#3 0x081431cd in dice::bf::GhostManager::transmit(dice::ref2::io::BitStream*, dice::bf::PacketStatus&, unsigned int) ()
#4 0x081156b3 in dice::bf::ClientConnection::transmitMsgs() ()
#5 0x081394e1 in dice::bf::GameServer::processGameStateAndSendPackets(float) ()
#6 0x081329f9 in dice::bf::GameServer::update(int, float) ()
#7 0x080bc366 in dice::bf::Setup::mainLoop() ()
#8 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
#9 0x08050775 in main ()
(gdb)

I haven't closed gdb, in case there are any suggestions!
wq_Compf
 
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Postby s[sk] » Thu Dec 13, 2012 2:59 pm

wq_Compf wrote:(gdb) bt
#0 0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()


This is not an exploit; this is a known problem with the bf1942 server caused by buggy code.
It crashes because it's processing bogus data (probably already freed and overwritten).

How often it crashes there depends on the player count (the more, the more likely it'll crash) and probably on how often people disconnect/get kicked.

There is a workaround patch being tested for this and a similar bug (in world::ObjectManager::checkMessages()).
s[sk]
 
Posts: 23
Joined: Tue Nov 13, 2012 3:15 pm
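As an added illustration of the bug class s[sk] describes (this is not bf1942 server code and not the workaround patch; every name in it, NetObject, NetRef, write_updates and so on, is hypothetical): a queued network update still refers to an object that was destroyed when a player left, and the send path either dereferences the stale slot as-is or validates the reference first with the kind of sanity checks a workaround can bolt on.

```c
/*
 * Added illustration, not bf1942 server code and not s[sk]'s patch.
 * A pending-update queue refers to an object destroyed in the meantime
 * (player kicked/disconnected); the send path looks it up once without
 * checks and once with bounds/liveness/generation checks.
 * All names are hypothetical.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OBJECTS 8
#define INVALID_ID  0   /* id 0 reserved as "no object" (assumed convention) */

typedef struct {
    bool     alive;
    uint32_t generation;  /* bumped each time the slot is (re)allocated */
    int      state;       /* payload that would be serialized into a packet */
} NetObject;

/* Reference handed to other subsystems: id plus generation, never a raw pointer. */
typedef struct { uint32_t id; uint32_t generation; } NetRef;

static NetObject g_objects[MAX_OBJECTS];
static int       g_last_out[MAX_OBJECTS];

void objects_init(void) {
    memset(g_objects, 0, sizeof g_objects);
    memset(g_last_out, 0, sizeof g_last_out);
}

/* Allocate the first free slot; returns id 0 when the table is full. */
NetRef object_create(int state) {
    for (uint32_t id = 1; id < MAX_OBJECTS; id++) {
        NetObject *o = &g_objects[id];
        if (!o->alive) {
            o->alive = true;
            o->generation++;
            o->state = state;
            return (NetRef){ id, o->generation };
        }
    }
    return (NetRef){ INVALID_ID, 0 };
}

/* Free the slot and poison the payload, standing in for "freed and overwritten". */
void object_destroy(NetRef ref) {
    if (ref.id == INVALID_ID || ref.id >= MAX_OBJECTS) return;
    g_objects[ref.id].alive = false;
    g_objects[ref.id].state = -1;
}

/* BUGGY: trusts the id and hands back the slot whatever its state. */
NetObject *lookup_unchecked(NetRef ref) { return &g_objects[ref.id]; }

/* HARDENED: bounds, liveness and generation checks before any use. */
NetObject *lookup_checked(NetRef ref) {
    if (ref.id == INVALID_ID || ref.id >= MAX_OBJECTS) return NULL;
    NetObject *o = &g_objects[ref.id];
    if (!o->alive || o->generation != ref.generation) return NULL;
    return o;
}

/* Serialize pending updates into g_last_out. Returns the number written, or -1
 * when the unchecked path hits a dead slot (in a real server that is the read
 * of freed memory that ends in SIGSEGV). */
int write_updates(const NetRef *pending, int n, bool checked) {
    int written = 0;
    for (int i = 0; i < n; i++) {
        NetObject *o = checked ? lookup_checked(pending[i]) : lookup_unchecked(pending[i]);
        if (checked) {
            if (o == NULL) continue;      /* stale reference: skip it, keep serving */
        } else if (!o->alive) {
            return -1;                    /* dead slot dereferenced: "crash" */
        }
        g_last_out[written++] = o->state; /* unchecked: may be a different object's data */
    }
    return written;
}

int last_update(int i) { return g_last_out[i]; }

/* Scenario: two objects queued for an update, the second destroyed before the
 * packet is built. With reuse_slot the freed slot is immediately taken by a new
 * object with the same id, so the unchecked path silently sends the wrong data. */
int scenario(bool checked, bool reuse_slot) {
    objects_init();
    NetRef a = object_create(10);
    NetRef b = object_create(20);
    NetRef pending[2] = { a, b };
    object_destroy(b);
    if (reuse_slot) (void)object_create(30);
    return write_updates(pending, 2, checked);
}

int main(void) {
    printf("unchecked, no reuse: %d (-1 = would crash)\n", scenario(false, false));
    printf("checked,   no reuse: %d update(s)\n", scenario(true, false));
    int n = scenario(false, true);
    printf("unchecked, reuse   : %d update(s), second = %d (wrong object)\n", n, last_update(1));
    printf("checked,   reuse   : %d update(s)\n", scenario(true, true));
    return 0;
}
```

The generation counter is what catches the nastier case: the freed slot is reused by a new object with the same id, so a plain "is it alive" check passes and the old reference quietly serializes someone else's state. That is also why a binary workaround built from sanity checks has to be tweaked against real traffic, as s[sk] says; each check only rejects the bad data it was written to recognize.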

Re: New crash exploit part III (17.11.2012)

Postby wq_Compf » Thu Dec 13, 2012 3:05 pm

Hi,

Thanks for the fast response, where do I find this patch?
wq_Compf
 
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Postby s[sk] » Thu Dec 13, 2012 3:21 pm

wq_Compf wrote:Hi,

Thanks for the fast response, where do I find this patch?

It's not yet public; I'm waiting for feedback from testing. It's a set of sanity checks that need to be tweaked to catch all possible bad data.
s[sk]
 
Posts: 23
Joined: Tue Nov 13, 2012 3:15 pm

Re: New crash exploit part III (17.11.2012)

Postby wq_Compf » Thu Dec 13, 2012 3:31 pm

Hi,

Thanks man, you are great.
Last edited by wq_Compf on Mon Feb 11, 2013 7:47 pm, edited 1 time in total.
wq_Compf
 
Posts: 12
Joined: Tue Dec 04, 2012 6:59 pm

Re: New crash exploit part III (17.11.2012)

Postby Malbert » Wed Jan 30, 2013 11:46 pm

Any news or fix?
Malbert
 
Posts: 8
Joined: Sat Aug 06, 2011 5:19 am
