Page 4 of 5

Re: New crash exploit part III (17.11.2012)

Posted: Mon Dec 10, 2012 4:13 pm
by Viral
s[sk] wrote:
Viral wrote:I would test this as well on my server; I just need to know how to patch the Linux server files. I am using the 1.62 patched version. I don't need a guide, just give me a kick in the right direction and a link to the needed tools :P
I suggest using vbindiff for hex editing in Linux.
Just be sure you are not editing a binary that's in use (running).
Thanks I will play around with that over the next few days!
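The two rules s[sk] gives above (patch the bytes in place, never touch a running binary) can be turned into a small tool that enforces them. The following is an added example written for this page; it is not vbindiff, not the 1.62 patch, and not anything the bf1942 project ships. The sample "image" bytes, the offset and the replacement bytes are constructed for the self-test and have nothing to do with the real server binary; a real patch would take its expected and replacement bytes from whatever patch notes you are applying. The one Linux-specific fact it relies on is that opening an executable that is currently being run for writing fails with ETXTBSY, so the "is it running?" check falls out of the open() call itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Result codes for patch_bytes(). */
enum { PATCH_OK = 0, PATCH_MISMATCH = -1, PATCH_BUSY = -2, PATCH_IOERR = -3 };

/*
 * Overwrite n bytes at `offset` in `path` with `replace`, but only if the
 * bytes currently there equal `expect`. On Linux, opening a binary that is
 * being executed for writing fails with ETXTBSY; that is reported as
 * PATCH_BUSY, which makes "don't edit a running binary" an explicit check
 * rather than something to remember.
 */
int patch_bytes(const char *path, off_t offset,
                const unsigned char *expect, const unsigned char *replace, size_t n)
{
    unsigned char cur[64];
    if (n == 0 || n > sizeof cur)
        return PATCH_IOERR;

    int fd = open(path, O_RDWR);
    if (fd < 0)
        return errno == ETXTBSY ? PATCH_BUSY : PATCH_IOERR;

    int rc = PATCH_IOERR;
    if (pread(fd, cur, n, offset) != (ssize_t)n)
        goto out;
    if (memcmp(cur, expect, n) != 0) {
        rc = PATCH_MISMATCH;   /* wrong build, wrong offset, or already patched */
        goto out;
    }
    if (pwrite(fd, replace, n, offset) != (ssize_t)n || fsync(fd) != 0)
        goto out;
    rc = PATCH_OK;
out:
    close(fd);
    return rc;
}

/*
 * Self-test on a constructed 16-byte file (NOT a real bf1942 image): patch a
 * 5-byte sequence at offset 6, verify only those bytes changed, then confirm
 * that applying the same patch twice is refused. Returns 0 on success, else
 * the number of the step that failed.
 */
int selftest(const char *path)
{
    static const unsigned char image[16] = {
        0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0xe8, 0x00,
        0x00, 0x00, 0x00, 0xc9, 0xc3, 0x90, 0x90, 0x90 };
    static const unsigned char expect[5]  = { 0xe8, 0x00, 0x00, 0x00, 0x00 };
    static const unsigned char replace[5] = { 0x90, 0x90, 0x90, 0x90, 0x90 };
    unsigned char back[16];

    FILE *f = fopen(path, "wb");
    if (!f || fwrite(image, 1, sizeof image, f) != sizeof image) { if (f) fclose(f); return 1; }
    fclose(f);

    if (patch_bytes(path, 6, expect, replace, sizeof expect) != PATCH_OK) return 2;

    f = fopen(path, "rb");
    if (!f || fread(back, 1, sizeof back, f) != sizeof back) { if (f) fclose(f); return 3; }
    fclose(f);
    if (memcmp(back + 6, replace, sizeof replace) != 0) return 4;
    if (memcmp(back, image, 6) != 0 || memcmp(back + 11, image + 11, 5) != 0) return 5;

    /* Second application must be refused: the expected original bytes are gone. */
    if (patch_bytes(path, 6, expect, replace, sizeof expect) != PATCH_MISMATCH) return 6;

    remove(path);
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/patch_bytes_selftest.bin";
    int rc = selftest(path);
    printf("selftest on %s: %s (step %d)\n", path, rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

Work on a copy of bf1942_lnxded.static (or stop the server first) and keep the unpatched file next to it: the expected-bytes check is what tells you the offset is right for your build, and PATCH_MISMATCH on a second run is the signal that the patch is already in.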

Re: New crash exploit part III (17.11.2012)

Posted: Wed Dec 12, 2012 5:48 pm
by wq_Compf
Hi,

I saw that you love bf 1942, many thanks to s[sk] and Tuia, but people with no life have found another glitch. They crash the server with an unknown command again. In my log I find:
Fatal error: Control object not found!!! id 0

Omg, this is very stupid.

I will try to show you what happens soon. No time now, sorry for this!
I'm happy the server doesn't stay at 99%; it crashes and the remote admin restarts it. For now I'll wait until I have time for it.

Cya soon bf1942 lovers !

Re: New crash exploit part III (17.11.2012)

Posted: Wed Dec 12, 2012 7:56 pm
by wq_Compf
Hi again,

I put debug on but it is useless: stack not found. How about this?

Cheers !

Re: New crash exploit part III (17.11.2012)

Posted: Thu Dec 13, 2012 9:25 am
by s[sk]
wq_Compf wrote:Hi again,

I put debug on but it is useless: stack not found. How about this?

Cheers !
can you please be more specific what's the problem you're trying to solve?

is this some new bug that has something to do with that "Fatal error: Control object not found!!! id 0" from your previous post?

if so, can you give us more detail?
what happens? server crashes? server hangs with high cpu usage?
where do you see this error? how often does it happen?

Re: New crash exploit part III (17.11.2012)

Posted: Thu Dec 13, 2012 2:35 pm
by wq_Compf
Hi,

I made a new shot with gdb.

top - 14:50:14 up 3:08, 1 user, load average: 0.40, 0.29, 0.25
Tasks: 82 total, 1 running, 81 sleeping, 0 stopped, 0 zombie
Cpu(s): 6.3%us, 0.5%sy, 0.0%ni, 93.1%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 4126068k total, 238044k used, 3888024k free, 27040k buffers
Swap: 2588664k total, 0k used, 2588664k free, 105856k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
976 bf42 20 0 93556 67m 6612 S 26 1.7 8:07.51 bf1942_lnxded
1 root 20 0 3532 1844 1244 S 0 0.0 0:00.94 init
2 root 20 0 0 0 0 S 0 0.0 0:00.00 kthreadd
3 root 20 0 0 0 0 S 0 0.0 0:00.51 ksoftirqd/0
5 root 20 0 0 0 0 S 0 0.0 0:00.44 kworker/u:0
6 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/0
7 root RT 0 0 0 0 S 0 0.0 0:00.04 watchdog/0
8 root RT 0 0 0 0 S 0 0.0 0:00.05 migration/1
10 root 20 0 0 0 0 S 0 0.0 0:01.22 ksoftirqd/1
12 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/1
13 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/2
15 root 20 0 0 0 0 S 0 0.0 0:08.73 ksoftirqd/2
16 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/2
17 root RT 0 0 0 0 S 0 0.0 0:00.00 migration/3
19 root 20 0 0 0 0 S 0 0.0 0:00.05 ksoftirqd/3
20 root RT 0 0 0 0 S 0 0.0 0:00.02 watchdog/3
21 root 0 -20 0 0 0 S 0 0.0 0:00.00 cpuset
root@wqsrvibm:~# gdb program 976
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
program: No such file or directory.
Attaching to process 976
Reading symbols from /home/bf42/bf1942/bf1942_lnxded.static...done.
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libdl.so.2
Reading symbols from /lib/i386-linux-gnu/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libm.so.6
Reading symbols from /lib/i386-linux-gnu/libncurses.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libncurses.so.5
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...(no debugging symbols found)...done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb55b2b40 (LWP 1222)]
Loaded symbols for /lib/i386-linux-gnu/libpthread.so.0
Reading symbols from /lib/i386-linux-gnu/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/i386-linux-gnu/libtinfo.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libtinfo.so.5
Reading symbols from /home/bf42/bf1942/pb/pbsv.so...(no debugging symbols found)...done.
Loaded symbols for /home/bf42/bf1942/pb/pbsv.so
Reading symbols from /lib/i386-linux-gnu/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_files.so.2
Reading symbols from /lib/i386-linux-gnu/libnss_dns.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libnss_dns.so.2
Reading symbols from /lib/i386-linux-gnu/libresolv.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/libresolv.so.2
0xb7705424 in __kernel_vsyscall ()
(gdb) c
Continuing.
[Thread 0xb55b2b40 (LWP 1222) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb5849b40 (LWP 1414)]
[Thread 0xb5849b40 (LWP 1414) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb52b0b40 (LWP 1415)]
[Thread 0xb52b0b40 (LWP 1415) exited]
process 976 is executing new program: /home/bf42/bf1942/bf1942_lnxded.static
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xb57ffb40 (LWP 1419)]

Program received signal SIGSEGV, Segmentation fault.
0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
(gdb) bt
#0 0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
#1 0x08141e84 in dice::bf::GhostManager::writeData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#2 0x081469d3 in dice::bf::GhostManager::sendData(dice::ref2::io::BitStream&, dice::bf::GhostAction, dice::bf::GhostObject*, bool) ()
#3 0x081431cd in dice::bf::GhostManager::transmit(dice::ref2::io::BitStream*, dice::bf::PacketStatus&, unsigned int) ()
#4 0x081156b3 in dice::bf::ClientConnection::transmitMsgs() ()
#5 0x081394e1 in dice::bf::GameServer::processGameStateAndSendPackets(float) ()
#6 0x081329f9 in dice::bf::GameServer::update(int, float) ()
#7 0x080bc366 in dice::bf::Setup::mainLoop() ()
#8 0x080bb71c in dice::bf::Setup::start(std::string const&) ()
#9 0x08050775 in main ()
(gdb)

I haven't closed gdb, in case of any suggestion!

Re: New crash exploit part III (17.11.2012)

Posted: Thu Dec 13, 2012 2:59 pm
by s[sk]
wq_Compf wrote: (gdb) bt
#0 0x0843145a in dice::ref2::io::NetworkManager::getNetUpdate(dice::ref2::io::BitStream&, dice::ref2::io::NetworkableDescriptor*, dice::ref2::io::NetworkableStateMask*, int, bool) ()
this is not an exploit, this is a known problem with bf1942 server caused by buggy code
it crashes because it's processing bogus data (probably already freed and overwritten)

how often it crashes there depends on player count (the more players, the more likely it'll crash) and probably on how often people disconnect/get kicked

there is a workaround patch being tested for this and similar bug (in world::ObjectManager::checkMessages())
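s[sk]'s diagnosis above (the server serialising an update for an object whose memory was probably already freed and overwritten, with a workaround built from sanity checks) can be shown in a small C model. This is an added example written for this page, not the game's code and not s[sk]'s patch: the slot table, the generation counter and the handle layout are my assumptions, and the only thing taken from the page is the shape of the bug, a queued ghost update for an object that no longer exists by the time transmit() runs. The "buggy" reader dereferences whatever now sits in the slot, which is the pattern that produces the SIGSEGV in the backtrace; the checked reader refuses a handle whose index is out of range, whose object is dead, or whose generation no longer matches.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_OBJECTS 8

/* One slot in a hypothetical object table; stands in for a descriptor-like record. */
typedef struct {
    bool     alive;
    uint32_t generation;   /* incremented every time the slot is (re)allocated */
    int      state;        /* the data a getNetUpdate()-style routine would serialise */
} Slot;

typedef struct { Slot slots[MAX_OBJECTS]; } ObjectTable;

/* What a queued update carries: a slot index plus the generation seen when it was queued. */
typedef struct { uint32_t index; uint32_t generation; } Handle;

static void table_init(ObjectTable *t) { memset(t, 0, sizeof *t); }

/* Allocate the first free slot; a full table yields an out-of-range index. */
static Handle table_alloc(ObjectTable *t, int state)
{
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        Slot *s = &t->slots[i];
        if (!s->alive) {
            s->alive = true;
            s->generation++;
            s->state = state;
            return (Handle){ i, s->generation };
        }
    }
    return (Handle){ MAX_OBJECTS, 0 };
}

static void table_free(ObjectTable *t, Handle h)
{
    if (h.index < MAX_OBJECTS)
        t->slots[h.index].alive = false;   /* contents stay behind, as freed heap memory does */
}

/* Buggy pattern: trust the queued index and read whatever occupies the slot now. */
static int unsafe_get_update(const ObjectTable *t, Handle h)
{
    return t->slots[h.index].state;
}

/* Sanity-checked pattern: range, liveness and generation must all agree before dereferencing. */
static bool safe_get_update(const ObjectTable *t, Handle h, int *out)
{
    if (h.index >= MAX_OBJECTS)
        return false;                      /* bogus id from the wire or from a corrupted queue */
    const Slot *s = &t->slots[h.index];
    if (!s->alive || s->generation != h.generation)
        return false;                      /* stale handle: drop this update instead of crashing */
    *out = s->state;
    return true;
}

/* Constructed scenario: A's object is queued for an update, A disconnects, B's object reuses the slot. */
static void build_scenario(ObjectTable *t, Handle *stale, Handle *live)
{
    table_init(t);
    *stale = table_alloc(t, 100);   /* player A, state 100 */
    table_free(t, *stale);          /* A leaves or is kicked; the object is destroyed */
    *live = table_alloc(t, 200);    /* player B lands in the same slot, state 200 */
}

int stale_handle_unsafe_read(void)
{
    ObjectTable t; Handle stale, live;
    build_scenario(&t, &stale, &live);
    return unsafe_get_update(&t, stale);              /* 200: B's data goes out under A's update */
}

int stale_handle_safe_read(void)
{
    ObjectTable t; Handle stale, live; int v = -1;
    build_scenario(&t, &stale, &live);
    return safe_get_update(&t, stale, &v) ? v : -1;   /* -1: rejected, generation mismatch */
}

int live_handle_safe_read(void)
{
    ObjectTable t; Handle stale, live; int v = -1;
    build_scenario(&t, &stale, &live);
    return safe_get_update(&t, live, &v) ? v : -1;    /* 200: the current owner is served normally */
}

int bogus_id_safe_read(void)
{
    ObjectTable t; Handle stale, live; int v = -1;
    build_scenario(&t, &stale, &live);
    Handle bogus = { 9999, 1 };                       /* "Control object not found" territory */
    return safe_get_update(&t, bogus, &v) ? v : -1;   /* -1: out of range, never dereferenced */
}
```

A plain alive flag is not enough once slots (or heap chunks) are reused, which is exactly the case s[sk] ties to players disconnecting: the old handle would pass an alive check and silently serialise the new occupant. The generation counter turns that into a detectable mismatch, and the failure mode becomes a dropped update rather than a dead server.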

Re: New crash exploit part III (17.11.2012)

Posted: Thu Dec 13, 2012 3:05 pm
by wq_Compf
Hi,

Thanks for the fast response, where do I find this patch?

Re: New crash exploit part III (17.11.2012)

Posted: Thu Dec 13, 2012 3:21 pm
by s[sk]
wq_Compf wrote:Hi,

Thanks for the fast response, where do I find this patch?
it's not yet public, i'm waiting for feedback from testing, it's a set of sanity checks that need to be tweaked to catch all possible bad data

Re: New crash exploit part III (17.11.2012)

Posted: Thu Dec 13, 2012 3:31 pm
by wq_Compf
Hi,

Thanks man, you are great.

Re: New crash exploit part III (17.11.2012)

Posted: Wed Jan 30, 2013 11:46 pm
by Malbert
Any news or fix?