
New crash exploit part IV (17.04.2016)

Posted: Sun Apr 17, 2016 1:07 pm
by Grabbi
Hi everyone,

Since Easter 2016 we have faced a new troll using an exploit that crashes servers.

Each time on maps with SDKFZ222 or subs the troll joins the server,
prepares console for crash command [xxx.con]
and starts playing till he gets "kicked/banned" or even deliberately executes the command.

Result: Server has encountered a problem and must be ended [Popup Msg in Windows Server over remote desktop, so there's NO "couldn't connect to server console" etc. message]

He changes IP over Socks5 Proxy each time he joins.
He changes KEYHASH each time he joins.

This is going on now for over a month.

Therefore we prepared Wireshark and logged game port 14567 UDP.

Server Settings: Windows Server 2012 / latest BF1942 Server.exe from Tuia [1.612 /128 slots]

Yesterday we could record the troll crashing the server, and we hope these Wireshark logs can help to create a server fix to prevent trolls from crashing the remaining Battlefield servers for fun.


KarolPopiolek 95.211.101.232 2d115a5e168a98c87bfc18963470abb4 [unknown]

IP is server in the Netherlands:
http://anti-hacker-alliance.com/index.php?ip=95.211.101.232

Wireshark Recording Troll crashing server:
http://85.214.226.169/patches/hacker16042016.rar

rar file contains:

Wireshark protocol [complete server communication], so you might need the latest
Wireshark: https://www.wireshark.org/download.html

Troll information:
KarolPopiolek 95.211.101.232 2d115a5e168a98c87bfc18963470abb4 [unknown]

and Wireshark Filter Protocol [troll-server communication]


Hope you can help us to find a server fix, because ppl stop playing over time when this continues.


Best regards

Grabbi

PS: Only solution we have atm is to set Server under Password, and just give it to those we know well for years.

Re: New crash exploit part IV (17.04.2016)

Posted: Thu Sep 21, 2017 7:39 am
by arivi
Is there any new solution for this exploit?

Re: New crash exploit part IV (17.04.2016)

Posted: Sun Oct 29, 2017 8:14 am
by russ
There aren't any weird packets coming from that client, are you sure it isn't a crash caused by something on the query port?