Dlfile Exploit Fix(attempt)

scottlscottl Join Date: 2002-12-20 Member: 11232Members
edited December 2003 in General Server Discussion
<div class="IPBDescription">Not sure if this will work or not.</div> I got tired of having downloads off so I spent about an hour looking into fixing this, I will keep doing experimenting with other stuff, but This is going to **** of those kiddies <!--emo&:)--><img src='http://www.unknownworlds.com/forums/html/emoticons/smile.gif' border='0' style='vertical-align:middle' alt='smile.gif'><!--endemo-->. This should cause clients that use the exploit to crash, although I haven't tested it any further than my test server, so I dunno if this will affect legit clients or the server.

Its definitely nowhere near complete, but I did want to see if this kinda thing is worth making.

If you only want to protect certain files, and not all the .cfg .dll or .so files, you can just add in your own checks(server.cfg) string comparison. Also this does not stop them from downloading the file, just makes it to where it doesn't write. I am not sure if the data gets written or not, but this fix is far from complete.

I just modified the boffix source that I found on google, so just put into your hlds_run:
<!--c1--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>CODE</b> </td></tr><tr><td id='CODE'><!--ec1-->export LD_PRELOAD=./boffix_i386.so<!--c2--></td></tr></table><span class='postcolor'><!--ec2-->

HAVE NOT TESTED IN A SERVER WITH MORE THAN 2 PPL ! <!--emo&???--><img src='http://www.unknownworlds.com/forums/html/emoticons/confused.gif' border='0' style='vertical-align:middle' alt='confused.gif'><!--endemo--> So! Use @ your own risk. but please if you do use it and hit a bump, would be great to know <!--emo&:)--><img src='http://www.unknownworlds.com/forums/html/emoticons/smile.gif' border='0' style='vertical-align:middle' alt='smile.gif'><!--endemo-->

NOTE TO A MOD: Can you move this to general server forum <!--emo&:D--><img src='http://www.unknownworlds.com/forums/html/emoticons/biggrin.gif' border='0' style='vertical-align:middle' alt='biggrin.gif'><!--endemo-->

Comments

  • scottlscottl Join Date: 2002-12-20 Member: 11232Members
    edited December 2003
    Missed something in the source, updated.
  • TalesinTalesin Our own little well of hate Join Date: 2002-11-08 Member: 7710NS1 Playtester, Forum Moderators
    <span style='color:yellow'>*PHASED*</span> to General Servers.
  • Soylent_greenSoylent_green Join Date: 2002-12-20 Member: 11220Members, Reinforced - Shadow
    <!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->This should cause clients that use the exploit to crash<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->

    MUAHAHAHAHAHA <!--emo&:D--><img src='http://www.unknownworlds.com/forums/html/emoticons/biggrin.gif' border='0' style='vertical-align:middle' alt='biggrin.gif'><!--endemo-->. That's great
  • scottlscottl Join Date: 2002-12-20 Member: 11232Members
    edited December 2003
    after about 6 hours of screwing with this, finally got a good version up!

    Okay, This successfully blocks people running, cmd dlfile server.cfg (for now)

    it catches the cmd and changes it to, cmd dlfile looser.txt which forces them to download NOTHING(if it don't exist), or you can make up looser.txt and write a nice message to em if you want <!--emo&:)--><img src='http://www.unknownworlds.com/forums/html/emoticons/smile.gif' border='0' style='vertical-align:middle' alt='smile.gif'><!--endemo--> . I haven't tested this on a pub, but I plan to later tonight. So give it a run. I will also be working on improving it to catch .so/.dll and any other files you guys reply back with that need to be stopped.! Server.cfg was the main one and so are .dll/.so stealing(if you got custom onez), So if another programmer wants to add to it, be my guest! But this works!

    Test it out and POST WITH RESULTS! <!--emo&:D--><img src='http://www.unknownworlds.com/forums/html/emoticons/biggrin.gif' border='0' style='vertical-align:middle' alt='biggrin.gif'><!--endemo-->

    tested on a 3110 linux server, not sure on 3111...
  • eagleceaglec Join Date: 2002-11-25 Member: 9948Members, Constellation
    Sounds great, although making the client crash is going into a grey area a little. Still - you need a windows dll <!--emo&;)--><img src='http://www.unknownworlds.com/forums/html/emoticons/wink.gif' border='0' style='vertical-align:middle' alt='wink.gif'><!--endemo-->

    Good work so far.
  • CheesyPetezaCheesyPeteza Join Date: 2002-11-24 Member: 9784Members, NS1 Playtester, Constellation
    edited December 2003
    What version of boffix is it? Are you using the latest version from unitedadmins forums?

    I posted it to the hlds_l mailing list, but I post here too. Block these:

    *.ini
    *.cfg
    *.log

    Also if its case sensitive then does that mean on windows servers I could download *.SO and it would still work? Anyway gonna do some testing with it.
  • CheesyPetezaCheesyPeteza Join Date: 2002-11-24 Member: 9784Members, NS1 Playtester, Constellation
    Just remembered about the other problem with the exploit allowing you to crash servers if you try to download a big files like valve/pak0.pak. Just block valve as everyone should have those files anyway. Other big files I see on my system are custom.hpk and ns.wad. Dunno what you can do about the wads. :/
  • scottlscottl Join Date: 2002-12-20 Member: 11232Members
    This is where this fix gets kinda flakey, exactly what should be blocked <!--emo&:D--><img src='http://www.unknownworlds.com/forums/html/emoticons/biggrin.gif' border='0' style='vertical-align:middle' alt='biggrin.gif'><!--endemo-->

    I will keep going back and forth on the mailing list with updates and post back here later on with a more final version. I will also head on over to UA and see what boffix they got up.
  • PetitMortePetitMorte Join Date: 2002-11-06 Member: 7232Members
    Just an idear, but hows aboot an ini or cfg that tells the bugger what to block?

    <!--c1--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>CODE</b> </td></tr><tr><td id='CODE'><!--ec1-->// block these files
    .cfg
    .dll
    .wad
    .pak
    .log
    .myownfiletype<!--c2--></td></tr></table><span class='postcolor'><!--ec2-->

    thusly?
  • HypergripHypergrip Suspect Germany Join Date: 2002-11-23 Member: 9689Members, NS1 Playtester, Contributor
    Thanks for your efford.
    Please keep us updated.

    Maybe as a little suggestion use a config file where admins can select the extensions of the files that are allowed / not allowed?

    Once you have a final version, I will test it on our Server (3.1.1.1d linux) and PM you feedback
  • scottlscottl Join Date: 2002-12-20 Member: 11232Members
    ya thats what I figured I would setup as a final version.

    Block a few main things that need to be blocked. and then have a dlfile.txt that you guys can load with

    addons/amx/users.ini
    addons/amx/something.cfg
    etc...

    up to like 15 or 20 lines to block things...
  • VadakillVadakill The Almighty BSO Join Date: 2002-04-02 Member: 373Members, NS1 Playtester
    edited December 2003
    How is this fix coming? Does it work currently or is development still continuing on this?
Sign In or Register to comment.