New Cheat/Hack for Enemy Territory


(superdug) #1

Hello, I am an admin for one of the more popular ET servers and recently we were experiencing a little bit of a problem with every user disconnecting with the server message of “Illegible Message 0”.

I hate cheaters/wannabe hackers as much as the next guy, but I am almost 100% sure that is what we were experiencing at our server.

The hack involves using a buffer overflow in the sound system.

I believe, after looking at the ET source code, this may be the offending section.


/*
===============
CG_SoundLoadSoundFiles
===============
*/
extern char bigTextBuffer[100000];    // we got it anyway, might as well use it

This is from \WET_Source\src\cgame\cg_sound.c

To be a little more in-depth with how this stupid hack works:

A bind for a vsay is made; this vsay, however, seems to be larger than the buffer will allow, causing an immediate disconnect for all users connected to the server.

I’d like to not actually post the actual exploit here in the forums.

I have a few ideas on a fix …

1.) Have an error checking call in the code making sure that either the call is not too large for the buffer OR ensure that the vsay call is for a valid call.

2.) Censor out any vsays that are part of the actual allowed vsays.

Anyone else experiencing this problem or have an idea to make it stop?

SuperDuG
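Fix idea 1 from the post above (reject a vsay that is too large or is not a valid call), sketched as an added example that is not part of the original post and is not Enemy Territory source code. The function name `vsay_validate`, the `VSAY_ID_MAX` limit and the allowlist entries are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define VSAY_ID_MAX 32 /* assumed limit, not taken from the ET source */

typedef enum { VSAY_OK, VSAY_EMPTY, VSAY_TOO_LONG, VSAY_BAD_CHAR, VSAY_UNKNOWN } vsay_result;

/* Constructed sample allowlist; a server would load its own voice chat ids. */
static const char *const allowed_vsays[] = {
    "Medic", "NeedAmmo", "Hi", "Thanks", "Cheer", "Affirmative", "Negative"
};

/* Length of s, but never scans more than max + 1 bytes of untrusted input. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n; /* max + 1 means "longer than max" */
}

/* Hypothetical check to run on a client's vsay id before it is relayed. */
vsay_result vsay_validate(const char *id)
{
    size_t len, i;

    if (id == NULL || id[0] == '\0')
        return VSAY_EMPTY;
    len = bounded_len(id, VSAY_ID_MAX);
    if (len > VSAY_ID_MAX)
        return VSAY_TOO_LONG;               /* reject, never truncate and pass on */
    for (i = 0; i < len; i++)
        if (!isalnum((unsigned char)id[i]) && id[i] != '_')
            return VSAY_BAD_CHAR;           /* no quotes, separators, colour codes */
    for (i = 0; i < sizeof allowed_vsays / sizeof allowed_vsays[0]; i++)
        if (strcmp(id, allowed_vsays[i]) == 0)
            return VSAY_OK;
    return VSAY_UNKNOWN;
}

int main(void)
{
    char oversized[4096];                   /* constructed over-long input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("Medic -> %d, oversized -> %d, Bogus -> %d\n",
           vsay_validate("Medic"), vsay_validate(oversized), vsay_validate("Bogus"));
    return 0;
}
```

Anything other than `VSAY_OK` is dropped and logged with the sender's slot, so the length check and the allowlist both run before any fixed-size buffer sees the string.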


(Deprave) #2

Hey mang that’s pretty interesting I think we should investigate further mang for sure mang how bout a patch gimme a patch


(Deprave) #3

my balls itch


(bubba g) #4

Hi there,

I posted a topic earlier today ‘Server Exploit’ something or other, for this exact problem. And yes, it was ‘Rebel Train’ causing the problem. Look at his name closely, you will notice some very ‘odd’ things about it. I have emailed another server to try and get his IP, as I intend to contact his ISP and see what they think.

If you could provide his IP it would be most helpful!

P.S. Look out for this guy - full name ‘Rebel Train (FH’

And I think the other name is just an alias he uses…


(Abnix) #5

Bubba G, here’s the information you requested:

1254:44ConnectInfo: 39: 89274264721075E9360C6EC8307BF667: ^1Rebel ^2Train ^7^8(^5FH^9^8): 3: 0: 24.207.213.161:27960


(Abnix) #6

ack, hate smilies


(bubba g) #7

Thanks abnix!


(bubba g) #8

Question though - is that his IP at the end or the IP of your server???


(superdug) #9

Bubba - that’s HIS IP, not the IP of the server. Abnix is the owner of the server that I admin on, so that is definitely valid information.


(Sauron|EFG) #10

ARIN whois search results


(bubba g) #11

Thanks guys, I will track down his ISP and see what they think of his activities


(Sambie) #12

Bubba, have you found his ISP yet? Please give us some updates.


(bubba g) #13

Charter Communications - an American ISP - I am having difficulty contacting them though, as you need to enter a zip code to contact them.


(bubba g) #14

It’s done - reported - waiting for a reply


(bubba g) #15

Hmmm, just thought - wonder who Sambie is? I was telling the guy earlier (came on again and crashed the server) I was going to report him, he didn’t believe me, and I told him to look here…


(SCDS_reyalP) #16

abuse@whateverisp.com

is usually a good place to start. The complaint should come from the server operator / owner, with logs and ips.

Performing DOS attacks (such as causing the server to boot everyone) is a violation of almost all ISPs’ TOS. Also, if the server is hosted by a for-profit hosting company, the hosting company could reasonably claim that DOSing their computers causes them damage, thus subjecting the perpetrator to http://www4.law.cornell.edu/uscode/18/1030.html as well as various state laws. See also
http://www.cybercrime.gov/cclaws.html
and
http://www.ncsl.org/programs/lis/cip/computercrimes.htm

Returning to a server after you are banned is ‘unauthorized access’ which is all that is required under many ‘hacking’ laws.

While law enforcement isn’t likely to be interested in such a small issue, it should encourage the ISP to shut the trouble maker down.

FWIW, I seem to remember a bug like this being mentioned in the change list for the latest ETPro. If the server isn’t running etpro, it might be time to switch. If the exploit does work in etpro, I’m sure bani would want to hear about it.


(Sambie) #17

bubba g, I’m not anybody special. I’m just a player that plays on Abnix and Superdug’s server. I was also experiencing the problem that has been found, as the newest hack/cheat that Superdug had mentioned.

PS, if you visit Abnix’s website and join his server you can learn more about me, and how I play :slight_smile:


(turk2000) #18

Yes, that has happened a lot of times on the Nexus server.
Hackers always lie in wait… :suspicious:


(bubba g) #19

Hi Sambie,

Sorry about that, just seemed a coincidence.

SCDS_reyalP & Sauron|EFG thanks for the useful information - has helped greatly.

And turk2000, this is the guy causing the problem on at least one of the Nexus servers - where I play most of the time.


(superdug) #20

Getting the guy is not anywhere near fixing the BIG problem. Would anyone from Splash care to comment on a fix for this bug or do we have to fix it ourselves?