Jump to content

[Exploit + fix]Lets hack: Anti-Target (Unsanitized input exploit ).


Recommended Posts

So there was that issue going around, and apparently anti-target was and is the hot topic around. I talked with some "server admins" most of them had the exploit, could use it, couldnt not fix it ( shouldnt wonder why not ... ) but they didnt reply back cause they didnt probably believe that i can fix it or find it. Some others, which i thank, contacted me in msn ( about 8 guys in total ) , sent me the phx script ( which was so messy coded, whos the noob that created  it ? ). Anyway one thing i didnt like about the contacts was that they didnt prepare the ground for me to fix it, so i had to try the exploit myself, get phx, get interlude , etc. At least flash got most of the parts ready, so after a good 3 hours of testing we managed to get it working. For that mysticism and the behaviour of most admins i wont release a patch that fixes it, i will just share the "idea" and the "solution" behind it so as only good packs get it fixed ( aCis etc ) and the garbages ( l2jfrozen/brazil/teon and so on have it running and rot to the hack-hell they deserve to).

 

 

So the famous anti-target exploit.

 

Where does it work ?

 

Every server that supports freight system atm.

Versions: L2J/L2Jfree's and their forks.

 

How does it work ?

 

The idea behind the exploit, is that with a certain packet crafting, you can force the server to create a new L2PcInstance of you while you are already ingame. There is a section in the code where that can happen. In the same section of the code, few lines lower, the game calls .deleteMe() on that object. The object gets removed, but due to same id with your , the real l2pcinstance that is attacked to the client , it removes you from the L2World since L2World maps the objects based on the id. That makes the player appear missing from L2World as a result, no kicks no targets etc. ( Parodically it gets removed from knownlists too till they get updated ). For more spoiling : RequestPackageSend.java :)

 

How to fix it ?

 

Do not allow L2PcInstance creation if for the requested id, another character exists in the game ( check l2world for it ).

 

Tested on:

 

aCis pack latest revision.

 

Verdict:

I hope that way only the good cheaters will get to do the exploit  ( i did it without the script that goes around so if you cant do it, you are probably a noobish script-kiddo) and only the professional and serious developers making packs will have it fixed in their packs. I may release a patch in the future, but not right now, since both communities ( cheaters and admin-wannabes ) are way too immature to even cooperate with me for their own good. I dive in the mud for 1 week to get the exploit and for another 3 hours to make it working and fix it.

 

Cya :)

 

EDIT: Since im a good guy, here's the fix:

### Eclipse Workspace Patch 1.0
#P gameserver
Index: java/net/sf/l2j/gameserver/network/clientpackets/RequestPackageSend.java
===================================================================
--- java/net/sf/l2j/gameserver/network/clientpackets/RequestPackageSend.java	(revision 70)
+++ java/net/sf/l2j/gameserver/network/clientpackets/RequestPackageSend.java	(working copy)
@@ -24,6 +24,7 @@
import net.sf.l2j.Config;
import net.sf.l2j.gameserver.model.ItemContainer;
import net.sf.l2j.gameserver.model.L2ItemInstance;
+import net.sf.l2j.gameserver.model.L2World;
import net.sf.l2j.gameserver.model.PcFreight;
import net.sf.l2j.gameserver.model.actor.L2Npc;
import net.sf.l2j.gameserver.model.actor.instance.L2PcInstance;
@@ -78,6 +79,9 @@
        if (player == null)
        	return;
        
+        if(L2World.getInstance().getPlayer(_objectID) != null)
+        	return;
+        
		L2PcInstance target = L2PcInstance.load(_objectID);
		PcFreight freight = target.getFreight();
		getClient().getActiveChar().setActiveWarehouse(freight);

 

And here is the exploit:

 

9F + yourCharId+ somerandomitems = RequestPackageSend = Send a freight to yourself, not the other chars ;)

 

yourCharId , get it with phx its a 4 byte number like 4D AA 00 12. So the packet will look like this :

 

9F 4D AA 00 12 01 00 00 00 5D 14 08 32 02 00 00 00

 

Link to comment
Share on other sites

A "tough badass, pantpooping noob-cheaters asswooper", smartass. :) You want exploits, you gonna work for them. Same goes for pack owners for fixes. ;) This is the only way of improvement. You learn when someone gives you the cheating theory and you do the practice. If you get the exploit served in a golden plate you will never learn. And the same goes for those that call themselves l2j interlude developers. You learn by knowing the theory and doing the practice, not by blindly adding a patch in your code.

Link to comment
Share on other sites

A "tough badass, pantpooping noob-cheaters asswooper", smartass. :) You want exploits, you gonna work for them. Same goes for pack owners for fixes. ;) This is the only way of improvement. You learn when someone gives you the cheating theory and you do the practice. If you get the exploit served in a golden plate you will never learn. And the same goes for those that call themselves l2j interlude developers. You learn by knowing the theory and doing the practice, not by blindly adding a patch in your code.

good answer Leluche anyway good job mate keep working ;)
Link to comment
Share on other sites

Speaking of l2inc, l2inc is not unhackable as you may think. I mean, sure they are the most experienced team around atm, but they are humans. There is no possibility they have eliminated every unsanitized input, every single race condition every bla bla.

 

For the records, ill tell you two stories that happened between me, my clan  and l2inc that will backup some things i said previously ( i hope ).

 

Story one : How back2business ruled l2inc.

 

Six months before i open l2relapse, we were playing in l2inc. We kinda ruled the server. Aden , full wins in pvp in a server which was peaking back then at around 4k people. Pretty tough isnt it ? Well how did we do it ? Sure we were great pvpers, but there were many other great clans too. Short answer. We cheated. A lot.  One of the gang members, found accidentaly, an enchant exploit. It was a race condition as far as i remember ( i had no idea what a race condition was back then ) , all i know is that he gave me the exploit, and i coded "The factory of fantasy isle ( or Issle :P)". Basically we produced full +30 items for the whole clan day after day having a script "interacting" with clan members and enchanting their gear. And that kept going for about a month. If im correct nBd attempted to fix it once before he succeeded ( unconfirmed ).  The verdict : Even the most developed and advanced servers will have exploits. Few, rare, but occasionally there may be exploits coming up to surface.

 

Story two: How a noob couldnt fix an underflow for 3 hours.

 

That noob was me, posing as a server admin, with 800 players online. Sure i coded some cool things, but i pointed fingers ( as someone said :) ) a lot. So apparently i took some players from servers i shouldnt and some people got pissed :) And then something cool happened that made me start thinking. Someone hacked us :) He knows, i dont hold any grudge on him anymore :) He may still. There was an unckecked buffer reading in the GamePacketHandler ( cant remeber the packet ) , that was causing an underflow exception. I had no idea about underflows or overflows back then. So i turned to BigBoss. Apparently he didnt either, back then :) So bigboss talked to nBd of l2inc, and i went to his chatroom to contact me. And i still remember what nBd said, "You know i will help you, but i shouldnt, after all that shit you have talked about my server in public." And here is the critical point, where someone becomes a beggar or a lion. I didnt accept the help. Nor did i got ask help from l2jserver.com I said : "Doesnt matter if it takes me 5 mins with you , or 5 hours myself, ill go read the theory and fix it myself buddy." Which i did some hours later that midday.

 

Verdict of those two stories: If you want to evolve, you should get your hands dirty and never rely on others to fix things of you. And only by doing things by yourself and getting only "pushed" by others you will evolve to the next stage.

 

"So if you cant make exploits out of vulnerabilities, do not cheat. If you cant fix known vulnerabilities, dont make a server." - Issle :)

 

Link to comment
Share on other sites

I love your answers xD

but still i need a hax for inc xD

 

 

BTW nBd is a great dev but he got no imagination as I can see from the gameplay, so what's the point of having a "robot" server? :)

 

 

 

(PS. I remember your clan)

Link to comment
Share on other sites

I love your answers xD

but still i need a hax for inc xD

 

 

BTW nBd is a great dev but he got no imagination as I can see from the gameplay, so what's the point of having a "robot" server? :)

 

 

 

(PS. I remember your clan)

 

You know, the reason we opened relapse was just that. nBd was great admin/dev, but when it came to gameplay, boy did he sux :) So, one day after an aden siege someone said in clan chat : "Hey lets open a server ! We go find some pro admin developer and tell him to make us a server." Well, they did never find an experienced admin to do that at the end. They found a player ... :)

 

So anyway since the asshole-self got expired, i go make a patch and release ;)

Link to comment
Share on other sites

It's nice that you use your Java knowledge to find exploits

You can find amazing things

 

But please,don't post the fix in the same damn topic!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.




×
×
  • Create New...