Jump to content

[Exploit + guide]Lets hack: Unsanitized input tutorial + Kick from com Channel.


Recommended Posts

Posted

About four years ago i knew absolutelly nothing about l2j and exploits. I was a typical player ( noob ) that was surfing around maxcheaters ( maxbastards then ) for exploits without understanding anything. What i always wondered, was how do exploits work and why there is no serious guide in mxc explaining it. But i made a promise to myself, to get to know everything that there is to it. So with some delay i think i pretty much got there ;) This guide aims to show you how the sanitization of input when not done creates exploits. Since i did the same with race condition exploits in another topic ill do the same here for the shake of illumination :) The guide will be followed by an exploit i just found out that works both in freya and in interlude ( checked in brazil and l2jserver freya ). Unless im wrong it is not re-shared since its not fixed anywhere.

 

Unsanitized input:

 

The client gives you limmited interaction with the server. You cant try attack players that you dont "see" and so on. Packet hacking software ( like phx ) allow you to erase this limmit by giving you full payload crafting ability. The server must check itself everything the client sends. Never to trust the client data. But since developers are humans themselves, they cant check everything. Thats how those exploits exist. But enough with the bla bla. Lets look at an example:

 

Kick parties from their command channels:

 

Look at the following code. It is a packet send from the client to the server.

 

 

        @Override

protected void readImpl()

{

_name = readS(); This is executed first, it reads the character name you give from the client ( or .... the phx ;) )

}

 

 

@Override

protected void runImpl() <-- Then it calles the runImplementation to actually try to do what you told it to.

{

L2PcInstance target = L2World.getInstance().getPlayer(_name); <-- The player i want to kick from my commandChannel.

L2PcInstance activeChar = getClient().getActiveChar(); <-- My character.

 

if (target != null && target.isInParty() && activeChar.isInParty() && activeChar.getParty().isInCommandChannel()

&& target.getParty().isInCommandChannel()

&& activeChar.getParty().getCommandChannel().getChannelLeader().equals(activeChar)) <-- Here is the big deal. This line checks some conditions to dissallow you to do what is considered illegal. So what does it do. It says: if i am in party and if my target is in party, if i have command channel and if he has command channel and if i am the leader of my command channel, procceed with doing what you want to do. Wait a minute !! It didnt check if our command channels are the same did it ? It took the player from the "world" and didnt check if he is in my command channel. In other words, you can kick someones party from his command channel just by filling in his name and being the leader of a command channel yourself.

 

                {

if (activeChar.equals(target))

return;

 

target.getParty().getCommandChannel().removeParty(target.getParty()); <--Here the target's party gets removed from his command channel.

 

SystemMessage sm = SystemMessage.getSystemMessage(SystemMessageId.DISMISSED_FROM_COMMAND_CHANNEL);

target.getParty().broadcastToPartyMembers(sm);

 

// check if CC has not been canceled

if (activeChar.getParty().isInCommandChannel())

{

sm = SystemMessage.getSystemMessage(SystemMessageId.C1_PARTY_DISMISSED_FROM_COMMAND_CHANNEL);

sm.addString(target.getParty().getLeader().getName());

activeChar.getParty().getCommandChannel().broadcastToChannelMembers(sm);

}

}

else

{

activeChar.sendPacket(SystemMessage.getSystemMessage(SystemMessageId.TARGET_CANT_FOUND));

}

}

 

 

As you can see a simple check ( command channels are the same ) missing gives you the ability to mess up an enemy ally command channel when they are sieging or raiding. Simple missing checks like that lead to exploits. To execute the exploit, you simply grab the OustFromCC packet and change the hex representing the name with the name you want. Voila ;)

 

 

Posted

Timestamp:

04/17/11 16:08:41 (less than one hour ago)

Author:

UnAfraid

Message:

BETA: Exploit fix for removing party from channel that's not in yours! (thanks Nik and JIV)

 

 

A dawn, l2j spies everywhere :) You guys are fast :)

Posted

Timestamp:

04/17/11 16:08:41 (less than one hour ago)

Author:

UnAfraid

Message:

BETA: Exploit fix for removing party from channel that's not in yours! (thanks Nik and JIV)

 

 

A dawn, l2j spies everywhere :) You guys are fast :)

fixed y on freya, not but not interlude :)

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Posts

    • IAM one of customers of this project. Have anti cheat, have user panel everything is working. Blocking adrenaline trashy plans without any problems.  So just GL for all lin2 project. I get support every time I need it. 
    • Convert package formats from Old to New in one click Create new packages of any format Lineage2Ver121 encryption (included in the package) Safe editing: work in a copy, full undo history (Ctrl+Z / Ctrl+Shift+Z), single "Save" button System integration Open .utx / .ugx files with a single click in Explorer (associations are registered during installation) One example: open a file and add its tab to an existing window Multilingual interface (EN, RU, UK, ES, PT, EL, KO, VI, ZH) — the language is picked up from the system Supported formats Packages: UTX, UGX Textures: RGBA8, DXT1, DXT3, DXT5, G16, P8 Resources: GFX (Scaleform) Requirements Windows. Java is not required—it's included in the build. Installation Run La2Tools-3.0.2.exe—the installer will create shortcuts and register related files. Alternatively, use the portable version. https://la2.tools/files/La2Tools_3.0.3_setup.exe   https://la2.tools/files/La2Tools_3.0.3_portable.zip  - Portable version  
    • WHEN SAYING “YES” IS A MISTAKE Not every project is worth taking on, even if the client is ready to pay. Sometimes refusing isn’t about losing money — it’s about protecting your reputation and time. Over the years, we’ve learned to quickly spot the cases that are almost guaranteed to turn into problems. Here are the most common situations where we turn down work: ▪ The client wants it “like everyone else’s,” but with lots of custom changes and on a minimal budget ▪ There are no proper source materials, yet the deadlines are already burning and everything is needed “yesterday” ▪ Constant changes to requirements after the work has already started ▪ A task with a very low chance of success, but very high expectations ▪ The client isn’t willing to discuss the process and sees us as just an executor - A good result almost always starts when both sides have an honest understanding of the risks and real possibilities of the project. If you’re currently discussing a project and unsure whether to move forward — write to us. We’ll honestly and directly tell you whether it’s worth taking on or if it’s better to look for another solution. › TG: @mustang_service_ms ( https:// t.me/ mustang_service_ms ) › Channel: Mustang Service ( https:// t.me/ +JPpJCETg-xM1NjNl ) #documents #drawing #photoshop #refuse #cases
    • The price reflects the value of the project, not just the source files. This is a complete, production-ready server that has already proven itself over the course of a full year, with a loyal player base and no major issues requiring ongoing development. To put it into perspective, the asking price is approximately what the server generated in one year. You're not buying an unfinished pack that still needs months of work, you're buying a polished, fully tested, revenue-proven project that's ready to go online. Considering that, I believe €35000 is a fair price.
    • How we can explain the amount? Is something special there in?
  • Topics

×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..