[Exploit + guide]Lets hack: Unsanitized input tutorial + Kick from com Channel.

[Xanderॐ]

About four years ago i knew absolutelly nothing about l2j and exploits. I was a typical player ( noob ) that was surfing around maxcheaters ( maxbastards then ) for exploits without understanding anything. What i always wondered, was how do exploits work and why there is no serious guide in mxc explaining it. But i made a promise to myself, to get to know everything that there is to it. So with some delay i think i pretty much got there ;) This guide aims to show you how the sanitization of input when not done creates exploits. Since i did the same with race condition exploits in another topic ill do the same here for the shake of illumination :) The guide will be followed by an exploit i just found out that works both in freya and in interlude ( checked in brazil and l2jserver freya ). Unless im wrong it is not re-shared since its not fixed anywhere.

 

Unsanitized input:

 

The client gives you limmited interaction with the server. You cant try attack players that you dont "see" and so on. Packet hacking software ( like phx ) allow you to erase this limmit by giving you full payload crafting ability. The server must check itself everything the client sends. Never to trust the client data. But since developers are humans themselves, they cant check everything. Thats how those exploits exist. But enough with the bla bla. Lets look at an example:

 

Kick parties from their command channels:

 

Look at the following code. It is a packet send from the client to the server.

 

 

        @Override

protected void readImpl()

{

_name = readS(); This is executed first, it reads the character name you give from the client ( or .... the phx ;) )

}

 

 

@Override

protected void runImpl() <-- Then it calles the runImplementation to actually try to do what you told it to.

{

L2PcInstance target = L2World.getInstance().getPlayer(_name); <-- The player i want to kick from my commandChannel.

L2PcInstance activeChar = getClient().getActiveChar(); <-- My character.

 

if (target != null && target.isInParty() && activeChar.isInParty() && activeChar.getParty().isInCommandChannel()

&& target.getParty().isInCommandChannel()

&& activeChar.getParty().getCommandChannel().getChannelLeader().equals(activeChar)) <-- Here is the big deal. This line checks some conditions to dissallow you to do what is considered illegal. So what does it do. It says: if i am in party and if my target is in party, if i have command channel and if he has command channel and if i am the leader of my command channel, procceed with doing what you want to do. Wait a minute !! It didnt check if our command channels are the same did it ? It took the player from the "world" and didnt check if he is in my command channel. In other words, you can kick someones party from his command channel just by filling in his name and being the leader of a command channel yourself.

 

                {

if (activeChar.equals(target))

return;

 

target.getParty().getCommandChannel().removeParty(target.getParty()); <--Here the target's party gets removed from his command channel.

 

SystemMessage sm = SystemMessage.getSystemMessage(SystemMessageId.DISMISSED_FROM_COMMAND_CHANNEL);

target.getParty().broadcastToPartyMembers(sm);

 

// check if CC has not been canceled

if (activeChar.getParty().isInCommandChannel())

{

sm = SystemMessage.getSystemMessage(SystemMessageId.C1_PARTY_DISMISSED_FROM_COMMAND_CHANNEL);

sm.addString(target.getParty().getLeader().getName());

activeChar.getParty().getCommandChannel().broadcastToChannelMembers(sm);

}

}

else

{

activeChar.sendPacket(SystemMessage.getSystemMessage(SystemMessageId.TARGET_CANT_FOUND));

}

}

 

 

As you can see a simple check ( command channels are the same ) missing gives you the ability to mess up an enemy ally command channel when they are sieging or raiding. Simple missing checks like that lead to exploits. To execute the exploit, you simply grab the OustFromCC packet and change the hex representing the name with the name you want. Voila ;)

 

 

[Azumaril$]

a smart guy in this forum, nice explanation and guide man!!!! GL

[Nik]

Thanks for finding this mistake, unfortunately it wont live for long :)

[Xanderॐ]

Thanks for finding this mistake, unfortunately it wont live for long :)

 

I think i have seen your nickname somewhere ... wait arent you from l2jserver.com ?

[Nik]

Ye... btw, its fixed now :)

[Xanderॐ]

Timestamp:

04/17/11 16:08:41 (less than one hour ago)

Author:

UnAfraid

Message:

BETA: Exploit fix for removing party from channel that's not in yours! (thanks Nik and JIV)

 

 

A dawn, l2j spies everywhere :) You guys are fast :)

[Azumaril$]

Timestamp:

04/17/11 16:08:41 (less than one hour ago)

Author:

UnAfraid

Message:

BETA: Exploit fix for removing party from channel that's not in yours! (thanks Nik and JIV)

 

 

A dawn, l2j spies everywhere :) You guys are fast :)

fixed y on freya, not but not interlude :)