[1.298] CUser::PartyBBSRequest() + CUser::PartyBBSReject() + CUser::PartyBBSInsert() input crashes



#1 twostars (KO Guru)
More missing checks. They're everywhere...

004C7FA7  ^ EB A6           JMP SHORT 004C7F4F

004C7F4F    83F9 15         CMP ECX,15 ; ensure string length is <= 20
004C7F52    0F83 0E010000   JNB 004C8066 ; test as unsigned -- no such thing as a negative number here.
004C7F58    51              PUSH ECX
004C7F59    50              PUSH EAX
004C7F5A    EB 4D           JMP SHORT 004C7FA9

004C80E6  ^\EB B3             JMP SHORT 004C809B

004C809B    83C4 18           ADD ESP,18
004C809E    83F9 15           CMP ECX,15
004C80A1    0F83 CC000000     JNB 004C8173
004C80A7    51                PUSH ECX
004C80A8    50                PUSH EAX
004C80A9    EB 3D             JMP SHORT 004C80E8

004C80FE    83C4 0C           ADD ESP,14

004C81EF  ^\EB A7             JMP SHORT 004C8198

004C8198    83C4 18           ADD ESP,18
004C819B    83F9 15         CMP ECX,15
004C819E    0F83 B7010000   JNB 004C835B
004C81A4    51              PUSH ECX
004C81A5    50              PUSH EAX
004C81A6    EB 49           JMP SHORT 004C81F1

004C8207    83C4 0C           ADD ESP,14

No need to patch 1.310 - the checks exist there (again).

Edited by twostars, 18 February 2012 - 03:40 PM.
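As an added illustration (my own C, not the thread's listing or the game server's code), this is the shape of the check the hardpatch above wires in: the string length is compared as an unsigned value against 21 before anything is copied into a 20-byte buffer, so a sign-extended "negative" length fails the test instead of passing it. The 16-bit little-endian length prefix and the sample packets are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>
/* Added example, not code from the thread or from the game server.
 * Models the check the hardpatch inserts (CMP ECX,15 / JNB fail):
 * the PartyBBS string length is compared UNSIGNED against 21 before
 * it is copied into a fixed 20-byte buffer. */
#define PARTY_BBS_MAX 20   /* the listing's "string length is <= 20" */

/* Assumed packet layout for this example: int16 little-endian length,
 * then the string bytes. The length is sign-extended on purpose, as a
 * MOVSX-style read into ECX would be; the check must cope with that. */
bool read_party_bbs_string(const uint8_t *pkt, size_t pkt_len,
                           char out[PARTY_BBS_MAX + 1]) {
    if (pkt_len < 2)
        return false;                          /* truncated header */
    int len = (int16_t)(pkt[0] | (pkt[1] << 8));
    /* Unsigned compare: a signed "len > 20" would accept -1 (0xFFFF)
     * and the memcpy below would run far past the buffer. */
    if ((uint32_t)len > PARTY_BBS_MAX)
        return false;                          /* the patch's JNB */
    if (pkt_len - 2 < (size_t)len)
        return false;                          /* claimed > present */
    memcpy(out, pkt + 2, (size_t)len);
    out[len] = '\0';
    return true;
}

/* Constructed sample packets for the demonstration. */
static const uint8_t PKT_HELLO[] = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t PKT_NEG[]   = { 0xFF, 0xFF };            /* len -1 */
static const uint8_t PKT_SHORT[] = { 0x05, 0x00, 'h', 'i' };  /* cut off */
static const uint8_t PKT_LONG[]  = { 0x15, 0x00, 'A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A' };   /* 21 */
char g_last[PARTY_BBS_MAX + 1];

/* Returns whether the packet is accepted; accepted text lands in g_last. */
bool accepts(const uint8_t *pkt, size_t n) {
    g_last[0] = '\0';
    return read_party_bbs_string(pkt, n, g_last);
}

int main(void) {
    printf("hello: %d neg: %d short: %d long: %d\n",
           accepts(PKT_HELLO, sizeof PKT_HELLO), accepts(PKT_NEG, sizeof PKT_NEG),
           accepts(PKT_SHORT, sizeof PKT_SHORT), accepts(PKT_LONG, sizeof PKT_LONG));
    return 0;
}
```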


#2 osmanx (Member)
004C80E6 ^\EB BB JMP SHORT 004C80A3 leads to the wrong code-cave offset; it should be
004C80E6 ^EB B6 JMP SHORT 004C809E
PS: Nice catch for finding possible holes.

Edited by osmanx, 11 February 2012 - 10:05 AM.


#3 twostars (KO Guru)
Bah, I did it again - thanks. :)

Been traipsing over all of the various packet handlers, eliminating them as potential threats... there's a lot, and not all of them would fit into simple hardpatches like these, unfortunately. Not specifically looking for issues as simple as this, but for bad behaviour (i.e. lack of server-side checks on things), which tends not to be as simple to provide public patches for. :(

#4 twostars (KO Guru)
Updated the latter two patches to include stack cleanup (sorry). You'll want to repatch those two (really just changing the jmp, adding the extra instruction to the start of the codecave and patching in the final stack cleanup line).

#5 Serdaryavru (Advanced Member)
Thank you :rolleyes:

#6 spykids (Member)
Good share, thanks.

Edited by spykids, 19 February 2012 - 05:24 AM.


#7 Russian (Advanced Member)
Would like to note this doesn't match what is in the latest bytepatcher. Might be what caused ebe to crash with an integer issue, which seemed to be fixed once the party BBS system was disabled.

  • CUser::PartyBBSInsert() input crash
  • CUser::PartyBBSReject() input crash
  • CUser::PartyBBSRequest() input crash