[cod] Cfg download hacking

Geoff Goas gitman at gmail.com
Wed Sep 15 18:46:37 EDT 2010


hexedit the binary to rename the log file (has to be the same length)

On Wed, Sep 15, 2010 at 5:59 PM, Miha Lepej <lepko.san at gmail.com> wrote:

> You also need to be aware that if the server has console logging
> enabled and produces a console_mp.log or console_mp_server.log in the
> main folder that can also be downloaded and contains a lot of
> information of set variables including rcon_password (tested cod2).
>
> As far as I know the file can't be renamed and includes the password
> even if it is set through command line. I believe this is the command
> to disable the console log:
>
> set logfile 0
>
> (not 100%, can someone confirm?)
>
> --Miha
>
> On Wed, Sep 15, 2010 at 19:49, Morpheus <morpheus at clantoc.org> wrote:
> > If you have full control on the server (startup, environment--say, host it
> > on a dedicated server), you should do that by passing a set rcon_password to
> > the server console from the startup script (after the server is up). So no
> > need to manually set it each time.
> >
> > But it can be tricky to do that, depending on how you start the server (and
> > what OS you run on). Under linux, with server started with SCREEN, it can
> > easily be done (as you can send commands into the screen that hosts the
> > console). But with other methods, I don't know...
> >
> > On 15/09/2010 18:11, Marco Padovan wrote:
> >>
> >> this works... but is a pain in the ass... as you have to issue the set
> >> rcon command EVERYTIME you start it :(
> >>
> >> On Wed, Sep 15, 2010 at 10:29 AM, Mavrick<mavrick.master at gmail.com>
> >>  wrote:
> >>>
> >>> Probably a silly question but can u set the rcon password in the console
> >>> query string?
> >>>
> >>> If so, why not database the password then just parse it when the server
> >>> loads? This way anyone can use the exploit if they want but won't get the
> >>> password?
> >>>
> >>> On 15/09/2010 5:45 PM, Nosjp Nosjp wrote:
> >>>
> >>> If you set sv_allowdownload "0" - disable all downloads: built-in download
> >>> + HTTP redirect download (it doesn't matter value of sv_wwwDownload)
> >>>
> >>> Another solution: disable console (set sv_disableClientConsole "1") +
> >>> random .cfg name
> >>> in case of rcon stealer a player must be connected to server, then player
> >>> trying to download manually within game console:
> >>>  /download server.cfg   or /download main/server.cfg  guessing server config
> >>>
> >>> Take a look here for more details/solutions:
> >>>
> >>> http://game-violations.ggl.com/index.php?page=Thread&postID=99870#post99870
> >>>
> >>> On Tue, Sep 14, 2010 at 9:48 PM, Morpheus<morpheus at clantoc.org> wrote:
> >>>>
> >>>> I have one question: I have these dvars in my server cfg
> >>>>
> >>>> set sv_allowdownload "1"
> >>>> seta sv_wwwDownload "1"
> >>>> seta sv_wwwBaseURL "http://whaterver_you_wnat.com/cod"
> >>>> seta sv_wwwDlDisconnected "1"
> >>>>
> >>>> If you put the allowdownload to 0, does it disable the www capability? If
> >>>> we could restrict the download part to http downloading, things could be
> >>>> easier to cope with.
> >>>>
> >>>> On 14/09/2010 20:44, Nosjp Nosjp wrote:
> >>>>
> >>>> @Marco:
> >>>>
> >>>> If you have a server
> >>>> - without custom maps/mods/pam ->  disable downloads:  seta sv_allowDownload "0"
> >>>> - with custom maps/mods/pam ->   disable game console (set sv_disableClientConsole "1")  + random .cfg name
> >>>>
> >>>>
> >>>>
> >>>> On Tue, Sep 14, 2010 at 9:37 PM, Sheepa<sheepa at sheepa.org>  wrote:
> >>>>>
> >>>>> Is there even any working POC for this?
> >>>>>
> >>>>> --------------------------------------------------
> >>>>> From: "Marco Padovan"<evolutioncrazy at gmail.com>
> >>>>> Sent: Tuesday, September 14, 2010 8:14 PM
> >>>>> To: "Call of Duty server admin list."<cod at icculus.org>
> >>>>> Subject: Re: [cod] Cfg download hacking
> >>>>>
> >>>>>> I see...
> >>>>>>
> >>>>>> will take the "random cfg filename" path as all other workarounds are
> >>>>>> not acceptable for my use :(
> >>>>>>
> >>>>>> On Tue, Sep 14, 2010 at 8:01 PM, Morpheus<morpheus at clantoc.org>
> >>>>>>  wrote:
> >>>>>>>
> >>>>>>> I think iptables is too low-level to deal with such specific hack
> >>>>>>> attempts. At least you can use it to ban IP addresses you catch... It's
> >>>>>>> sad it has not been fixed since discovery, with all the games that are
> >>>>>>> using the codebase...
> >>>>>>>
> >>>>>>> On 14/09/2010 19:32, Marco Padovan wrote:
> >>>>>>>>
> >>>>>>>> I'm aware of the exploits... was looking for some suggestion on how to
> >>>>>>>> fix them... even via iptables eventually...
> >>>>>>>>
> >>>>>>>> On Tue, Sep 14, 2010 at 6:56 PM, James Landi<jim at landi.net>
> >>>>>>>>  wrote:
> >>>>>>>>>
> >>>>>>>>> The exploit I just posted about could be an older version or not the
> >>>>>>>>> same as described in this mail list thread.
> >>>>>>>>>
> >>>>>>>>> using the second link should give you a good list of quake based
> >>>>>>>>> exploits you may want to watch for.
> >>>>>>>>>
> >>>>>>>>> Sorry for the wrong link
> >>>>>>>>>
> >>>>>>>>> Jim Landi
> >>>>>>>>> Rudedog
> >>>>>>>>> FPSadmin.com
> >>>>>>>>> Microsoft MVP, Games for Windows | Twitter@ therealrudedog
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 9/14/10 12:25 PM, Morpheus wrote:
> >>>>>>>>>>
> >>>>>>>>>> We're talking about the built-in download system, not the http
> >>>>>>>>>> redirect one, which you can control with symlinks and htaccess
> >>>>>>>>>> features. It's about a security hole that virtually exists in all
> >>>>>>>>>> q3-based games (at least for the net code).
> >>>>>>>>>>
> >>>>>>>>>> On 14/09/2010 18:21, Mavrick wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Anyone tried symbolic links?
> >>>>>>>>>>>
> >>>>>>>>>>> On 14/09/2010 3:11 AM, Nosjp Nosjp wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> The only one solution:  set sv_allowDownload "0"
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Mon, Sep 13, 2010 at 7:45 PM, Marco
> >>>>>>>>>>>> Padovan<evolutioncrazy at gmail.com
> >>>>>>>>>>>> <mailto:evolutioncrazy at gmail.com>>    wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>   We are having major hack attempts that consist in people
> >>>>>>>>>>>>   downloading the cfg files....  currently we had to use random
> >>>>>>>>>>>>   file names...
> >>>>>>>>>>>>
> >>>>>>>>>>>>   is there any solid work around?
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>   _______________________________________________
> >>>>>>>>>>>>   cod mailing list
> >>>>>>>>>>>>   cod at icculus.org<mailto:cod at icculus.org>
> >>>>>>>>>>>>   http://icculus.org/mailman/listinfo/cod



-- 
*Geoff Goas
Systems Engineer*
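
An added audit sketch for the mitigations discussed in this thread (not code from any list member or from the game): it lists files in a server's game directory that hold rcon_password in clear text, configs that leave sv_allowDownload at "1", and configs still named server.cfg. The function names, the sample tree and its values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: list files in a game directory that expose the rcon password
# to the built-in download. Function names and sample layout are assumptions.

# cod_findings DIR: print one "KIND path" line per problem found.
cod_findings() {
    dir=$1
    # Clear-text rcon_password in a config or in the console log.
    find "$dir" -type f \( -name '*.cfg' -o -name 'console_mp*.log' \) \
        -exec grep -li 'rcon_password' {} + | sed 's/^/SECRET_IN_FILE /'
    # Built-in download enabled (sv_allowDownload "1").
    find "$dir" -type f -name '*.cfg' \
        -exec grep -liE 'sv_allowdownload[[:space:]]+"?1' {} + |
        sed 's/^/DOWNLOAD_ENABLED /'
    # Config under the name the thread says gets guessed.
    find "$dir" -type f -name 'server.cfg' | sed 's/^/GUESSABLE_NAME /'
}

# make_sample DIR: constructed sample tree (all values are made up).
make_sample() {
    mkdir -p "$1/weak/main" "$1/hardened/main"
    printf '%s\n' 'set sv_allowdownload "1"' \
        'set rcon_password "constructed-pw"' > "$1/weak/main/server.cfg"
    printf '%s\n' 'rcon_password "constructed-pw"' \
        > "$1/weak/main/console_mp.log"
    # Hardened: random cfg name, downloads off, password set at startup instead.
    printf '%s\n' 'seta sv_allowDownload "0"' > "$1/hardened/main/k3x9q.cfg"
}

# Demo run on the constructed tree.
tmp=$(mktemp -d)
make_sample "$tmp"
echo "weak:";     cod_findings "$tmp/weak"
echo "hardened:"; cod_findings "$tmp/hardened"
rm -rf "$tmp"
```

An empty result for a directory means none of the three conditions was found in it; it does not show that the download hole itself is closed.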