Thoughts on defending against HLDS Exploits / Hl boom server crashing
This post was last edited by neverneverdead on 2013-1-4 19:27. Since everyone already knows that Hl boom is a CS vulnerability, and many servers have suffered badly from it, why do the people who could stop all this vanish without a trace at this very moment?
That's as far as my thoughts go. I know nothing about programming, but I came across some tidbits about the Hlboom vulnerability on a foreign site, and I hope they can give kind-hearted people a hint.
Hlboom vulnerability:
Half-Life uses a header in the split packets which is 9 bytes big.
When a split packet is found (the first 4 bytes are "fe ff ff ff")
the game performs a memcpy() on the data after this header.
If the packet is composed of a total of 8 bytes (instead of at least 9)
the game will try to copy "packet_size - header_size" bytes, so "8 - 9",
which means 0xffffffff.
There is also another problem which happens during the handling of the
data in the split packets.
This bug is not 100% clear, but it seems related to the position of the
splits and the resulting size.
On Windows, for example, it is possible to force the reading of data at
an arbitrary offset in memory.
No other debugging has been made on this bug.
I hope someone who understands programming will see this, turn it into a finished product and send it to my email. Thank you.
Email: 1033859886@qq.com
HL boom anti-crash patch. The defensive code is as follows:
====================================================================================
#
TITLE
Half-Life x.1.1.1e (Windows and Linux) hlboom fix 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
INTRO
This patch refers to the following advisory and corrects both bugs:
.
. http://aluigi.org/adv/hlboom-adv.txt
.
Remember to test your server with the proof-of-concept provided in the advisory
.
Note that the patch for the so-called new hlboom crash should be considered
experimental and it could cause problems for clients which use too many
split packets, since my solution drops all the splits greater than 1/?? (which
lead to the crash of the unpatched server); anyway in my tests everything
worked perfectly.
.
This patch has been created only for the latest known patches for the dedicated
server 4.1.1.1e/3.1.1.1e of both Windows (swds.dll) and Linux (engine* amd,
i486 and i686); older versions will NOT be supported by me, so don't ask
FILE
swds.dll;engine*.so
;####################################;
# old HLBOOM crash #
;####################################;
; Windows
BYTES_ORIGINAL
90 90 90 90 90 ; nops for the patch
90 90 90 90
*5a ; bytes to skip
8B 4D 0C ; mov ecx, dword ptr
8B 04 BD ?? ?? ?? ?? ; mov eax, dword ptr
83 E9 09 ; sub ecx, 00000009
3B C6 ; cmp eax, esi
89 4D 0C ; mov dword ptr , ecx
0F 84 ?? 00 00 00 ; je 00D4834F
BYTES_PATCH
83 E9 09 ; sub ecx, 00000009
7F 02 ; jg +2
33 C9 ; xor ecx, ecx
EB 67 ; jmp old code
*5a ; ...skip...
8B 4D 0C ; mov ecx, dword ptr
8B 04 BD ?? ?? ?? ?? ; mov eax, dword ptr
EB 91 ; jmp patch
90
3B C6 ; cmp eax, esi
89 4D 0C ; mov dword ptr , ecx
0F 84 ?? 00 00 00 ; je 00D4834F
; Linux AMD
BYTES_ORIGINAL
8d 83 ?? ?? ?? ?? ; lea eax,
8d 14 88 ; lea edx,
83 44 24 34 f7 ; add DWORD PTR ,0xfffffff7
89 44 24 18 ; mov DWORD PTR ,eax
39 3a ; cmp DWORD PTR ,edi
0f 84 ?? 00 00 00 ; je a3320
*1ed ; ...skip...
90 90 90 90 90 ; nops for the patch
90 90 90 90 90
BYTES_PATCH
8d 83 ?? ?? ?? ?? ; lea eax,
8d 14 88 ; lea edx,
e8 |1f9 ; call patch
89 44 24 18 ; mov DWORD PTR ,eax
39 3a ; cmp DWORD PTR ,edi
0f 84 ?? 00 00 00 ; je a3320
*1ed ; ...skip...
83 44 24 38 f7 ; add DWORD PTR ,0xfffffff7// +4!!!
7F 02 ; jg +2
89 3a ; mov DWORD PTR ,edi // forces give up
C3 ; ret
; Linux i486
BYTES_ORIGINAL
83 45 0c f7 ; add DWORD PTR ,0xfffffff7
8d 83 34 22 ff ff ; lea eax,
8d 0c b5 00 00 00 00 ; lea ecx,
89 45 f0 ; mov DWORD PTR ,eax
8b 55 f8 ; mov edx,DWORD PTR
39 14 01 ; cmp DWORD PTR ,edx
0f 84 ?? 00 00 00 ; je a5ac0
*6ae ; ...skip...
90 90 90 90 90 ; nops for the patch
90 90 90 90 90
BYTES_PATCH
8d 83 34 22 ff ff ; lea eax,
89 f1 ; mov ecx,esi
c1 e1 02 ; shl ecx,0x2
90
e8 |6bd ; call patch
89 45 f0 ; mov DWORD PTR ,eax
8b 55 f8 ; mov edx,DWORD PTR
39 14 01 ; cmp DWORD PTR ,edx
0f 84 ?? 00 00 00 ; je a5ac0
*6ae ; ...skip...
83 45 0c f7 ; add DWORD PTR ,0xfffffff7
7F 03 ; jg +3
89 14 01 ; mov DWORD PTR ,edx // forces give up
C3 ; ret
; Linux i686
BYTES_ORIGINAL
83 44 24 34 f7 ; add DWORD PTR ,0xfffffff7
8d 83 c8 9a fe ff ; lea eax,
8d 14 88 ; lea edx,
89 44 24 18 ; mov DWORD PTR ,eax
39 3a ; cmp DWORD PTR ,edi
0f 84 ?? 00 00 00 ; je a3bb0
*39b ; ...skip...
90 90 90 90 90 ; nops for the patch
90 90 90 90 90
BYTES_PATCH
8d 83 c8 9a fe ff ; lea eax,
8d 14 88 ; lea edx,
e8 |3a7 ; call patch
89 44 24 18 ; mov DWORD PTR ,eax
39 3a ; cmp DWORD PTR ,edi
0f 84 ?? 00 00 00 ; je a3bb0
*39b ; ...skip...
83 44 24 38 f7 ; add DWORD PTR ,0xfffffff7// +4!!!
7F 02 ; jg +2
89 3a ; mov DWORD PTR ,edi // forces give up
C3 ; ret
;####################################;
# new HLBOOM crash #
;####################################;
; Windows
BYTES_ORIGINAL
8B 70 04 ; mov esi, dword
8A 40 08 ; mov al, byte
88 45 FC ; mov byte, al
8B 45 FC ; mov eax, dword
25 FF 00 00 00 ; and eax, 000000FF
BYTES_PATCH
8B 70 04 ; mov esi, dword
0F B6 40 08 ; movzx eax, byte
A8 F0 ; test al, F0
74 02 ; jz +2
32 C0 ; xor al, al
88 45 FC ; mov byte, al
90
; Linux AMD
BYTES_ORIGINAL
90 90 90 90 90 90 ; nops for the patch
90 90 90 90 90 90 ; nops for the patch
*637 ; ...skip...
8b 44 24 30 ; mov eax,DWORD PTR
bd 0f 00 00 00 ; mov ebp,0xf
8b 78 04 ; mov edi,DWORD PTR
8a 50 08 ; mov dl,BYTE PTR
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
BYTES_PATCH
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
84 c0 ; test al,al
74 02 ; jz +2
30 c0 ; xor al,al
c3 ; ret
*637 ; ...skip...
8b 44 24 30 ; mov eax,DWORD PTR
bd 0f 00 00 00 ; mov ebp,0xf
8b 78 04 ; mov edi,DWORD PTR
8a 50 08 ; mov dl,BYTE PTR
e8 |-657 ; call patch
; Linux i486
BYTES_ORIGINAL
90 90 90 90 90 90 ; nops for the patch
90 90 90 90 90 90 ; nops for the patch
*f86 ; ...skip...
8b 45 08 ; mov eax,DWORD PTR
8b 4d 08 ; mov ecx,DWORD PTR
8b 40 04 ; mov eax,DWORD PTR
89 45 f8 ; mov DWORD PTR ,eax
8a 51 08 ; mov dl,BYTE PTR
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
BYTES_PATCH
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
84 c0 ; test al,al
74 02 ; jz +2
30 c0 ; xor al,al
c3 ; ret
*f86 ; ...skip...
8b 45 08 ; mov eax,DWORD PTR
8b 4d 08 ; mov ecx,DWORD PTR
8b 40 04 ; mov eax,DWORD PTR
89 45 f8 ; mov DWORD PTR ,eax
8a 51 08 ; mov dl,BYTE PTR
e8 |-fa6 ; call patch
; Linux i686
BYTES_ORIGINAL
90 90 90 90 90 90 ; nops for the patch
90 90 90 90 90 90 ; nops for the patch
*3c7 ; ...skip...
8b 44 24 30 ; mov eax,DWORD PTR
8b 78 04 ; mov edi,DWORD PTR
8a 50 08 ; mov dl,BYTE PTR
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
BYTES_PATCH
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
84 c0 ; test al,al
74 02 ; jz +2
30 c0 ; xor al,al
c3 ; ret
*3c7 ; ...skip...
8b 44 24 30 ; mov eax,DWORD PTR
8b 78 04 ; mov edi,DWORD PTR
8a 50 08 ; mov dl,BYTE PTR
e8 |-3e2 ; call patch
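The two conditions the thread is about, modelled in C: the 8-byte split packet that makes "packet_size - header_size" wrap to 0xffffffff (the advisory quoted above), and the split-position byte that the "new HLBOOM crash" patch checks with `shr al,0x4` / `test al, F0` before zeroing it. This is an added example written for this page, not code from Half-Life, from the advisory or from the patch file. The 4-byte marker and the 9-byte header are from the advisory; the layout of the remaining header bytes (a little-endian 4-byte sequence number, then one byte carrying the split index in its high nibble and the split count in its low nibble) follows the public GoldSrc netcode and is an assumption here, as are the MAX_SPLITS and MAX_SPLIT_PAYLOAD caps and every function name. The test packets are constructed inline, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum {
    SPLIT_HEADER_SIZE = 9,     /* from the advisory */
    MAX_SPLITS        = 5,     /* assumed cap on splits per message */
    MAX_SPLIT_PAYLOAD = 1400   /* assumed cap on payload bytes per split */
};
static const uint8_t SPLIT_MARKER[4] = {0xfe, 0xff, 0xff, 0xff};

typedef struct {
    uint32_t       sequence;     /* assumed: bytes 4..7, little-endian */
    unsigned       index;        /* assumed: high nibble of byte 8, 0-based */
    unsigned       count;        /* assumed: low nibble of byte 8 */
    const uint8_t *payload;
    size_t         payload_len;
} split_t;

typedef struct {
    uint32_t sequence;
    unsigned count;
    unsigned received_mask;
    size_t   lens[MAX_SPLITS];
    uint8_t  data[MAX_SPLITS][MAX_SPLIT_PAYLOAD];
} reassembly_t;

/* Length the unpatched engine hands to memcpy(): packet_size - 9 with no
 * lower bound, in 32-bit arithmetic as on the affected builds. */
uint32_t unpatched_copy_len(uint32_t packet_size)
{
    return packet_size - SPLIT_HEADER_SIZE;   /* 8 - 9 wraps to 0xffffffff */
}

/* Validate one split packet: 0 on success, negative code on rejection. */
int parse_split(const uint8_t *pkt, size_t n, split_t *out)
{
    if (n < sizeof SPLIT_MARKER || memcmp(pkt, SPLIT_MARKER, sizeof SPLIT_MARKER) != 0)
        return -1;                /* not a split packet at all */
    if (n < SPLIT_HEADER_SIZE)
        return -2;                /* old hlboom: copy length would underflow */
    if (n - SPLIT_HEADER_SIZE > MAX_SPLIT_PAYLOAD)
        return -3;                /* more payload than one slot holds */
    unsigned count = pkt[8] & 0x0f;
    unsigned index = pkt[8] >> 4;
    if (count == 0 || count > MAX_SPLITS)
        return -4;
    if (index >= count)
        return -5;                /* new hlboom: split position out of range */
    out->sequence = (uint32_t)pkt[4] | (uint32_t)pkt[5] << 8 |
                    (uint32_t)pkt[6] << 16 | (uint32_t)pkt[7] << 24;
    out->index = index;   out->count = count;
    out->payload = pkt + SPLIT_HEADER_SIZE;   out->payload_len = n - SPLIT_HEADER_SIZE;
    return 0;
}

/* Feed one datagram into a zero-initialised reassembly_t. Returns the message
 * length once all splits arrived, 0 while more are needed, <0 if rejected. */
int reassemble(reassembly_t *r, const uint8_t *pkt, size_t n,
               uint8_t *out, size_t out_cap)
{
    split_t s;
    int rc;
    if ((rc = parse_split(pkt, n, &s)) != 0)
        return rc;
    if (r->received_mask == 0 || r->sequence != s.sequence) {
        memset(r, 0, sizeof *r);  /* new message: drop stale state */
        r->sequence = s.sequence;   r->count = s.count;
    }
    if (s.count != r->count)
        return -6;                /* count disagrees with earlier splits */
    memcpy(r->data[s.index], s.payload, s.payload_len);  /* index and len bounded above */
    r->lens[s.index] = s.payload_len;
    r->received_mask |= 1u << s.index;
    if (r->received_mask != (1u << r->count) - 1)
        return 0;
    size_t total = 0;
    for (unsigned i = 0; i < r->count; i++) {
        if (total + r->lens[i] > out_cap)
            return -7;            /* caller's buffer too small */
        memcpy(out + total, r->data[i], r->lens[i]);
        total += r->lens[i];
    }
    r->received_mask = 0;
    return (int)total;
}

/* Build a split packet in buf (constructed input). Returns the datagram length. */
size_t make_split(uint8_t *buf, uint32_t seq, unsigned index, unsigned count,
                  const char *payload)
{
    size_t len = strlen(payload);
    memcpy(buf, SPLIT_MARKER, sizeof SPLIT_MARKER);
    buf[4] = (uint8_t)seq;         buf[5] = (uint8_t)(seq >> 8);
    buf[6] = (uint8_t)(seq >> 16); buf[7] = (uint8_t)(seq >> 24);
    buf[8] = (uint8_t)((index << 4) | (count & 0x0f));
    memcpy(buf + SPLIT_HEADER_SIZE, payload, len);
    return SPLIT_HEADER_SIZE + len;
}
```

The binary patch above can only afford a few bytes per site, so for the new crash it zeroes the index nibble whenever it is non-zero, dropping every split after the first. A source-level fix does not need that bluntness: parse_split() rejects a packet shorter than the header before any length arithmetic, rejects an index that is not below the count, and caps the payload so that each split lands in a fixed-size slot; reassemble() then places splits by index, so out-of-order delivery still produces the right message.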
Can I use your anti-crash tool? If so, add my QQ 627251996, thanks.

neverneverdead posted on 2012-12-15 15:40:
The defensive code is as follows:

Getting bombed... constantly getting bombed.

css posted on 2013-1-1 19:08:
Getting bombed... constantly getting bombed.

That server-crashing tool has far too many crashing methods in it... sigh...
Right now we can only block Hl boom; add a password on top of that, and only then can you keep the server from being crashed~

Is this for CS 1.5?

cboby posted on 2013-1-3 13:45:
Is this for CS 1.5?

1.5 and 1.6 both have this problem. It's already done, go take a look:
http://www.dt-club.net/forum.php?mod=viewthread&tid=63950&extra=page%3D1

Friend, can the hlds fake server-crash be fixed?