关于防范HLDS Exploits Hl boom 炸服的想法

neverneverdead · 发表于 2012-12-15 15:36:28

本帖最后由 neverneverdead 于 2013-1-4 19:27 编辑

既然大家已经知道Hl boom 是一个CS的漏洞，而且很多服务器深受其害，那么为什么那些能够阻止这一切发生的人要在这时候销声匿迹呢？

想法说到这，我对编程一窍不通，但是，我在国外网站上看到了有关Hlboom漏洞的一些小道消息，希望能给善良的人以提示。
Hlboom漏洞：
Half-life uses a header in the splitted packets which is 9 bytes big.
When a splitted packet is found (the first 4 bytes are "fe ff ff ff")
the game performs a memcpy() on the data after this header.
If the packet if compsed by a total of 8 bytes (instead of at least 9)
the game will try to copy "packet_size - header_size" bytes, so "8 - 9"
which means 0xffffffff.
Exists also another problem which happens during the handling of the
data in the splitted packets.
This bug is not 100% clear anyway seems related to the position of the
splits and the resulted size.
On Windows for example is possible to force the reading of the data in
an arbitrary offset of the memory.
No other debugging has been made on this bug.

希望明白编程的人看到后，能够做成品来，发到我的邮箱里，谢谢了。
邮箱：1033859886@qq.com

HL boom 防炸补丁

neverneverdead · 发表于 2012-12-15 15:40:19

防范代码如下：

====================================================================================
#
TITLE
Half-Life x.1.1.1e (Windows and Linux) hlboom fix 0.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
INTRO
This patch is referred to the following advisory and corrects both the bugs:
.
. http://aluigi.org/adv/hlboom-adv.txt
.
Remember to test your server with the proof-of-concept provided in the advisory
.
Note that the patch about the so called new hlboom crash should be considered
experimental and it could give problems to the clients which use too much
splitted packets since my solution drops all the splits major than 1/?? (which
lead to the crash of the unpatched server), anyway in my tests everything
worked perfectly.
.
This patch has been created only for the latest known patches for the dedicated
server 4.1.1.1e/3.1.1.1e of both Windows (swds.dll) and Linux (engine* amd,
i486 and i686), older versions will be NOT supported by me so don't ask
FILE
swds.dll;engine*.so
;####################################;
# old HLBOOM crash #
;####################################;
; Windows
BYTES_ORIGINAL
90 90 90 90 90 ; nops for the patch
90 90 90 90
*5a ; bytes to skip
8B 4D 0C ; mov ecx, dword ptr [ebp+0C]
8B 04 BD ?? ?? ?? ?? ; mov eax, dword ptr [4*edi+00DF0F44]
83 E9 09 ; sub ecx, 00000009
3B C6 ; cmp eax, esi
89 4D 0C ; mov dword ptr [ebp+0C], ecx
0F 84 ?? 00 00 00 ; je 00D4834F
BYTES_PATCH
83 E9 09 ; sub ecx, 00000009
7F 02 ; jg +2
33 C9 ; xor ecx, ecx
EB 67 ; jmp old code
*5a ; ...skip...
8B 4D 0C ; mov ecx, dword ptr [ebp+0C]
8B 04 BD ?? ?? ?? ?? ; mov eax, dword ptr [4*edi+00DF0F44]
EB 91 ; jmp patch
90
3B C6 ; cmp eax, esi
89 4D 0C ; mov dword ptr [ebp+0C], ecx
0F 84 ?? 00 00 00 ; je 00D4834F
; Linux AMD
BYTES_ORIGINAL
8d 83 ?? ?? ?? ?? ; lea eax,[ebx-0x161e8]
8d 14 88 ; lea edx,[eax+ecx*4]
83 44 24 34 f7 ; add DWORD PTR [esp+52],0xfffffff7
89 44 24 18 ; mov DWORD PTR [esp+24],eax
39 3a ; cmp DWORD PTR [edx],edi
0f 84 ?? 00 00 00 ; je a3320
*1ed ; ...skip...
90 90 90 90 90 ; nops for the patch
90 90 90 90 90
BYTES_PATCH
8d 83 ?? ?? ?? ?? ; lea eax,[ebx-0x161e8]
8d 14 88 ; lea edx,[eax+ecx*4]
e8 |1f9 ; call patch
89 44 24 18 ; mov DWORD PTR [esp+24],eax
39 3a ; cmp DWORD PTR [edx],edi
0f 84 ?? 00 00 00 ; je a3320
*1ed ; ...skip...
83 44 24 38 f7 ; add DWORD PTR [esp+56],0xfffffff7 // +4!!!
7F 02 ; jg +2
89 3a ; mov DWORD PTR [edx],edi // forces give up
C3 ; ret
; Linux i486
BYTES_ORIGINAL
83 45 0c f7 ; add DWORD PTR [ebp+12],0xfffffff7
8d 83 34 22 ff ff ; lea eax,[ebx-0xddcc]
8d 0c b5 00 00 00 00 ; lea ecx,[esi*4]
89 45 f0 ; mov DWORD PTR [ebp-16],eax
8b 55 f8 ; mov edx,DWORD PTR [ebp-8]
39 14 01 ; cmp DWORD PTR [ecx+eax],edx
0f 84 ?? 00 00 00 ; je a5ac0
*6ae ; ...skip...
90 90 90 90 90 ; nops for the patch
90 90 90 90 90
BYTES_PATCH
8d 83 34 22 ff ff ; lea eax,[ebx-0xddcc]
89 f1 ; mov ecx,esi
c1 e1 02 ; shl ecx,0x2
90
e8 |6bd ; call patch
89 45 f0 ; mov DWORD PTR [ebp-16],eax
8b 55 f8 ; mov edx,DWORD PTR [ebp-8]
39 14 01 ; cmp DWORD PTR [ecx+eax],edx
0f 84 ?? 00 00 00 ; je a5ac0
*6ae ; ...skip...
83 45 0c f7 ; add DWORD PTR [ebp+12],0xfffffff7
7F 03 ; jg +3
89 14 01 ; mov DWORD PTR [ecx+eax],edx // forces give up
C3 ; ret
; Linux i686
BYTES_ORIGINAL
83 44 24 34 f7 ; add DWORD PTR [esp+52],0xfffffff7
8d 83 c8 9a fe ff ; lea eax,[ebx-0x16538]
8d 14 88 ; lea edx,[eax+ecx*4]
89 44 24 18 ; mov DWORD PTR [esp+24],eax
39 3a ; cmp DWORD PTR [edx],edi
0f 84 ?? 00 00 00 ; je a3bb0
*39b ; ...skip...
90 90 90 90 90 ; nops for the patch
90 90 90 90 90
BYTES_PATCH
8d 83 c8 9a fe ff ; lea eax,[ebx-0x16538]
8d 14 88 ; lea edx,[eax+ecx*4]
e8 |3a7 ; call patch
89 44 24 18 ; mov DWORD PTR [esp+24],eax
39 3a ; cmp DWORD PTR [edx],edi
0f 84 ?? 00 00 00 ; je a3bb0
*39b ; ...skip...
83 44 24 38 f7 ; add DWORD PTR [esp+56],0xfffffff7 // +4!!!
7F 02 ; jg +2
89 3a ; mov DWORD PTR [edx],edi // forces give up
C3 ; ret
;####################################;
# new HLBOOM crash #
;####################################;
; Windows
BYTES_ORIGINAL
8B 70 04 ; mov esi, dword[eax+04]
8A 40 08 ; mov al, byte[eax+08]
88 45 FC ; mov byte[ebp-04], al
8B 45 FC ; mov eax, dword[ebp-04]
25 FF 00 00 00 ; and eax, 000000FF
BYTES_PATCH
8B 70 04 ; mov esi, dword[eax+04]
0F B6 40 08 ; movzx eax, byte[eax+08]
A8 F0 ; test al, F0
74 02 ; jz +2
32 C0 ; xor al, al
88 45 FC ; mov byte[ebp-04], al
90
; Linux AMD
BYTES_ORIGINAL
90 90 90 90 90 90 ; nops for the patch
90 90 90 90 90 90 ; nops for the patch
*637 ; ...skip...
8b 44 24 30 ; mov eax,DWORD PTR [esp+48]
bd 0f 00 00 00 ; mov ebp,0xf
8b 78 04 ; mov edi,DWORD PTR [eax+4]
8a 50 08 ; mov dl,BYTE PTR [eax+8]
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
BYTES_PATCH
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
84 c0 ; test al,al
74 02 ; jz +2
30 c0 ; xor al,al
c3 ; ret
*637 ; ...skip...
8b 44 24 30 ; mov eax,DWORD PTR [esp+48]
bd 0f 00 00 00 ; mov ebp,0xf
8b 78 04 ; mov edi,DWORD PTR [eax+4]
8a 50 08 ; mov dl,BYTE PTR [eax+8]
e8 |-657 ; call patch
; Linux i486
BYTES_ORIGINAL
90 90 90 90 90 90 ; nops for the patch
90 90 90 90 90 90 ; nops for the patch
*f86 ; ...skip...
8b 45 08 ; mov eax,DWORD PTR [ebp+8]
8b 4d 08 ; mov ecx,DWORD PTR [ebp+8]
8b 40 04 ; mov eax,DWORD PTR [eax+4]
89 45 f8 ; mov DWORD PTR [ebp-8],eax
8a 51 08 ; mov dl,BYTE PTR [ecx+8]
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
BYTES_PATCH
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
84 c0 ; test al,al
74 02 ; jz +2
30 c0 ; xor al,al
c3 ; ret
*f86 ; ...skip...
8b 45 08 ; mov eax,DWORD PTR [ebp+8]
8b 4d 08 ; mov ecx,DWORD PTR [ebp+8]
8b 40 04 ; mov eax,DWORD PTR [eax+4]
89 45 f8 ; mov DWORD PTR [ebp-8],eax
8a 51 08 ; mov dl,BYTE PTR [ecx+8]
e8 |-fa6 ; call patch
; Linux i686
BYTES_ORIGINAL
90 90 90 90 90 90 ; nops for the patch
90 90 90 90 90 90 ; nops for the patch
*3c7 ; ...skip...
8b 44 24 30 ; mov eax,DWORD PTR [esp+48]
8b 78 04 ; mov edi,DWORD PTR [eax+4]
8a 50 08 ; mov dl,BYTE PTR [eax+8]
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
BYTES_PATCH
88 d0 ; mov al,dl
c0 e8 04 ; shr al,0x4
84 c0 ; test al,al
74 02 ; jz +2
30 c0 ; xor al,al
c3 ; ret
*3c7 ; ...skip...
8b 44 24 30 ; mov eax,DWORD PTR [esp+48]
8b 78 04 ; mov edi,DWORD PTR [eax+4]
8a 50 08 ; mov dl,BYTE PTR [eax+8]
e8 |-3e2 ; call patch

复制代码

万丈豪情 · 发表于 2013-1-1 18:39:14

你的防炸能给我用用吗，能的话加我qq627251996,谢谢

css · 发表于 2013-1-1 19:08:18

neverneverdead 发表于 2012-12-15 15:40
防范代码如下：

求炸中一直中

neverneverdead · 发表于 2013-1-3 08:49:22

css 发表于 2013-1-1 19:08
求炸中一直中

那个炸服的东西里炸服的方法太多了。。。哎。。。
现在就能防住Hl boom，然后加密码，才能防炸~

cboby · 发表于 2013-1-3 13:45:58

这是针对CS1.5的?

neverneverdead · 发表于 2013-1-4 19:22:51

cboby 发表于 2013-1-3 13:45
这是针对CS1.5的?

1.5 1.6 都有这问题

coolhurter · 发表于 2013-1-12 00:06:52

已经做好，你去看下吧
http://www.dt-club.net/forum.php ... &extra=page%3D1

cboby · 发表于 2013-2-9 12:03:27

朋友,hlds fake炸服,能解决吗

sunlei85106 · 发表于 2013-2-9 12:55:22

提示: 作者被禁止或删除内容自动屏蔽

sunlei85106 sunlei85106 当前离线积分 10 IP卡狗仔卡	发表于 2013-2-9 12:55:22 \| 显示全部楼层来自中国–黑龙江–大兴安岭地区提示: 作者被禁止或删除内容自动屏蔽
sunlei85106 sunlei85106 当前离线积分 10 IP卡狗仔卡
	回复使用道具举报显身卡

[AMXX 带源码] 关于防范HLDS Exploits Hl boom 炸服的想法

本帖子中包含更多资源