|
On May 04 2010 20:01 dhe95 wrote: From Hot_Bid's R1CH quotes thread: Sent a copy of this to hacks@blizzard, but if you catch anyone in person, direct them to this thread as this seems serious enough to warrant attention:
---------------------
There appears to be a hack circulating in SC:BW where an oversized game name is passed to bnet upon game creation. Bnet does not perform input sanitization on this value before storing it. Bnet then sends this information back to the client when the client is at the join game screen, at which point the oversized game name is added to the join game list box. When the user clicks the entry, the list box text is copied into an unchecked 128 byte buffer and a stack-based buffer overflow occurs.
On a quick glance, the return address looks possibly controllable, meaning with the right length and combination of characters, this could be exploited to execute arbitrary code on the StarCraft client.
Vulnerable code resides in battle.snp @ base + 0x237D0:
```
190237D0 |. 8B1D BCA20319   mov ebx,dword ptr ds:[<&USER32.SendMessa>  ; USER32.SendMessageA
190237D6 |. 6A 00           push 0                                      ; /lParam = 0
190237D8 |. 6A 00           push 0                                      ; |wParam = 0
190237DA |. 68 88010000     push 188                                    ; |Message = LB_GETCURSEL
190237DF |. 56              push esi                                    ; |hWnd
190237E0 |. FFD3            call ebx                                    ; \SendMessageA
190237E2 |. 83F8 FF         cmp eax,-1
190237E5 |. 0F84 7D000000   je battle.19023868
190237EB |. 8D95 70FFFFFF   lea edx,dword ptr ss:[ebp-90]
190237F1 |. 52              push edx                                    ; /lParam
190237F2 |. 50              push eax                                    ; |wParam
190237F3 |. 68 89010000     push 189                                    ; |Message = LB_GETTEXT
190237F8 |. 56              push esi                                    ; |hWnd
190237F9 |. FFD3            call ebx                                    ; \SendMessageA
```
As shown here, LB_GETTEXT is used to pull the string out of the listbox into edx. edx points to a stack buffer of 128 bytes. Since the string in the listbox is controlled by the attacker as no bounds checking is done on either the client or the server, a stack-based buffer overflow occurs.
My suggested immediate fix would be to limit the maximum game name / mapname and other user-controlled parameters that the battle.net server will accept as this would not require a client patch. If the user submits to bnet values of greater length than the BW client would normally allow, they can be flagged as malicious and handled accordingly. An additional suggested client-side update in the next patch would validate the game name and other parameters received from battle.net before working with them, to protect the player from 3rd party servers.
I would appreciate being informed of any updates to this issue, as if no action is taken I will make my own unofficial patch to address this bug. Thanks!

Seems like R1CH already found this ages ago.

That's not the same thing. This hack sends a certain amount of specific packets to a target person that results in their client crashing. It does not depend on them viewing the game in the lobby.
On May 05 2010 04:02 Boundz(DarKo) wrote: Also there is no such thing as anti-drophack unless the person using the drophack is using some exploited drophack with anti-package feature. There is indeed such a thing as an anti-drophack. Pretty much all drophacks rely on the fact that BW will crash or desync if sent certain malformed packets. Therefore, to develop an anti-drophack, one must simply block/handle those packets and make sure the client doesn't crash.
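Added example, not R1CH's code or anything from Blizzard: the two fixes the report proposes, written in C against a simulated list box instead of the Win32 API. The 128-byte buffer is from the report; MAX_GAME_NAME, the function names and the sample names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* From the report: the client copies list-box text into a 128-byte stack
   buffer. MAX_GAME_NAME is an assumed limit on what a stock client would
   submit; the page gives no such figure. */
#define LISTBOX_BUF_SIZE 128
#define MAX_GAME_NAME    32

/* The flawed pattern: LB_GETTEXT writes the whole entry into the fixed
   buffer with no length check. This helper only reports whether that copy
   would overrun the buffer; it never performs the unsafe copy. */
bool would_overflow(const char *entry_text) {
    return strlen(entry_text) + 1 > LISTBOX_BUF_SIZE;
}

/* Client-side hardening (the patch-time fix the report suggests): learn the
   length first, copy only if it fits. On Win32 that is LB_GETTEXTLEN before
   LB_GETTEXT; here strlen stands in for the length query. */
bool safe_get_text(const char *entry_text, char *out, size_t out_size) {
    size_t len = strlen(entry_text);
    if (out_size == 0) return false;
    if (len + 1 > out_size) { out[0] = '\0'; return false; }
    memcpy(out, entry_text, len + 1);
    return true;
}

/* What the click handler would do with a frame like the one at ebp-90:
   select the entry into a 128-byte local, refusing oversized text. */
bool client_select_entry(const char *entry_text) {
    char name[LISTBOX_BUF_SIZE];
    return safe_get_text(entry_text, name, sizeof name);
}

/* Server-side check (the report's immediate, client-patch-free fix): refuse
   any game name longer than a legitimate client can produce, so it is never
   stored or echoed to the join-game screens of other players. */
bool server_accepts_game_name(const char *name) {
    return strlen(name) <= MAX_GAME_NAME;
}
/* Constructed sample inputs, not from the page. */
static char oversized[200];
const char *sample_oversized(void) {
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    return oversized;
}
const char *sample_normal(void) { return "3v3 BGH fast"; }
```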
|
On May 04 2010 13:33 Amnesia wrote: Let's get R1CH to stomp his ass
this :D
Luckily I just use iCCup and am protected from such things by the AH.
|
I tried joining one of those games awhile back, and strangely, whenever I start up BW since then, nothing happens, except it reset my resolution to 600x800. I then have to reopen the game, occasionally several times, before the game actually launches.
Does anyone else have this sort of problem?
|
Sounds like he has a bot to spot you, then an IRC bot network to flood your IP with bad packets in what's called a DoS or Denial of Service attack. I've seen this before on console games like Halo. I actually have met people who have done this recently and they confirmed my suspicions. This is actually a felony; it's pretty sad how far people go to cheat lmao. I recommend switching your router or modem's IP# afterwards. You may be able to stop this kind of attack by using your NAT properly or through a proxy server. It's been around for 20 years.

Basically, if I have a bot, I attach it to some torrents, and as people d/l them they get infected with this trojan. It doesn't harm the host; what it does is "check in" whenever that computer has an active internet connection to an IRC bot. Once you get hundreds or thousands of these bots on computers all over the world you can have them all bombard a target IP# with bad packets or IP packets that have spoofed return addresses. Each bot is only using a tiny fraction of the bandwidth of the computers they've infected, so they go unnoticed by the infected. The network of the target IP gets eaten up by all the bad packets, and if your modem or router gets backed up enough they will reset. Basically there is so much crap clogging your connection that the good stuff can't get through fast enough. I'm going to dig up the link to a much better explanation of this; I'll post it as soon as I find it. There have been large attacks used to blackmail websites such as gambling sites; when they get enough bots they can hold a site down for days with these kinds of attacks. I believe there was a bot network brought down by the FBI that numbered in the millions; the guilty were caught when they attempted to collect their ransom. This is a bit of a generalization but this should give you the gist of it. This is what it sounds like to me.

For the record I HAVE NEVER DONE ANYTHING LIKE THIS. I know about it because almost 15 years ago I was a little nerd and hung out with tons of brilliant nerds, and it was pretty common back then because people were so naive when it came to computers. But then I discovered breasts and fell out of the nerd loop. Nowadays so many people have anti-virus that it is a bit more difficult to get huge bot networks going. The reason I suspect this is the culprit is because you said you lose all network service; that's a major telltale sign of this type of attack. It probably subsides pretty quickly because he's simply changing targets.
|
iccup wont let that happen!
|
man...some guys on bnet are just total jerks =_=
I'm gonna try this and see what happens...
edit: waited about 5 minutes, nothing happened =\
|
Hmm, just went there today and didn't see any of the FROST@USEAST>YOU games. Wonder why he stopped?
|
On May 05 2010 04:22 BalloonFight wrote: On May 05 2010 04:18 GreEny K wrote: On May 04 2010 12:57 Mindcrime wrote: On May 04 2010 12:52 Excel Excel wrote: Creating a new Bnet account will get around this, and so will creating passworded games, but I fear that eventually Frost will begin to prevent ALL people from hosting through some manner. that would be pretty epic tbh Obviously it's not permanent if you can just make a new account and get back on, not sure what it is but he didn't hack your computer if that's what you're wondering. Read the thread. It can be used to execute arbitrary code.
Code injection means arbitrary code using whatever SC/battle.net uses. If you use code injection into php, you get php code. I'm skeptical that you can use SC code to install arbitrary programs onto a computer.
The oh so cool hacker forum mentions something about a dlist, so they're probably adding names onto a continuously running list to either continually attack their bnet account or their internet connection. I'm going to assume the majority of their wannabe shenanigans is done by downloading this battle net packet sender and using their limited coding skills to achieve their narrow results.
|
Code injection means arbitrary code using whatever SC/battle.net uses. If you use code injection into php, you get php code. I'm skeptical that you can use SC code to install arbitrary programs onto a computer.
When shit gets executed from a stack/heap/etc. in overflows, bad things happen. It is literally "arbitrary" code, as in, EVERYTHING. PHP and SQL injections are much more limited than overflow exploits.
Also, I thank Reborn8u for being one of the very few people who actually read the thread.
|
I remember this happening before. The game name was Zynastor's New Drophack! And that Frost might not be Frost but some random bnet spoofer. That isn't a new hack; that's been out for about 5 months and it drops everyone in the lobby by spamming "____ HAS JOINED THE GAME". It's like you flooding, 'cept it's in the lobby. Wait, network connection? Well fuck.. Not sure why you guys think USEast is funny. Frost@USWest might not be Frost@USEast. I used to call myself Grimmjow@World because I owned all Grimmjows (and still do) except the one on iCCup..
|
I'm actually interested to see if this guy can take over all of bnet.
|
On May 05 2010 08:14 Pokebunny wrote: I'm actually interested to see if this guy can take over all of bnet. A guy tried and got jailed man not saying any names just thinking about him makes my heart pump.
|
On May 05 2010 08:15 Kenpachi wrote: On May 05 2010 08:14 Pokebunny wrote: I'm actually interested to see if this guy can take over all of bnet. A guy tried and got jailed man not saying any names just thinking about him makes my heart pump.
lol what?
Also, talking about weird games. Today there's a DL ONLY: Crash RPG:Soulburn game being hosted on east. When you enter the game, all the slots are empty and you dl from nobody :o
|
Yeah I have had problems with him as well. It crossed my mind that it could be Blizzard just trying to get people switched to SC2, but that's highly unlikely.
|
Is this worth it? This guy could be looking at 10 years in prison if he gets caught? WTF is he thinking? I just laugh at them.... You're risking 10 years of your life for what? It's sad when people think they are smart for doing something like this when they are in fact abysmally retarded! The kid in that link was also forced to pay 37k in restitution; how long do you think he'll be getting his paychecks docked after he gets out to pay that? I'm sure he's gonna find a good job after a 10 year prison stay. If you want to taunt Frost, try getting on Bnet after setting your computer connection up through an anonymous proxy. If his attack no longer works it is because he can no longer detect your IP, just your proxied IP, which will probably be some huge server he can't possibly overload. So you will be free to tell him the penalties of his actions and make him feel very smart I'm sure.
|
Maybe Frost@USEast IS R1CH!
dun dun dunnnnnnnnn
probably not though, LoL
|
On May 04 2010 19:16 GTR wrote:![[image loading]](http://i30.tinypic.com/359cv0y.jpg)
Just gonna go out and say, that card would be fucking broke if it was real. Holy shit the imbalance of that card.
|
On May 05 2010 08:35 Chairman Ray wrote: Yeah I have had problems with him as well. It crossed my mind that it could be Blizzard just trying to get people switched to SC2, but that's highly unlikely.
Well some people have said this has been going on for quite a while, so maybe it isn't blizzard trying to get people to sc2, although the thought reminds me of the mass mass mass starcraft / diablo 2 bans blizzard nailed people with for using programs that had been floating around b.net for years. This took place 1-2 weeks before a new WoW expansion was released.
So if it were blizzard trying to open up StarCraft 2 a bit, I think they'd just throw out mass bans again?
|