Dear Elitepvpers,
I decided to release some exploits before anyone uses them against any servers.
Most of them are not public as far as I know, and most of them need a bit of advanced knowledge to exploit:
SQL-Injection Guild [Function: CDPSrvr::OnQuerySetGuildName]:
In this case there are 2 bugs which make this attack even possible on most of the servers.
Problem 1:
Problem 2:
There is no check if the item that is used is the "Change Guild-Name" item.
Solution [define for both fixes is __GUILD_RENAME_FAKE]:
The developers validate the string that contains the name ("lpszGuild"), but even if this check fails they forgot to return.
SQL-Injection Name [Function: CDPSrvr::OnQuerySetPlayerName]:
This is similar to the one above.
Problem:
Solution [define for the fix is __CHAR_RENAME_INVALID]:
The developers validate the string that contains the name ("lpszPlayer"), but even if this check fails they forgot to return.
Buffer Overflow [Function: CProject::IsInvalidName]:
This is a critical bug, but most of the "flyff hackers" would not be able to abuse this other than just crashing the server.
Problem:
Solution [define for the fix is __BUFFEROVERDLOW_NAMECHECK]:
The critical line of this is the following. "pszName" is a local buffer of size 64, but szName can be up to 100 characters long.
strcpy( pszName, szName );
If szName exceeds the limit of 64, the stack canary is overwritten and therefore an error will be raised, resulting in a server crash. There are 2 ways to fix this: either increasing the buffer size up to 100 or preventing the buffer from overflowing.
Array out of bounds [Function: CItemUpgrade::RemovePetVisItem]:
This can result in a server crash or even stat hacks and more.
Problem:
Solution [define for the fix is __PET_PIERCING_BOUNDS]:
I will keep this simple. There is no check of the value of "nPosition", so we can easily get out of bounds.
UPDATE 1 (15.05.2016)
Array out of bounds [Function: CExchange::ResultExchange]:
This can result in a server crash or even dupes and more.
Problem:
Solution [define for the fix is __EXCHANGE_NEGATIVE]:
Similar to the one above. There is no check of the value of "nListNum", so we can easily get out of bounds, as if it is "nListNum < 0" it will pass all checks.
UPDATE 2 (02.04.2018)
Nullpointer [Function: CDPSrvr::OnTransformItem]:
This results in a server crash.
Problem:
Solution [define for the fix is __INVALID_TRANSFORM]:
ITransformer::Transformer only returns a valid object if the argument is 0, which is for EggTransformation, and otherwise NULL, which leads to dereferencing a null pointer (if you actively use assertions you might want to add a check in the Transformer function itself).
UPDATE 3 (09.10.2018)
Out of Memory [Function: CDPSrvr::OnRainbowRaceMiniGamePacket]:
This can result in a server crash.
Problem:
Solution [This is NOT a perfect fix, but as far as I know the maximum size used in this system is 3. Define for the fix is __MINIGAME_SIZE_VALIDATE]:
When serializing __MINIGAME_EXT_PACKET, the size of the vector (nSize) is not checked, which allows people to create arbitrary-size vectors.
Array out of bounds [Function: CMiniGame::Bet_FiveSystem]:
This can result in a server crash or even dupes and more.
Problem:
Solution [define for the fix is __MINIGAME_EARLY_CHECK]:
The developers messed up. They validated the index (nBetNum), but too late.
I will only be releasing bugs that affect the availability of the server. I won't be releasing fixes for anything that is not causing a DoS.
If your server gets crashed by someone and the fix is not public, please don't hesitate to contact me, I'm happy to help :)
Zerux
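The four defect patterns the post describes (a name check that does not return on failure, strcpy into a 64-byte local buffer from a source of up to 100 characters, an index check that lets a negative value through, and a vector sized from an unchecked packet field) reconstructed as an added stand-alone C++ example. This is not code from the post or from the FlyFF server source; every function and constant name in it is hypothetical, the allowed-character set for names is an assumption, and only the 64-byte buffer size and the maximum vector size of 3 are taken from the post.

```cpp
// Added example (not code from the post or the FlyFF server source).
// Each function below is a hypothetical stand-in that shows the shape of one
// of the fixes the post describes; names and limits other than the 64-byte
// buffer and the maximum vector size of 3 are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// --- Name validation: the check must end the request when it fails ---------

// Returns true when the name must be rejected.  The character set is an
// assumption; the point is that the caller acts on the result.
bool isInvalidName(const std::string& name) {
    if (name.empty() || name.size() > 32) return true;
    for (unsigned char c : name) {
        bool alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                     (c >= 'a' && c <= 'z');
        if (!alnum) return true;   // quotes, semicolons, spaces, etc. all fail
    }
    return false;
}

// The post's bug: validation ran, but the handler continued on failure.
// Here the failed check returns before the stored name (and, in a real
// server, the database) is touched.
bool setPlayerName(const std::string& requested, std::string& storedName) {
    if (isInvalidName(requested)) return false;   // the missing `return`
    storedName = requested;
    return true;
}

// --- Bounded copy in place of strcpy( pszName, szName ) --------------------

enum { kNameBufSize = 64 };   // size of the local buffer in the post

// Copies src into the 64-byte buffer only if it fits with its terminator;
// a source of 64 or more characters is rejected instead of overrunning.
bool copyName(char (&dst)[kNameBufSize], const char* src) {
    std::size_t n = 0;
    while (n < kNameBufSize && src[n] != '\0') ++n;   // never scan past 64
    if (n == kNameBufSize) return false;              // no room for '\0'
    std::memcpy(dst, src, n + 1);
    return true;
}

// --- Index checks that reject negative values ------------------------------

// A signed index must be checked on both sides; an upper-bound-only test
// lets nListNum < 0 through, which is the defect the post describes.
bool validIndex(int idx, std::size_t count) {
    return idx >= 0 && static_cast<std::size_t>(idx) < count;
}

// Clears one slot of a table only when the index is in range.
bool clearSlot(std::vector<int>& slots, int idx) {
    if (!validIndex(idx, slots.size())) return false;
    slots[static_cast<std::size_t>(idx)] = 0;
    return true;
}

// --- Size field of a packet checked before the vector is sized -------------

enum { kMaxMiniGameEntries = 3 };   // the post's stated maximum

static std::uint32_t readU32LE(const std::uint8_t* p) {
    return std::uint32_t(p[0]) | (std::uint32_t(p[1]) << 8) |
           (std::uint32_t(p[2]) << 16) | (std::uint32_t(p[3]) << 24);
}

// Parses [nSize:u32][entry:u32 * nSize] (constructed layout).  nSize is
// client-controlled, so it is compared with the maximum and with the bytes
// actually received before anything is allocated.
bool readEntries(const std::uint8_t* buf, std::size_t len,
                 std::vector<std::uint32_t>& out) {
    if (len < 4) return false;
    std::uint32_t nSize = readU32LE(buf);
    if (nSize > kMaxMiniGameEntries) return false;                      // oversized
    if (len - 4 < static_cast<std::size_t>(nSize) * 4) return false;    // truncated
    out.clear();
    for (std::uint32_t i = 0; i < nSize; ++i)
        out.push_back(readU32LE(buf + 4 + i * 4));
    return true;
}

int main() {
    std::string stored = "Old";
    char buf[kNameBufSize];
    std::vector<int> slots{1, 2, 3};
    std::vector<std::uint32_t> entries;
    const std::uint8_t pkt[] = {2, 0, 0, 0, 7, 0, 0, 0, 9, 0, 0, 0};  // constructed sample
    bool ok = !setPlayerName("Bob'--", stored) && stored == "Old"
           && !copyName(buf, std::string(100, 'A').c_str())
           && !clearSlot(slots, -1)
           && readEntries(pkt, sizeof pkt, entries) && entries.size() == 2;
    return ok ? 0 : 1;
}
```

Each function returns false on the rejected input rather than continuing, which is the common thread of the fixes above: the check has to stop the handler, not just run.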