![[DISCUSSION] Kick hack](https://www.elitepvpers.com/forum/iconimages/metin2/discussion-kick-hack_ltr.gif){kind=small}
[DISCUSSION] Kick hack
However, instead of getting the other player disconnected from the server and back to the login, his client actually closed. Looking at the syserr.txt of the target, this is what I found:
Being 34 (0x22) the packet header of the GC Whisper packet, and 24 (0x18) one of the bytes I'm sending in the message. Which means the client is handling the whisper packets, and then handling part of my message as if it were a packet. The client does not disconnect because it recvs too many packets as I first thought, but because an unknown packet is received. It is not a disconnection from the server because of message flood, but a bug somewhere in the client or the server in the way it handles the packets.Quote:
0528 20:27:08968 :: Unknown packet header: 24, last: 34 34
Then I thought.. maybe this is exploitable in another way. Maybe I can send an actual well-crafted packet within my private message and make the victim client handle it as if the server sent it, something like a remote packet injection. This worked with some big issues:
- Since private messages can't contain null bytes, neither can the packet. This reduces A LOT the type of packets we can use. Introducing just a single nullbyte at the end would be nice, but I couldn't even get that. Maybe someone tries and solves it? Some of the packets I could manage to inject are whisper packets, so this hack can make the target receive a whisper from whoever we want, even a GM. I'm sure there are other packets that can be injected.
- This is the worst point. We must know where to introduce the packet. I'm sending a few whisper packets as "padding", and then the final one containing the malicious packet, which is positioned just where the client starts to handle the non-existing packet that would otherwise close the client. The amount of packets and the length of the padding in the last packet seem to be variable. It actually seems to change between channels but I'm not sure of that. There's probably other things involved like the amount of packet traffic in the channel or something like that. When the malicious packet doesn't get well positioned, the client of the victim usually closes because of an invalid packet being handled (kick hack).
- After I got it kind of working, I discovered changing the bytes I used as padding made the hack not to work. I did not investigate this, but it is strange as fuck.
- Sometimes server seems to mute or disconnect me when it detects I'm sending too many messages to a player.
As you can see, it is unreliable as hell. I don't really know what's happening or why the bug happens, but it would be great further investigation to make it more reliable. I think it can be pretty interesting. Has anyone discovered this bug and tried to exploit it in a better way? Does anyone have any information about it?
I will probably update the post soon with a video showing the proof of concept.
Regards,
papi Klecko.
. I'm doing it for myself and for learning so don't expect it working in your servers or anything. The code of the packet injection can be found in file cmd.cpp at function Command::_packet_injection.Update: video showing proof of concept
