Future/MW3ServerFreezer
1
0
Fork 0
mirror of https://github.com/diamante0018/MW3ServerFreezer.git synced 2025-07-03 17:51:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

maint: major write up improvement. No functional changes

Browse Source
This commit is contained in:
6arelyFuture
2024-01-25 13:26:30 +01:00
parent 1a691ed547
commit 4d0ef6279a
5 changed files with 73 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
README.md
View File

@ -10,9 +10,47 @@ This software has been created purely for the purposes of academic research. It
## Summary
This software is a proof of concept for a vulnerability that is patched. You can't harm anyone with it if you use it on Pluto (If you were to update the addresses for the 1.9 patch).
You also can't use this vulnerability on Tekno as it was fixed last year (2.0.6 version of their client).
This software is a proof of concept for a vulnerability that is patched. You can't harm anyone with it if you use it on Pluto (If you were to update the addresses for the 1.9 patch of the game).
You also can't use this vulnerability on Tekno as it was fixed in 2021 (2.0.6 version of their client).
If you think your server is vulnerable you should seek help in the appropriate discord server or forum of the client you use.
The exploit is documented in [exploit.cpp](https://github.com/diamante0018/MW3ServerFreezer/blob/main/src/client/component/exploit.cpp)
## Update
The original patch by the Tekno gods was done incorrectly.
The patch made by Discord user "Zero Bytes" made the Netchan_Process stub return `-1` when suspicious packets were detected.
The return value is completely non-sensical and allows for the execution of SV_PacketEvent to continue.
```c
int __cdecl Netchan_Process_stub(netchan_t* a1, msg_t* a2)
{
if ( a2->cursize <= 14 || !a2->data[14] )
return Netchan_Process_Original(a1, a2);
// Forces the bytes of the packet to remain within acceptable values
a2->data[7] = 0;
a2->data[14] = 0;
// Returns wrong value. SV_PacketEvent is allowed to continue
return -1;
}
```
Later revisions of the Tekno gods server DLL seem to have changed this behaviour and now the stub returns `0` when a suspicious packet is detected.
```c
int __cdecl Netchan_Process_stub(netchan_t* a1, msg_t* a2)
{
if ( a2->cursize <= 14 || !a2->data[14] )
return Netchan_Process_Original(a1, a2);
// Redundant operation
a2->data[7] = 0;
a2->data[14] = 0;
// Returns correct value. SV_PacketEvent will return and it will not process the packet any further
return 0;
}
```
## Compile from source