The most interesting bug I have found in my research is the following.
A specially formatted packet immediately crashes EVERY server that uses
the Unreal engine: ALL the versions are vulnerable to the same packet!
Let me start by explaining a bit of Unreal engine basics:
Unreal engine uses a method (a bit crazy) to use less space in files
and in network packets.
This method is called "index type" or "Compact Indices" and is a long
type number (31 bits + 1 bit for the sign) that is saved in an amount
of bytes that can go from 1 to 5 (a long type number is 4 bytes, so
this method is good for small values).
In every packet sent through the network, before the data there is
one of these index type numbers, which specifies the size of the data
after it.
Within each packet there can be many data "parts", and this index
value is used to specify how long the current piece of data is.
Example:
[index1][data1][index2][data2]...[indexN][dataN]
The Unreal engine first decodes the packet, then simply reads the
index number and finally allocates that size in memory.
However, it seems that the Unreal engine makes a check on this index
number to avoid possible abuses if an attacker tries to set a big index
number (something like:
"if(index_number > packet_or_file_size) break;"), but unfortunately it
sucks when the sign of this value is negative, because the Unreal engine
considers negative numbers as Unicode format, which needs 2 bytes for each
char.
Example:
If I want the remote server to allocate 512 Mb of RAM to read my
packet, I must not use 512000000 (naturally converted to index
format) but I must use -256000000 (negative sign plus half the amount of
data).
Simple and funny.
The maximum number of bytes of memory that we can allocate is a long type
number, so 0xffffffff minus the leftmost bit, which is used for the sign:
2147483647 bytes.
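As an added example (my code, not part of the advisory, the forum post, or the Unreal engine), the following C program decodes a 1-to-5-byte compact index and applies the length check the advisory says the engine gets wrong. The bit layout is an assumption based on the commonly documented UE1/UE2 format: byte 0 carries the sign bit (0x80), a continuation bit (0x40) and 6 value bits; each following byte carries a continuation bit (0x80) and 7 value bits. The hardened check converts the index into the number of bytes it will actually consume (2*|n| for a negative, i.e. Unicode, index) before comparing it with the bytes left in the packet, while naive_index_fits() reproduces the signed comparison quoted in the advisory so the difference is visible. All function names and the sample values are mine; the 512000000 / -256000000 pair comes from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not engine code. Assumed layout: byte 0 = sign (0x80) | more (0x40)
 * | 6 value bits; bytes 1..4 = more (0x80) | 7 value bits each; at most 5 bytes. */
typedef struct {
    int      negative;   /* sign bit taken from byte 0 */
    uint32_t magnitude;  /* absolute value, at most 31 bits */
} compact_index_t;

/* Serialize value (|value| < 2^31) into buf (at least 5 bytes). Returns bytes written. */
size_t encode_compact_index(int64_t value, uint8_t *buf)
{
    uint32_t v = (uint32_t)(value < 0 ? -value : value);
    size_t n = 0;
    uint8_t b0 = (uint8_t)((value < 0 ? 0x80 : 0x00) | (v & 0x3f));
    v >>= 6;
    if (v) b0 |= 0x40;
    buf[n++] = b0;
    while (v && n < 5) {
        uint8_t b = (uint8_t)(v & 0x7f);
        v >>= 7;
        if (v && n < 4) b |= 0x80;   /* the fifth byte never carries a continuation bit */
        buf[n++] = b;
    }
    return n;
}

/* Parse one compact index from buf[0..len). Returns bytes consumed, 0 if the packet ends mid-index. */
size_t decode_compact_index(const uint8_t *buf, size_t len, compact_index_t *out)
{
    if (len == 0) return 0;
    uint8_t b = buf[0];
    size_t used = 1;
    int more = (b & 0x40) != 0;
    int shift = 6;
    out->negative = (b & 0x80) != 0;
    out->magnitude = b & 0x3f;
    while (more && used < 5) {
        if (used >= len) return 0;                       /* truncated */
        b = buf[used++];
        out->magnitude |= (uint32_t)(b & 0x7f) << shift; /* bits above 31 fall off (unsigned) */
        more = (b & 0x80) != 0;
        shift += 7;
    }
    return used;
}

/* Bytes the index will really consume: a negative index denotes |n| Unicode chars, 2 bytes each. */
uint64_t index_bytes_needed(const compact_index_t *idx)
{
    return idx->negative ? 2ull * idx->magnitude : (uint64_t)idx->magnitude;
}

/* Hardened check: compare the real byte count with what is left in the packet. */
int index_fits(const compact_index_t *idx, size_t remaining)
{
    return index_bytes_needed(idx) <= (uint64_t)remaining;
}

/* The signed comparison the advisory quotes ("if (index > size) break;"):
 * every negative index passes, which is the flaw being described. */
int naive_index_fits(const compact_index_t *idx, size_t remaining)
{
    int64_t s = idx->negative ? -(int64_t)idx->magnitude : (int64_t)idx->magnitude;
    return s <= (int64_t)remaining;
}

/* Helpers: encode, decode and evaluate one value against a packet remainder. */
int64_t roundtrip(int64_t value)
{
    uint8_t buf[5]; compact_index_t idx;
    size_t n = encode_compact_index(value, buf);
    if (decode_compact_index(buf, n, &idx) != n) return INT64_MIN;
    return idx.negative ? -(int64_t)idx.magnitude : (int64_t)idx.magnitude;
}
int encoded_len(int64_t value) { uint8_t buf[5]; return (int)encode_compact_index(value, buf); }
int check_fits(int64_t value, size_t remaining)
{
    uint8_t buf[5]; compact_index_t idx;
    decode_compact_index(buf, encode_compact_index(value, buf), &idx);
    return index_fits(&idx, remaining);
}
int naive_fits(int64_t value, size_t remaining)
{
    uint8_t buf[5]; compact_index_t idx;
    decode_compact_index(buf, encode_compact_index(value, buf), &idx);
    return naive_index_fits(&idx, remaining);
}

int main(void)
{
    const int64_t samples[] = { 5, 100, 512000000, -256000000 };   /* constructed inputs */
    const size_t remaining = 1024;                                  /* constructed packet remainder */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t buf[5]; compact_index_t idx;
        decode_compact_index(buf, encode_compact_index(samples[i], buf), &idx);
        printf("%11lld -> %d byte(s), needs %llu bytes, hardened=%d naive=%d\n",
               (long long)samples[i], encoded_len(samples[i]),
               (unsigned long long)index_bytes_needed(&idx),
               index_fits(&idx, remaining), naive_index_fits(&idx, remaining));
    }
    return 0;
}
```

With a 1024-byte remainder, the hardened check rejects both 512000000 and -256000000, whereas the signed comparison rejects only the positive one and lets the negative index through, which is the behaviour the advisory exploits.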
The effects of this attack are really incredible:
- if the size of the bytes to allocate is less than the maximum
available memory on the remote system, the CPU will rise to 100% and
all the bytes of memory specified by the attacker will be consumed.
This effect will persist for a variable amount of time that depends
on the size of the bytes that must be allocated and the performance
of the victim machine (CPU and memory speed).
For example my PII @ 448 Mhz takes 25 seconds to allocate
250 Megabytes in memory (with the UCC.EXE server, without the
other weight of graphic, sound and artificial intelligence of the
game).
During this time it seems that the server cannot manage Unreal packets.
If you aren't running a dedicated server but are playing on that
same server, the game will freeze totally for a variable number of
seconds.
- if the memory that must be allocated is greater than the available memory,
the server will crash immediately!
The effects actually work and he is using multi-IP bots. Here is a short server log:
Critical: (NetMode=1)
Critical: TickLevel
Critical: UGameEngine::Tick
Critical: XGameEngineExt::Tick
Critical: UpdateWorld
Critical: MainLoop
Exit: Exiting.
Uninitialized: Name subsystem shut down
Uninitialized: Log file closed, 08/20/06 19:23:32
I'm seriously thinking of writing his ass off to jail. Just because one guy has a different opinion does not mean he has to spoil it for others, to this extent anyway. Ban his ass from this forum and every DX forum ever known, and hopefully he'll discover the wonders of hacking rather than sad black hat script kidding.
Update: Here's a snippet from his readme:
/****************************************
DeusEx Multiplayer GameServer Bot Crasher
*****************************************
(can be used for most of unreal based games)
This is my first C++ project.
How does this bot work?
The bot acts like every other bot (rx, sd, etc.), but it has no IRC client.
On start, it copies itself into windir\system32, adds itself to the registry for autostart
and deletes the original file. The bot connects to a website and downloads the instructions:
these can be a list of servers to crash over and over again, or an update or uninstall of the bot.
This bot can pack some serious damage to Unreal engine based games. Having around 50
bots and setting them to crash a server every 60 seconds means that the server will be off
all the time. In the future I will be working to implement a MasterServer list downloader
with a query for server info, so the crashing would be automatic (no more web update
needed) with a defined equality, e.g. if (initialaugs == 0) crash();
bcuzz, stoney, x-lock, ionix, phatty, nesespray and rbot dev team for rBot skeleton
- Luigi Auriemma for unrcrash exploit <No longer here, ha!>
- DejaVu for the idea, porting unrcrash to the bot, final job
This is a beta test release. No optimizations yet! Useless stuff in! Known bugs:
- crashdelay takes about 2 times longer (don't know why this is happening)
- sometimes the ftp url can't be accessed (might be just my testing ftp)
Instructions:
- you need to have Microsoft Visual Studio 6, the latest service pack for it, the processor pack
and SDK library - where to find them? www.google.com)))
- edit cfg.h in map config
- open crasher.dsw
- build crasher.exe (ignore 2 warnings, the bot works just fine)
DO NOT LEAK! FOR PRIVATE USE AND TESTING ONLY!
btw: FUCK YOU SCRIPT KIDDIES
DejaVu
i1337bb@hotmail.com