ASI SAMP 0.3.7 MultiRCE Fix (Menu, GameText & Animation)

mhertz

Well-known
Thread starter
Kalcor is unbelievable: while I was patching the menu, I found yet another incompletely patched buffer overflow (one he tried to fix in samp 0.3.7-r4-2).
For anyone interested who wants to try writing an abuse for it (I can't be bothered :D):
In the DisplayGameText RPC the first parameter (the text style) is not validated properly (Kalcor only checks that it is less than 200, and with a signed comparison at that: jg instead of ja; apparently he mixed up the GameText length and style). As a result we get a static buffer overflow from 0xC1A970 to somewhere around 0xC1CEF0 (and that is not counting the fact that Kalcor uses a signed comparison, so you can most likely write even further); there are a couple of pointers and other interesting things in there that can be swapped out, which most likely gets you RCE.
And Kalcor's half-patch in samp 0.3.7-r4-2 consists of him simply replacing every character below ASCII space (newline excepted) with an ASCII space))
Screenshot 1: the RPC handler itself (it is identical in R3 and R5)
Screenshot 2: what the display function looks like in R3
Screenshot 3: what the display function looks like in R5

Attachments

  • 1721247243574.png
  • 1721247267525.png
  • 1721247403424.png
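The defect described in the post is a signed bounds check (x86 jg) against a constant that is unrelated to the real table size, so both negative indices and indices between the table's end and 200 get through. The following is an added illustration, not code from the thread, from SA-MP or from any of the patches mentioned: it puts the broken check beside a corrected one and shows a handler that validates before indexing. The slot structure, the 8-entry table size and the sample style values are constructed assumptions; the real client's table layout and size are not given in the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the client's per-style GameText state. Eight slots
 * is an assumption; the real table's size and layout are not on the page. */
#define GAMETEXT_STYLE_COUNT 8

typedef struct {
    uint32_t time_ms;
    char text[64];
} GameTextSlot;

static GameTextSlot g_gametext[GAMETEXT_STYLE_COUNT];

/* The check as the post describes it: a signed "greater than" (x86 jg) against
 * the constant 200. A negative style is "not greater than 200" and is accepted,
 * as is any style between the table's real size and 200.
 * Returns 1 when the style would be accepted. */
int vulnerable_style_accepted(int32_t style)
{
    return !(style > 200);
}

/* Corrected check: cast to unsigned and compare against the table's actual
 * length (x86 ja). One comparison now rejects both negative values (they become
 * huge unsigned numbers) and anything at or past the end of the table. */
int hardened_style_accepted(int32_t style)
{
    return (uint32_t)style < GAMETEXT_STYLE_COUNT;
}

/* A DisplayGameText-style handler that validates before it indexes and also
 * bounds the text copy so the text field cannot overflow either.
 * Returns 1 on success, 0 when the packet is rejected. */
int display_gametext(int32_t style, uint32_t time_ms, const char *text, size_t len)
{
    if (!hardened_style_accepted(style))
        return 0;
    GameTextSlot *slot = &g_gametext[style];
    if (len >= sizeof slot->text)
        len = sizeof slot->text - 1;
    memcpy(slot->text, text, len);
    slot->text[len] = '\0';
    slot->time_ms = time_ms;
    return 1;
}

/* Counts how many of the n sample styles a given check accepts, so the two
 * checks can be compared over the same inputs. */
size_t count_accepted(int (*check)(int32_t), const int32_t *styles, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (check(styles[i]))
            accepted++;
    return accepted;
}

/* Constructed sample inputs: in-range, just past the end, far past the end,
 * around the constant 200, and negative (including the most negative value). */
#define SAMPLE_STYLE_COUNT 9
static const int32_t sample_styles[SAMPLE_STYLE_COUNT] = {
    0, 3, 7, 8, 150, 200, 201, -1, INT32_MIN
};
```

Over the constructed samples the signed check lets eight of the nine values through (only 201 is rejected), while the unsigned check against the real table length accepts just 0, 3 and 7. The same single-comparison pattern is what a reviewer should look for in any handler that turns a network-supplied integer into an array index.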

Loku

Well-known
It's lame that the guy who created this exploit reported it to the OpenMP team so they could make a fix, Amyr then gave it to the SampAddon creator, and you suddenly make a fix like 5 days after. To the SAME exploit we reported. Coincidence? I think not.

Next time just a "thanks" would be nice for it; these things make you think twice about whether to report an exploit like this again or just sell it like some of you do.

sazzas1978

Well-known
It's lame that the guy who created this exploit reported it to the OpenMP team so they could make a fix, Amyr then gave it to the SampAddon creator, and you suddenly make a fix like 5 days after. To the SAME exploit we reported. Coincidence? I think not.

Next time just a "thanks" would be nice for it; these things make you think twice about whether to report an exploit like this again or just sell it like some of you do.
Why couldn't you just post the fix for this exploit on the forum, and now you're crying? Stupid
 

fzfzfz123

Newbie
Why couldn't you just post the fix for this exploit on the forum, and now you're crying? Stupid
No need to insult, buddy. Publishing a fix like this has the downside of exposing the vulnerability; that's the only reason why I didn't want to.
Now be prepared for this to be exploited in the wild, with the majority of SA-MP players not knowing about this fix or even this forum.

To the post creator: thanks for writing the patch and sharing it. But it would be fair if you gave me some credit, as I'm pretty sure you got my PoC (or any relevant info about the vuln) from what I shared with some open.mp devs a few weeks ago.

PS: nice vuln report

mhertz

Well-known
Thread starter
No need to insult, buddy. Publishing a fix like this has the downside of exposing the vulnerability; that's the only reason why I didn't want to.
Now be prepared for this to be exploited in the wild, with the majority of SA-MP players not knowing about this fix or even this forum.

To the post creator: thanks for writing the patch and sharing it. But it would be fair if you gave me some credit, as I'm pretty sure you got my PoC (or any relevant info about the vuln) from what I shared with some open.mp devs a few weeks ago.

PS: nice vuln report
I've actually discovered it myself; if you wanna see my RCE Pawn code, DM me
 

sazzas1978

Well-known
I've actually discovered it myself; if you wanna see my RCE Pawn code, DM me
That dude thinks he is a fucking genius and that only he could discover this exploit. I stand by the position that the more people are acquainted with this, the more people will have this fix. More projects will fix this in their clients. Nothing helps players who play on small RP dumps.

Loku

Well-known
06/29/2024 XXXXXXX - Posted PoC of the exploit

07/03/2024 7:21 PM - Disclosure of the exploit to the OpenMP guy
07/10/2024 00:13 AM - SAMPAddon guy tells Evgen that OpenMP guy messaged him about the exploit (Without any permission) -
07/12/2024 18:13 PM - SAMPAddon guy releases a fix, at least credit the author or say "thanks"?. - https://vk.com/wall-50232903_447662

07/17/2024 00:40 AM - You release this fix

Again, coincidence? I think not. Either someone gave you this info or you RE'd SAMPAddon, but we don't think this is a coincidence. At the end, users are protected which is what he wanted, but, it's the matter of saying "thanks".
EDIT: And don't get me wrong, thanks for the fix you made, that was the goal after all, it's just the credits.

chromiusj

average yakuza perk user
Moderator
06/29/2024 XXXXXXX - Posted PoC of the exploit

03/07/2024 7:21 PM - Disclosure of the exploit to the OpenMP guy
10/07/2024 00:13 AM - SAMPAddon guy tells Evgen that OpenMP guy messaged him about the exploit (Without any permission) -
07/12/2024 18:13 PM - SAMPAddon guy releases a fix, one could imagine he discovered the RCE since he doesn't thank the original author. Translating the text seems like he discovered it but you could help on that, if not, at least credit the author or say "thanks". - https://vk.com/wall-50232903_447662

07/17/2024 00:40 AM - You release this fix

Again, coincidence? I think not. Either someone gave you this info or you RE'd SAMPAddon, but we don't think this is a coincidence. At the end, users are protected which is what he wanted, but, it's the matter of saying "thanks".
It all looks like an episode from Rick and Morty, where Beth didn't apologize to Tommy for what she did to him, and decided to go the radical way by killing everyone.
Anyway, thanks for such work; the game is worth the candle. Thanks guys ❤️