Nukes

From Call of Duty 2


Nukes are special commands (or .cfg files) that allow a player to crash a server. I had to learn about these myself because assholes were crashing my servers.

These config files are provided here as a way of testing whether YOUR server is vulnerable to these Denial of Service attacks.

Please don't be an asshole and go around crashing other people's servers.



Long message attacks

Luigi provided proof-of-concept code for testing whether a server is vulnerable to the buffer overflow: http://aluigi.org/poc/codmsgboom.cfg (and by 'testing for vulnerability', I mean trying to crash the server.)

Local Mirror: (view codmsgboom.cfg) http://view.smaert.com/codmsgboom.cfg

Local Mirror: (download codmsgboom.cfg) http://download.smaert.com/codmsgboom.cfg

nuke.cfg

I made one small change to Luigi's config... If you try to crash a server using codmsgboom.cfg and it FAILS to crash (i.e. the server is patched) it looks really obvious that you just tried to crash the server (because you just said a long string of aaaa's.) My tweak is to make it slightly less obvious: how about an overly dramatic 'nooooooooooooooooooo....', instead?

View nuke.cfg: http://view.smaert.com/nuke.cfg

Download nuke.cfg: http://download.smaert.com/nuke.cfg

If executed against a server and the attack is successful...

  • All clients (people playing on the server) will see the "Connection Interrupted" message and the "disconnected from server" icon at the bottom of the screen (the one that looks like a phone cord unplugged from a phone jack).
  • On a Windows server, the program will still look as though it is running normally for a minute. After a minute or so, the CoD2 server program will close itself. No error messages or explanations for the crash are shown. (This was tested on Windows 2000 Server.)

Defending against overly long message attacks

Linux servers are NOT vulnerable to this attack.

Windows servers ARE vulnerable to this attack.

Windows servers can apply a patch to fix the problem.

Please see the article on Server_Patching for more details: Server_Patches#Patch_1:_message_buffer_overrun_fix_(CRITICAL)

va() (long command) attacks

There was no proof of concept code provided, but I did eventually learn that this is triggered by issuing 1000 character commands.

nuke2.cfg

nuke2.cfg is for triggering the va() bug in a CoD2 server.

If the server is vulnerable, it will crash with the va() error.

View nuke2.cfg: http://view.smaert.com/nuke2.cfg

Download nuke2.cfg: http://download.smaert.com/nuke2.cfg

If exploitation of this bug is successful...

  • All clients will be immediately disconnected from the server with an error message that says "Server Disconnected - Attempted to overrun a string in a call to va()"
  • The server console will show this error message:
********************
ERROR: Attempted to overrun string in call to va()
********************
----- Server Shutdown -----
Sending heartbeat to cod2master.activision.com
==== ShutdownGame ====
2: EXE_DISCONNECTED
---------------------------

The server program will continue to run, but will not function correctly. The error message will remain on the server console until the server is manually restarted.
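Because the process stays up after this error, a check that only tests whether the server process is alive will miss it. The following is an added example, not part of the original page or of any CoD2 tooling: it scans captured console output for the error banner shown above and reports whether a restart is needed. How the console output is captured, the 5-line window, and the chat-style sample line are assumptions.

```python
import re

# Matches the console wording and the slightly different client-side wording quoted on this page.
VA_ERROR = re.compile(r"Attempted to overrun (?:a )?string in (?:a )?call to va\(\)")
SHUTDOWN = "----- Server Shutdown -----"
WINDOW = 5  # assumption: the shutdown banner follows the error within this many lines


def find_va_crashes(lines, window=WINDOW):
    """Return (line_number, confirmed) for each va() ERROR line in console output.

    confirmed is True when the shutdown banner follows within `window` lines,
    i.e. the state described above: process still running, server not functioning.
    """
    hits = []
    for i, line in enumerate(lines):
        text = line.strip()
        # Only lines the server itself logged as ERROR count; text that merely
        # contains the phrase (for example, echoed chat) is ignored.
        if not text.startswith("ERROR:") or not VA_ERROR.search(text):
            continue
        following = lines[i + 1 : i + 1 + window]
        confirmed = any(l.strip() == SHUTDOWN for l in following)
        hits.append((i + 1, confirmed))
    return hits


def needs_restart(lines):
    """True if at least one va() error was followed by a server shutdown."""
    return any(confirmed for _, confirmed in find_va_crashes(lines))


# Sample input: line 1 is constructed (not a real CoD2 log format);
# the remaining lines are the console excerpt quoted on this page.
SAMPLE = """\
say: Attempted to overrun string in call to va()
********************
ERROR: Attempted to overrun string in call to va()
********************
----- Server Shutdown -----
Sending heartbeat to cod2master.activision.com
==== ShutdownGame ====
""".splitlines()

if __name__ == "__main__":
    for lineno, confirmed in find_va_crashes(SAMPLE):
        state = "server shut down, restart required" if confirmed else "no shutdown seen"
        print(f"line {lineno}: va() overrun error ({state})")
```
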

Defending against va() attacks

Linux AND Windows servers ARE vulnerable to this attack.

A patch can be applied to the server to fix this problem.

Please see the article on Server_Patching for details: Server_Patches#Patch_2:_work-around_for_the_va()_bug_(CRITICAL)
