Rodnia - Remote Code Execution


Cycu

Hi!

TL;DR

Rodnia has an RCE (Remote Code Execution) vulnerability that allows an attacker to run malicious code on the targets' PCs simply by getting them to click an item in chat or a private message.

Part 1

I wanted to check how the link system works on this server so I ended up intercepting a random chat message containing a link from youtube.

|Lro|l |empire|c| |Hmsg:redacted|hredacted|h : Live |cFF00C0FC|h|Hweb:httpsXxXwww.youtube.com/watch?v=redacted|hhttps://www.youtube.com/watch?v=redacted|h|r

It can be concluded that this is a new hyperlink type with the code “web”, containing a link in which “://” has been changed to “XxX”.
So it’s time to replace the link from YouTube with our own link.

How To Part Removed by ASIKOO

Surprisingly there is no link whitelist so it works without any issues. Time to look at their code.

Part 2

This code appeared:

[Screenshot of the client's hyperlink-handling code]

I thought “tragedy”. No regex checking links and other stuff. Immediately a light bulb turned on inside my head. I’ve also noticed that there is a “sysweb” type and decided to check it first as it didn’t require link entry confirmation.

How To Part Removed by ASIKOO

What do you think? Did it work? Did the server check if the client can send hyperlinks with the “sysweb” type meant for server messages?
Well. . . no 🙂

Part 3

It’s time to play with the os.system function. According to the documentation, this function allows you to invoke a command in a shell directly from Python. So let’s try to run a calculator.

How To Part Removed by ASIKOO

No surprise, but what else can we do then?
Well, my dear. . . everything. We can literally run any command with administrator privileges.

https://medium.com/@Proclus/reverse-bind-shells-for-everyoned-e7507853bf4e

Part 4

I decided to check if I could send a chat hyperlink resembling an item that would trigger the RCE when clicked. So I sent the following message to chat, being sure that it would work.

How To Part Removed by ASIKOO


I was not wrong. It was only at this point that I realized that it was a lethal weapon that could do a lot of harm.

[Video]

Conclusion

This “small” error could lead to a mass takeover of PCs, as surely many people would click on “Sell [Sword+9] 999% average damage from GM”.

I hope that servers with similar systems will carefully check their code and will remember about such threats in the future.


(Rodnia administration was informed about this in advance and they fixed this bug)


Management

A small fix:

import webbrowser as WB

def OpenLink(link):
    # webbrowser.open hands the URL to the browser without going through a
    # shell, so the link text cannot be interpreted as a command line.
    try:
        return WB.open(link)
    except WB.Error as e:
        print("An error has occurred while trying to open {link}: {err}".format(link=link, err=e))
    return False

That should fix the problem: the (Python module) webbrowser.open makes a call to the subprocess.Popen function with the parameter shell=False, which ensures that whatever input (the URL string in our case) is passed, it will be handled by the specified application (the browser in our case)...

Docs: https://docs.python.org/3/library/subprocess.html#security-considerations

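As an added example (not the Rodnia client's code and not the fix posted above), here is a client-side handler that applies the checks this thread points at: refuse the server-only “sysweb” type when it arrives in player chat, accept only absolute http(s) URLs, and hand the URL to webbrowser.open rather than a shell. The token format and the “XxX” substitution are taken from the intercepted message in the first post; the function names and the sample tokens are my own constructions.

```python
import webbrowser
from urllib.parse import urlsplit

# Link types a *client* is allowed to originate. "sysweb" is reserved for
# server messages, so a "sysweb" token arriving in player chat is refused.
CLIENT_LINK_TYPES = {"web"}
ALLOWED_SCHEMES = {"http", "https"}


def parse_chat_link(token):
    """Split an 'H<type>:<payload>' hyperlink token into (type, url).

    The chat protocol seen in the intercepted message replaces '://' with
    'XxX' in transit; that substitution is undone here (first occurrence
    only, which is the scheme separator). Returns (None, None) on bad input.
    """
    if not token.startswith("H") or ":" not in token:
        return None, None
    link_type, payload = token[1:].split(":", 1)
    return link_type, payload.replace("XxX", "://", 1)


def is_safe_url(url):
    """Accept only absolute http(s) URLs that have a host and contain no
    whitespace or control characters (the characters a shell would split on)."""
    if not url or any(ord(c) < 0x21 or ord(c) > 0x7E for c in url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def open_chat_link(token, opener=webbrowser.open):
    """Validate a chat hyperlink token and hand the URL to the browser.

    'opener' defaults to webbrowser.open, which never goes through a shell,
    so the URL is data for the browser rather than a command line. Returns
    True only if the link passed every check and was handed to the opener.
    """
    link_type, url = parse_chat_link(token)
    if link_type not in CLIENT_LINK_TYPES or not is_safe_url(url):
        return False
    return bool(opener(url))
```

Replacing the opener in tests lets the validation be exercised without actually launching a browser.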

Destiny probably has a damaged brain.

He accused me that I sent .dat files (which I haven't, btw), thanks to which it will be possible to unpack his client and inject hlbot from @Cycu.

Some screenshots (I shouldn't, but I already don't care since he behaves like a bitch):

https://metin2.download/picture/ERpO1JXZ2XhVhHS68AJ4oj9EsYl9dr9Q/.png

https://metin2.download/picture/9r8EcuZnFX1O0W2nuN3QVJPX0rs5V9pl/.png

https://metin2.download/picture/E2j9ts6E3bltmawjcz16kCt0X6Oi07c2/.png

https://metin2.download/picture/l0c7AW29n70IAdr1Rn6AD6HT4U83KCsK/.png

https://metin2.download/picture/s5w6v1Gwq2oy0TAJqgJhOnJ26w8g444y/.png

https://metin2.download/picture/yhF706JO5w4JjOMraAypI6PDkLD1UW86/.png

Greetings from Italy.


 

On 3/15/2022 at 2:16 PM, Flourine said:

Bad boy 
