Cycu, posted March 13, 2022 (edited)

Hi!

TL;DR

Rodnia has RCE (Remote Code Execution) that allows the attacker to run malicious code on the targets’ PCs simply by clicking an item in chat/private message.

Part 1

I wanted to check how the link system works on this server, so I ended up intercepting a random chat message containing a link from YouTube.

```
|Lro|l |empire|c| |Hmsg:redacted|hredacted|h : Live |cFF00C0FC|h|Hweb:httpsXxXwww.youtube.com/watch?v=redacted|hhttps://www.youtube.com/watch?v=redacted|h|r
```

It can be concluded that there is a new hyperlink with the code “web”, which also contains a link with “://” changed to “XxX”.

So it’s time to replace the link from YouTube with our own link.

How To Part Removed by ASIKOO

Surprisingly, there is no link whitelist, so it works without any issues. Time to look at their code.

Part 2

This code appeared and I thought “tragedy”. No regex checking links and other stuff. Immediately a light bulb turned on inside my head. I’ve also noticed that there is a “sysweb” type and decided to check it first, as it didn’t require link entry confirmation.

How To Part Removed by ASIKOO

What do you think? Did it work? Did the server check if the client can send hyperlinks with the “sysweb” type meant for server messages? Well... no.

Part 3

It’s time to play with the os.system function. According to the documentation, this function allows you to invoke a command in a shell directly from Python. So let’s try to run a calculator.

How To Part Removed by ASIKOO

No surprise, but what else can we do then? Well, my dear... everything. We can literally run any command with administrator privileges.

https://medium.com/@Proclus/reverse-bind-shells-for-everyoned-e7507853bf4e

Part 4

I decided to check if I can chat with a hyperlink resembling an item that would be performed by RCE by clicking on it. So I sent the following message to chat, being sure that it would work.

How To Part Removed by ASIKOO

I was not wrong. It was only at this point that I realized that it was a lethal weapon that could do a lot of harm.

[Video]

Conclusion

This “small” error could lead to a mass takeover of PCs, as surely many people would click on “Sell [Sword+9] 999% average damage from GM”. I hope that servers with similar systems will carefully check their code and will remember about such threats in the future.

(Rodnia administration was informed about this in advance and they fixed this bug.)

Edited August 16, 2022 by Metin2 Dev
AZICKO (Management), posted March 13, 2022

A small fix:

```python
import webbrowser as WB


def OpenLink(link):
    # Hand the link to the default browser instead of a shell command.
    try:
        return WB.open(link)
    except WB.Error as e:
        # webbrowser.Error is raised when the browser control fails.
        print("An error has occurred while trying to open {link}".format(link=link))
        return False
```

That should fix the problem. The (Python module) webbrowser.open makes a call to the subprocess.Popen function with the parameter shell=False, which ensures that whatever input (URL string in our case) is passed, it will be handled by the specified application (browser in our case)...

Docs: https://docs.python.org/3/library/subprocess.html#security-considerations
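The checks this thread says were missing (no link whitelist, no server check on who may send “sysweb”), sketched as an added example that is not part of the original posts or Rodnia's code. The host allowlist, the function names and the rule that a link's visible label must equal its target are assumptions made for illustration.

```python
import re
import webbrowser
from urllib.parse import urlsplit

# Assumed policy values and names (not from the thread): the host allowlist,
# which link types open URLs, and that only the server may emit "sysweb".
ALLOWED_HOSTS = {"www.youtube.com", "youtu.be"}
URL_LINK_TYPES = {"web", "sysweb"}
CLIENT_LINK_TYPES = {"web"}
TOKEN_RE = re.compile(r"\|H(?P<type>[a-z]+):(?P<arg>[^|]*)\|h(?P<label>[^|]*)\|h")
URL_CHARS_RE = re.compile(r"\A[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+\Z")  # RFC 3986 set

def decode_link(arg):
    """Undo the chat encoding seen in the capture: "XxX" stands for "://"."""
    return arg.replace("XxX", "://", 1)

def is_allowed_url(url):
    """Accept only https URLs on allowlisted hosts made of URL-legal characters."""
    if not URL_CHARS_RE.match(url):
        return False
    try:
        parts = urlsplit(url)
        return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS
    except ValueError:
        return False

def sanitize_client_chat(message):
    """Server side: drop URL tokens a client may not send before relaying chat."""
    def check(m):
        kind, arg, label = m.group("type", "arg", "label")
        if kind not in URL_LINK_TYPES:
            return m.group(0)  # msg/item tokens are validated elsewhere
        url = decode_link(arg)
        # The visible label must equal the target so a link cannot pose as an item.
        if kind in CLIENT_LINK_TYPES and is_allowed_url(url) and label == url:
            return m.group(0)
        return "[link removed]"
    return TOKEN_RE.sub(check, message)

def open_link(arg, opener=webbrowser.open):
    """Client side: re-validate, then hand the URL to the browser, never a shell."""
    url = decode_link(arg)
    return bool(opener(url)) if is_allowed_url(url) else False

# Constructed samples, modelled on the captured message format.
GOOD = "|Hweb:httpsXxXwww.youtube.com/watch?v=redacted|hhttps://www.youtube.com/watch?v=redacted|h"
SPOOFED = "|Hsysweb:httpsXxXwww.youtube.com/watch?v=redacted|hSell [Sword+9]|h"
```

Running the filter on the server and the validation again in the client means a modified client cannot bypass either check on its own.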
Flourine, posted March 15, 2022 (edited)

Destiny probably has a damaged brain. He accused me that I sent .dat files (which I haven't, btw.) thanks to which it will be possible to unpack his client and inject hlbot from @Cycu.

Some of the screens (I shouldn't, but I already don't care since he behaves like a bitch):

https://metin2.download/picture/ERpO1JXZ2XhVhHS68AJ4oj9EsYl9dr9Q/.png
https://metin2.download/picture/9r8EcuZnFX1O0W2nuN3QVJPX0rs5V9pl/.png
https://metin2.download/picture/E2j9ts6E3bltmawjcz16kCt0X6Oi07c2/.png
https://metin2.download/picture/l0c7AW29n70IAdr1Rn6AD6HT4U83KCsK/.png
https://metin2.download/picture/s5w6v1Gwq2oy0TAJqgJhOnJ26w8g444y/.png
https://metin2.download/picture/yhF706JO5w4JjOMraAypI6PDkLD1UW86/.png

Greetings from Italy.

Edited September 4, 2022 by Metin2 Dev
PeaceMaker, posted March 19, 2022 (edited)

> On 3/15/2022 at 2:16 PM, Flourine said:
>
> Destiny probably has a damaged brain. He accused me that I sent .dat files (which I haven't, btw.) thanks to which it will be possible to unpack his client and inject hlbot from @Cycu.
>
> Some of the screens (I shouldn't, but I already don't care since he behaves like a bitch):
>
> https://metin2.download/picture/ERpO1JXZ2XhVhHS68AJ4oj9EsYl9dr9Q/.png
> https://metin2.download/picture/9r8EcuZnFX1O0W2nuN3QVJPX0rs5V9pl/.png
> https://metin2.download/picture/E2j9ts6E3bltmawjcz16kCt0X6Oi07c2/.png
> https://metin2.download/picture/l0c7AW29n70IAdr1Rn6AD6HT4U83KCsK/.png
> https://metin2.download/picture/s5w6v1Gwq2oy0TAJqgJhOnJ26w8g444y/.png
> https://metin2.download/picture/yhF706JO5w4JjOMraAypI6PDkLD1UW86/.png
>
> Greetings from Italy.

Bad boy

Edited September 4, 2022 by Metin2 Dev