The online racing simulator
Serious bug in lfs2
(89 posts, closed)
#1 - muhaa
Serious bug in lfs2
Hi, I do a lot of exploit development and I think I might have come across a serious bug where we could execute shellcode by gaining control of the EIP through an SEH overwrite. If one of the devs wants to PM for further details it isn't a problem, although I won't release an exploit or give out any details, but clearly the exception handlers got smashed. I will be investigating this tonight.

#2 - Gunn
#3 - muhaa
Yeah, I'm just looking into this m8, collecting some more information. By what I know of SEH overwrites it looks exploitable because we can walk the long chain of exception handlers then just do a pop pop ret <=== asm > back to our shell code. We could use an address inside the DLL like we would normally use a jmp or call with a straightforward buffer overflow; this is a lot different, we need to pop 2 addresses off the stack and return back into the stack where our shell code is, or could do a jmp esp +8. There are a few ways.

So the stack would look like this:

----------------------------------------------
41414141
41414141
0012F498 44444444 Pointer to next SEH record
0012F49C 45454545 SE handler
-----------------------------------------------

SEH chain of main thread
#Address SE handler
#---------------------------
#0012E46C
#45454545 <<<--SE handler

Looks exploitable to me, thank god it's not remotely exploitable. But m8, if they see it here they can PM me just the same and get the details about it. I get a little sick of contacting vendors about buffer overflows and stuff, nothing happens, then this happens lol: the bugs get released to the public via a fully functional exploit...

http://www.milw0rm.com/author/664

That's just a handful that I've released due to vendors taking no notice, so what makes this any different?
I don't get it. What does this bug do?
So you're a 1337 H4XX0R

And your homepage is this
Quote from muhaa :But m8, if they see it here they can PM me just the same and get the details about it. I get a little sick of contacting vendors about buffer overflows and stuff, nothing happens, then this happens lol: the bugs get released to the public via a fully functional exploit.

You're better off PMing Scawen about this, I bet he would be interested in what you have to say. The devs here actually listen to what the community has to say.
Well, you can't PM Scawen, but you can write him a mail via the link Gunn posted.
#8 - muhaa
imthebestracerthereis, you're not funny. No, I'm not a 1337 H4XX0R LOL. I write exploits and do a lot of exploit development; your brain can't even comprehend what I'm talking about, so you've got to make a joke about it. If I was you I would be worried, as you own LFS 2 also. Some people just don't realize that I was actually trying to help the community...

Quote :
I don't get it. What does this bug do?

Have a read and it will tell you.
http://www.uninformed.org/?v=5&a=2

I'll try and get in touch with him today. No one should be worried, as the bug has not been confirmed and only I know about it, and it will be kept that way.
Amazingly, LFS2 isn't out, probably never will be, and if it is I'd expect it in about 10 years' time.
Link tells me nothing, I am afraid. Made me dizzy though. This is not really the place for this kind of technical info. Don't know if you are referring to a general Windows bug or something LFS devs can prevent.

My experience is that the devs are quite receptive to the community and communicate with it a lot.

This kind of bug/exploit can best be handled with them directly.
Yeah, I'm not going to until I'm 100% sure this is exploitable, although I was having problems recreating the same results I did last night for some reason. I will see what happens today, and if I do come across it I'll send them all the info they need. It's not Windows related, it's LFS.

Oh fuk, I just recreated the bug and it's a buffer overflow. I'm not 100% sure where, but I have a test file that shows this bug is easily exploitable through a standard exploit rather than an SEH overwrite. It's a pretty serious bug: I was able to overwrite the EIP and my ESP points to the user-supplied data. Serious bug. I just can't get over all the time I've been looking at finding a bug in LFS and come across an exploitable buffer overflow, as I know I'm not the only one who has looked.

I think I'll write a PoC code for the devs to show it is exploitable. The problem is it's a common buffer overflow. The actual results I'm looking at now show that it's a serious problem. Like I said, I'll write a PoC and it'll get fixed, so be prepared for a new patch some time soon...
Clever enough to play with code, but too stupid to type/spell properly? All in all just making the English look lazy and idiotic with no grasp of even their own language.
tristancliffe, ok, if you want to play like that m8 it's not a problem. I'm trying to do 1000 things at once and I'm typing fast as hell; I'm not bothered whether I make typos or not. The reason it's like that is because I just updated the post, you numpty. Look, if you're going to be funny about it I'll just write and release a PoC for it, simple, then it puts everyone at risk of being hacked. I'm not 100% English so my English is bad; if you can't read it then tough sh!t.

Quote :
Clever enough to play with code, but too stupid to type/spell properly

Obviously a lot more cleaver than you by the looks of things. Anyway, which part of my post can you not read? Because if it's the memory registers, they're supposed to look like that.
Quote from muhaa :Obviously alot more cleaver than you by the look's of thing's.

I rest my case.

Edit: I don't care about memory registers. To be honest I don't really care about this exploit you claim exists, mainly because you are too stupid to tell us in normal terms what it means. But the major parts of your posts I don't understand are the parts you have written. Doing 1000 things at once? Wow. Why not calm down, do 10 things at once, and do them to a level that is vaguely meritorious? Or did you fail your SATS for the 10 times last week?
Chances are, nobody is going to take you seriously if you don't give a shit about typing properly. You might be knowledgeable, but you come off as a script kiddie that way.
Wow
Quote :
but you come off as a script kiddie that way

You guys need to calm the hell down. And know what a script kiddie is: not someone who writes their own exploits. I'm as far from a script kiddie as you could possibly get; maybe you should find out what a script kiddie is before calling someone this. ****ing never been insulted so much. You know what, it's your loss; you guys obviously are just plain looking for an argument. Look, I'll just release the PoC for everyone, I know, ok, then we will see who is being a smart ass.
You guys need to grow up and stop trawling for arguments; if you've got nothing constructive to post, don't bother posting, simple.

Quote :
To be honest I don't really care about this exploit you claim exists, mainly because you are too stupid to tell us in normal terms what it means

Do you mean you're too stupid to realize what the hell I'm talking about? That's your problem, not mine.
Oooh, a new exploit mod. Can't wait. Shame it was made/found by an idiot, but if he can find it so can anyone else here.
Quote from muhaa :...

Holy crap, did you even read my post? I didn't say you are a script kiddie who doesn't have any clue about real hacking, just that you look like one with spelling as bad as yours.
I don't understand the bashing mentality in here sometimes.
Anyway, I don't think this exploit could work online, as there has been an exploit like this in the past but it wouldn't work online or for hotlaps.

If it's true that it won't work online then I'm not too bothered; people can hack/exploit single player as much as they want. However, if it could be used online or in hotlaps then we may have a problem.

Anyway, I'd suggest just sending a mail to the devs.
Ok, well what I can tell you is I was right, it is exploitable, and after 20 mins of trial and error I was able to execute shell code. It is a local exploit, but it won't be too hard for someone to be tricked into this very easily; if you want to be my guinea pig just let me know lol. I am still not sure what to do. I want to release a PoC code for it, but I don't want to put others at risk; maybe I'll tell the devs then release the PoC code. It's up to them to fix it, not me. But it definitely works, was able to execute calc.exe. Ok, how do I get in touch with the devs?

Was straightforward: the EIP got overwritten after 37 bytes of buffer, the next 4 bytes for the static address of a jmp esp, the next 4 bytes point directly to our user-supplied data, then we added 351 bytes of shell code followed by 353 bytes of buffer to fill the rest of the static buffer up. Then it did a jmp esp into our shell code.
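A bounded field loader of the kind the devs would need for a file-parsing overflow like the one described above, as an added example that is not from this thread or from LFS itself; the record format (one length byte followed by the field bytes), FIELD_MAX and the function names are assumptions:

```c
/* Added example, not from the thread or the LFS code base: a hypothetical
 * loader for one length-prefixed text field read from a file. Shows the
 * unchecked copy that lets file data run past a fixed stack buffer into the
 * saved return address, and the bounded form that rejects such a record. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 32 /* assumed size of the fixed on-stack field */

enum load_status { LOAD_OK = 0, LOAD_TOO_LONG = 1, LOAD_BAD_INPUT = 2 };

/* Defective pattern: the length byte comes from the file and is trusted, so a
 * record declaring more than FIELD_MAX bytes overwrites whatever sits above
 * 'out' on the stack. Kept only to show the shape of the bug; never called. */
void load_field_unchecked(char *out, const uint8_t *rec) {
    size_t n = rec[0];
    memcpy(out, rec + 1, n); /* no bound against the destination */
}

/* Bounded form: the declared length is checked against the bytes actually
 * present in the record and against the destination before any copy. */
enum load_status load_field(char out[FIELD_MAX + 1], const uint8_t *rec, size_t rec_len) {
    if (rec == NULL || rec_len < 1)
        return LOAD_BAD_INPUT;
    size_t n = rec[0];
    if (n > rec_len - 1) /* length claims more data than the record holds */
        return LOAD_BAD_INPUT;
    if (n > FIELD_MAX) /* would run past the fixed field: reject, never truncate silently */
        return LOAD_TOO_LONG;
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return LOAD_OK;
}

/* Constructed input for the demo: a record of n 'A' bytes, like the test
 * file described in the thread, fed to the bounded loader. n must be <= 255. */
enum load_status status_for_length(size_t n) {
    uint8_t rec[256];
    char field[FIELD_MAX + 1];
    rec[0] = (uint8_t)n;
    memset(rec + 1, 'A', n);
    return load_field(field, rec, n + 1);
}

int main(void) {
    printf("10 bytes -> %d, 32 bytes -> %d, 37 bytes -> %d\n",
           status_for_length(10), status_for_length(32), status_for_length(37));
    return 0;
}
```

A 37-byte field, the offset at which the thread reports the EIP being overwritten, is refused with LOAD_TOO_LONG instead of being copied; a record whose length byte exceeds the data actually read is refused as LOAD_BAD_INPUT.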
#22 - Gunn
Why don't you just send an email to the devs and be done with it?
Hold on, there is nothing to say I have to tell them anything about this; I could keep it to myself. I'm not sure how easy it will be to fix this problem. I wasn't sure if it was exploitable, I needed to do more testing on this, which confirmed my suspicions that it is. Do you think it is that easy just to write a PoC with debugging info and send it to them? Try it and let me know. It takes time to write everything up with an explanation of the stuff needed. I need to know which language they want the PoC code in: Perl, Ruby, Python, C, C++. But I'll send them an email; I wasn't going to bother them till I knew that it was exploitable, which I know now.

Sent email, fingers crossed they take it seriously.
Quote from muhaa :Hold on, there is nothing to say I have to tell them anything about this; I could keep it to myself. I'm not sure how easy it will be to fix this problem. I wasn't sure if it was exploitable, I needed to do more testing on this, which confirmed my suspicions that it is. Do you think it is that easy just to write a PoC with debugging info and send it to them? Try it and let me know. It takes time to write everything up with an explanation of the stuff needed. I need to know which language they want the PoC code in: Perl, Ruby, Python, C, C++. But I'll send them an email; I wasn't going to bother them till I knew that it was exploitable, which I know now.

Sent email, fingers crossed they take it seriously.

If they take our safety and LFS seriously, which they do, they probably will. Just bear in mind it's holiday season now.
It's only a local exploit so it's not a major issue, however it is an issue.
I'm sure if the devs think there is a genuine risk to the LFS players they will sort it out.
This thread is closed