Serious bug in lfs2
(89 posts, closed, started )
Quote :
OK, so if I caught your drift, you've found a non-remotely-exploitable buffer overflow, right?
So basically you need to inject a malicious exe into somebody else's PC to be able to execute malicious code on his machine?

Ahahah, some of you make me laugh. What would be the point in hooking a DLL and injecting code into a pre-compiled exe? Lmfao. No, of course not. Just wait till it's fixed, please. Some of you guys don't even know what I'm talking about. Unless you program and know why a buffer overflow exists, don't even start posting crap like that.
I said that, from what you said, you first need to get someone to run an exe that actually causes the overrun, i.e. you cannot trigger it from within LFS.
Injecting it into his system, not LFS.

Next time you give me that attitude I'll be more unpleasant than you ever could be.
Quote :
I said that, from what you said, you first need to get someone to run an exe.

Nope, I've never said that, m8. Look, just leave it for now. When it's fixed I'll let you know how it was done. It's been a long day, I've spent hours on this, so let's just leave it up to the devs for now.
So then how would you go about pushing your own target address for the IP onto the stack, and have something worth jumping to, without executing something to do it first?
What, m8? You don't even need the IP; the IP doesn't even get pushed onto the stack. Normally, in a programming language, there are set protocols to connect to. These can be identified by a banner grab, or by reading the packet. This is not remote, but if I can get you to do something in LFS2, which wouldn't be too hard, I can gain access to your computer by using some reverse shellcode. Normally with a client and server you use the client to connect to the server; this is the other way round. My IP is stored in the byte code, which you will not be able to see. Then when you run LFS under these circumstances, your computer will connect to mine through your firewall, regardless of your firewall, even if DEP is on. Then my computer will be waiting for the connection, and once connected I have full access to your computer. Or we could even download a file from a web server and execute it without you even knowing, share your full hard drive, install a pre-coded keylogger that antivirus wouldn't even know about, add a new user to your computer, install a reverse-connect VNC server. The options are endless, although I just execute calc.exe for the PoC code, to show it's exploitable and for safety reasons, but there is plenty of room for much worse shellcode. It's not easy for you guys to understand; you have to have a little programming knowledge first, then you would understand the implications of it. It's all to do with the registers inside your CPU. It's called asm; I'm dealing directly with the CPU and the instructions inside it, the main workings.
The more you talk, the less I believe you know what you're talking about.
It sounds like you know what you're talking about, muhaa.

Any idea, when can we expect the patch? I'm very interested in ...
Wow, you guys can't just shut the hell up and let the devs fix it. I've already supplied them the C/C++ code for the PoC. Whether you believe me or not is just a matter of your own personal opinion. Sooner or later the devs will release the patch, and I will release the PoC code so it's publicly available. Until then I'm saying nothing about the exploit whatsoever.

Aimed at thisnameistaken, not you, xdream. Some people in here are just here for flaming. The problem is these people like thisnameistaken and a few others can't even comprehend what I'm saying; they're living in denial. I should ask the devs to pop by here to back my story and claims up. The reason they don't believe me is because I can't tell them everything about it; they are the ones that wanted me to keep it private..?
Jeez, not that IP... the address the IP will point to after the exception handling sets to work.

And this is a last warning: stop treating me like a blithering idiot or I will get unpleasant beyond your wildest dreams.
Shotglass, please, m8, if you are that interested in learning about exploit development, read some books first, then come ask questions, m8. What you are asking is totally wrong; it's got nothing to do with IP addresses or anything, it's to do with asm getting executed via the CPU, which we point to via the EIP register. It shouldn't be long for the patch, xdream, m8. He is working on it; I think he has everything he needs to fix it.
Quote from muhaa: Aimed at thisnameistaken, not you, xdream. Some people in here are just here for flaming. The problem is these people like thisnameistaken and a few others can't even comprehend what I'm saying; they're living in denial. I should ask the devs to pop by here to back my story and claims up.

I don't do a lot of flaming. Most of the people here I actually quite like.

I do work as a programmer, but honestly I know very little about the low-level stuff (I actually think it's not worth learning, and that languages should cover all that stuff in the compiler/interpreter to avoid programmers making exploitable mistakes - we've seen from Windows that eventually a large codebase can become unmaintainable, leaving even the best programmers no choice but to employ nasty hacks. Phew, long digression...). I used to know a bit about assembly when I was a little kid, I got around to it after learning Basic and then Forth, so I do understand on a conceptual level what you're talking about.

Which is why I was asking how you proposed to run your exploit (when I postulated that it might be a bogus server). Which you've never answered.
Quote from muhaa: It shouldn't be long for the patch, xdream, m8. He is working on it; I think he has everything he needs to fix it.

Thanks for the info. Will have an eye on this thread, it's very interesting.
Listen up, kiddo: if you can't figure out that this is exactly what I'm talking about, and that the "extended" in the name is utterly redundant, I too am starting to doubt that you know half as much as you claim about the matter.
Quote :
Which is why I was asking how you proposed to run your exploit (when I postulated that it might be a bogus server). Which you've never answered.

I did answer your question before; take a look back at the posts. I can't say where the buffer overflow is, because it will then be leaked; I might as well release the PoC code for it. OK, how much asm do you know? Because it just seems that you didn't know what a jmp esp was, or a call esp, or even a pop pop ret..?
-xdream- did you get the PM I sent you explaining where the buffer overflow is? I know I can trust you to not say anything. Oops, didn't refresh, you guys are posting so damn fast lol. Look, you made me double post.
Quote from muhaa: I did answer your question before; take a look back at the posts. I can't say where the buffer overflow is, because it will then be leaked; I might as well release the PoC code for it.

Remind me. I'm not asking for where the buffer is that you're exploiting - it sounds like the sort of thing that would require a major con to pull off.

Quote from muhaa: OK, how much asm do you know? Because it just seems that you didn't know what a jmp esp was, or a call esp, or even a pop pop ret..?

I understand how stacks work, it's not rocket science. I don't think I can remember any opcodes by name, nor do I really care about them.
Lol, it's obvious why you are here. Stop trolling in my posts; you have no idea what I'm even talking about, so just leave it. And yes, you were saying, is the buffer overflow in some sort of iffy server.

Quote :
I understand how stacks work, it's not rocket science

Explain then, I'm all ears...
I'm not gonna intrude here and say I know what I'm on about, cause I don't.

I'm just curious to know, has either of the devs replied to your email saying "OK, we know the problem, we'll fix it"? I'm not trying to say you're lying, I'm just a curious bugger.
Hey, yeah, I got a few emails from them. I told them where it is, and sent them the PoC code written in C, which they have along with all the debugging info. I will send them an email tomorrow when I get up so they can make a quick post in here, if they will, no doubt. It will be fixed in no time; they have the source code, so I'm sure it won't be a problem. It can only be 2 things: no length checking, or using a dangerous function like strcpy(). Anything like that will cause this, coz these C functions should never be used; they don't implement any kind of length checking or bounds checking.

Email from them:
Hello,

Scawen is very busy at the moment so he can't talk to you directly.

All he needs to know at the moment is the principle of the exploit, and
which buffer is overflowed by what means.

Thanks for your help with this.

- Tech

P.S. The best language is C.
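The two causes named in the post above (a missing length check, or an unbounded copy such as strcpy() into a fixed-size buffer) shown side by side with the checked form, as an added C example. This is not code from the thread and not LFS code; the message field, its size NAME_MAX, and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: a fixed-size name field in a game message. */
#define NAME_MAX 16

/* The pattern the post describes: a fixed-size stack buffer filled by an
 * unbounded copy. strcpy() stops only at the NUL byte, so a field longer than
 * NAME_MAX - 1 bytes writes past the end of name[] into whatever the compiler
 * placed after it on the stack (other locals, saved frame pointer, return
 * address). Kept here only to show the bug; never feed it untrusted input. */
void handle_name_unsafe(const char *field)
{
    char name[NAME_MAX];
    strcpy(name, field);            /* no length check: this is the bug */
    printf("player: %s\n", name);
}

/* Bounded length: never reads more than max bytes of s, so an unterminated
 * field cannot make the length computation itself run off the buffer. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: the caller passes the destination size, the length is
 * checked before any byte is written, and an oversized field is rejected
 * rather than silently truncated (truncation hides the attack and can create
 * a second bug if the caller assumes the whole field arrived).
 * Returns 0 on success, -1 if the field does not fit. */
int copy_name_checked(const char *field, size_t field_len,
                      char *out, size_t out_len)
{
    if (field == NULL || out == NULL || out_len == 0)
        return -1;
    if (field_len >= out_len)       /* need room for the terminating NUL */
        return -1;
    memcpy(out, field, field_len);
    out[field_len] = '\0';
    return 0;
}

/* The checked handler a parser would call instead of handle_name_unsafe().
 * Returns the accepted length, or -1 if the field was rejected. */
int handle_name_checked(const char *field)
{
    char name[NAME_MAX];
    size_t len = bounded_len(field, NAME_MAX);
    if (copy_name_checked(field, len, name, sizeof name) != 0) {
        fprintf(stderr, "rejected name field of %zu+ bytes\n", len);
        return -1;
    }
    printf("player: %s\n", name);
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: a normal name and a 32-byte oversized field. */
    const char *ok  = "xdream";
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    handle_name_checked(ok);    /* accepted, returns 6 */
    handle_name_checked(big);   /* rejected, returns -1, nothing written */
    handle_name_unsafe(ok);     /* fits; called with `big` it would overflow */
    return 0;
}
```

Note that the checked version rejects a 16-byte name as well as a 32-byte one: NAME_MAX counts the NUL terminator, so the longest field that fits is NAME_MAX - 1 bytes. That off-by-one is the usual place a "fixed" handler goes wrong.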
#70 - Gunn
Quote from muhaa: Hold on, there is nothing to say I have to tell them anything about this; I could keep it to myself. I'm not sure how easy it will be to fix this problem. I wasn't sure if it was exploitable; I needed to do more testing on this, which confirmed my suspicions that it is. Do you think it is that easy just to write a PoC with debugging info and send it to them? Try it and let me know. It takes time to write everything up with an explanation of the stuff needed. I need to know which language they want the PoC code in.. Perl, Ruby, Python, C, C++. But I'll send them an email; I wasn't going to bother them till I knew that it was exploitable, which I know now.

Sent email, fingers crossed they take it seriously.

Mate, the time you have spent here so far could have been a waste of time for you. If you had contacted the devs right away you might have saved some time. Scawen may very likely be able to put his finger on the issues that you are alluding to and save you the effort. While I do think it is good for exploits and bugs to be fixed, I don't see the point in telling everyone about it here. Don't you think that you run the risk of exposing the exploit to someone who can and will do something malicious? Whatever the outcome (or lack thereof) I see nothing noble or righteous about making a thread and asking/telling people here about it. If you really desire to be protective of LFS or helpful to the devs, why tell us about it?
This is the bug part of the forum; this is a bug, m8.
Quote :
Don't you think that you run the risk of exposing the exploit to someone who can and will do something malicious?

Nope, not at all. Like I've asked loads of times, if people can just drop it and let the devs fix it.
#72 - Gunn
"Hi, I may have found a serious bug in LFS but I don't wish to post it publicly. What's the best way to give this info to the devs please?"
Quote from muhaa: Lol, it's obvious why you are here. Stop trolling in my posts; you have no idea what I'm even talking about, so just leave it. And yes, you were saying, is the buffer overflow in some sort of iffy server.

I know what I said, what I don't know is what you claim to have said. What you've actually said amounts to **** all.


Quote from muhaa: Explain then, I'm all ears...

Don't patronise me, a stack is - conceptually - a piece of piss to understand. How about you actually answer a question for a change, or should I just write you off as yet another id-ridden script kiddie who talks a lot of shit but doesn't actually know his arse from his elbow?

Maybe you did stumble upon an exploitable buffer, I don't know or particularly care (I would like to know how you're planning to run your exploit, but I've asked you several times and you're not so keen to tell me because it's almost certainly not a realistic proposition in the slightest), but I can imagine you did it while playing with toys you downloaded from h4x0ring4dummies.com.
And your point is??? I haven't posted it. I was unsure of how to get in touch with the devs; don't think I have had to.. Then people started asking questions. See what I mean, absolutely unbelievable. Don't flame; it ain't my fault you don't know about it. Just leave the post till it's patched, then we will talk. If I tell you where the buffer overflow is it will not be private; that is why I've said wait till it's patched, then I will release everything I know about it.
#75 - Gunn
Quote from muhaa: And your point is??? I haven't posted it. I was unsure of how to get in touch with the devs; don't think I have had to.. Then people started asking questions.

I told you how to contact the devs, check out the second post of the thread.
This thread is closed