L2J Server

L2J Server Discussion Board
https://l2jserver.com/forum/

Need help with exploits in CT2.4 (fixes inside)

https://l2jserver.com/forum/viewtopic.php?t=31102

Page 1 of 1

Need help with exploits in CT2.4 (fixes inside)

Posted: Sat Mar 14, 2015 6:33 pm
by JMD
Does anyone know what critical exploits have show up from Epilogue till now? Or at least help me in any way to find them?

Re: Need help with exploits.

Posted: Fri Mar 20, 2015 11:10 pm
by Gries
Have you tried this one?
viewtopic.php?f=103&t=29411&p=175355&hi ... in#p175355

Re: Need help with exploits.

Posted: Sat Mar 21, 2015 6:12 pm
by JMD
i know about it but since the old trac is password protected now i cant look at the diffs.

Re: Need help with exploits.

Posted: Mon Mar 23, 2015 12:06 am
by Gries
JMD wrote:i know about it but since the old trac is password protected now i cant look at the diffs.
Here you go:
http://trac.l2jfree.com/l2jserver/changeset/6477

Code: Select all

Index: /branches/unstable/L2J_Server_BETA/java/com/l2jserver/gameserver/network/clientpackets/AuthLogin.java
===================================================================
--- /branches/unstable/L2J_Server_BETA/java/com/l2jserver/gameserver/network/clientpackets/AuthLogin.java	(revision 6365)
+++ /branches/unstable/L2J_Server_BETA/java/com/l2jserver/gameserver/network/clientpackets/AuthLogin.java	(revision 6477)
@@ -72,7 +72,14 @@
 		if (client.getAccountName() == null)
 		{
-			client.setAccountName(_loginName);
-			LoginServerThread.getInstance().addGameServerLogin(_loginName, client);
-			LoginServerThread.getInstance().addWaitingClientAndSendRequest(_loginName, client, key);
+			// Preventing duplicate login in case client login server socket was disconnected or this packet was not sent yet
+			if (LoginServerThread.getInstance().addGameServerLogin(_loginName, client))
+			{
+				client.setAccountName(_loginName);
+				LoginServerThread.getInstance().addWaitingClientAndSendRequest(_loginName, client, key);
+			}
+			else
+			{
+				client.close((L2GameServerPacket) null);
+			}
 		}
 	}
Index: /branches/unstable/L2J_Server_BETA/java/com/l2jserver/gameserver/LoginServerThread.java
===================================================================
--- /branches/unstable/L2J_Server_BETA/java/com/l2jserver/gameserver/LoginServerThread.java	(revision 6365)
+++ /branches/unstable/L2J_Server_BETA/java/com/l2jserver/gameserver/LoginServerThread.java	(revision 6477)
@@ -462,8 +462,9 @@
 	 * @param account the account
 	 * @param client the client
-	 */
-	public void addGameServerLogin(String account, L2GameClient client)
-	{
-		_accountsInGameServer.put(account, client);
+	 * @return {@code true} if account was not already logged in, {@code false} otherwise
+	 */
+	public boolean addGameServerLogin(String account, L2GameClient client)
+	{
+		return _accountsInGameServer.putIfAbsent(account, client) == null;

Re: Need help with exploits.

Posted: Mon Mar 23, 2015 12:35 am
by JMD
Thank you.

Here is the fix for CT2.4
Gist by: JMD13
Index: java/com/l2jserver/gameserver/network/clientpackets/AuthLogin.java
===================================================================
--- java/com/l2jserver/gameserver/network/clientpackets/AuthLogin.java (revision 6670)
+++ java/com/l2jserver/gameserver/network/clientpackets/AuthLogin.java (working copy)
@@ -20,6 +20,7 @@
import com.l2jserver.gameserver.LoginServerThread;
import com.l2jserver.gameserver.LoginServerThread.SessionKey;
import com.l2jserver.gameserver.network.L2GameClient;
+import com.l2jserver.gameserver.network.serverpackets.L2GameServerPacket;
/**
@@ -72,9 +73,16 @@
// avoid potential exploits
if (client.getAccountName() == null)
{
- client.setAccountName(_loginName);
- LoginServerThread.getInstance().addGameServerLogin(_loginName, client);
- LoginServerThread.getInstance().addWaitingClientAndSendRequest(_loginName, client, key);
+ // Preventing duplicate login in case client login server socket was disconnected or this packet was not sent yet
+ if (LoginServerThread.getInstance().addGameServerLogin(_loginName, client))
+ {
+ client.setAccountName(_loginName);
+ LoginServerThread.getInstance().addWaitingClientAndSendRequest(_loginName, client, key);
+ }
+ else
+ {
+ client.close((L2GameServerPacket) null);
+ }
}
}
Index: java/com/l2jserver/gameserver/LoginServerThread.java
===================================================================
--- java/com/l2jserver/gameserver/LoginServerThread.java (revision 6670)
+++ java/com/l2jserver/gameserver/LoginServerThread.java (working copy)
@@ -94,7 +94,7 @@
private boolean _reserveHost;
private int _maxPlayer;
private List<WaitingClient> _waitingClients;
- private Map<String, L2GameClient> _accountsInGameServer;
+ private final FastMap<String, L2GameClient> _accountsInGameServer = new FastMap<String, L2GameClient>();
private int _status;
private String _serverName;
private String _gameExternalHost;
@@ -121,7 +121,7 @@
_gameExternalHost = Config.EXTERNAL_HOSTNAME;
_gameInternalHost = Config.INTERNAL_HOSTNAME;
_waitingClients = new FastList<WaitingClient>();
- _accountsInGameServer = new FastMap<String, L2GameClient>().shared();
+ _accountsInGameServer.shared();
_maxPlayer = Config.MAXIMUM_ONLINE_USERS;
}
@@ -430,9 +430,10 @@
}
}
- public void addGameServerLogin(String account, L2GameClient client)
- {
- _accountsInGameServer.put(account, client);
+ //@return {@code true} if account was not already logged in, {@code false} otherwise
+ public boolean addGameServerLogin(String account, L2GameClient client)
+ {
+ return _accountsInGameServer.putIfAbsent(account, client) == null;
}
public void sendAccessLevel(String account, int level)
view raw gistfile1.java hosted with ❤ by GitHub

Re: Need help with exploits.

Posted: Tue Mar 24, 2015 7:37 pm
by Gries
Probably this one too
viewtopic.php?f=77&t=29776

Re: Need help with exploits.

Posted: Tue Mar 24, 2015 7:55 pm
by JMD
Gries wrote:Probably this one too
viewtopic.php?f=77&t=29776
Nice thanks.
Gist by: JMD13
Index: java/com/l2jserver/gameserver/network/L2GameClient.java
===================================================================
--- java/com/l2jserver/gameserver/network/L2GameClient.java (revision 6670)
+++ java/com/l2jserver/gameserver/network/L2GameClient.java (working copy)
@@ -45,6 +45,7 @@
import com.l2jserver.gameserver.model.L2World;
import com.l2jserver.gameserver.model.actor.instance.L2PcInstance;
import com.l2jserver.gameserver.model.entity.L2Event;
+import com.l2jserver.gameserver.model.olympiad.Olympiad;
import com.l2jserver.gameserver.model.entity.TvTEvent;
import com.l2jserver.gameserver.network.serverpackets.L2GameServerPacket;
import com.l2jserver.gameserver.network.serverpackets.ServerClose;
@@ -651,6 +652,7 @@
|| (player.isInCraftMode() && Config.OFFLINE_CRAFT_ENABLE))
{
player.leaveParty();
+ Olympiad.getInstance().unRegisterNoble(getActiveChar());
if (Config.OFFLINE_SET_NAME_COLOR)
{
player.getAppearance().setNameColor(Config.OFFLINE_NAME_COLOR);
view raw gistfile1.java hosted with ❤ by GitHub

Re: Need help with exploits in CT2.4 (fixes inside)

Posted: Wed Apr 01, 2015 7:27 pm
by Gries
It appears that L2jFree site is now down, can't check changes anymore now :cry:
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited