Author Topic: ULX exploit and/or bug.  (Read 36205 times)

0 Members and 5 Guests are viewing this topic.

Offline NaRyan

  • Newbie
  • *
  • Posts: 39
  • Karma: 1
Re: ULX exploit and/or bug.
« Reply #30 on: March 07, 2011, 06:00:03 AM »
Got it installed on my 3 servers now.
Only "used" it on my TTT server and I do have one little problem.
On map change I have to re-connect for ULX to work for me.

If I try to use any ULX commands or change any settings it does not do the commands or change settings.
However if I re-connect then it works fine.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #31 on: March 07, 2011, 09:48:49 AM »
NaRyan, even though it works fine for me I had forgotten about the really annoying bug of utter mystery, sorry about that. I'll be switching over the data transmission to another method shortly, so let me know if it fixes it for you.

Edit: Changed in ULib rev 185. Be sure to let me know if this fixes it for you NaRyan, as I have never been able to replicate this problem on my test server.
« Last Edit: March 07, 2011, 09:55:40 AM by Megiddo »
Experiencing God's grace one day at a time.

Offline NaRyan

  • Newbie
  • *
  • Posts: 39
  • Karma: 1
Re: ULX exploit and/or bug.
« Reply #32 on: March 07, 2011, 10:56:36 AM »
Ahh cool thanks :)
I'll let you know how it goes once I get a chance to update my servers....

*edit*
I tested it on my sandbox server, and after changing map I was still able to change settings and use Admin commands.

« Last Edit: March 07, 2011, 11:37:42 AM by NaRyan »

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX exploit and/or bug.
« Reply #33 on: March 07, 2011, 02:46:49 PM »
CURSE YOU!

You're sadly awesome

Most interesting complement I've heard in a while.
Kudos!


We hope the changes made help in overall anti-exploitation, but, as this is a Source issue..those abusing it may know other ways around using ULX.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #34 on: March 07, 2011, 04:51:00 PM »
Ok so people on the FP thread are suggesting that we disable rcon, I'd rather not ask there how to go about doing that (for obvious reasons), anyone here know how to completely disable rcon?
My TTT server. Join the fun!

Offline Pantho

  • Newbie
  • *
  • Posts: 39
  • Karma: 2
Re: ULX exploit and/or bug.
« Reply #35 on: March 07, 2011, 04:59:13 PM »
Ok so people on the FP thread are suggesting that we disable rcon, I'd rather not ask there how to go about doing that (for obvious reasons), anyone here know how to completely disable rcon?

Many ways, disable the port, set it to no password.

Not really sure why you would disable Rcon, I mean long as your not silly enough to set it inside a config and use command line.

I don't think there are many exploits that directly get rcon like there suggesting. Just make your rcon something long and obscure ;) I normally go for #randomwords@841235#smells@ etc ;)

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #36 on: March 07, 2011, 05:25:02 PM »
ah ok, thanks for the information, I'll just go TheL0ngPassw0rdR0ut@!  :P
also by not setting in a config, do you mean not to have it in server.cfg? Then where should it go?

I don't and have never used rcon, so I'm very nooby about it.
My TTT server. Join the fun!

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX exploit and/or bug.
« Reply #37 on: March 07, 2011, 06:12:09 PM »
not to have it in server.cfg? Then where should it go?
If you're going to enable it (by setting a password instead of rcon_password "" (which disables it)), you use a command line option in server startup.
I forget if you use a plus (+rcon_password) or minus (-rcon_password), but many Source exploits ago, it was recommended the command line option be used.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #38 on: March 07, 2011, 07:19:16 PM »
ah ha, thanks again guys!
My TTT server. Join the fun!

Offline Aaron113

  • Hero Member
  • *****
  • Posts: 803
  • Karma: 102
Re: ULX exploit and/or bug.
« Reply #39 on: March 07, 2011, 07:39:04 PM »
It's +rcon_password

Offline NaRyan

  • Newbie
  • *
  • Posts: 39
  • Karma: 1
Re: ULX exploit and/or bug.
« Reply #40 on: March 08, 2011, 01:50:09 AM »
I updated Ulib on my 3 servers, and ULX commands now work fine after gamemode\map change :)

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #41 on: March 08, 2011, 07:14:17 AM »
I updated Ulib on my 3 servers, and ULX commands now work fine after gamemode\map change :)

Thanks, NaRyan!
Experiencing God's grace one day at a time.

Offline Pantho

  • Newbie
  • *
  • Posts: 39
  • Karma: 2
Re: ULX exploit and/or bug.
« Reply #42 on: March 09, 2011, 12:09:49 PM »
If you're going to enable it (by setting a password instead of rcon_password "" (which disables it)), you use a command line option in server startup.
I forget if you use a plus (+rcon_password) or minus (-rcon_password), but many Source exploits ago, it was recommended the command line option be used.

Not as long as you think.

The exploit got a refresh recently, still private. Might be patched again I've no idea.

But, here was a new download exploit around 1 month ago.

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #43 on: March 09, 2011, 05:07:18 PM »
Ugh, not another download exploit..
Now that I look at it, I still have my sv_allowupload/download settings at 0, from the last time :P
My TTT server. Join the fun!

Offline ceribik

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
Re: ULX exploit and/or bug.
« Reply #44 on: March 20, 2011, 04:45:16 AM »
There appears to be some variation of this exploit floating about... similiar things are happening again

admin timesout --> admin rejoins --> ulx command is spoofed

I'm not entirely sure how this is working now that the server + client share a secret key, but i want to emphasise that this occurs when the admin rejoins and not while the admin is dc/d (like in the original variation of this exploit).