Guest Nemessis Posted October 14, 2007

Counter-Strike CrossZone + XSS in webmod + Cookie problem
Discovered by Nemessis - http://rstcenter.com
Public disclosure: 15 October 2007

In this video tutorial you can see how evil code in the MOTD can run or read files located on your computer. This PoC is far from being the best, but it is good to open your mind. The XSS and rcon password problems are very easy to understand, and they are possible only if webmod is present on that server.

NOTE: To get results you must modify the SERVER MOTD file, not the client MOTD.

Chapter 1: CrossZone using the Counter-Strike MOTD

As most of you already know, the Counter-Strike 1.6 MOTD can be an HTML page. You can see an iframe to a website, you can click on some links, you can see an image, all of this directly in your Counter-Strike client. But what is the real problem? The problems are:
- if you use an iframe to a local file, you have the chance to execute the file
- if you use an iframe to a local text file, you can read the content of that file in the MOTD window

I tried to execute a shellcode, but JavaScript is not allowed in this case and all the shellcodes I know are based on JavaScript. If anyone can make a better proof of concept, I'll be glad to see the results. Unfortunately I didn't succeed in executing .exe files without user intervention. Watch the video tutorial for a better understanding.

Chapter 2: XSS in webmod

It is strange that we can find this vulnerability in the web application of a game like Counter-Strike. Where are the XSS vulnerabilities located?
1. URL: http://host.com:27015/auth.w?redir="><script>alert(document.cookie)</script>
2. In-game name: just use a name like “><script>alert(/XSS/)</script>”. When someone is viewing the webmod page, an alert with the /XSS/ message will pop up.
Lame coding? Yes! This can be very annoying and dangerous if someone can find a way to use his name for cookie stealing. The best part is coming in the next chapter.

Chapter 3: Cookie problem

Well, this is actually very simple. The cookie contains the rcon password in plain text.

Chapter 4: Worst case scenario

Let's say that someone finds a way to download & execute files using the MOTD bug, let's say that someone will use his name as a cookie stealer, and let's say that he will succeed in stealing the cookie from the server admin and find the rcon password. This access can help him log in to the webmod page and change the server MOTD content with his evil code. This can be very simple and a good way to inject malicious software onto the players' computers. For a better understanding of what I'm saying, just watch the video tutorial.

Nemessis | RstZone 2007

Video download link: http://rapidshare.com/users/FKNGHS
Password: rstzone
http://www.megaupload.com/?d=YO9B3SLY

Let me know how the sound comes out, because it seems I have some problems with the audio codecs and it sounds rather hollow.
jackc47 Posted October 18, 2007
Very useful tutorial. The sound is distorted.
ToxicBlood Posted October 21, 2007
@nemessis can you upload google_adsense.php, css3.js.... somewhere, because the link given in your tutorial >> http://rstzone.net/xssrefere.zip << doesn't work..
CobrA Posted December 11, 2007
When I open it, this appears:
There is sound but I have no picture. What should I do?? I have K-Lite Codec Pack.
Guest Nemessis Posted December 11, 2007
I haven't heard anyone else complain. It's WMV, so it should work on any PC with Windows installed. Try Ace Mega Codecs Pack.
moubik Posted December 11, 2007
tscc: if you had searched online you would have seen that it is a codec provided by Camtasia, the TechSmith Screen Capture Codec. There are many ways to watch the video. I use a single player for all videos and all formats. It has subtitle support, can play streams, can re-encode, can rip streams, and has codecs included. I present: KMPlayer (no relation to the Linux player mplayer).
CobrA Posted December 14, 2007
I got Ace Mega Codec and still nothing. When I open it in BSPlayer it shows a black picture and I have sound. When I open it with Media Player Classic my PC restarts :evil: I think it's a Windows problem. I think I'll reinstall it...
moubik Posted December 14, 2007
Don't listen to me when I talk, apparently I'm talking for nothing.
CobrA Posted December 14, 2007
Sorry, I forgot to mention that I also installed KMPlayer and it shows the same error... sorry, but it didn't work....
ÐÒ& Posted December 14, 2007
Get VLC media player.
Corleone Posted February 12, 2008
I did what it says there and I get an "error" containing a cookie. What do I have to do with that cookie?
Caracal Posted February 12, 2008
Weird... I tried to open it with WMP 11 and only the sound works... with VLC player it works, cheers.
Pacalici Posted February 17, 2008
Does it work only on servers running on Windows, or on Linux too? If the question sounds a bit dumb, sorry, but I'm not very knowledgeable. Thanks.
Guest Nemessis Posted February 27, 2008
Quoting Pacalici: "Does it work only on servers running on Windows, or on Linux too? If the question sounds a bit dumb, sorry, but I'm not very knowledgeable. Thanks."
On any type of server.
Pacalici Posted May 26, 2008
I know the topic is a bit old.... I tried what's in the video too and I have a problem....
1. On my personal computer.... it wouldn't open comsetup.log, and when I opened calc it gave me a certificate error.... I managed to get rid of that, and calc opens in the end..... but it still won't open comsetup.log.
2. On another PC..... nothing happens.... CS closes and that's it.
I don't really deal with cookies and such, but I was curious anyway. An answer, if possible... thanks.
chicco_10 Posted April 23, 2010
Very interesting stuff... Well done...
koderS Posted June 12, 2010
Hey man, maybe I don't even have the minimum number of posts, or whatever. But I have a big favour to ask. I want to find out the password of a CS server (the rcon). Please, whoever is kind enough to help me a bit, I'll owe you.
nedo Posted June 13, 2010
From my limited knowledge there isn't really a way to crack the rcon, except probably with a brute-forcer made specifically for that. Another solution would be a keylogger on the computer of one of the admins who have rcon, or a sniffer/trojan on the server (with the trojan you can find out the rcon and more, because you can roam around that server). Now, creating a trojan that isn't detected by antivirus is up to you, I don't think anyone here will help you with something like that, and installing the trojan on that server is even more complicated, but there are possibilities there too.
koderS Posted June 13, 2010
Thanks a lot for the answer. The problem is as follows: I am Owner on that server, but I want to find out the rcon password, because someone keeps stressing me out. You know... we can't spoil the man's fun. I've kept reading that there are all sorts of possibilities through XSS, and that's why I turned to you.
nedo Posted June 22, 2010
Well, the rcon is saved in the server configs if I'm not mistaken. I haven't messed around with CS servers much, but as far as I remember the rcon password was saved in server.cfg (I could be wrong).