LandSandBoat / server

:sailboat: LandSandBoat - a server emulator for Final Fantasy XI. Just an X-34 landspeeder out for a drive.

Home Page:https://landsandboat.github.io/server/

πŸ› Packet Audit - SmallPacket0x0FA

atom0s opened this issue · comments

I affirm:

  • I understand that if I do not agree to the following points by completing the checkboxes my issue will be ignored.
  • I have read and understood the Contributing Guide and the Code of Conduct.
  • I have searched existing issues to see if the issue has already been opened, and I have checked the commit log to see if the issue has been resolved since my server was last updated.

OS / platform the server is running (if known)

Windows 11

Branch affected by issue

base

Additional Information

The furniture placement packet can be used to intentionally crash the server in multiple different ways due to a lack of validation on all of the incoming information. The packet handler also has little to no validation and error handling on any potential pointer usages it makes use of.

Crash 1 - Invalid Item Pointer

The newer gardening abuse check happens before the PItem pointer is null-checked. This allows malformed packets to be sent to the server and cause a crash.

Crash 2 - Invalid slotID (Causes crash 1.)

The slotID is not validated to be within the legal range of the given container based on the client's actual unlocked storage space. It is not validated beyond a global maximum for any container either, allowing the client to send invalid slot indexes in this packet. This will cause 'Crash 1' to happen when sending bogus slot values.

Bad / Incomplete Abuse Check

The abuse check to prevent 2nd-floor gardening pots is incomplete/incorrect in actually preventing that kind of situation from happening. Instead, it is currently set up to be a post-abuse catch. It is not checking the incoming parameters from the client to determine if they are trying to place the item onto the 2nd floor at the time of the packet usage. In its current setup, it will only catch those trying to move an item from the 2nd floor after it's already been placed.

Missing Validation On Client Input

There is no validation happening on any of the client parameters for this packet, allowing the client to do malicious things and bypass potential placement limitations by using invalid col and row values.

Example Addon

Here is an example addon that can be used with Ashita v4 to quickly test this kind of crash/exploit abuse:

local packet = [[
FA 08 00 00 4C 00
FF
01 00 00 00 16 00 00 00 00
]];

local pkt = packet:gsub('[\r\n ]', ''):parts(2):imap(function (v) return tonumber(v, 16); end);
AshitaCore:GetPacketManager():AddOutgoingPacket(pkt[1], pkt);

This will automatically parse the packet string, reformat it into a proper table and send it to the server.

Handled in #5161
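For reference, the validation order the report asks for (container and slot range against the character's unlocked space, null-check before any item-based rule, bounds on col/row, and the 2nd-floor pot rule applied to the incoming request) as an added, self-contained C++ sketch; it is not LandSandBoat's handler. Type names, the `level` field, the 15x15 grid and the container sizes are assumptions for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>

constexpr std::size_t kContainers = 4;   // assumed number of containers
constexpr std::size_t kMaxSlots   = 80;  // assumed global per-container maximum
constexpr uint8_t kMaxCol = 15, kMaxRow = 15;  // assumed room grid

struct Item { bool isFlowerpot; };       // stand-in for the server's item type

struct Character {
    // Slots this character has actually unlocked; 0 = container unavailable.
    std::array<uint8_t, kContainers> containerSize{};
    std::array<std::array<const Item*, kMaxSlots>, kContainers> items{};  // nullptr = empty
};

// Fields decoded from the placement packet (assumed layout); all untrusted.
struct PlaceRequest { uint8_t container, slot, col, row, level; };  // level 1 = 2nd floor

enum class PlaceResult { Ok, BadContainer, BadSlot, EmptySlot, OutOfBounds, PotOnSecondFloor };

// Rejects malformed input before any pointer is dereferenced or any placement happens.
PlaceResult validatePlacement(const Character& c, const PlaceRequest& r) {
    if (r.container >= kContainers || c.containerSize[r.container] == 0)
        return PlaceResult::BadContainer;
    // Check against the unlocked size, not just the global maximum (crash 2).
    if (r.slot >= kMaxSlots || r.slot >= c.containerSize[r.container])
        return PlaceResult::BadSlot;
    const Item* item = c.items[r.container][r.slot];
    if (item == nullptr)                 // null-check precedes the gardening rule (crash 1)
        return PlaceResult::EmptySlot;
    if (r.col > kMaxCol || r.row > kMaxRow || r.level > 1)
        return PlaceResult::OutOfBounds; // col/row/level from the client are bounded
    if (item->isFlowerpot && r.level == 1)
        return PlaceResult::PotOnSecondFloor;  // refused at request time, not after placement
    return PlaceResult::Ok;
}

// Constructed sample character: 30 unlocked slots in container 0, a pot in slot 3, a chair in slot 5.
static const Item kPot{true};
static const Item kChair{false};
Character sampleCharacter() {
    Character c;
    c.containerSize = {30, 0, 0, 0};
    c.items[0][3] = &kPot;
    c.items[0][5] = &kChair;
    return c;
}
```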