View Full Version : Ventrilo 2.3.0 Linux ELF


Nietsnie
August 10th, 2005, 20:30
Hi,

I'm attempting to remove the hardcoded connection limit from this software (it's restricted to 8).

I've been able to remove all the hardcoded checks, and I can have more than 8 clients connect, however, as soon as the 10th client connects, I segfault.

I think the reason for this is that they use a static buffer to keep track of clients... and this is hardcoded to 8 as well, so I get a buffer overflow.

I've been able to find the memory offset of where this structure is, and it belongs in the .bss region.

How would I increase the size of this buffer in order to support the client increase?

andrewg
August 11th, 2005, 00:09
Hello,

The best bet would be to find /all/ the references to that memory location, and move the pointers to a different memory location. Depending on how you want to do things, you could just modify an elf program header to allocate a large space for the structures (p_memsz == size you want, p_filesz == 0), and point stuff there, or perhaps use elfsh to do it another way.

Finding the places you need to patch may be, hmm, interesting though.

A couple of approaches come to mind, such as disassembling it, and re-moving them, or you could try writing something to do this somewhat automatically (mprotect() the page where it resides to no-perms, record eip, restore page perms, single step, put the perms back).

I'd be interested in hearing how successful you are with doing this.

Additionally, you might find hxxp://hte.sf.net or hxxp://elfsh.devhell.org/ useful for making modifications.

Thanks,
Andrew Griffiths

Nietsnie
August 11th, 2005, 02:27
It all seems to be referenced by mem location (0x08195ae0). At least according to REC.

Most of the references are for-type loops (iterating through the connected clients); there are about 10 or so total.

I'll have to go through elfsh and figure out how to allocate more space.
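Two things in this thread are easy to check mechanically: andrewg's description of a PT_LOAD program header that maps memory with no file content (p_filesz == 0, p_memsz == the size you want), and Nietsnie's claim that 0x08195ae0 sits in the .bss region. The loader creates .bss from exactly the zero-filled tail of a PT_LOAD segment (the bytes between p_filesz and p_memsz), so a program-header parser can confirm both. The script below is an added example, not code from this thread or from Ventrilo; it parses ELF32/ELF64 program headers with the standard library only and runs against a constructed header-only image whose addresses are made up (they are not the real server's layout). The same check is useful from the defensive side: a PT_LOAD with p_filesz == 0 is unusual in compiler output and is one of the things an integrity review of a binary would compare against a known-good copy.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PT_LOAD = 1
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1


@dataclass
class Segment:
    p_type: int
    p_flags: int
    p_offset: int
    p_vaddr: int
    p_filesz: int
    p_memsz: int

    @property
    def zero_fill(self) -> int:
        """Bytes the loader zero-fills past the file image; this is where .bss lives."""
        return self.p_memsz - self.p_filesz

    def classify(self, addr: int) -> Optional[str]:
        """Where a virtual address falls inside this segment, if at all."""
        if self.p_vaddr <= addr < self.p_vaddr + self.p_filesz:
            return "file-backed"
        if self.p_vaddr + self.p_filesz <= addr < self.p_vaddr + self.p_memsz:
            return "zero-fill"
        return None


def parse_program_headers(data: bytes) -> List[Segment]:
    """Parse the ELF header and program header table (ELF32 or ELF64, either endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == ELFDATA2LSB else ">"
    if data[4] == ELFCLASS32:
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        # Elf32_Phdr field order: type, offset, vaddr, paddr, filesz, memsz, flags, align
        phdr_fmt, order = end + "8I", (0, 6, 1, 2, 4, 5)
    elif data[4] == ELFCLASS64:
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        # Elf64_Phdr field order: type, flags, offset, vaddr, paddr, filesz, memsz, align
        phdr_fmt, order = end + "IIQQQQQQ", (0, 1, 2, 3, 5, 6)
    else:
        raise ValueError("unknown ELF class")
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    if e_phentsize < struct.calcsize(phdr_fmt):
        raise ValueError("e_phentsize too small for this ELF class")
    segments = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            raise ValueError("program header table runs past end of image")
        fields = struct.unpack_from(phdr_fmt, data, off)
        segments.append(Segment(*(fields[k] for k in order)))
    return segments


def locate(segments: List[Segment], addr: int) -> Optional[Tuple[int, str]]:
    """(segment index, 'file-backed' | 'zero-fill') for a virtual address, or None if unmapped."""
    for i, seg in enumerate(segments):
        if seg.p_type == PT_LOAD:
            kind = seg.classify(addr)
            if kind:
                return i, kind
    return None


def fileless_loads(segments: List[Segment]) -> List[int]:
    """Indices of PT_LOAD segments that map memory but carry no file content (p_filesz == 0).
    Toolchains normally hang .bss off the tail of the data segment, so a separate zero-only
    PT_LOAD is unusual and worth comparing against a known-good copy of the binary."""
    return [i for i, s in enumerate(segments)
            if s.p_type == PT_LOAD and s.p_filesz == 0 and s.p_memsz > 0]


def build_sample_elf32() -> bytes:
    """Constructed ELF32 header plus program headers only (no segment bytes follow).
    All offsets and addresses are invented for the demonstration."""
    ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0x08048100,
                       52, 0, 0, 52, 32, 3, 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", *p) for p in [
        # type, offset, vaddr, paddr, filesz, memsz, flags, align
        (PT_LOAD, 0x000000, 0x08048000, 0x08048000, 0x100000, 0x100000, 5, 0x1000),  # text
        (PT_LOAD, 0x100000, 0x08149000, 0x08149000, 0x040000, 0x060000, 6, 0x1000),  # data + .bss
        (PT_LOAD, 0x000000, 0x08200000, 0x08200000, 0x000000, 0x010000, 6, 0x1000),  # memory only
    ])
    return ehdr + phdrs


if __name__ == "__main__":
    segs = parse_program_headers(build_sample_elf32())
    for i, s in enumerate(segs):
        print(f"[{i}] vaddr={s.p_vaddr:#010x} filesz={s.p_filesz:#x} "
              f"memsz={s.p_memsz:#x} zero_fill={s.zero_fill:#x}")
    print("0x08195ae0 ->", locate(segs, 0x08195ae0))
    print("PT_LOADs with no file content:", fileless_loads(segs))
```

Run it against a real file by replacing build_sample_elf32() with open(path, "rb").read(): locate() tells you whether an address is file-backed or in the zero-filled tail (the .bss case from the thread), and fileless_loads() lists segments of the kind andrewg describes, which a tampering check would want to see explained.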

smz
August 11th, 2005, 07:32
Hi Nietsnie,

I did nearly the same thing. Hard-patched out about 4 or 5 limitations. My version does not segfault after 9/10 users but displays (in console) that the server is at its physical limit, which should be the same as your segfault.

Contact me at EFnet, name smnz, if you wanna do the task w me

Nietsnie
August 11th, 2005, 10:29
Nope... I fixed that one too.

I have 10 separate locations (tho, 2 of those are just output, i.e.: MaxClients = %d and MAXCLIENTS: %d)

smz
August 12th, 2005, 05:43
Yeah okay but my version doesn't segfault after the 10th user

Let's try this one together, if you didn't get any further since your last posting ...

Nietsnie
August 12th, 2005, 11:25
It doesn't seg-fault, because you didn't remove the physical limit check. (It does an if (*userCountPtr >= 9) { do physical limit thing }.)

But sure, we can do this one together. I haven't been able to work on it lately as work is taking my free time at the moment.

LLXX
August 20th, 2005, 22:37
If there's something after that structure then you'll have a lot of work to do patching up memory addresses (so that whatever gets stored after the structure is moved up and out of the way.) You'll have to put the connection-limit checks back in though, or it'll probably segfault again if you connect more users than your new structure's size. I see no easy way around this other than doing some very heavy modifications to the code to make it allocate the necessary structures dynamically.