
Thread: Ventrilo 2.3.0 Linux ELF

  1. #1
    Nietsnie
    Guest

    Ventrilo 2.3.0 Linux ELF

    Hi,

    I'm attempting to remove the hardcoded connection limit from this software (it's restricted to 8).

    I've been able to remove all the hardcoded checks, and I can have more than 8 clients connect, however, as soon as the 10th client connects, I segfault.

    I think the reason for this is that they use a static buffer to keep track of clients... and this is hardcoded to 8 as well, so I get a buffer overflow.

    I've been able to find the memory offset of where this structure is, and it belongs in the .bss region.

    How would I increase the size of this buffer in order to support the client increase?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Hello,

    The best bet would be to find /all/ the references to that memory location, and move the pointers to a different memory location. Depending on how you want to do things, you could just modify an elf program header to allocate a large space for the structures (p_memsz == size you want, p_filesz == 0), and point stuff there, or perhaps use elfsh to do it another way.

    Finding the places you need to patch may be, hmm, interesting though.

    A couple of approaches come to mind, such as disassembling it and re-moving them, or you could try writing something to do this somewhat automatically (mprotect() the page where it resides to no-perms, record eip, restore page perms, single step, put the perms back).

    I'd be interested in hearing how successful you are with doing this.

    Additionally, you might find http://hte.sf.net or http://elfsh.devhell.org/ useful for making modifications.

    Thanks,
    Andrew Griffiths
    http://www.felinemenace.org || http://www.pulltheplug.org
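    The program-header trick above (a PT_LOAD with p_filesz == 0 and a large p_memsz is pure zero-filled memory, the same mechanism that gives .bss its space) is easy to see in a binary once you list the loadable segments. The script below, an added example and not code from this thread or from Ventrilo, parses the ELF32 program headers of a constructed sample image and reports, per PT_LOAD segment, how many bytes come from the file and how many are anonymous; it is the check you would run to confirm the edit took, or to spot that a binary's segments no longer match a known-good copy.

```python
import struct

# ELF32 header and program header layouts (little-endian), per the ELF spec.
ELF32_EHDR = "<16sHHIIIIIHHHHHH"  # 52 bytes; index 5 = e_phoff, 9 = e_phentsize, 10 = e_phnum
ELF32_PHDR = "<IIIIIIII"          # 32 bytes: type, offset, vaddr, paddr, filesz, memsz, flags, align
PT_LOAD = 1

def load_segments(data):
    """Return [(vaddr, filesz, memsz)] for every PT_LOAD header in a little-endian
    ELF32 image. The loader maps filesz bytes from the file and zero-fills the
    remaining memsz - filesz bytes, so a segment with filesz == 0 is memory that
    exists only because a program header says so."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    ehdr = struct.unpack_from(ELF32_EHDR, data, 0)
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    segs = []
    for i in range(phnum):
        ph = struct.unpack_from(ELF32_PHDR, data, phoff + i * phentsize)
        if ph[0] == PT_LOAD:
            segs.append((ph[2], ph[4], ph[5]))  # vaddr, filesz, memsz
    return segs

def anonymous_segments(data):
    """PT_LOAD segments backed by no file bytes at all (filesz == 0, memsz > 0)."""
    return [s for s in load_segments(data) if s[1] == 0 and s[2] > 0]

def anonymous_bytes(data):
    """Total zero-filled bytes across all PT_LOAD segments (.bss plus any added space)."""
    return sum(memsz - filesz for _, filesz, memsz in load_segments(data))

def build_image(phdrs):
    """Constructed sample only: an ELF32 header followed by the given program headers."""
    phoff = struct.calcsize(ELF32_EHDR)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # class32, LSB, version 1
    ehdr = struct.pack(ELF32_EHDR, ident, 2, 3, 1, 0x08048000, phoff, 0, 0,
                       phoff, struct.calcsize(ELF32_PHDR), len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(ELF32_PHDR, *p) for p in phdrs)

# Constructed image (addresses are illustrative, not Ventrilo's): text, data+bss,
# and a third segment that is nothing but p_memsz, as described in the post above.
SAMPLE = build_image([
    (PT_LOAD, 0x000000, 0x08048000, 0x08048000, 0x150000, 0x150000, 5, 0x1000),
    (PT_LOAD, 0x150000, 0x08199000, 0x08199000, 0x002000, 0x008000, 6, 0x1000),
    (PT_LOAD, 0x000000, 0x08300000, 0x08300000, 0x000000, 0x010000, 6, 0x1000),
])

if __name__ == "__main__":
    for vaddr, filesz, memsz in load_segments(SAMPLE):
        print(f"LOAD vaddr={vaddr:#010x} filesz={filesz:#x} memsz={memsz:#x} anon={memsz - filesz:#x}")
```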

  3. #3
    Nietsnie
    Guest
    It all seems to be referenced by mem location (0x08195ae0). At least according to REC.

    Most of the references are for - type loops (iterating through the connected clients). There's about 10 or so total.

    I'll have to go through elfsh and figure out how to allocate more space.

  4. #4
    smz
    Guest
    Hi Nietsnie,

    I did nearly the same thing. Hard-patched out about 4 or 5 limitations. My version does not segfault after 9/10 users but displays (in console) that the server is at its physical limit, which should be the same as your segfault.

    Contact me at EFnet, name smnz, if you want to do the task with me.

  5. #5
    Nietsnie
    Guest
    Nope... I fixed that one too.

    I have 10 separate locations (though 2 of those are just output, ie: MaxClients = %d and MAXCLIENTS: %d).

  6. #6
    smz
    Guest
    Yeah okay but my version doesn't segfault after the 10th user

    Let's try this one together, if you didn't get any further since your last posting ...

  7. #7
    Nietsnie
    Guest
    It doesn't seg-fault, because you didn't remove the physical limit check. (It does an if (*userCountPtr >= 9) { do physical limit thing }.)

    But sure, we can do this one together. I haven't been able to work on it lately as work is taking my free time at the moment.

  8. #8
    If there's something after that structure then you'll have a lot of work to do patching up memory addresses (so that whatever gets stored after the structure is moved up and out of the way.) You'll have to put the connection-limit checks back in though, or it'll probably segfault again if you connect more users than your new structure's size. I see no easy way around this other than doing some very heavy modifications to the code to make it allocate the necessary structures dynamically.
