Yes, I'm back - been busy the past few days... here's a little something new for the forums.

Spoofing & Spamming in DirectPlay8

Although it's deprecated now, the DirectPlay8 (COM) interface was once used in a range of games to manage (send and receive) their related networking traffic.
I read somewhere that the protocol was reasonably secure from packet editing and spoofing. Although it held up in regards to spoofing, simply hooking the IDirectPlay8Client interface in a similar manner to that used in Direct3D hooks, and logging calls to Send(), is all that is needed to create a trivial reverse engineering toolkit.
Having familiarity with Vietcong in the past, I decided to see what I could come up with in regards to this kind of interface hacking. I could not find samples of DirectPlay8 source/binary proxy DLLs anywhere, and believed no one had attempted the method (publicly anyway). What I found whilst researching was not only several format string vulnerabilities in VC itself, but a certain client packet that contains a source player ID field, which is sent off the server and blindly processed.
I created a movie featuring this method, and one of the exploits I found using it. I can spoof the source of all kill packets, creating a mass headache for ALL players. By ripping through the player structures list, it has the ability to kill all players instantly by exploding the nades at their destination, as well as forcing other players to commit suicide. What's even better is that I can force logged-in admins to kill their whole team and instantly receive an autoTK ban.
Here's a screen...
And enough talking - take a look at it in action!
doubleu doubleu doublew dot speedyshare dot chom slash 198691341
(it's WMV) don't see why it can't be linked to.
Subsky
If I know you and I trust you, feel free to ask for the binaries in PM; it's HOURS of guaranteed fun.