COD GetStatus() Exploit Packet Structure


Brett

Hey guys,

With a huge amount of activity on this exploit lately, I had to take quite a bit of time going around and patching all the servers we had running that had been set up prior to the patch being pre-installed.

We (and quite a few others) are still falling victim to it though, from various sources which do not have their servers patched. I plan to write a small tool that hooks into Winsock and drops all GetStatus() replies (since hosting machines should only be getting requests).

Would anyone who has been running Wireshark or similar tools and has been hit by this exploit be able to provide me with the packet structure? Having both the packet structure for replies and requests would be great, but I really only need that of the replies to log and drop the packets.

Obviously not a permanent fix, especially when multiple are being used, but will at least help with the smaller attacks and make logging easier than Wireshark.


If you're getting bombarded with status responses (DDoSed) there's really no point in filtering that traffic as even a smaller DDoS will put your router/firewall to the test...

But if you really want to do it, CoD status responses are easy to filter out as they all start with '????statusResponse' (FF FF FF FF 73 74 61 74 75 73 52 65 73 70 6F 6E 73 65)

Like this example:

????statusResponse.\fs_game\PAMD_105\g_antilag\0\g_gametype\sd\g_needpass\1\gamename\Call of Duty 2\mapname\mp_burgundy\protocol\118\scr_friendlyfire\1\scr_killcam\0\shortversion\1.3\sv_allowAnonymous\0\sv_floodProtect\1\sv_hostname\My server\sv_maxclients\12\sv_maxPing....

So, simply search all packets for statusResponse string (FF FF FF FF 73 74 61 74 75 73 52 65 73 70 6F 6E 73 65).

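The prefix match described in the reply above, as an added example that is not part of either post: it classifies UDP payloads by the FF FF FF FF + "statusResponse" header, counts dropped replies per source for logging, and parses the backslash-delimited info string. The function names, the single separator byte after the header (the "." in the dump), the `getstatus` request payload and all sample packets are assumptions constructed for illustration.

```python
from collections import Counter

# Prefix given in the reply above: FF FF FF FF + "statusResponse"
STATUS_PREFIX = b"\xff\xff\xff\xff" + b"statusResponse"

def is_status_response(payload: bytes) -> bool:
    """True if a UDP payload starts with the statusResponse header."""
    return payload.startswith(STATUS_PREFIX)

def parse_info(payload: bytes) -> dict:
    """Parse the backslash-delimited key/value info string after the header.

    Assumption: one separator byte follows the header (shown as '.' in the
    post's dump) and the info string ends at the next newline, if any.
    """
    if not is_status_response(payload):
        raise ValueError("not a statusResponse packet")
    body = payload[len(STATUS_PREFIX) + 1:].split(b"\n", 1)[0]
    fields = body.decode("latin-1").split("\\")
    if fields and fields[0] == "":
        fields = fields[1:]  # the info string begins with a backslash
    # A truncated packet can leave a dangling key; zip() drops it.
    return dict(zip(fields[0::2], fields[1::2]))

def filter_packets(packets):
    """Split (src_ip, payload) pairs into kept traffic and a per-source
    count of dropped statusResponse packets (for logging)."""
    kept, dropped = [], Counter()
    for src, payload in packets:
        if is_status_response(payload):
            dropped[src] += 1
        else:
            kept.append((src, payload))
    return kept, dropped

# Constructed sample traffic (documentation-range addresses, made-up payloads).
SAMPLE = [
    ("192.0.2.10", STATUS_PREFIX + b"\n\\gamename\\Call of Duty 2"
                   b"\\mapname\\mp_burgundy\\protocol\\118\\sv_maxclients\\12\n"),
    ("192.0.2.10", STATUS_PREFIX + b"\n\\gamename\\Call of Duty 2\\sv_host"),  # truncated
    ("198.51.100.7", b"\xff\xff\xff\xffgetstatus"),  # assumed request form, kept
    ("203.0.113.5", b"chat: statusResponse"),        # string not at offset 0, kept
]

if __name__ == "__main__":
    kept, dropped = filter_packets(SAMPLE)
    print("dropped per source:", dict(dropped))
    print("first dropped packet:", parse_info(SAMPLE[0][1]))
```

Matching only at offset 0 keeps requests and any payload that merely contains the string elsewhere from being dropped.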

Archived

This topic is now archived and is closed to further replies.
