I've also mirrored the gist since it appears to have been taken down:

https://dl.dropboxusercontent.com/u/759758/gistd9872acbf2da227e9281-122b03e8c03fabc15f5acb3b52d5ca0b4baa2360.tar.gz

On Friday, April 18, 2014 9:33:56 PM, Ryan Kistner wrote:
Looking at that thread, it appears that engine_win32.dll has a working
bypass of the net_file blacklist. If anyone has a sample of that file
I would be interested in taking a look at it.

A quick look at the provided files (gist:
https://gist.github.com/Chrisaster/d9872acbf2da227e9281) suggests that:
- Initial infection from client to server is in client_init.lua, which
downloads server.cfg (looking for the RCON password to continue the
exploit) and uploads engine_win32.dll
- Once the server runs the server_infect.lua code, it writes back
engine_win32.dll and does a SendLua to install client_init.lua

If you've firewalled off RCON (as you should have) then this
particular version of the exploit won't hurt you. However, there is
definitely some sort of bypass for the net_file blacklist.

On 4/18/2014 9:11 PM, wickedplayer494 wrote:
http://facepunch.com/showthread.php?t=1386818

If your clients are complaining about "*cough*" spam or similar
through Steam chat, this is what's causing it. It may be wise to just
completely kill your server until the Facepunch folks release an
update to fix this (even though it's 3 AM in the UK), as it's rumored
that even if rcon/client uploads are disabled, it'll still work.

_______________________________________________
To unsubscribe, edit your list preferences, or view the list
archives, please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds

