From 28707fa0f364e82fd3aaccf01255b53bf4080c0b Mon Sep 17 00:00:00 2001 From: RubenD96 Date: Wed, 7 Apr 2021 17:26:49 +0200 Subject: [PATCH 1/2] Fix exploit for invalid skill macro name length --- .../channel/handlers/SkillMacroHandler.java | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/main/java/net/server/channel/handlers/SkillMacroHandler.java b/src/main/java/net/server/channel/handlers/SkillMacroHandler.java index 148d93a986..d071b74b56 100644 --- a/src/main/java/net/server/channel/handlers/SkillMacroHandler.java +++ b/src/main/java/net/server/channel/handlers/SkillMacroHandler.java @@ -21,24 +21,35 @@ */ package net.server.channel.handlers; +import client.MapleCharacter; import client.MapleClient; import client.SkillMacro; -import tools.data.input.SeekableLittleEndianAccessor; +import client.autoban.AutobanFactory; import net.AbstractMaplePacketHandler; +import tools.data.input.SeekableLittleEndianAccessor; public final class SkillMacroHandler extends AbstractMaplePacketHandler { - + @Override public final void handlePacket(SeekableLittleEndianAccessor slea, MapleClient c) { + MapleCharacter chr = c.getPlayer(); int num = slea.readByte(); + if (num > 5) return; + for (int i = 0; i < num; i++) { String name = slea.readMapleAsciiString(); + if (name.length() > 12) { + AutobanFactory.PACKET_EDIT.alert(chr, "Invalid name length " + name + " (" + name.length() + ") for skill macro."); + c.disconnect(false, false); + break; + } + int shout = slea.readByte(); int skill1 = slea.readInt(); int skill2 = slea.readInt(); int skill3 = slea.readInt(); SkillMacro macro = new SkillMacro(skill1, skill2, skill3, name, shout, i); - c.getPlayer().updateMacros(i, macro); + chr.updateMacros(i, macro); } } } From e8d2256683478154a5a28120ff8c67f710defe5c Mon Sep 17 00:00:00 2001 
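Review bot: The new name-length check in handlePacket fires only after `chr.updateMacros(i, macro)` has already run for every earlier entry of the same packet, so a client that sends valid macros 0 and 1 and an over-long name at index 2 gets disconnected but still has the first two macros applied. Reading and validating all entries into a local array and applying them only after the loop keeps the packet all-or-nothing, and lets the `break` become a `return`; the array also needs the `num` guard widened to `num < 0 || num > 5`, since readByte() can return a negative count. The alert message also embeds the attacker-supplied `name` verbatim; if PACKET_EDIT.alert ends up in a log, consider truncating it (the length is already reported separately). The skill ids and `shout` value are still taken from the packet unvalidated, which this commit does not claim to address.
```java
MapleCharacter chr = c.getPlayer();
int num = slea.readByte();
if (num < 0 || num > 5) return;

SkillMacro[] macros = new SkillMacro[num];
for (int i = 0; i < num; i++) {
    String name = slea.readMapleAsciiString();
    if (name.length() > 12) {
        AutobanFactory.PACKET_EDIT.alert(chr, "Invalid name length " + name + " (" + name.length() + ") for skill macro.");
        c.disconnect(false, false);
        return; // nothing has been applied to the character yet
    }
    // … unchanged: shout / skill1 / skill2 / skill3 reads …
    macros[i] = new SkillMacro(skill1, skill2, skill3, name, shout, i);
}
for (int i = 0; i < num; i++) {
    chr.updateMacros(i, macros[i]);
}
```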
From: RubenD96 Date: Wed, 7 Apr 2021 17:26:55 +0200 Subject: [PATCH 2/2] Fix exploit for negative itemId's in PetExcludeItemsHandler --- .../handlers/PetExcludeItemsHandler.java | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/src/main/java/net/server/channel/handlers/PetExcludeItemsHandler.java b/src/main/java/net/server/channel/handlers/PetExcludeItemsHandler.java index b0619ac4fe..0b0fb48c44 100644 --- a/src/main/java/net/server/channel/handlers/PetExcludeItemsHandler.java +++ b/src/main/java/net/server/channel/handlers/PetExcludeItemsHandler.java @@ -21,37 +21,43 @@ */ package net.server.channel.handlers; -import client.MapleClient; import client.MapleCharacter; +import client.MapleClient; +import client.autoban.AutobanFactory; import client.inventory.MaplePet; import net.AbstractMaplePacketHandler; import tools.data.input.SeekableLittleEndianAccessor; -//import tools.MaplePacketCreator; /** * @author BubblesDev * @author Ronan */ public final class PetExcludeItemsHandler extends AbstractMaplePacketHandler { - + @Override public final void handlePacket(SeekableLittleEndianAccessor slea, MapleClient c) { final int petId = slea.readInt(); - slea.skip(4); - + slea.skip(4); // timestamp + MapleCharacter chr = c.getPlayer(); - byte petIndex = (byte)chr.getPetIndex(petId); + byte petIndex = chr.getPetIndex(petId); if (petIndex < 0) return; - + final MaplePet pet = chr.getPet(petIndex); if (pet == null) { return; } - + chr.resetExcluded(petId); byte amount = slea.readByte(); for (int i = 0; i < amount; i++) { - chr.addExcluded(petId, slea.readInt()); + int itemId = slea.readInt(); + if (itemId >= 0) { + chr.addExcluded(petId, itemId); + } else { + AutobanFactory.PACKET_EDIT.alert(chr, "negative item id value in PetExcludeItemsHandler (" + itemId + ")"); + return; + } } chr.commitExcludedItems(); }
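Review bot: `chr.resetExcluded(petId)` still runs before the loop, so when the new negative-id check fires the pet's exclusion list has already been cleared and possibly partially refilled, and `chr.commitExcludedItems()` is never reached; whether that leaves the character in a mixed state depends on resetExcluded/commitExcludedItems, which are not visible here. Reading every id into a local array first and only calling reset/add/commit once all ids have passed keeps the packet atomic. Unlike the sibling SkillMacroHandler change in this series, this handler alerts but does not disconnect the client, so if the alert is meant as the same autoban signal the two handlers should agree. `amount` (up to 127) remains an unbounded client value, which is fine only if the exclusion list has no server-side cap — worth confirming.
```java
byte amount = slea.readByte();
int[] itemIds = new int[Math.max(amount, 0)];
for (int i = 0; i < amount; i++) {
    int itemId = slea.readInt();
    if (itemId < 0) {
        AutobanFactory.PACKET_EDIT.alert(chr, "negative item id value in PetExcludeItemsHandler (" + itemId + ")");
        return; // exclusion list left untouched
    }
    itemIds[i] = itemId;
}
chr.resetExcluded(petId);
for (int itemId : itemIds) {
    chr.addExcluded(petId, itemId);
}
chr.commitExcludedItems();
```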