Killer Kamal Posted March 6, 2019
59 minutes ago, ultama said: @puppyslush the same method is being run in the original runelite client (albeit different variable names, same functionality). You didn't include the entire segment of code either:
l0l
puppyslush (Author) Posted March 6, 2019
10 minutes ago, ultama said: https://github.com/runelite/runelite/commit/2dd80f9b597d6f8800af59bddfd0d33ddb895e14 was where I got the code from. Old version and whatever, but need to compare it to the original source to ensure there's nothing dodgy. Is it dodgy? Yes, especially considering there's no validation or anything to check URLs, but the risk of BS being a rat is equal to what it is for runelite.
That github snippet doesn't appear in the latest runelite versions. It is possible this is an exploit in some RSPSes' client loaders, and it only takes an admin to exploit it. I would say this is something BS would need to fix then, because this is still an open exploit. Also, the URL check in BS is indeed sanitized but can be bypassed, because some escape characters in cmd are listed in the var10 check.
Sybum Posted March 6, 2019
7 hours ago, Sharkbrew Warrior said: stop playing shit rsps and make a clan on the real game
ultama Posted March 6, 2019
1 minute ago, puppyslush said: That github snippet doesn't appear in the latest runelite versions. It is possible this is an exploit in some RSPSes' client loaders, and it only takes an admin to exploit it. I would say this is something BS would need to fix then, because this is still an open exploit. Also, the URL check in BS is indeed sanitized but can be bypassed, because some escape characters in cmd are listed in the var10 check.
I guess from the time of the snippet, the runelite client was still open source, whereas now it's moderated more heavily; they had to make it more secure.
puppyslush (Author) Posted March 6, 2019
6 minutes ago, ultama said: I guess from the time of the snippet, the runelite client was still open source, whereas now it's moderated more heavily; they had to make it more secure.
Possibly. Either way, I'll edit the main topic asking users to run it in Sandboxie. Speaking to some of the old school RSPS owners, they don't believe it is a deliberate action from Pali. Thanks again for the clarifications.
Marko Posted March 6, 2019
Geeke Posted March 6, 2019
bs died overnight lmao
z00m 13ox Posted March 6, 2019
you could get ratted over rsps, who knew?
PalidinoDH Posted March 6, 2019
First off, this code has nothing to do with RuneLite. It was and still is contained inside the official OSRS client; you can decompile the current version of OSRS to see for yourself.
Secondly, if you look closely at the code, it only allows launching a URL. For whatever reason, Jagex chose to launch URLs this way. The code clearly states that the command to be executed has to start with http or https. Not only that, but the entire command after that is checked to contain only the characters "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?&=,.%+-_#:/*" to make sure it's a legitimate URL. No spaces are allowed to execute a second command after the URL. The command itself attempts to trigger your default browser to open the passed URL; it doesn't download something from a URL in the background. If you dig a little deeper, you'll also see that the command method is only even executed if another method using Desktop.getDesktop().browse fails.
Next time, I would suggest contacting someone who could have explained what the code does after looking at it for 2 seconds instead of accusing me. Alternatively, being that I've been doing this for over 10 years and have never hacked clans in the past (they've been around BS for almost as long), you could have just asked me to explain what that is.
Eztocrypt Posted March 6, 2019
Koool
Nos Posted March 7, 2019
Lmao, and to think I was catching backlash in the last topic for telling people to stop playing a shitty knockoff of the real deal when most of them clan on osrs anyway. It's one thing to play p servers for fun, but don't feed me some bs that it's "better than the main game"; exhibit A here is one of the many reasons. I hope this is the last time p servers are revived and they finally die, and some competent people leading clans there can move to the main game and we can get some growth and more clans in this small community.
puppyslush (Author) Posted March 7, 2019
9 hours ago, PalidinoDH said: First off, this code has nothing to do with RuneLite. It was and still is contained inside the official OSRS client; you can decompile the current version of OSRS to see for yourself. Secondly, if you look closely at the code, it only allows launching a URL. For whatever reason, Jagex chose to launch URLs this way. The code clearly states that the command to be executed has to start with http or https. Not only that, but the entire command after that is checked to contain only the characters "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?&=,.%+-_#:/*" to make sure it's a legitimate URL. No spaces are allowed to execute a second command after the URL. The command itself attempts to trigger your default browser to open the passed URL; it doesn't download something from a URL in the background. If you dig a little deeper, you'll also see that the command method is only even executed if another method using Desktop.getDesktop().browse fails. Next time, I would suggest contacting someone who could have explained what the code does after looking at it for 2 seconds instead of accusing me. Alternatively, being that I've been doing this for over 10 years and have never hacked clans in the past (they've been around BS for almost as long), you could have just asked me to explain what that is.
Thanks for clearing this up. Unfortunately, I took a look at this code as an external developer and was unaware that this particular method was archaic legacy code. With that said, it still doesn't invalidate my concerns, where :/, and % are still special characters for the Windows shell. Off the back of my hand and in the right environment, using Windows %variable% in conjunction with the colon shell system can escape the encapsulating quotes you have around the shell execution.
Such a specially crafted query can still be used to bypass the initial Desktop check, because it will just throw a noop exception, which will then just proceed over to the next line where this cmd execution call takes place.
puppyslush (Author) Posted March 7, 2019
3 hours ago, Nos said: Lmao, and to think I was catching backlash in the last topic for telling people to stop playing a shitty knockoff of the real deal when most of them clan on osrs anyway. It's one thing to play p servers for fun, but don't feed me some bs that it's "better than the main game"; exhibit A here is one of the many reasons. I hope this is the last time p servers are revived and they finally die, and some competent people leading clans there can move to the main game and we can get some growth and more clans in this small community.
That is probably a pipe dream if I am honest, considering that 1-man RSPS servers are able to introduce PvP/clanning updates that somehow take "muh 3 year engine work" from Jagex... so until Jagex gets their game up, we will have P servers around.
Cody9204 Posted March 7, 2019
On 3/6/2019 at 9:18 AM, ultama said: @puppyslush the same method is being run in the original runelite client (albeit different variable names, same functionality). You didn't include the entire segment of code either:
Aren't you that gay guy we picked on a lot lol?
PalidinoDH Posted March 8, 2019
23 hours ago, puppyslush said: Thanks for clearing this up. Unfortunately, I took a look at this code as an external developer and was unaware that this particular method was archaic legacy code. With that said, it still doesn't invalidate my concerns, where :/, and % are still special characters for the Windows shell. Off the back of my hand and in the right environment, using Windows %variable% in conjunction with the colon shell system can escape the encapsulating quotes you have around the shell execution. Such a specially crafted query can still be used to bypass the initial Desktop check, because it will just throw a noop exception, which will then just proceed over to the next line where this cmd execution call takes place.
Even so, you singled me and BattleScape out for not stripping code out of the OSRS deob. This code exists in every RSPS that uses the OSRS deob, which is at least a handful of servers. There is even a chance other revisions past 317 have this code as well, since the OSRS deob is just an older version of 525/530/600+/700+/etc. It would have been one thing to post a thread to be cautious of RSPS in general, but that's not what this is.
If you don't mind, can you elaborate on this? To execute multiple commands on one line, you would need & and spaces, or semicolons, so that Windows recognizes a second command. Both spaces and semicolons are blocked. I don't really see a way this is exploitable to even warrant this thread, even after my previous reply.
puppyslush (Author) Posted March 8, 2019
3 hours ago, PalidinoDH said: Even so, you singled me and BattleScape out for not stripping code out of the OSRS deob. This code exists in every RSPS that uses the OSRS deob, which is at least a handful of servers. There is even a chance other revisions past 317 have this code as well, since the OSRS deob is just an older version of 525/530/600+/700+/etc. It would have been one thing to post a thread to be cautious of RSPS in general, but that's not what this is. If you don't mind, can you elaborate on this? To execute multiple commands on one line, you would need & and spaces, or semicolons, so that Windows recognizes a second command. Both spaces and semicolons are blocked. I don't really see a way this is exploitable to even warrant this thread, even after my previous reply.
Sorry if I intended it that way. I revised my topic originally once @ultama told me this code is actually spread quite broadly, and I will make an addendum to the OP and edit the topic title if you will.
Regarding the code in question, there are a couple of methods actually:
For example, if the user has the appropriate session variable in place, the shell will expand your command like so:
    SET DIRECTORY_SPACE="\ "
    cmd start "J" "http://google.com%DIRECTORY_SPACE%&&C:/user/downloads/runrogue.exe"
This opens up Google Chrome and runs the 2nd command afterwards.
Another method, which does imply a sort of misparsing by the Windows shell:
    cmd start "J" "http://file://user/downloads/runrogue.exe"
^^ If you actually try that out in the system shell, it doesn't automatically open up Chrome or Google, but displays a prompt saying the file is not found. I believe this is due to how (poorly) Windows shell handlers were originally designed... and I am pretty sure a Windows shell expert would be able to figure out a way to get it to work, but as it stands at the moment, it is quite dangerous to run the command line the way it is.
If you must write commands, I would recommend you throw a try/catch on URI parsing first, and I wouldn't recommend even trying to allow the user or the live server to dictate the full URL, as you may not have ill intentions with your code... but run-time admins, on the other hand...
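The two checks discussed in this thread, the character allowlist PalidinoDH describes and the "parse it as a URI first" approach puppyslush recommends, side by side as an added Java example. This is not BattleScape's, RuneLite's or the OSRS client's code: legacyCheck is a hypothetical reconstruction of the allowlist check as described above (starts with http, every character in the quoted set), and strictCheck is the tighter alternative: parse with java.net.URI, require an absolute http(s) URI whose host is on a list the client itself controls, refuse any '%' that is not part of a percent-encoded triplet (a stray '%' has no meaning in a URL but does in cmd.exe), and open the result only through the platform API, with no shell fallback at all. The allowed-host set and the sample inputs are constructed for the example; the two suspicious strings are the ones quoted in the thread. Needs Java 9 or later for Set.of.

```java
import java.awt.Desktop;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public final class UrlOpenCheck {

    // Character allowlist exactly as quoted by PalidinoDH in this thread.
    static final String LEGACY_ALLOWED =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?&=,.%+-_#:/*";

    // Hypothetical reconstruction of the legacy check as described in the thread:
    // must start with "http" and every character must be in the allowlist.
    static boolean legacyCheck(String s) {
        if (s == null || !s.startsWith("http")) return false;
        for (int i = 0; i < s.length(); i++) {
            if (LEGACY_ALLOWED.indexOf(s.charAt(i)) < 0) return false;
        }
        return true;
    }

    // A '%' not followed by two hex digits is not percent-encoding; in cmd.exe it can
    // only be the start of a %VARIABLE% expansion, so the strict check rejects it outright.
    static final Pattern STRAY_PERCENT = Pattern.compile("%(?![0-9A-Fa-f]{2})");

    static final Set<String> SCHEMES = Set.of("http", "https");

    // Stricter check: parse as a URI and require an absolute http(s) URI with a host from
    // an allowlist the client controls, no userinfo, and no stray '%'.
    // allowedHosts is an assumption of this example, not something the client has today.
    static boolean strictCheck(String s, Set<String> allowedHosts) {
        if (s == null || s.isEmpty() || s.length() > 2048) return false;
        if (STRAY_PERCENT.matcher(s).find()) return false;
        URI u;
        try {
            u = new URI(s); // throws on malformed escapes, spaces, quotes, '|', '<', '>' ...
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = u.getScheme();
        if (scheme == null || !SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) return false;
        String host = u.getHost();
        if (host == null || u.getUserInfo() != null) return false;
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    // Opens the URL through the platform API only; there is deliberately no cmd.exe fallback.
    // Returns false (and opens nothing) when the check fails or the API is unavailable.
    static boolean open(String s, Set<String> allowedHosts) {
        if (!strictCheck(s, allowedHosts)) return false;
        URI u = URI.create(s);
        try {
            if (Desktop.isDesktopSupported()
                    && Desktop.getDesktop().isSupported(Desktop.Action.BROWSE)) {
                Desktop.getDesktop().browse(u);
                return true;
            }
        } catch (IOException | RuntimeException e) {
            // Fall through: do nothing rather than hand the string to a shell.
        }
        return false;
    }

    public static void main(String[] args) {
        // Hosts and samples constructed for this example.
        Set<String> hosts = Set.of("example.com", "www.example.com");
        String[] samples = {
            "https://www.example.com/help?page=1&ref=client",                      // legitimate
            "http://google.com%DIRECTORY_SPACE%&&C:/user/downloads/runrogue.exe", // quoted in thread
            "http://file://user/downloads/runrogue.exe",                            // quoted in thread
            "https://example.com/a%20b",                                            // valid percent-encoding
        };
        for (String s : samples) {
            System.out.printf("%-70s legacy=%-5b strict=%b%n",
                s, legacyCheck(s), strictCheck(s, hosts));
        }
    }
}
```

Compile and run with javac UrlOpenCheck.java && java UrlOpenCheck; main prints, for each sample, whether the legacy allowlist accepts it and whether the strict check does. Both strings quoted in the thread pass the legacy allowlist (every character they contain is in the quoted set) and fail the strict check, for different reasons: the first because of the stray '%' before DIRECTORY_SPACE, the second because its parsed host is "file", which is not an allowed host. The legitimate sample and the percent-encoded one pass both.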
Nos Posted March 9, 2019
On 3/6/2019 at 11:22 PM, puppyslush said: That is probably a pipe dream if I am honest, considering that 1-man RSPS servers are able to introduce PvP/clanning updates that somehow take "muh 3 year engine work" from Jagex... so until Jagex gets their game up, we will have P servers around.
How unfortunate. But thanks for the psa.