GravitLauncher / Launcher

Improved Minecraft launcher based on sashok's742 v3
https://gravitlauncher.com
GNU General Public License v3.0
127 stars 105 forks

Exploit, Manipulate with params before launch #702

Closed Dead4W closed 5 months ago

Dead4W commented 5 months ago

In EntryPoint https://github.com/GravitLauncher/Launcher/blob/db6ab061de68ddc9b92c5b2da1afb150589400be/LauncherClient/src/main/java/pro/gravit/launcher/client/ClientLauncherEntryPoint.java#L86

Before launch, it reads params from 127.0.0.1:X, where X is a port from 32148 to 32659. If we start a TCP socket on this port before launch, then we can manipulate launch params, dir watchers, etc.

Proof of concept:
1) Start Wireshark on the loopback interface and filter for the port (for me it is always 32202) with the query (tcp.port >= 32148 and tcp.port <= 32659)
2) Launch Minecraft with the launcher to the main menu or a server
3) Find the packet with a big size at the beginning of the logs in Wireshark
4) Copy the bytes from the data
5) Run this script, replacing 32202 with your port from Wireshark and PASTE_YOUR_DATA_BYTES_HERE with your binary data

```python
import json
import socket
import time

host = '127.0.0.1'
port = 32202

server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_socket.bind((host, port))
server_socket.listen()

print(f"Server started on {host}:{port}")

# example:
# str = '00112233445566778899aabbccddeeff'
str = 'PASTE_YOUR_DATA_BYTES_HERE'
str = bytes.fromhex(str).decode()

# Remove check dirs
data_str = json.loads(str)
data_str['profile']['updateVerify'] = []
data_str['profile']['update'] = []

str = json.dumps(data_str).encode()

def write_bytes_num(socket, value):
    shift = 0
    while True:
        temp = (value >> shift) & 0x7F
        if (value >> shift) >= 0x80:
            temp |= 0x80
        socket.send(temp.to_bytes(1, 'big'))
        print(temp.to_bytes(1, 'big'))
        shift += 7

        if not (temp & 0x80):
            break

while True:
    client_socket, address = server_socket.accept()

    print("Please add your mods to /mods folder or modify something")
    time.sleep(3)

    # Send size of json
    write_bytes_num(client_socket, len(str))

    # send json
    client_socket.send(str)

    # send zero files in clientDir
    client_socket.send(b'\x00')

    # send zero files in assetDir
    client_socket.send(b'\x00')

    # send isNeedReadJar = 0
    client_socket.send(b'\x00')

    client_socket.close()
```

6) Close Minecraft and try starting Minecraft again

gravit0 commented 5 months ago

Thanks for the report! Please report vulnerabilities via PM to someone from our team on Discord. This is a rather labor-intensive method, but we will try to fix it.
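
The report works because the client trusts whatever bytes arrive on the loopback port. One way to close that gap, as an added example that is not part of the issue thread or GravitLauncher's code: the parent appends an HMAC tag made with a per-launch key, and the child rejects any frame that does not verify. The varint-length-plus-JSON framing follows the script above; `new_launch_key`, `seal_params`, `open_params` and handing the key to the child over an inherited pipe are assumptions.

```python
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def new_launch_key() -> bytes:
    # Per-launch secret; giving it to the child over an inherited pipe is an assumption.
    return secrets.token_bytes(32)


def write_varint(value: int) -> bytes:
    # 7-bit varint length prefix, the framing the script above sends.
    out = bytearray()
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def read_varint(stream) -> int:
    value = shift = 0
    while True:
        raw = stream.read(1)
        if not raw or shift > 28:
            raise ValueError("truncated or oversized length prefix")
        value |= (raw[0] & 0x7F) << shift
        if not raw[0] & 0x80:
            return value
        shift += 7


def seal_params(key: bytes, params: dict) -> bytes:
    # Parent side: length prefix, JSON body, then an HMAC tag over the body.
    body = json.dumps(params, sort_keys=True).encode()
    return write_varint(len(body)) + body + hmac.new(key, body, hashlib.sha256).digest()


def open_params(key: bytes, stream) -> dict:
    # Child side: verify the tag before any field of the JSON is trusted.
    body = stream.read(read_varint(stream))
    tag = stream.read(TAG_LEN)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("launch params failed authentication")
    return json.loads(body)
```

The tag here covers only the JSON block; the file lists and flag that follow it in the script's stream would need to be covered by the MAC as well.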