A program that crashes Ultrapowa Clash Servers.

ufaith/ucs-exploit

UCS Exploit

A program that crashes Ultrapowa Clash Servers written in C#.

UcsDowner does practically the same thing, but it's written by the guys at RedMoon and in Java.

I dug around the source code of UCS and found a vulnerability which allows a remote, logged-in attacker to cause a StackOverflowException with the ExecuteCommandsMessage and FreeWorkerCommand.

Details

In the Clash of Clans protocol, the ExecuteCommandsMessage lets a client send a list of commands to the server. For example, BuyBuildingCommand tells the server that you bought a building; the server checks that you have enough resources available and then places the building in your village.

In the UCS implementation, a FreeWorkerCommand may carry an embedded command. Because the embedded command can itself be another FreeWorkerCommand, commands can be nested inside one another, and this is where the vulnerability is.

Here is what the program generates in this case:

FreeWorkerCommand
{
    m_vTimeLeftSeconds = 1337
    m_vIsCommandEmbedded = 1
    m_vCommand = FreeWorkerCommand
    {
        m_vTimeLeftSeconds = 1337
        m_vIsCommandEmbedded = 1
        m_vCommand = FreeWorkerCommand
        {
            ...
            m_vCommand = FreeWorkerCommand
            {
                ...
                m_vCommand = FreeWorkerCommand
                {
                   ...
                   m_vCommand = FreeWorkerCommand
                   {
                        // 1000 more nested commands
                        ...
                   } 
                }
            }
        }
    }
}

If a FreeWorkerCommand contains a large number of nested FreeWorkerCommands, the server makes so many nested calls to CommandFactory.Read while reading it that it throws a StackOverflowException.

Demonstration

You can watch a demo of the attack here.

Fixing

This can be fixed by simply implementing a reading depth limit.
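
One way to implement such a depth limit, as an added example (not code from UCS or from this repository). The wire layout, the command ids, the class names and the MaxDepth value are assumptions made for illustration; only the field names follow the dump above.

```csharp
using System;
using System.IO;

// Hypothetical command model; field names mirror the dump shown earlier.
abstract class Command { }
sealed class LeafCommand : Command { }
sealed class FreeWorkerCommand : Command { public int TimeLeftSeconds; public Command Embedded; }

static class DepthLimitedReader
{
    public const int MaxDepth = 8;          // assumed limit; set it to the deepest legitimate nesting
    const int LeafId = 0, FreeWorkerId = 1; // constructed ids, not real protocol values

    // Constructed layout: int32 id; FreeWorker adds int32 seconds, byte embeddedFlag, [nested command].
    public static Command Read(BinaryReader br, int depth = 0)
    {
        // Check before recursing: a StackOverflowException cannot be caught in .NET and
        // terminates the process, so the reader must refuse the input before the stack runs out.
        if (depth > MaxDepth)
            throw new InvalidDataException("command nesting exceeds " + MaxDepth);
        int id = br.ReadInt32();
        if (id == LeafId) return new LeafCommand();
        if (id != FreeWorkerId) throw new InvalidDataException("unknown command id " + id);
        var cmd = new FreeWorkerCommand { TimeLeftSeconds = br.ReadInt32() };
        if (br.ReadByte() == 1) cmd.Embedded = Read(br, depth + 1);
        return cmd;
    }
}

static class Program
{
    // Constructed test input: `levels` FreeWorker frames wrapped around one leaf command.
    static byte[] Nested(int levels)
    {
        var ms = new MemoryStream();
        var bw = new BinaryWriter(ms);
        for (int i = 0; i < levels; i++) { bw.Write(1); bw.Write(1337); bw.Write((byte)1); }
        bw.Write(0);
        bw.Flush();
        return ms.ToArray();
    }

    static void Main()
    {
        foreach (int levels in new[] { 2, 1000 })
            try
            {
                DepthLimitedReader.Read(new BinaryReader(new MemoryStream(Nested(levels))));
                Console.WriteLine(levels + " levels: accepted");
            }
            catch (InvalidDataException e) { Console.WriteLine(levels + " levels: rejected, " + e.Message); }
    }
}
```

The caller should treat InvalidDataException as a malformed message and drop the connection, so a rejected message costs one client its session instead of taking down the server process.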

Usage

Example usage:

[mono] ucs-exploit.exe -s 5000 127.0.0.1

Printing help will display all the available options.

[mono] ucs-exploit.exe -h
