Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Limited buffer overflow in Painkiller 1.31

from [Luigi Auriemma] Network Security [Permanent Link]
Subject: [Full-Disclosure] Limited buffer overflow in Painkiller 1.31
Date: Tue, 24 Aug 2004 19:31:15 +0000 

#######################################################################

                             Luigi Auriemma

Application:  Painkiller
              http://www.painkillergame.com
Versions:     <= 1.3.1
Platforms:    Windows
Bug:          memory corruption with limited code execution
Risk:         medium/high
Exploitation: remote, versus server
Date:         24 August 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Painkiller is a famous FPS game developed by People can Fly
(http://www.peoplecanfly.com) and released in April 2004.


#######################################################################

======
2) Bug
======


The handshake to join a Painkiller server is composed by 3 packets:
- a connection request from the client (ID 0x02)
- a challenge key from the server (ID 0x03) used for the calculation of
  both the Gamespy cd-key authorization string
  (http://aluigi.altervista.org/papers/gskey-auth.txt) and the password
  used to access protected game servers
- the client's packet used to join (ID 0x04) and containing its game
  version, the Gamespy cd-key auth string, the password (if needed) and
  some other informations

The problem is just in the password field (read by both protected and
non-protected game servers), in fact it is encoded using a specific
algorithm and the challenge string received from the server, but when
the server tries to "unscramble" a too long password (over 256 chars)
some important memory zones are overwritten.
The full optimized encoding/decoding algorithm is available here:
  http://aluigi.altervista.org/papers/painkiller_pckpwd.h

Due to the type of encoding algorithm and the type of bug seems not
possible to fully execute remote code (at least not easily) because the
return address can be overwritten only by the bytes allowed in an
intermediate step of the password decoding, so from 0x00 until 0x3f.
Is possible that exist other exploitation methods however I have found
only this one that has this limitation.


#######################################################################

===========
3) The Code
===========


  http://aluigi.altervista.org/poc/painkex.zip


#######################################################################

======
4) Fix
======


No fix.
Developers have been contacted over one month ago but the patch (that
is ready) has not been released yet.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] Limited buffer overflow in Painkiller 1.31, Luigi Auriemma <=
Previous by Date:  [Full-Disclosure] Re: Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability, Rodrigo Barbosa
Next by Date:  [Full-Disclosure] Re: Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability, Serkan Akpolat
Previous by Thread:  [Full-Disclosure] ANNOUNCE: VulnDisco RADIUS protocol testsuite v1.0, Evgeny Demidov
Next by Thread:  Internet Explorer Local File/Directory Detection, Rynho Zeros Web
Indexes:  [Date] [Thread] [Top] [All Lists]