Network Security Vuln-Dev
Quake 2 Lithium Mod V 1.24 Macro Expansion Vuln?

Subject: Quake 2 Lithium Mod V 1.24 Macro Expansion Vuln?
Date: 25 Aug 2005 19:40:48 -0000
Well, I ran Quake 2 (using Lithium mod V 1.24) under OllyDbg, and it seems that the Lithium II mod for Quake 2 (latest patch 3.20) is parsing the '%' in nicks. My well-crafted nickname '%999f%f%f%f%f' is being pushed onto the stack as

004144A1 |. 68 E821AF00 PUSH QUAKE2.00AF21E8 ; ASCII "0.000000 0.000000 0.000000"

A huge real number. This expansion seems to be causing a stack overflow. I ran it on my test server and sure enough it crashes. I'm currently working on code execution and the ability to read any memory address.

I contacted the creator of Lithium mod II; he still hasn't returned my emails.


I found that any 'percent' in the nick is interpreted as 0.0000; you can use various combos such as %d for an int or %c for a char. This is telling me that it's a format string vulnerability.

This only works on Lithium Quake 2 servers. It's manifested in the latest release, V 1.24. It probably affects prior versions also.

I am currently reverse engineering the mod to get more info on this. It's probably gonna take a while 'cause I'm at my mom's house with 8 people and one computer ;p

The vuln lies in the code that updates the score (frags); when you die, the overflow will manifest. I will write a more detailed explanation on this after I finish RE'ing it.

Regards, SinNULL


More info on the vuln will be posted shortly, when I find some allocated time to work with.
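The expansion the post describes, as an added example that is not part of the original post and is not Lithium's code: a small C model of what a format function does when the nickname itself is handed over as the format string, so that '%999f' turns into a 999-byte padded field and a fixed stack buffer is overrun, next to the hardened pattern where the format is a literal and the nickname is only a %s argument. The "was fragged" score line, the 64-byte buffer size and the nicknames are assumptions; the 0.000000 value substituted for %f is the one the post saw in OllyDbg, since no real arguments were passed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Lithium's code. A toy model of what a C format
 * function does when a player's nickname is handed to it as the FORMAT
 * string instead of as a %s argument. Only %f, %d, %c and %% with an
 * optional decimal field width are modelled; the real sprintf family
 * would pull its "arguments" from whatever is on the stack or in
 * registers. Because no arguments were passed, we substitute the value
 * the post saw in OllyDbg (0.000000 for %f) so the run is deterministic.
 * All nicknames used below are constructed test inputs. */

/* Store one byte at position pos, keeping room for the trailing NUL.
 * out may be NULL with outsz 0 when the caller only wants the length. */
static void put_byte(char *out, size_t outsz, size_t pos, char c)
{
    if (out != NULL && pos + 1 < outsz)
        out[pos] = c;
}

/* Expand fmt the way a format function would with no variadic arguments
 * available. Returns the number of bytes the full expansion needs (like
 * snprintf does), which is what a fixed stack buffer would have to hold. */
size_t expand_as_format(const char *fmt, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p = fmt;

    while (*p != '\0') {
        if (*p != '%') {
            put_byte(out, outsz, n++, *p);
            p++;
            continue;
        }
        p++;                                   /* consume '%' */
        size_t width = 0;                      /* "%999f": width 999 */
        while (*p >= '0' && *p <= '9') {
            if (width < 1000000)               /* cap absurd widths */
                width = width * 10 + (size_t)(*p - '0');
            p++;
        }
        const char *val;
        switch (*p) {
        case 'f':  val = "0.000000"; break;    /* seen in the PUSH'd ASCII */
        case 'd':  val = "0";        break;    /* stand-in for a garbage int */
        case 'c':  val = "?";        break;    /* stand-in for a garbage char */
        case '%':  val = "%";        break;    /* literal percent */
        case '\0': val = "";         break;    /* dangling '%' at the end */
        default:   val = "?";        break;    /* other conversions not modelled */
        }
        if (*p != '\0')
            p++;                               /* consume the conversion char */
        size_t vlen = strlen(val);
        for (size_t i = vlen; i < width; i++)  /* field padding: this is the growth */
            put_byte(out, outsz, n++, ' ');
        for (size_t i = 0; i < vlen; i++)
            put_byte(out, outsz, n++, val[i]);
    }
    if (out != NULL && outsz > 0)
        out[n < outsz ? n : outsz - 1] = '\0';
    return n;
}

/* Would this nick overrun a fixed buffer of bufsz bytes (NUL included)
 * if it were used as the format string, as in sprintf(buf, nick)? */
int nick_would_overflow(const char *nick, size_t bufsz)
{
    return expand_as_format(nick, NULL, 0) + 1 > bufsz;
}

/* Hardened pattern: the format is a literal and the nick is a %s
 * argument, so '%' in the nick is just a character. "was fragged" is a
 * hypothetical score line, not Lithium's. Returns the length snprintf
 * reports, which is bounded by the nick plus the literal text. */
size_t format_frag_line(const char *nick, char *out, size_t outsz)
{
    int r = snprintf(out, outsz, "%s was fragged", nick);
    return r < 0 ? 0 : (size_t)r;
}

/* Belt and braces: refuse nicks containing '%' at connect time. */
int nick_has_format_chars(const char *nick)
{
    return strchr(nick, '%') != NULL;
}

int main(void)
{
    const char *evil = "%999f%f%f%f%f";        /* the post's nickname */
    char buf[64];                              /* assumed fixed score buffer */

    printf("'%s' expands to %zu bytes; 64-byte buffer overflows: %d\n",
           evil, expand_as_format(evil, NULL, 0),
           nick_would_overflow(evil, sizeof buf));
    format_frag_line(evil, buf, sizeof buf);
    printf("hardened: \"%s\" (%zu bytes)\n", buf, strlen(buf));
    return 0;
}
```

The point of the two return values side by side: with the nick as the format, the output length is controlled by the attacker (a 13-byte nick becomes 1031 bytes), whereas with the nick as a %s argument it can never exceed the nick's own length plus the literal, so a buffer sized for the longest permitted nick is safe. Compiling with GCC's -Wformat-security flags any call where the format is a non-literal with no arguments, which is exactly the pattern the post describes.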

Current Thread: Quake 2 Lithium Mod V 1.24 Macro Expansion Vuln?, nukemmeister