[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040325194443.10e49084.aluigi@altervista.org>
From: aluigi at altervista.org (Luigi Auriemma)
Subject: Remote crash in Etherlords I 1.07 and II 1.03
#######################################################################
Luigi Auriemma
Application: - Etherlords I
http://www.etherlords.com/etherlords1/
- Etherlords II
http://www.etherlords.com
Versions: Etherlords I <= 1.07
Etherlords II <= 1.03
Platforms: Windows
Bug: reading of unallocated memory (crash)
Risk: medium
Exploitation: remote, versus server and client
Date: 25 Mar 2004
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Etherlords is a 3D turn based game developed by Nival
(http://www.nival.com).
Etherlords I was released at November 2001 while the second game has
been released at October 2003.
#######################################################################
======
2) Bug
======
The packet signed by the number 3 is usually sent by the server to the
client and contains a 16 bit value at offset 9 used to specify the size
of the data block that follows it.
If this number is too big the game will read also the unallocated
memory after the packet and will crash immediately.
The following memcpy() instruction comes from Etherlords II 1.03 and
is exactly where the bug happens:
:0076FD4B C1E902 shr ecx, 02
:0076FD4E F3A5 rep movsd
:0076FD50 8BCA mov ecx, edx
:0076FD52 83E103 and ecx, 003
:0076FD55 F3A4 rep movsb
The nice thing is that the packet 3 can also be used versus the server
that in fact will manage it just as the client does and will crash.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/ethboom.zip
#######################################################################
======
4) Fix
======
No fix.
No reply from developers.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists