exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

stalker39x.txt

stalker39x.txt
Posted Jun 29, 2008
Authored by Luigi Auriemma | Site aluigi.org

S.T.A.L.K.E.R.: Shadow of Chernobyl versions 1.0006 and below suffer from multiple buffer overflow vulnerabilities.

tags | advisory, overflow, vulnerability
SHA-256 | 7818b7e864d05c6ead8abc3df7779a4863ba07568d3cb0c634c6fe6df87f58d8

stalker39x.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: S.T.A.L.K.E.R.: Shadow of Chernobyl
http://www.stalker-game.com
Versions: <= 1.0006
Platforms: Windows
Bugs: A] IPureServer::_Recieve buffer-overflow
B] NET_Compressor::Decompress integer overflow
C] MultipacketReciever::RecievePacket INT3
Exploitation: remote, versus server (probably clients too)
Date: 28 Jun 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


S.T.A.L.K.E.R. is a FPS game developed by GSC Game World
(http://www.gsc-game.com) and released at the beginning of the 2007
(the Clear Sky sequel is planned for the next months).


#######################################################################

=======
2) Bugs
=======

----------------------------------------
A] IPureServer::_Recieve buffer-overflow
----------------------------------------

MultipacketReciever::RecievePacket is a function used in the game when
a packet beginning with the byte 0x39 is received.
The main actions performed by this function are:
- checking if a specific value in the packet is equal to 0xe0 or 0xe1
- calling NET_Compressor::Decompress for checking the availability of
compressed data and decompress it through the lzo1x algorithm and a
specific dictionary (mp\lzo-dict.bin)
- calling _Recieve for handling the content of this data

The _Recieve function gets the 16 bit number specified in the incoming
packet and uses memcpy with a 8 kilobytes stack buffer as destination,
the data from the packet as source and that 16 bit value as amount of
bytes to copy.

Each UDP packet in S.T.A.L.K.E.R. has a maximum size of 1472 bytes but
through the LZO compression implemented in the game is possible to
place up to 32 kilobytes of data in the packet resulting in a stack
based buffer-overflow fully controllable by the attacker.


----------------------------------------------
B] NET_Compressor::Decompress integer overflow
----------------------------------------------

This function checks if a specific byte in the packet is equal to 0xc1
in which case is performed a CRC check and the decompression of the
data using the rtc9_decompress function (lzo1x_decompress_dict_safe).
If the data is not compressed the function gets the current size of the
data in the packet and performs a memcpy(dst, data, data_size - 1), so
the sending of a packet without data causes a crash of the server due
to the copying of 0xffffffff (0 - 1) bytes.


------------------------------------------
C] MultipacketReciever::RecievePacket INT3
------------------------------------------

One of the first operations made by this interesting function is
checking if a certain byte in the packet is equal to 0xe0 or 0xe1
otherwise an INT3 instruction is executed leading to the immediate
termination of the server:

01906F33 8A45 00 MOV AL,BYTE PTR SS:[EBP]
01906F36 3C E1 CMP AL,0E1
01906F38 56 PUSH ESI
01906F39 57 PUSH EDI
01906F3A 894C24 18 MOV DWORD PTR SS:[ESP+18],ECX
01906F3E 74 05 JE SHORT xrNetSer.01906F45 ; jump if 0xe1
01906F40 3C E0 CMP AL,0E0
01906F42 74 01 JE SHORT xrNetSer.01906F45 ; jump if 0xe0
01906F44 CC INT3 ; boom


The attacker needs to join the server for exploiting the above
vulnerabilities, but although it supports the banning of the IP
addresses is possible to spoof the packets and bypassing this
limitation due to the lack of handshakes in the protocol of the game.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/stalker39x.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close