[cod] Cod WW: 1024 bytes Command Exploit
MikeTNT
MikeTNT at gmx.de
Sat Jan 24 17:42:54 EST 2009
Thank you so much that you send such information in a non puplic mailing list like icculus.org
Now all admins over the world can be sure that nobody will copy your string and try it out. :-(
----- Original Message -----
From: Jumping Jack Flash
To: cod at icculus.org
Sent: Saturday, January 24, 2009 9:53 PM
Subject: [cod] Cod WW: 1024 bytes Command Exploit
Hi guys, every day my cod5 server fall down cause this error: Attempted to overrun string in call to va()
I've found some information about it:
"va() is a function of the Quake 3 engine used to quickly build strings
using snprintf and a static destination buffer.
If the generated string is longer than the available buffer the server
shows an "Attempted to overrun string in call to va()" error and
terminates.
>From Call of Duty 2 (and consequently) the size of this buffer has
been reduced from the original 32000 bytes to only 1024 causing many
problems to the admins.So in CoD5 an attacker which has joined the server can exploit this
vulnerability through the sending of a command longer than 1024 bytes
causing the immediate termination of the server."I try it, and it works. I you send this command to the server, it will crash:
cmd I'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsv
I test it in differents servers, in someones worked, in other didn't... Anybody knows a solution for this exploit?Thank, and sorry my english :P
JuMp!nG
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/cod/attachments/20090124/cca019dc/attachment.htm>
More information about the Cod
mailing list