[mohaa] Fw: Medal of Honor remote buffer-overflow

patrick at fragzzhost.com patrick at fragzzhost.com
Mon Jul 19 16:42:45 EDT 2004


yea many do.... strange, not much reaction on this matter; let's hope some guru can fix the linux version

----- Original Message ----- 
From: "Mohaa (kaleplek)" <mohaa at vandrosthagen.net>
To: <mohaa at icculus.org>
Sent: Monday, July 19, 2004 10:35 PM
Subject: Re: [mohaa] Fw: Medal of Honor remote buffer-overflow


> Great job man, but I'm running a Linux server, and the hack works. Is there
> going to be a fix for Linux too???
> 
> Greetings
> Quint
> 
> ----- Original Message ----- 
> From: "MoRPHeUs" <mohaa-icculus.maks3w at virtualplanets.net>
> To: <mohaa at icculus.org>
> Sent: Sunday, July 18, 2004 20:36
> Subject: [mohaa] Fw: Medal of Honor remote buffer-overflow
> 
> 
> >
> > ----- Original Message ----- 
> > From: "Luigi Auriemma" <aluigi at autistici.org>
> > To: <bugtraq at securityfocus.com>; <bugs at securitytracker.com>;
> > <news at securiteam.com>; <full-disclosure at lists.netsys.com>
> > Sent: Saturday, July 17, 2004 6:57 PM
> > Subject: Medal of Honor remote buffer-overflow
> >
> >
> > >
> > > #######################################################################
> > >
> > >                              Luigi Auriemma
> > >
> > > Application:  Medal of Honor
> > >               http://mohaa.ea.com
> > > Versions:     Allied Assault <= 1.11v9
> > >               Breakthrough   <= 2.40b
> > >               Spearhead      <= 2.15
> > > Platforms:    Windows and Linux
> > > Bug:          buffer overflow
> > > Risk:         critical
> > > Exploitation: remote, versus server
> > >               (clients are vulnerable only on LAN)
> > > Date:         17 July 2004
> > > Author:       Luigi Auriemma
> > >               e-mail: aluigi at altervista.org
> > >               web:    http://aluigi.altervista.org
> > >
> > >
> > > #######################################################################
> > >
> > >
> > > 1) Introduction
> > > 2) Bug
> > > 3) The Code
> > > 4) Fix
> > >
> > >
> > > #######################################################################
> > >
> > > ===============
> > > 1) Introduction
> > > ===============
> > >
> > >
> > > Medal of Honor is a famous military FPS game set in World War II.
> > > It has been developed by 2015 (http://www.2015.com) and was originally
> > > released at the beginning of 2002, but other expansion packs have been
> > > released later.
> > >
> > >
> > > #######################################################################
> > >
> > > ======
> > > 2) Bug
> > > ======
> > >
> > >
> > > The problem is a classical buffer-overflow located in different parts
> > > of the game code, but the first vulnerable function is the manager of
> > > the queries/replies, which checks for slashes and NULL bytes but doesn't
> > > check the size of the values before copying them into a new buffer.
> > >
> > > In Allied Assault 1.11v9 dedicated server for Win32 we can see the
> > > first bugged function at offset 0x00428f20 where the return address
> > > (0x00429291) is overwritten by the client's data if it contains a value
> > > of 520 bytes or more (1032 on the Linux version).
> > >
> > > The data causing the overflow can be used in a lot of packet types; in
> > > fact it can be in the "getinfo" query, in the "connect" packet and in
> > > others.
> > > The most dangerous method to exploit this vulnerability is through the
> > > getinfo query, because it is a single UDP packet that the server cannot
> > > block and the attacker can also spoof it.
> > >
> > > Naturally clients are also vulnerable, but the bugged function is used
> > > only for LAN queries; in fact online the clients use the standard
> > > Gamespy protocol, which is not vulnerable.
> > >
> > >
> > > #######################################################################
> > >
> > > ===========
> > > 3) The Code
> > > ===========
> > >
> > >
> > > http://aluigi.altervista.org/poc/mohaabof.zip
> > >
> > >
> > > #######################################################################
> > >
> > > ======
> > > 4) Fix
> > > ======
> > >
> > >
> > > No fix.
> > > Developers at 2015 were notified on 1 July 2004, but the support of
> > > the game is in the hands of Electronic Arts (I'm still waiting for a patch
> > > or at least an answer from EA about the buffer-overflow in Need for
> > > Speed Hot Pursuit 2, reported tons of months ago...).
> > >
> > > However I have developed a universal patch that can be applied to any
> > > version, game and type of server/client (dedicated or normal, with the
> > > only requirement that naturally the executable of the normal version
> > > must be decrypted, aka No-CD) because fortunately the part of code to
> > > modify is always exactly the same.
> > > At the moment my patch is available only for the Win32 executables, not for
> > > Linux:
> > >
> > >   http://aluigi.altervista.org/patches/mohaaboffix.zip
> > >
> > > All the details about the fix are in the text file inside the package.
> > > However, the original bugged function contains a lot of slow code, so I
> > > have optimized it to gain the space in which to place my patched code,
> > > and I have also saved 38 bytes.
> > >
> > >
> > > #######################################################################
> > >
> > >
> > > --- 
> > > Luigi Auriemma
> > > http://aluigi.altervista.org
> >
> >
> 
> 
> 
> 
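The advisory above describes a query/reply handler that validates slashes and NULL bytes but never compares a value's length against the destination before copying it. The following is an added example (not code from the advisory, the game, or anyone in this thread) of how a bounded parser for a Quake-style `\key\value` info string looks when that size check is present; the buffer limits and the `info_string_is_sane` / `info_value_for_key` names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed limits for this example; they are not the game's real buffer sizes. */
#define MAX_INFO_STRING 1024   /* whole "\key\value\..." string must stay below this */
#define MAX_INFO_VALUE  64     /* any single value longer than this is rejected */

/* Length of the token starting at s, i.e. up to the next backslash or end of string. */
static size_t token_len(const char *s)
{ const char *bs = strchr(s, '\\'); return bs ? (size_t)(bs - s) : strlen(s); }

/* Walks every key/value pair and returns 1 only if the string is well-formed and
   every value fits in MAX_INFO_VALUE; a server would drop the packet on 0. */
int info_string_is_sane(const char *info)
{
    if (!info || strlen(info) >= MAX_INFO_STRING) return 0;
    const char *p = info + (*info == '\\');
    while (*p) {
        size_t klen = token_len(p);
        const char *v = p + klen;
        if (klen == 0 || *v != '\\') return 0;    /* empty key or key without value */
        v++;
        size_t vlen = token_len(v);
        if (vlen >= MAX_INFO_VALUE) return 0;      /* the length check the vulnerable code lacked */
        p = v + vlen + (v[vlen] == '\\');
    }
    return 1;
}

/* Bounded lookup: copies the value for key into out (capacity outlen) and returns 0,
   or -1 if the key is absent, -2 if the value would not fit in out. */
int info_value_for_key(const char *info, const char *key, char *out, size_t outlen)
{
    if (!info || !key || !out || outlen == 0) return -1;
    out[0] = '\0';
    const char *p = info + (*info == '\\');
    while (*p) {
        size_t klen = token_len(p);
        const char *v = p + klen;
        if (*v != '\\') return -1;
        v++;
        size_t vlen = token_len(v);
        if (klen == strlen(key) && memcmp(p, key, klen) == 0) {
            if (vlen >= outlen) return -2;         /* refuse instead of overrunning out */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = v + vlen + (v[vlen] == '\\');
    }
    return -1;
}
```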