[mohaa] Fw: Medal of Honor remote buffer-overflow

patrick at fragzzhost.com patrick at fragzzhost.com
Mon Jul 19 16:58:47 EDT 2004


yes please Mr Ryan :)

----- Original Message ----- 
From: "Chris Adams" <chris at fragzzhost.com>
To: <mohaa at icculus.org>
Sent: Monday, July 19, 2004 10:48 PM
Subject: Re: [mohaa] Fw: Medal of Honor remote buffer-overflow


> Perhaps Ryan will read this soon considering it's his list and he makes the
> Ded binary :-)
> 
> Chris
> 
> ----- Original Message -----
> From: <patrick at fragzzhost.com>
> To: <mohaa at icculus.org>
> Sent: Monday, July 19, 2004 9:42 PM
> Subject: Re: [mohaa] Fw: Medal of Honor remote buffer-overflow
> 
> 
> Yeah, many do.... Strange, not many reactions on this matter. Let's hope some
> guru can fix the Linux version
> 
> ----- Original Message -----
> From: "Mohaa (kaleplek)" <mohaa at vandrosthagen.net>
> To: <mohaa at icculus.org>
> Sent: Monday, July 19, 2004 10:35 PM
> Subject: Re: [mohaa] Fw: Medal of Honor remote buffer-overflow
> 
> 
> > Great job man, but I'm running a Linux server, and the hack works. Is there
> > going to be a fix for Linux too???
> >
> > Greetings
> > Quint
> >
> > ----- Original Message -----
> > From: "MoRPHeUs" <mohaa-icculus.maks3w at virtualplanets.net>
> > To: <mohaa at icculus.org>
> > Sent: Sunday, July 18, 2004 20:36
> > Subject: [mohaa] Fw: Medal of Honor remote buffer-overflow
> >
> >
> > >
> > > ----- Original Message -----
> > > From: "Luigi Auriemma" <aluigi at autistici.org>
> > > To: <bugtraq at securityfocus.com>; <bugs at securitytracker.com>;
> > > <news at securiteam.com>; <full-disclosure at lists.netsys.com>
> > > Sent: Saturday, July 17, 2004 6:57 PM
> > > Subject: Medal of Honor remote buffer-overflow
> > >
> > >
> > > >
> > > >
> > > > #######################################################################
> > > >
> > > >                              Luigi Auriemma
> > > >
> > > > Application:  Medal of Honor
> > > >               http://mohaa.ea.com
> > > > Versions:     Allied Assault <= 1.11v9
> > > >               Breakthrough   <= 2.40b
> > > >               Spearhead      <= 2.15
> > > > Platforms:    Windows and Linux
> > > > Bug:          buffer overflow
> > > > Risk:         critical
> > > > Exploitation: remote, versus server
> > > >               (clients are vulnerable only on LAN)
> > > > Date:         17 July 2004
> > > > Author:       Luigi Auriemma
> > > >               e-mail: aluigi at altervista.org
> > > >               web:    http://aluigi.altervista.org
> > > >
> > > >
> > > >
> > > > #######################################################################
> > > >
> > > >
> > > > 1) Introduction
> > > > 2) Bug
> > > > 3) The Code
> > > > 4) Fix
> > > >
> > > >
> > > >
> > > > #######################################################################
> > > >
> > > > ===============
> > > > 1) Introduction
> > > > ===============
> > > >
> > > >
> > > > Medal of Honor is a famous military FPS game set in World War II.
> > > > It was developed by 2015 (http://www.2015.com) and was originally
> > > > released at the beginning of 2002, but other expansion packs have been
> > > > released later.
> > > >
> > > >
> > > >
> > > > #######################################################################
> > > >
> > > > ======
> > > > 2) Bug
> > > > ======
> > > >
> > > >
> > > > The problem is a classical buffer-overflow located in different parts
> > > > of the game code, but the first vulnerable function is the manager of
> > > > the queries/replies that checks for slashes and NULL bytes but doesn't
> > > > check the size of the values before copying them into a new buffer.
> > > >
> > > > In Allied Assault 1.11v9 dedicated server for Win32 we can see the
> > > > first bugged function at offset 0x00428f20 where the return address
> > > > (0x00429291) is overwritten by the client's data if it contains a value
> > > > of 520 bytes or more (1032 on the Linux version).
> > > >
> > > > The data causing the overflow can be used in a lot of packet types; in
> > > > fact it can be in the "getinfo" query, in the "connect" packet and in
> > > > others.
> > > > The most dangerous method to exploit this vulnerability is through the
> > > > getinfo query because it is a single UDP packet that the server cannot
> > > > block and the attacker can also spoof it.
> > > >
> > > > Naturally clients are also vulnerable, but the bugged function is used
> > > > only for LAN queries; in fact online the clients use the standard
> > > > Gamespy protocol that is not vulnerable.
> > > >
> > > >
> > > >
> > > > #######################################################################
> > > >
> > > > ===========
> > > > 3) The Code
> > > > ===========
> > > >
> > > >
> > > > http://aluigi.altervista.org/poc/mohaabof.zip
> > > >
> > > >
> > > >
> > > > #######################################################################
> > > >
> > > > ======
> > > > 4) Fix
> > > > ======
> > > >
> > > >
> > > > No fix.
> > > > Developers at 2015 were notified on 1 July 2004, but the support of
> > > > the game is in the hands of Electronic Arts (I'm still waiting for a
> > > > patch or at least an answer from EA about the buffer-overflow in Need
> > > > for Speed Hot Pursuit 2 notified tons of months ago...).
> > > >
> > > > However I have developed a universal patch that can be applied to any
> > > > version, game and type of server/client (dedicated or normal, with the
> > > > only requirement that naturally the executable of the normal version
> > > > must be decrypted, aka No-CD) because fortunately the part of code to
> > > > modify is always exactly the same.
> > > > Currently my patch is available only for the Win32 executables, not for
> > > > Linux:
> > > >
> > > >   http://aluigi.altervista.org/patches/mohaaboffix.zip
> > > >
> > > > All the details about the fix are in the text file inside the package;
> > > > however the original bugged function contains a lot of slow code, so I
> > > > have optimized it to gain the space to place my patched code, and I
> > > > have also saved 38 bytes.
> > > >
> > > >
> > > >
> > > > #######################################################################
> > > >
> > > >
> > > > ---
> > > > Luigi Auriemma
> > > > http://aluigi.altervista.org





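The bug in Luigi's advisory above is a query/reply parser that validates characters (slashes, NULL bytes) but never checks the length of a value before copying it into a fixed buffer. As an added example (not code from the advisory, the game or the patch), here is a bounded lookup for a backslash-delimited key/value query string of the kind Quake3-derived engines use for "getinfo"; the exact format and the 256-byte cap are assumptions, not something the advisory states.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative cap on a single value; assumption, the advisory gives no limit. */
#define MAX_INFO_VALUE 256

/*
 * Look up `key` in an infostring of the form "\key\value\key2\value2" and copy
 * its value into out[0..outlen-1], always NUL-terminated.
 * Returns  1 on success,
 *          0 if the key is absent or the string is malformed,
 *         -1 if the value would not fit: this is the size check the advisory
 *            says the game's query manager omits before copying.
 */
int info_value_for_key(const char *info, const char *key, char *out, size_t outlen)
{
    size_t keylen = strlen(key);
    if (outlen == 0 || outlen > MAX_INFO_VALUE + 1) return -1;
    out[0] = '\0';

    const char *p = info;
    while (*p) {
        if (*p == '\\') p++;                 /* separator before the key */
        const char *k = p;
        while (*p && *p != '\\') p++;        /* key runs to the next backslash */
        size_t klen = (size_t)(p - k);
        if (*p != '\\') return 0;            /* key with no value: malformed */
        p++;
        const char *v = p;
        while (*p && *p != '\\') p++;        /* value runs to next backslash or end */
        size_t vlen = (size_t)(p - v);

        if (klen == keylen && memcmp(k, key, klen) == 0) {
            if (vlen >= outlen) return -1;   /* refuse instead of overflowing */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;                                /* key not present */
}
```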