#######################################################################

                             Luigi Auriemma

Application:  Battle Isle: The Andosia War
              http://www.bluebyte.net/battleisle-e/default.asp
Versions:     <= 2.08
Platforms:    Windows
Bug:          remote crash
Exploitation: remote, versus both server and client
Date:         09 Mar 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Battle Isle: The Andosia War (aka Battle Isle 4) is a turn-based strategy
game developed by Cauldron (http://www.cauldron.sk) and released at the
end of the year 2000.

#######################################################################

======
2) Bug
======

The game does not validate the 32-bit number located at offset 8 of each
packet. When that number differs from the values normally found there
(usually 0xffffffff, 0 and 7), it is used unchecked as an index into
memory that is not allocated, and the resulting access crashes the
process. Both clients and servers are affected.

The following is the instruction causing the crash in the server, taken
from the demo version of the game (edx holds the attacker-chosen value,
scaled by 4 for the store):

  :0057DA56 8984932C020000  mov dword[ebx+4*edx+0000022C], eax

And the following is the client's (the value ends up in the byte load's
index register):

  :0057AEEC 660FB60439      movzx ax, byte[ecx+edi]

#######################################################################

===========
3) The Code
===========

The following proof-of-concept causes the immediate crash of the remote
server:

  http://aluigi.org/poc/bisleboom.zip

I have also coded a PoC to test the client's crash, although it is
naturally of little use given the low dangerousness of the bug in the
client:

  http://aluigi.org/poc/bisle-client.zip

#######################################################################

======
4) Fix
======

No official fix. I have tried to contact Cauldron without success; the
game is probably no longer supported.
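The check the advisory describes as missing, written out as an added example. This is not code from the game, from Cauldron or from the advisory's PoCs; the only facts taken from the advisory are that a 32-bit field sits at offset 8 of every packet and that 0xffffffff, 0 and 7 are the values the game expects there. The 12-byte minimum packet length, the little-endian byte order, the 8-entry slot table and every identifier (bi_parse_packet, bi_slot_store, and so on) are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not the game's code. It shows the two guards the
 * advisory says are absent: validating the offset-8 field against the
 * expected values, and bounds-checking any index derived from the wire
 * before it is used in a scaled memory access.
 *
 * Assumptions (not from the advisory): packets are at least 12 bytes,
 * the field is little-endian, and the indexed table has 8 dword slots.
 */

#define BI_FIELD_OFFSET 8u
#define BI_MIN_PACKET   12u   /* assumed: header must cover the field */
#define BI_NSLOTS       8u    /* assumed size of the indexed table    */

/* Values the advisory reports the game normally sees in the field. */
static const uint32_t bi_expected[] = { 0xffffffffu, 0u, 7u };

/* Decode a little-endian 32-bit value (byte order is an assumption). */
static uint32_t bi_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if v is one of the values the game expects, else 0. */
int bi_field_is_expected(uint32_t v)
{
    for (size_t i = 0; i < sizeof bi_expected / sizeof bi_expected[0]; i++)
        if (bi_expected[i] == v)
            return 1;
    return 0;
}

/*
 * Parse a packet. Returns 0 and stores the field in *out when the packet
 * is long enough and the field holds an expected value; returns -1 and
 * leaves *out untouched otherwise, so the caller drops the packet instead
 * of indexing memory with an attacker-chosen number.
 */
int bi_parse_packet(const uint8_t *pkt, size_t len, uint32_t *out)
{
    if (pkt == NULL || len < BI_MIN_PACKET)
        return -1;
    uint32_t v = bi_le32(pkt + BI_FIELD_OFFSET);
    if (!bi_field_is_expected(v))
        return -1;
    *out = v;
    return 0;
}

/* Convenience wrapper: 1 if the packet would be accepted, else 0. */
int bi_packet_ok(const uint8_t *pkt, size_t len)
{
    uint32_t v;
    return bi_parse_packet(pkt, len, &v) == 0;
}

/*
 * Bounds-checked store into a dword table: the guard missing in front of
 * the server's "mov dword[ebx+4*edx+0000022C], eax". The index must be
 * compared against the table size before the scaled store happens.
 */
struct bi_state {
    uint32_t slots[BI_NSLOTS];
};

int bi_slot_store(struct bi_state *st, uint32_t idx, uint32_t val)
{
    if (idx >= BI_NSLOTS)   /* rejects 0x41414141 and the 0xffffffff sentinel alike */
        return -1;
    st->slots[idx] = val;
    return 0;
}

/* Wrapper over a static state, returning 1 on success and 0 on rejection. */
int bi_slot_store_ok(uint32_t idx)
{
    static struct bi_state st;
    return bi_slot_store(&st, idx, 0xdeadbeefu) == 0;
}

/* Constructed sample packets (12 bytes each, field in bytes 8..11). */
static const uint8_t bi_pkt_ok[12]   = { 0,0,0,0, 0,0,0,0, 0x07,0x00,0x00,0x00 };
static const uint8_t bi_pkt_bad[12]  = { 0,0,0,0, 0,0,0,0, 0x41,0x41,0x41,0x41 };
static const uint8_t bi_pkt_short[8] = { 0,0,0,0, 0,0,0,0 };

int main(void)
{
    printf("expected field 7:   %s\n", bi_packet_ok(bi_pkt_ok, sizeof bi_pkt_ok) ? "accepted" : "dropped");
    printf("field 0x41414141:   %s\n", bi_packet_ok(bi_pkt_bad, sizeof bi_pkt_bad) ? "accepted" : "dropped");
    printf("8-byte packet:      %s\n", bi_packet_ok(bi_pkt_short, sizeof bi_pkt_short) ? "accepted" : "dropped");
    printf("store idx 3:        %s\n", bi_slot_store_ok(3u) ? "ok" : "rejected");
    printf("store idx 0x41414141: %s\n", bi_slot_store_ok(0x41414141u) ? "ok" : "rejected");
    return 0;
}
```

The two checks are deliberately separate: the whitelist rejects anything the protocol does not define, and the bounds check protects the table even if the whitelist is later widened, which is why the sentinel value 0xffffffff is accepted as a field but never reaches the slot array.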
#######################################################################