#######################################################################

Luigi Auriemma

Application:  S.T.A.L.K.E.R.: Clear Sky
              http://cs.stalker-game.com/en/
Versions:     Clear Sky <= 1.5.10 (aka 1.0010)
              (Shadow of Chernobyl has not been tested)
Platforms:    Windows
Bug:          unhandled strcpy_s exception
Exploitation: remote, versus server
Date:         22 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

S.T.A.L.K.E.R. is a famous FPS game series developed by GSC Game World
(http://www.gsc-game.com), composed of Shadow of Chernobyl, Clear Sky
and a new sequel (Call of Pripyat) not far from release.

#######################################################################

======
2) Bug
======

In this game the players can have a nickname of max 64 chars, which is
sent by the client in Unicode UTF-16 format and on which the server
performs the following operations:

  WideCharToMultiByte(CP_ACP, 0, input_utf16_nickname, -1,
                      output_ascii_nickname, 64, NULL, NULL);
  strcpy_s(new_buffer, 64, output_ascii_nickname);

The problem is that the output_ascii_nickname buffer is located just
before some other variables, so although WideCharToMultiByte does its
job and writes at most 64 bytes, a 64-char nickname leaves no room for
the terminating NUL and the non-zero 32-bit value located exactly after
output_ascii_nickname makes the string 65 bytes long, example:

  071CF680  61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
  071CF690  61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
  071CF6A0  61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
  071CF6B0  61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 00  aaaaaaaaaaaaaaa.
  071CF6C0  18 00 00 00 03 00 00 00 3E FA 1C 07 00 00 00 00  ........>ú......

So when strcpy_s is executed it raises an exception, because the output
buffer (64 bytes) is shorter than the input string (65), and the server
terminates immediately.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/dirtysky.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################
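The following is an added example (not the game's code nor part of the original advisory) showing how a server should handle the converted nickname: it never assumes the output of the converter is NUL-terminated and rejects a name that fills the 64-byte buffer instead of handing it to strcpy_s. narrow_nickname is a constructed, portable stand-in for the WideCharToMultiByte call above, reproducing only the behaviour the advisory relies on (at most 64 bytes written, no terminator when the name fills the buffer).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NICK_MAX 64   /* size of the server's nickname buffer */

/* Constructed stand-in for WideCharToMultiByte(..., -1, out, 64, ...):
 * writes at most out_size bytes; if the name fills the buffer there is
 * no room for the NUL, exactly the situation the advisory describes.
 * Returns the number of bytes written (ASCII only, other chars -> '?'). */
static size_t narrow_nickname(const uint16_t *utf16, char *out, size_t out_size)
{
    size_t n = 0;
    while (utf16[n] != 0 && n < out_size) {
        out[n] = (utf16[n] < 0x80) ? (char)utf16[n] : '?';
        n++;
    }
    if (n < out_size)
        out[n] = '\0';          /* terminator only when it fits */
    return n;
}

/* Hardened replacement for the strcpy_s step: the converted buffer is
 * treated as possibly unterminated, so the copy is bounded by the byte
 * count instead of by a string walk that would run into the variables
 * after the buffer. Returns 0 on success, -1 if the name must be rejected. */
int copy_nickname_safe(const uint16_t *utf16, char *dst, size_t dst_size)
{
    char tmp[NICK_MAX];
    size_t n = narrow_nickname(utf16, tmp, sizeof tmp);
    if (n >= sizeof tmp || n + 1 > dst_size)
        return -1;              /* 64-char name: would be 65 bytes with NUL */
    memcpy(dst, tmp, n);
    dst[n] = '\0';              /* explicit terminator, never borrowed from tmp */
    return 0;
}

/* Helper: a constructed nickname of `len` ASCII 'a's (the "aaaa..." case).
 * Returns the accepted nickname's length, or -1 if it was rejected. */
int check_nickname_of_length(size_t len)
{
    uint16_t name[NICK_MAX + 2];
    char dst[NICK_MAX];
    if (len > NICK_MAX + 1) return -1;
    for (size_t i = 0; i < len; i++) name[i] = 'a';
    name[len] = 0;
    if (copy_nickname_safe(name, dst, sizeof dst) != 0) return -1;
    return (int)strlen(dst);
}

int main(void)
{
    printf("63 chars -> %d\n", check_nickname_of_length(63)); /* accepted */
    printf("64 chars -> %d\n", check_nickname_of_length(64)); /* rejected */
    return 0;
}
```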