#######################################################################

Luigi Auriemma

Application:  GameCore engine
              http://gamecore3d.com
Versions:     <= 2.5
Platforms:    Windows, Mac OSX, browser
Bug:          Denial of Service
Exploitation: remote, versus server
Date:         12 May 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

GameCore is an engine for 3d games, playable also via browser through a plugin.

#######################################################################

======
2) Bug
======

The packets of this engine contain some 32-bit fields that specify the size of the strings/data that follow them. By specifying a negative number it is possible to cause an integer overflow during the memcpy of the string into a newly allocated buffer, but it is not possible to take control of the code flow because the packets used by the game are limited to 512 bytes, so the only effect is a crash of the server (EIP 00000000).

There are also two other, less important, effects of abusing this 32-bit field: the first is the "Error: Out of memory" exception caused by an unallocatable amount of memory (for example specifying 0x7fffffff), and the other is "Error: Attempting to read past end of stream" if the server expects a specific amount of bytes (for example if in the first packet it wants a GameID of 16 bytes).

The notable aspect of this vulnerability is that it can be exploited even without knowing the GameID (a 16-char string) that differs for each game developed with this engine, because the exploitation takes place in the very field that sends the GameID.
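As an added defensive illustration (not code from the advisory or from GameCore), the following C parser handles an "int32 length + data" field the way a server should: it rejects negative lengths before they wrap into a huge size, and rejects lengths that exceed the bytes remaining in a packet capped at 512 bytes. The little-endian byte order, the field layout and the sample GameID are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PACKET 512  /* packet size limit stated in the advisory */
enum parse_result { PARSE_OK = 0, PARSE_NEGATIVE_LEN, PARSE_TRUNCATED, PARSE_ALLOC_FAIL };

/* Little-endian decode of the 32-bit length field (byte order is an assumption). */
static int32_t read_i32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Parse one "int32 length + data" field at *off. On success *out receives a
 * NUL-terminated copy (caller frees) and *off advances past the field. */
int parse_length_prefixed(const uint8_t *pkt, size_t pkt_len, size_t *off, char **out) {
    if (pkt_len > MAX_PACKET || pkt_len < 4 || *off > pkt_len - 4) return PARSE_TRUNCATED;
    int32_t raw = read_i32(pkt + *off);
    if (raw < 0) return PARSE_NEGATIVE_LEN;               /* would wrap to a huge size_t */
    size_t len = (size_t)raw;
    if (len > pkt_len - *off - 4) return PARSE_TRUNCATED;  /* must fit inside the packet */
    char *buf = malloc(len + 1);
    if (buf == NULL) return PARSE_ALLOC_FAIL;
    memcpy(buf, pkt + *off + 4, len);
    buf[len] = '\0';
    *off += 4 + len;
    *out = buf;
    return PARSE_OK;
}

/* Build a constructed packet: raw length field followed by payload bytes. */
static size_t build_field(uint8_t *dst, int32_t raw_len, const char *payload, size_t n) {
    uint32_t u = (uint32_t)raw_len;
    dst[0] = u & 0xff; dst[1] = (u >> 8) & 0xff; dst[2] = (u >> 16) & 0xff; dst[3] = (u >> 24) & 0xff;
    memcpy(dst + 4, payload, n);
    return 4 + n;
}

/* Run the parser on a constructed packet whose length field is raw_len and
 * whose payload is a 16-byte sample GameID (assumed value); returns the parse_result code. */
int check_field(int32_t raw_len) {
    uint8_t pkt[64];
    size_t off = 0, n = build_field(pkt, raw_len, "SAMPLEGAMEID0000", 16);
    char *s = NULL;
    int r = parse_length_prefixed(pkt, n, &off, &s);
    if (r == PARSE_OK && (strcmp(s, "SAMPLEGAMEID0000") != 0 || off != n)) r = -1;
    free(s);
    return r;
}
```

A correct 16-byte field parses cleanly, while a negative length, 0x7fffffff, or any length past the end of the packet is refused before malloc or memcpy runs.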
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/gamecorex.dat

  nc SERVER PORT -u < gamecorex.dat

#######################################################################

======
4) Fix
======

No fix.

#######################################################################