#######################################################################

                             Luigi Auriemma

Applications: Armed Assault and Armed Assault II (Real Virtuality engine)
              http://www.armedassault.com
              http://www.arma2.com
Versions:     ArmA <= 1.14 (beta 1.16 is vulnerable too)
              ArmA 2 <= 1.04
Platforms:    Windows (a Linux server also exists for ArmA and is
              probably vulnerable too)
Bug:          access violation due to negative memcpy
Exploitation: remote, versus server
Date:         18 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Armed Assault (better known as ArmA) is a tactical military shooter
developed by Bohemia Interactive (http://www.bistudio.com).
ArmA 2 is the most recent game of the series and also the most played.


#######################################################################

======
2) Bug
======


Port 2305 is used for the VoIP over Network (VON) protocol, which
carries the voice communication between the players on the server
during a match.

In one of the supported packet types, the 8-bit number at the end of
the packet gives the number of 8-byte elements to read, and the server
performs a sequence of operations like the following:

  len = elements * 8;           /* elements is the trailing 8-bit count */
  packet_size -= 1;             /* drop the count byte itself */
  memcpy(new_buffer, packet + packet_size - len, len);
  packet_size -= len;           /* no check that len <= packet_size */

The problem is the last instruction: packet_size becomes negative if
the count byte specifies more elements than the packet actually
contains.

While handling these elements, a flag is set to TRUE if one of them
contains a particular type of data, in which case the server goes on to
read the rest of the packet (the part between the header and the
elements) using packet_size as its length.
If packet_size is negative the server crashes immediately: the copy
treats the length as unsigned (-1 becomes 0xffffffff), so it reads far
past the end of the packet into unallocated memory.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/armadioz.zip


#######################################################################

======
4) Fix
======


No fix.

UPDATE: ArmA2 1.07


#######################################################################
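The length arithmetic from section 2, reproduced beside the bounds check that a fix needs. This is an added example written for this page; it is not code from the advisory, from the proof of concept, or from Bohemia Interactive. The packet layout ([header][body][N elements of 8 bytes][N as one trailing byte]), the 4-byte header size, and the function names (vuln_remaining_size, parse_elements_safe, build_packet) are assumptions made for the example; only the 8-byte element size and the trailing 8-bit count come from the advisory. The vulnerable arithmetic is shown with the memcpy omitted so the function can be called without faulting.

```c
/*
 * Added example (not from the advisory or from the game's code).
 * Assumed layout: [header][body][N elements of 8 bytes][N as one byte].
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  4          /* assumed header size for the example */
#define ELEM_LEN 8          /* element size stated in the advisory */

/*
 * The advisory's arithmetic with the server's signed int for packet_size.
 * Returns what packet_size holds after "packet_size -= len": negative
 * whenever the trailing count byte claims more elements than fit.
 */
int vuln_remaining_size(int packet_size, uint8_t elements)
{
    int len = elements * ELEM_LEN;   /* at most 255 * 8 = 2040 */
    packet_size -= 1;                /* drop the count byte */
    /* memcpy(new_buffer, packet + packet_size - len, len) would be here;
       with len > packet_size the source already points before the packet.
       The copy is left out so this function is safe to call. */
    packet_size -= len;
    return packet_size;              /* negative on a malformed packet */
}

/*
 * Hardened parser: lengths are size_t and every subtraction is preceded
 * by a comparison. Copies the elements into elem_out (must hold
 * 255 * ELEM_LEN bytes), sets *body_len to the bytes between header and
 * elements and *elements to the count. Returns 0, or -1 if the count
 * byte does not fit in the packet.
 */
int parse_elements_safe(const uint8_t *pkt, size_t pkt_len,
                        uint8_t *elem_out, size_t *body_len, size_t *elements)
{
    if (pkt_len < HDR_LEN + 1)           /* need header + count byte */
        return -1;

    size_t n    = pkt[pkt_len - 1];      /* trailing 8-bit element count */
    size_t len  = n * ELEM_LEN;          /* max 2040, cannot overflow */
    size_t need = (size_t)HDR_LEN + len + 1;

    if (need > pkt_len)                  /* the check the server lacked */
        return -1;

    memcpy(elem_out, pkt + pkt_len - 1 - len, len);  /* elements precede the count byte */
    *elements = n;
    *body_len = pkt_len - need;          /* cannot underflow: need <= pkt_len */
    return 0;
}

/* Constructed test packet: header, body, real elements, then a count byte
   that may lie about how many elements are present. Returns total length. */
size_t build_packet(uint8_t *buf, size_t body_len, int real_elems, uint8_t claimed_elems)
{
    size_t off = 0;
    memset(buf + off, 0xAA, HDR_LEN);  off += HDR_LEN;     /* header */
    memset(buf + off, 0xBB, body_len); off += body_len;    /* body */
    for (int i = 0; i < real_elems; i++) {                 /* real elements */
        memset(buf + off, 0xC0 + i, ELEM_LEN);
        off += ELEM_LEN;
    }
    buf[off++] = claimed_elems;                            /* trailing count */
    return off;
}

int main(void)
{
    uint8_t pkt[HDR_LEN + 64 + 255 * ELEM_LEN + 1];
    uint8_t elems[255 * ELEM_LEN];
    size_t body = 0, n = 0;

    /* honest packet: 6 body bytes, 2 elements, count byte 2 (27 bytes) */
    size_t plen = build_packet(pkt, 6, 2, 2);
    printf("honest:    rc=%d body=%zu elements=%zu\n",
           parse_elements_safe(pkt, plen, elems, &body, &n), body, n);

    /* malicious packet: same bytes, count byte claims 255 elements */
    plen = build_packet(pkt, 6, 2, 255);
    int left = vuln_remaining_size((int)plen, 255);
    printf("malicious: vulnerable packet_size=%d (0x%08" PRIx32 " unsigned), safe rc=%d\n",
           left, (uint32_t)left,
           parse_elements_safe(pkt, plen, elems, &body, &n));
    return 0;
}
```

The honest packet parses with body=6 and elements=2; the malicious one drives the vulnerable arithmetic to -2014 (0xfffff822 once treated as unsigned), while the hardened parser rejects it before any copy. The fix is only the single `need > pkt_len` comparison done in unsigned arithmetic before the subtraction, which is the check missing from the sequence in section 2.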