#######################################################################

                             Luigi Auriemma

Application:  OpenBOR
              http://www.openbor.net
              Beats of Rage
              http://www.senileteam.com
              HOR: Horizontal Shooter BOR
              http://openbor.net/hor/
Versions:     OpenBOR <= 2.0046
              BOR <= 1.0029
              HOR <= 2.0000
Platforms:    Dreamcast, GP32, PSP, Palm OS, Pocket PC, GP2X, Amiga,
              Linux, PC, Playstation 2 and Xbox
Bug:          format string vulnerabilities
Exploitation: local
Date:         20 May 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Beats of Rage (BOR) is a very nice open source beat'em up engine
developed by Senile Team (http://www.senileteam.com) and inspired by
games like "Streets of Rage" and "The King of Fighters".
It works on many platforms and supports mods:

  http://borrevolution.vg-network.com
  http://www.borhosting.com

#######################################################################

======
2) Bug
======

There are some format string vulnerabilities in BOR which can be
exploited through malicious mod files.
The following are the pieces of code containing the bugs; the most
used functions are shutdown (used to kill the game at its end or when
an error occurs) and update (for showing text on the screen through
the font_printf function):

  void shutdown(char *msg, ...){
      static char buf[2048];
      va_list arglist;

      va_start(arglist, msg);
      vsprintf(buf, msg, arglist);  /* unbounded write into buf */
      va_end(arglist);
      ...
      printf("Done.\n\n\n\n");
      printf(buf);   /* buf, now holding mod-supplied text, is itself
                        used as the format string */
      exit(0);
  }

From predrawstatus():

  /* a name read from the mod files is passed as the format string */
  font_printf(21+xo, savedata.windowpos+19, 0, player[i].opponent->name);
  ...
  else if(player[i].joining && player[i].model){
      font_printf(21+xo, savedata.windowpos+2, 0, player[i].model->name);
  ...
From update():

  font_printf(0,230, 0, debug_msg);

From choose_difficulty():

  if(savedata.times_completed >= ifcomplete[i])
      font_printf(120,160+i*10, (selector==i), set_names[i]);

#######################################################################

===========
3) The Code
===========

Take an existing mod and:

- add the following line in data/scenes/intro.txt:

    music %08x.%08x.%08x.%08x 0

- add the following line in data/easy/1aeasy.txt:

    background %08x.%08x.%08x.%08x

The first operation exploits the format string in the update function
when the game starts and the intro is automatically launched.
The second one instead exploits the bug located in the shutdown
function when the Easy level is selected and the character is chosen.

To extract and rebuild the PAK files it is possible to use the
following tool:

  http://aluigi.org/papers/borpak.zip

#######################################################################

======
4) Fix
======

No fix.
BOR is no longer supported, while OpenBOR is, but I have received no
replies from its developers.

#######################################################################
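As an added example, not part of the advisory and not code from BOR or OpenBOR, the two patterns from section 2 in their hardened shape: the expanded message is bounded with vsnprintf and never reused as a format, a mod-supplied name goes through a fixed "%s" format, and a loader-side check (my addition, not something the engine has) flags strings like the ones in section 3 before they reach any printf-style call. All function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Nonzero if s contains a conversion directive: any '%' not immediately
 * followed by another '%'.  A loader can run this on names read from mod
 * text files (scene, level and model names) and reject or log them. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Hardened counterpart of shutdown(): msg is assumed to be a format the
 * engine itself controls; vsnprintf bounds the write and the expanded text
 * is emitted with fputs, so data that arrived through the arguments is
 * never parsed as a format a second time.  Returns the expanded length;
 * out may be NULL when the caller only wants the message printed. */
int shutdown_message(char *out, size_t outlen, const char *msg, ...)
{
    char buf[2048];
    va_list ap;
    int n;

    va_start(ap, msg);
    n = vsnprintf(buf, sizeof buf, msg, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    fputs(buf, stdout);                 /* not printf(buf) */
    if (out != NULL)
        snprintf(out, outlen, "%s", buf);
    return n;
}

/* Hardened counterpart of font_printf(x, y, 0, name): the untrusted name
 * is an argument to a fixed "%s" format, never the format itself. */
int print_untrusted_name(const char *name)
{
    return printf("%s\n", name);
}
```

The test below shows why the original printf(buf) was exploitable: the message expanded from a mod-supplied argument still contains directives, so it must be printed, not formatted.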