#######################################################################

                             Luigi Auriemma

Application:  Call of Duty series
              http://www.callofduty.com
Versions:     Call of Duty <= 1.5b
              Call of Duty United Offensive <= 1.51b
              Call of Duty 2 <= 1.3
Platforms:    Windows, Linux and Mac
Bug:          buffer-overflow through the callvote map command
Exploitation: remote, versus server (in-game)
Date:         24 Sep 2006
Author:       Sindre Dahl
Advisory:     Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Call of Duty is the famous military FPS game developed by Infinity Ward
(http://www.infinityward.com) and published by Activision
(http://www.activision.com). The first episode of the game was released
in October 2003 and Call of Duty 2 two years later.

#######################################################################

======
2) Bug
======

callvote is the command used by clients to ask the server to start a
voting poll, for example to select a new map or to kick someone.
Voting is enabled by default on the server.

The "callvote map MAP" string is handled by a server function which
takes the MAP parameter and copies it (memcpy) into a local buffer of
64 bytes. Note that in some versions of the games this local buffer is
on the stack while in others it is static.
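The copy described above, illustrated with an added C example that is not code from the advisory, from the unofficial patch or from the game itself: a hardened handler for the MAP argument that checks the length before anything is copied, next to a helper that computes how far an unchecked memcpy of the same argument would run past a 64-byte buffer. The function names, the MAP_BUF_SIZE constant and the sample map name "mp_example" are assumptions made for the illustration; only the 64-byte buffer and the 185 and 70 character lengths come from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the server-side map-name buffer described in section 2 of the
 * advisory. The name MAP_BUF_SIZE is an assumption for this example. */
#define MAP_BUF_SIZE 64

/* Models the unchecked copy described in section 2 without performing it:
 * an unbounded memcpy of a NUL-terminated argument of arg_len characters
 * writes arg_len + 1 bytes into a MAP_BUF_SIZE-byte buffer. Returns how many
 * of those bytes land past the end of the buffer (0 when the name fits). */
size_t map_arg_overflow_bytes(size_t arg_len)
{
    size_t bytes_written = arg_len + 1;          /* characters plus terminator */
    return bytes_written > MAP_BUF_SIZE ? bytes_written - MAP_BUF_SIZE : 0;
}

/* Hardened handler for the MAP argument of "callvote map MAP" (hypothetical
 * name). The length check runs before any copy, so an oversize argument can
 * never reach the buffer. Returns 1 and fills dst when the name is accepted,
 * 0 when the vote must be rejected (dst is then left as an empty string). */
int vote_map_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t arg_len;

    if (dst == NULL || dst_size == 0)
        return 0;
    dst[0] = '\0';
    if (arg == NULL)
        return 0;

    /* Bounded scan: never read further than the destination could hold, so a
     * client that omits the terminator cannot make the server scan forever. */
    for (arg_len = 0; arg_len < dst_size && arg[arg_len] != '\0'; arg_len++)
        ;
    if (arg_len == dst_size)                     /* no room left for the NUL */
        return 0;
    if (arg_len == 0)                            /* empty map name: nothing to vote on */
        return 0;

    memcpy(dst, arg, arg_len + 1);               /* fits, terminator included */
    return 1;
}

/* Stand-alone demo with constructed inputs (not traffic captured from a real
 * server): a plausible map name and the 185-character argument of section 3. */
int main(void)
{
    char map[MAP_BUF_SIZE];
    char overlong[186];

    memset(overlong, 'a', 185);
    overlong[185] = '\0';

    printf("unchecked copy of 185 'a's overflows by %zu bytes\n",
           map_arg_overflow_bytes(strlen(overlong)));            /* 122 */
    printf("unchecked copy of 70 'a's overflows by %zu bytes\n",
           map_arg_overflow_bytes(70));                          /* 7 */
    printf("checked handler accepts \"mp_example\": %d\n",
           vote_map_checked(map, sizeof map, "mp_example"));    /* 1 */
    printf("checked handler accepts 185 'a's: %d\n",
           vote_map_checked(map, sizeof map, overlong));        /* 0 */
    return 0;
}
```

The scan is bounded by the destination size rather than by strlen() on the client-supplied string, which matters for network input that may arrive without a terminator. A server that rejects the vote this way should also log the client and the argument length, since an overlong callvote argument against a patched server is a useful signal that someone is probing it.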
#######################################################################

===========
3) The Code
===========

Type the following command in the in-game console:

  /callvote map aaaaaaa...(185_'a's)...aaaaaaa

In Call of Duty, 70 'a's are enough.

#######################################################################

======
4) Fix
======

I have created some unofficial patches for all the latest Windows and
Linux versions of the games:

  http://aluigi.org/patches/codmapboffix.lpatch

#######################################################################