#######################################################################

                             Luigi Auriemma

Application:  GEM 2 engine
              http://eng.bestway.com.ua/index.php/game-engine/gem2
Games:        Men of War <= 1.17.5
              Men of War. Victory Day Edition (Outfront 2 A2) <= 1.17.5
              http://www.menofwargame.com
              Faces of War <= 1.04.1
              http://www.facesofwargame.com
              V tylu Vraga 2 <= ???
              (Soldiers: Heroes of World War II has not been tested; it
              uses the previous version of the engine, called GEM 1)
Platforms:    Windows
Bugs:         A] NULL pointer
              B] multiple failed assertions
              C] buffer overflow
Exploitation: remote, versus server
Date:         11 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


GEM 2 is a game engine developed by Best Way (http://bestway.com.ua)
for creating the well-known series of strategic military games which
includes Faces of War and the recent Men of War (GEM 2.5).
GEM 3 is the new version of the engine, which at the moment is used in
no games.


#######################################################################

=======
2) Bugs
=======

---------------
A] NULL pointer
---------------

An incomplete type of packet generates a NULL pointer dereference.


-----------------------------
B] multiple failed assertions
-----------------------------

The server can be terminated through various failed assertions caused
by packets with unavailable types of commands and too big or too small
sizes, which raise exceptions like the following:

  "undefined option type"
  "Attempt to read beyond the stream!"
  "Invalid seek location!"


------------------
C] buffer overflow
------------------

Through a particular type of packet it is possible to overwrite some
parts of the memory, allowing an attacker to control various registers
and function pointers, with the possibility of executing malicious
code.


#######################################################################

===========
3) The Code
===========

UPDATE 12 May 2010
http://aluigi.org/poc/gembugs.zip

OLD METHOD:
http://aluigi.org/poc/gem2bugs.zip

  nc SERVER 3210 -v -v -u < gem2bugs1.dat
  nc SERVER 3210 -v -v -u < gem2bugs2.dat
  nc SERVER 3210 -v -v -u < gem2bugs3.dat
  nc SERVER 3210 -v -v -u < gem2bugs4.dat
  nc SERVER 3210 -v -v -u < gem2bugs5.dat

These proof-of-concept packets are compatible with Men of War.
For the other games small modifications are needed, for example
replacing the bytes at offset 0 and 0x27 with 0x07 and 0x01 for Faces
of War, and so on.


#######################################################################

======
4) Fix
======

No fix.


#######################################################################