#######################################################################

                             Luigi Auriemma

Applications: - Haegemonia
                http://www.haegemonia.com
              - Desert Rats vs. Afrika Korps
                http://www.desertratsgame.com
Versions:     Haegemonia <= 1.07
              Desert Rats vs. Afrika Korps 1.0 (???)
Platforms:    Windows
Bug:          reading of unallocated memory (crash)
Exploitation: remote, versus server
Date:         24 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Haegemonia is a strategic space combat game developed by Digital
Reality (http://www.digitalreality.hu) and distributed by many
publishers like DreamCatcher (http://www.dreamcatchergames.com) and
Monte Cristo (http://www.montecristogames.com).
It was released in 2002, while Desert Rats vs. Afrika Korps is the
newer game that will be released in March 2004 (the German version has
already been released at the beginning of February, thanks to Rushjo
for the information).

#######################################################################

======
2) Bug
======

The bug is a classic read of unallocated memory, caused by sending a
packet containing a chat message in which the 32-bit number identifying
the length of the message is too big.

Note for Gamespy Internet games: the bug is exploitable when the server
is in the final multiplayer lobby (the one available directly when the
server is launched normally, without Gamespy support) and not in the
previous chat room screen.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/hgmcrash.zip

#######################################################################

======
4) Fix
======

No fix.
Developers have not replied to my mails.

#######################################################################
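
Added example (not part of the original advisory and not the game's code): the bounds check that prevents the kind of read described in section 2, where a 32-bit length field is trusted over the number of bytes actually received. The packet layout (4-byte little-endian length followed by the text), the CHAT_MAX cap and the names parse_chat and rd32le are assumptions made for illustration; the advisory does not document the real format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHAT_MAX 256  /* assumed cap on chat text, not the game's real limit */

/* Read a 32-bit little-endian value without alignment assumptions. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Parse a hypothetical chat packet: [u32 length][length bytes of text].
 * pkt/pkt_len describe the bytes actually received from the network.
 * On success, copies a NUL-terminated string into out and returns the
 * message length; returns -1 if the packet is malformed.
 */
int parse_chat(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_sz)
{
    uint32_t claimed;

    if (pkt == NULL || out == NULL || out_sz == 0)
        return -1;
    if (pkt_len < 4)                 /* length header itself is truncated */
        return -1;

    claimed = rd32le(pkt);

    /* The claimed length must fit in the bytes that really arrived.
     * Compare against the remainder (pkt_len - 4) instead of computing
     * 4 + claimed, which could wrap around on a 32-bit size_t. */
    if (claimed > pkt_len - 4)
        return -1;
    /* Independent policy limits: protocol cap and destination size. */
    if (claimed > CHAT_MAX || claimed >= out_sz)
        return -1;

    memcpy(out, pkt + 4, claimed);
    out[claimed] = '\0';
    return (int)claimed;
}
```

Without the first comparison, a copy loop driven by the claimed length runs past the end of the receive buffer into unmapped memory, which matches the crash class the advisory reports.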