#######################################################################

                             Luigi Auriemma

Application:  Scrapland
              http://www.scrapland.com
Versions:     <= 1.0
Platforms:    Windows
Bug:          server termination
Exploitation: remote, versus server (partially in-game)
Date:         28 Feb 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Scrapland is the known game developed by MercurySteam Entertainment
(http://www.mercurysteam.com) with the creative support of American
McGee (http://www.americanmcgee.com).
It is published by Enlight (http://www.enlight.com) and been released
at the beginning of 2005.


#######################################################################

======
2) Bug
======


The main problem of the game is that the server terminates after any
error instead of simply showing the error message in the game console
and continuing its work.

This situation lets an attacker to easily crash a Scrapland game server
in many ways, some of them are:

- size>SSize: the game uses 8 bits numbers to specify the size of the
  text strings inside the packets. These 8 bits numbers are handled as
  signed integers so any value bigger than 127 causes the server error.

- unexistent model: if the client uses a model (like engine, pilot or
  player) not available on the server, this one will terminate saying
  that the model specified by the client has not been found.

- newpos<=size: another type of error.

- access violation caused by the reception of two partial packets.

If the server is full, is not possible to terminate it.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/scrapboom.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################