#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II with PunkBuster enabled
              http://www.ravensoft.com/soldier2.html
              http://www.PunkBuster.com
Versions:     PunkBuster for server <= 1.728
Platforms:    Windows, Linux and Mac
Bug:          buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         09 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many widespread
games like America's Army, Battlefield 1942/Vietnam/II, Call of Duty,
Doom 3 and almost all the games based on the Quake 3 engine.

Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and published by Activision
(http://www.activision.com). Although it was released in May 2002 it's
still widely played (about 500 servers online, half of them with
PunkBuster enabled).

#######################################################################

======
2) Bug
======

A specific (logging?) function in pbsv.dll of sof2 uses sprintf with a
4 kilobyte buffer for generating the log string:

  sprintf(buffer, "%s: %s", "^3PunkBuster Server", string);

Through a particular in-game PunkBuster packet (called "restart
packet") an attacker can trigger the buffer overflow in the function
above, because "string" takes a value like "Invalid Restart Packet:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAA".

In my tests this was the only way to exploit the vulnerability.
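As an added illustration (not code from this advisory or from Even Balance): the sprintf() pattern described above beside a bounded snprintf() variant that keeps the 4 KB buffer intact on over-long input and reports truncation. Function names and the constructed "Invalid Restart Packet" input are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 4096   /* the 4 kilobyte log buffer described above */

/* The pattern from the advisory: unbounded sprintf() into a fixed buffer.
   If "string" is longer than the space left after the prefix, the write
   runs past the end of "buffer". Shown for comparison only; never called. */
void pb_log_unsafe(char *buffer, const char *string)
{
    sprintf(buffer, "%s: %s", "^3PunkBuster Server", string);
}

/* Bounded variant (hypothetical name): snprintf() writes at most bufsize
   bytes including the terminating NUL. Returns 1 if the message was cut
   short, 0 if it fit, -1 on a formatting error, so the caller can still
   record that an over-long input arrived. */
int pb_log_safe(char *buffer, size_t bufsize, const char *string)
{
    int needed = snprintf(buffer, bufsize, "%s: %s",
                          "^3PunkBuster Server", string);
    if (needed < 0) {
        buffer[0] = '\0';
        return -1;
    }
    return (size_t)needed >= bufsize ? 1 : 0;
}

/* Constructed input: an 8 KB "Invalid Restart Packet: AAAA..." string,
   twice the size of the log buffer. Returns 1 when the bounded variant
   reports truncation and leaves exactly LOG_BUF_SIZE-1 chars plus NUL. */
int demo_truncation(void)
{
    static char attacker[8192];
    char buffer[LOG_BUF_SIZE];
    const char *prefix = "Invalid Restart Packet: ";
    size_t plen = strlen(prefix);

    memcpy(attacker, prefix, plen);
    memset(attacker + plen, 'A', sizeof(attacker) - plen - 1);
    attacker[sizeof(attacker) - 1] = '\0';

    int truncated = pb_log_safe(buffer, sizeof(buffer), attacker);
    return truncated == 1 && strlen(buffer) == LOG_BUF_SIZE - 1;
}

/* Normal-sized input must pass through unchanged. */
int demo_short(void)
{
    char buffer[64];
    int rc = pb_log_safe(buffer, sizeof(buffer), "ok");
    return rc == 0 && strcmp(buffer, "^3PunkBuster Server: ok") == 0;
}
```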
The bug is in-game, so the attacker needs to join the server with the
client-side PunkBuster enabled (pb_cl_enable), but it's not necessary to
have the PB service active because the bug is triggered immediately
before the various checks.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/mytoolz/proxocket.zip
http://aluigi.org/poc/sof2pbbof.zip

- copy ws2_32.dll and myproxocket.dll in the folder of the game
- launch the client
- enable punkbuster (pb_cl_enable)
- join the server (it must support punkbuster)
- the server will crash immediately when the player joins the server
  after having loaded the map

#######################################################################

======
4) Fix
======

No fix.

#######################################################################