#######################################################################

Luigi Auriemma

Application:  Star Wars Battlefront II
              http://www.lucasarts.com/games/swbattlefrontii/
Versions:     <= 1.1
Platforms:    Windows and PS2
Bug:          access violation caused by the usage of 7 guests
Exploitation: remote, versus server
Date:         24 Jul 2009

Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Star Wars Battlefront II (SWBF2) is the sequel to the game of the same
name, developed by Pandemic Studios (http://www.pandemicstudios.com) and
published by LucasArts at the end of 2005, and it is still widely played
online.

#######################################################################

======
2) Bug
======

Just like its prequel, SWBF2 supports "guest" players, where the same
player can occupy more than one slot. In SWBF1 the guests were limited
to 1 per player (1 bit), while in SWBF2 this number has been increased
to 7 because 3 bits are assigned to this field.

The problem is that the game doesn't actually support 7 guests per
player: its physical limit seems to be 6. The effect is that if a player
joins the server with 7 guests two consecutive times, the server crashes
with an access violation: a number (apparently the player slot) is read
from an array and used to seek the position of another one, and since
that number is invalid (for example 0x07040000) the game ends up writing
data to unallocated zones of memory.

The attacker needs to join the server, so if it is protected by a
password he must know the right keyword.
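The following is an added example, not part of this advisory and not code from
the game. It models the mismatch the bug section describes: the SWBF2 join data
carries a 3-bit guest count that can encode 0..7, while the engine only handles
up to 6 guests, so the value 7 must be rejected before any slot arithmetic runs.
The flags-byte layout (guest count in the low 3 bits) and the function names are
assumptions made for the example; the advisory does not document the real
packet format.

```python
# Added example (not part of Luigi Auriemma's advisory or the game's code).
# Models the guest-count bit field described in the advisory and shows the
# server-side bounds check that would have prevented the crash: the field
# is 3 bits wide (values 0..7) but the engine only handles up to 6 guests,
# so a count of 7 must be rejected before any slot arithmetic runs.
# The join-request byte layout below is an ASSUMPTION made for this
# example; the advisory does not document the real packet format.

SWBF1_GUEST_BITS = 1   # SWBF1: 1-bit field -> at most 1 guest (from the advisory)
SWBF2_GUEST_BITS = 3   # SWBF2: 3-bit field -> encodes 0..7 (from the advisory)
SWBF2_MAX_GUESTS = 6   # physical limit the engine actually supports (from the advisory)

# Assumed layout of the flags byte in a join request (constructed for this example):
#   bits 0-2: guest count, bits 3-7: other flags we ignore here.
GUEST_SHIFT = 0


def field_max(bits):
    """Largest value a bit field of the given width can encode."""
    return (1 << bits) - 1


def parse_guest_count(flags_byte, bits=SWBF2_GUEST_BITS):
    """Extract the guest-count field from the (assumed) flags byte."""
    return (flags_byte >> GUEST_SHIFT) & field_max(bits)


def validate_join(flags_byte, free_slots, max_guests=SWBF2_MAX_GUESTS):
    """
    Decide whether a join request may be admitted.

    Returns (accepted, reason). The count is checked against the engine's
    real limit (6) before anything is allocated, so the out-of-range value
    7 that the wire format can carry never reaches the slot-seeking code.
    """
    guests = parse_guest_count(flags_byte)
    if guests > max_guests:
        return False, "guest count %d exceeds supported maximum %d" % (guests, max_guests)
    needed = 1 + guests                      # the player plus each guest occupies a slot
    if needed > free_slots:
        return False, "need %d slots, only %d free" % (needed, free_slots)
    return True, "ok: %d slot(s) reserved" % needed


def simulate_server(requests, free_slots=32):
    """Feed a sequence of (constructed) join requests through the check.

    Returns the list of decisions; rejected requests reserve no slots, so
    two consecutive 7-guest joins, the trigger described in the advisory,
    are simply refused instead of reaching the vulnerable code path.
    """
    decisions = []
    for flags in requests:
        accepted, reason = validate_join(flags, free_slots)
        if accepted:
            free_slots -= 1 + parse_guest_count(flags)
        decisions.append((accepted, reason))
    return decisions


if __name__ == "__main__":
    # Constructed sample: a normal join (2 guests), then two joins carrying
    # the maximal 3-bit value 7, which is what crashes an unpatched server.
    sample = [0b00000010, 0b00000111, 0b00000111]
    for accepted, reason in simulate_server(sample):
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

The point of the check is the gap between what the encoding can express
(field_max of 3 bits is 7) and what the code behind it supports (6): any
value a wire field can carry has to be validated against the real limit,
not against the width of the field.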
#######################################################################

===========
3) The Code
===========

http://aluigi.org/fakep/swbfp.zip

  swbfp -g SERVER

#######################################################################

======
4) Fix
======

No fix. The game is no longer supported, so I have written a fix for
it:

http://aluigi.org/patches/swbf2sevenfix.lpatch

#######################################################################