#######################################################################

                             Luigi Auriemma

Application:  X-Motor Racing
              http://www.xmotorracing.com
Versions:     <= 1.275 (server 1.24)
Platforms:    Windows
Bugs:         A] buffer-overflow in IP_CAR_INFO
              B] two memory exceptions
Exploitation: remote, versus server
Date:         06 May 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From the vendor's website:
"X-Motor Racing is an Indie racing simulator with accurate physics
simulation."


#######################################################################

=======
2) Bugs
=======

---------------------------------
A] buffer-overflow in IP_CAR_INFO
---------------------------------

The server is affected by a stack-based buffer-overflow which happens
during the handling of the IP_CAR_INFO packet, where the string
containing the name of the client's car is copied into a buffer of 256
bytes.


------------------------
B] two memory exceptions
------------------------

There are 2 exceptions caused by the allocation (HeapAlloc) of an
amount of memory decided by the client.
A client can therefore crash the server (NO_MEMORY exception) by
specifying an amount of memory that cannot be allocated.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/xmotorbof.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
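Since no fix is available, the following added example (not code from this advisory or from the vendor) sketches the server-side checks that would close both bug classes described in section 2: a length-checked copy into the 256-byte car-name buffer and a capped, failure-checked allocation of a client-chosen size. The packet layout (a NUL-terminated name field), the function names, the 64 KiB cap and the use of calloc as a portable stand-in for HeapAlloc are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CAR_NAME_BUF     256          /* buffer size stated in the advisory */
#define MAX_CLIENT_ALLOC (64 * 1024)  /* assumed policy cap, not from the advisory */

/* Bug A pattern: copy a client-supplied car name into a fixed buffer.
 * field/field_len are the bytes left in the received packet (hypothetical
 * layout: NUL-terminated string). Returns 0 on success, -1 on rejection. */
int copy_car_name(char dst[CAR_NAME_BUF], const uint8_t *field, size_t field_len)
{
    /* Look for the terminator only inside the data actually received. */
    const uint8_t *nul = memchr(field, 0, field_len);
    if (nul == NULL)
        return -1;                     /* unterminated name */
    size_t name_len = (size_t)(nul - field);
    if (name_len >= CAR_NAME_BUF)
        return -1;                     /* would overflow the 256-byte buffer */
    memcpy(dst, field, name_len + 1);  /* copy includes the terminator */
    return 0;
}

/* Bug B pattern: allocate a size chosen by the client. Returns NULL so the
 * caller can drop the packet when the size is zero, above the cap, or the
 * allocator itself fails. */
void *alloc_client_buffer(uint32_t requested)
{
    if (requested == 0 || requested > MAX_CLIENT_ALLOC)
        return NULL;
    return calloc(1, requested);
}

/* Runs the checks on constructed sample inputs; returns 1 if all behave. */
int self_check(void)
{
    char name[CAR_NAME_BUF];
    uint8_t ok[] = "constructed_car";
    uint8_t big[512];
    memset(big, 'A', sizeof big);
    big[300] = 0;                      /* terminated, but 300 characters long */
    void *p = alloc_client_buffer(1024);
    int alloc_ok = (p != NULL);
    free(p);
    return copy_car_name(name, ok, sizeof ok) == 0
        && strcmp(name, "constructed_car") == 0
        && copy_car_name(name, big, sizeof big) == -1  /* too long */
        && copy_car_name(name, big, 200) == -1         /* no terminator */
        && alloc_client_buffer(0xFFFFFFFFu) == NULL && alloc_ok;
}
int main(void) { return self_check() ? 0 : 1; }
```
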