####################################################################### Luigi Auriemma Application: Painkiller http://www.painkillergame.com Versions: <= 1.35 Platforms: Windows Bug: limited buffer-overflow Exploitation: remote, versus server (in-game) Date: 02 Feb 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: http://aluigi.altervista.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Painkiller is the great FPS game developed by People can Fly (http://www.peoplecanfly.com) and released in April 2004. ####################################################################### ====== 2) Bug ====== The bug is about the buffer that must contain the Gamespy cd-key hash for the online server-side authorization. This buffer is limited to 100 bytes (the Gamespy cd-key hash is long 72 chars), so if an attacker uses a longer hash will be able to overflow the buffer. However exist two limitations for the exploitation of this bug, the first is that only alpha-numeric chars are allowed (1-9, A-Z and a-z) while the second is not so important since this is an in-game bug, so if a server is protected by password the attacker must know it. ####################################################################### =========== 3) The Code =========== http://aluigi.altervista.org/poc/painkkeybof.zip ####################################################################### ====== 4) Fix ====== Version 1.61. ####################################################################### --- Luigi Auriemma http://aluigi.altervista.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html