#######################################################################

Luigi Auriemma

Application:  Area 51
              http://www.area51-game.com
              Another game from the same developers, BlackSite: Area 51,
              also exists, but it should not be vulnerable (not tested)
Versions:     <= 1.1 (sometimes referred to as 1.2, but it is really 1.1)
Platforms:    Windows
Bug:          buffer-overflow
Exploitation: remote, versus server
Date:         30 Jun 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Area 51 is an old game from 2005, developed by Midway, but it is still
played today. Since 2008 the game has been available as freeware with
in-game sponsors.

#######################################################################

======
2) Bug
======

The bug is very simple: the game uses a stack buffer of about 896 bytes
and calls recvfrom with a maximum length of 1024, so any datagram longer
than the buffer overflows it... really incredible.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -b 0x41 SERVER 27666 1024

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
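The defect described in section 2 is the classic mismatch between a stack buffer's real capacity and the length handed to recvfrom. The following C program is an added illustration of that pattern and of the correct form (bounding the read by sizeof the buffer), written for this page; it is not the game's code and not part of the original advisory. The sizes (896-byte buffer, 1024-byte read) are taken from the advisory; the socket call is simulated by a local function so the example runs offline, and the datagram contents are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes from the advisory: a ~896-byte stack buffer, recvfrom asked for 1024. */
#define STACK_BUF_SIZE   896
#define RECV_MAX_BUGGY   1024

/* Stand-in for recvfrom() (assumption: same contract as the real call).
 * It trusts `len` as the capacity of `buf` and copies up to that many bytes
 * of the pending datagram. If `len` is larger than `buf`, the copy writes
 * past the end of the buffer, exactly as in the game. */
static size_t fake_recvfrom(unsigned char *buf, size_t len,
                            const unsigned char *dgram, size_t dgram_len)
{
    size_t n = dgram_len < len ? dgram_len : len;
    memcpy(buf, dgram, n);
    return n;
}

/* Static check a reviewer applies to every recv/recvfrom call site:
 * returns 1 when the requested length can exceed the destination buffer. */
int recv_len_overflows(size_t buf_size, size_t recv_max)
{
    return recv_max > buf_size;
}

/* Hardened handler: the bound is derived from the buffer itself, so an
 * oversized datagram is truncated to what fits instead of spilling onto
 * the stack. Returns the number of bytes actually accepted. */
size_t handle_datagram_hardened(const unsigned char *dgram, size_t dgram_len)
{
    unsigned char buf[STACK_BUF_SIZE];
    size_t got = fake_recvfrom(buf, sizeof buf, dgram, dgram_len);
    /* `got` can never exceed sizeof buf here; downstream parsing must use
     * `got`, not a length field supplied by the peer. */
    return got;
}

/* Constructed input: a 1024-byte datagram filled with 0x41, the same
 * shape the advisory's udpsz invocation produces. With the buggy bound
 * (RECV_MAX_BUGGY) this would overflow; the hardened handler truncates. */
size_t demo_oversized_datagram(void)
{
    unsigned char dgram[RECV_MAX_BUGGY];
    memset(dgram, 0x41, sizeof dgram);
    return handle_datagram_hardened(dgram, sizeof dgram);
}

/* Constructed input: a normal-sized 100-byte datagram is accepted whole. */
size_t demo_normal_datagram(void)
{
    unsigned char dgram[100];
    memset(dgram, 0x42, sizeof dgram);
    return handle_datagram_hardened(dgram, sizeof dgram);
}

int main(void)
{
    printf("buggy call site overflows: %d\n",
           recv_len_overflows(STACK_BUF_SIZE, RECV_MAX_BUGGY));
    printf("hardened handler accepted %zu of %d bytes\n",
           demo_oversized_datagram(), RECV_MAX_BUGGY);
    printf("hardened handler accepted %zu of 100 bytes\n",
           demo_normal_datagram());
    return 0;
}
```

On a real socket the same rule applies: pass sizeof(buf) (or a smaller value) as the length argument, and treat any datagram that had to be truncated as malformed rather than trusting a length carried inside the packet.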