#######################################################################

                             Luigi Auriemma

Application:  Painkiller
              http://www.painkillergame.com
Versions:     <= 1.3.1
Platforms:    Windows
Bug:          memory corruption with limited code execution
Exploitation: remote, versus server
Date:         24 August 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################


===============
1) Introduction
===============


Painkiller is a famous FPS game developed by People Can Fly
(http://www.peoplecanfly.com) and published by DreamCatcher
(http://www.dreamcatcher.com).
The game was released in April 2004.


#######################################################################


======
2) Bug
======


The handshake to join a Painkiller server is composed of 3 packets:

- a connection request from the client (ID 0x02)
- a challenge key from the server (ID 0x03), used for the calculation
  of both the Gamespy cd-key authorization string
  (http://aluigi.org/papers/gskey-auth.txt) and the password used to
  access protected game servers
- the client's join packet (ID 0x04), containing its game version, the
  Gamespy cd-key auth string, the password (if needed) and some other
  information

The problem is in the password field, which is read by both protected
and non-protected game servers. It is encoded with a specific algorithm
keyed on the challenge string received from the server, and when the
server tries to "unscramble" a password that is too long (over 256
chars) some important memory zones are overwritten.
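The following C program is an added illustration of the bug class described above; it is not code from this advisory, from the PoC archive, or from the game. The real password encoding is in painkiller_pckpwd.h (linked in this advisory) and is not reproduced here: the decode step below (XOR with the challenge, then keep the low 6 bits) is a hypothetical stand-in chosen only because it reproduces the two properties the advisory states, namely that the server decodes the attacker-controlled password into fixed 256-byte storage without a length check, and that every byte the intermediate step produces lies in 0x00..0x3f. The 8-byte challenge, the 300-byte over-long password and the sample addresses are constructed inputs.

```c
/*
 * Added illustration, NOT the advisory's or the game's code.
 * decode_byte() is a HYPOTHETICAL stand-in for the real algorithm in
 * painkiller_pckpwd.h; it only models "fixed 256-byte output storage"
 * and "decoded bytes limited to 0x00..0x3f".
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PASS_BUF      256   /* decoded-password storage; the advisory's 256-char limit */
#define CHALLENGE_LEN 8     /* assumed length of the server's ID 0x03 challenge */

/* Constructed sample challenge (assumption: not the real key format). */
static const uint8_t sample_challenge[CHALLENGE_LEN] =
    { 'A', '1', 'b', '2', 'C', '3', 'd', '4' };

/* Hypothetical intermediate step: XOR with the challenge, keep 6 bits. */
static uint8_t decode_byte(uint8_t c, const uint8_t *challenge, size_t i)
{
    return (uint8_t)((c ^ challenge[i % CHALLENGE_LEN]) & 0x3f);
}

/* Vulnerable pattern: trusts the attacker-supplied length, so any
 * len > PASS_BUF writes past the end of out[]. */
void unscramble_unsafe(const uint8_t *challenge, const uint8_t *enc,
                       size_t len, uint8_t out[PASS_BUF])
{
    for (size_t i = 0; i < len; i++)
        out[i] = decode_byte(enc[i], challenge, i);
}

/* Hardened pattern: reject before decoding. 0 on success, -1 if too long. */
int unscramble_safe(const uint8_t *challenge, const uint8_t *enc,
                    size_t len, uint8_t out[PASS_BUF])
{
    if (len > PASS_BUF)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = decode_byte(enc[i], challenge, i);
    return 0;
}

/* 1 if every byte of a 32-bit little-endian value lies in 0x00..0x3f,
 * i.e. if the decoded password could place that value over a saved
 * return address under the advisory's byte constraint. */
int addr_fits_constraint(uint32_t addr)
{
    for (int shift = 0; shift < 32; shift += 8)
        if (((addr >> shift) & 0xffu) > 0x3fu)
            return 0;
    return 1;
}

/* Largest byte the decode step yields for an all-0xff input, to show
 * the 0x3f ceiling. Returns 0x3e with the constructed challenge. */
int demo_max_decoded_byte(void)
{
    uint8_t enc[300], m = 0;
    memset(enc, 0xff, sizeof enc);
    for (size_t i = 0; i < sizeof enc; i++) {
        uint8_t d = decode_byte(enc[i], sample_challenge, i);
        if (d > m) m = d;
    }
    return m;
}

/* 1 if the hardened decoder rejects a constructed 300-byte password. */
int demo_overlong_rejected(void)
{
    uint8_t enc[300], out[PASS_BUF];
    memset(enc, 0xff, sizeof enc);
    return unscramble_safe(sample_challenge, enc, sizeof enc, out) == -1;
}

/* 1 if the hardened decoder still accepts a normal 16-byte password. */
int demo_short_accepted(void)
{
    uint8_t enc[16], out[PASS_BUF];
    memset(enc, 'x', sizeof enc);
    return unscramble_safe(sample_challenge, enc, sizeof enc, out) == 0;
}

int main(void)
{
    printf("300-byte password rejected by hardened decoder: %d\n", demo_overlong_rejected());
    printf("16-byte password accepted:                      %d\n", demo_short_accepted());
    printf("max decoded byte for 0xff input:                0x%02x\n", demo_max_decoded_byte());
    printf("0x00301000 reachable with constrained bytes:    %d\n", addr_fits_constraint(0x00301000u));
    printf("0x00401000 reachable with constrained bytes:    %d\n", addr_fits_constraint(0x00401000u));
    /* unscramble_unsafe() with the 300-byte input would overrun out[] by 44 bytes; not called. */
    return 0;
}
```

The vulnerable and hardened decoders differ only in the length check performed before the first write; addr_fits_constraint() is the test a practitioner would run over candidate return addresses when, as here, the overwrite can only carry bytes from a restricted range.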
The full optimized encoding/decoding algorithm is available here:

  http://aluigi.org/papers/painkiller_pckpwd.h

Due to the type of encoding algorithm and the type of bug it does not
seem possible to fully execute remote code (at least not easily),
because the return address can be overwritten only with the bytes
allowed by an intermediate step of the password decoding, i.e. from
0x00 to 0x3f. Other exploitation methods may exist, but the only one I
have found has this limitation.


#######################################################################


===========
3) The Code
===========


http://aluigi.org/poc/painkex.zip


#######################################################################


======
4) Fix
======


No fix.
The developers were contacted over one month ago but the patch (which
is ready) has not been released yet.


#######################################################################