#######################################################################

Luigi Auriemma

Applications:  Engine used in Kart Racing Pro, GP Bikes and World Racing Series
               http://www.kartracing-pro.com
               http://www.gp-bikes.com
               http://www.worldracingseries.net
Versions:      current ones, refer to the date of this advisory
Platforms:     Windows
Bug:           stack overflow
Exploitation:  remote, versus server
Date:          27 Jun 2011 (found and reported on my forum 15 Dec 2010)

Author:        Luigi Auriemma
               e-mail: aluigi@autistici.org
               web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Kart Racing Pro, GP Bikes and World Racing Series are "forever
work-in-progress" commercial games that are widely used and appreciated
for their features (gpbikes is really promising) and for the quality of
the simulation and the type of vehicle simulated (KRP has a big, growing
community).

#######################################################################

======
2) Bug
======

The games all use the same engine, which encrypts its UDP packets with
Blowfish in ECB mode (bf_ecb) using the key "fe7epraruWRa7reV".

This engine is vulnerable to an 8-byte stack overflow caused by the use
of a 1400-byte buffer together with a call to recvfrom with a size of
1408. The overflow happens immediately after the decryption of the
packet content.

Note that Kart Racing Pro is compiled with the exception handler, so
code execution is not possible there, only a crash.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/piboso_1.dat

  nc SERVER PORT -u < piboso_1.dat

The default ports are 10600 for KRP and 10500 for the other games.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
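As an added illustration of the receive pattern described in section 2 (not the engine's code, and written from a defensive angle): the vulnerable call hands recvfrom a length larger than the buffer, while the bounded version derives the length from the buffer itself so an oversized datagram is truncated by the kernel instead of spilling onto the stack. Function names, the canary check and the socketpair-based self-test are assumptions for this example.

```c
/* Added example: bounded datagram receive beside the pattern the advisory
 * describes. Uses an AF_UNIX datagram socketpair so it runs offline. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define PKT_BUF_SIZE 1400   /* buffer size named in the advisory */
#define BAD_RECV_LEN 1408   /* length the engine passes to recvfrom: 8 too many */

/* Vulnerable pattern (sketch only, never compiled here):
 *   unsigned char pkt[PKT_BUF_SIZE];
 *   n = recvfrom(fd, pkt, BAD_RECV_LEN, 0, (struct sockaddr *)&from, &fromlen);
 * A datagram of 1401..1408 bytes writes up to 8 bytes past the end of pkt. */

/* Hardened receive: the length given to recvfrom is the real buffer size.
 * Returns bytes stored (at most buflen), or -1 on error. */
ssize_t recv_bounded(int fd, unsigned char *buf, size_t buflen)
{
    struct sockaddr_storage from;
    socklen_t fromlen = sizeof(from);
    return recvfrom(fd, buf, buflen, 0, (struct sockaddr *)&from, &fromlen);
}

/* Self-check: send a constructed datagram of dgram_len bytes through a local
 * socketpair into a 1400-byte buffer followed by an 8-byte canary (assumption:
 * the canary models the 8 stack bytes beyond the buffer).
 * Returns bytes stored if the canary is untouched, -1 otherwise. */
ssize_t demo_receive(size_t dgram_len)
{
    int sv[2];
    struct { unsigned char pkt[PKT_BUF_SIZE]; unsigned char canary[8]; } frame;
    unsigned char payload[2048];   /* constructed test datagram */
    ssize_t n;

    if (dgram_len > sizeof(payload)) return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
    memset(payload, 'A', dgram_len);
    memset(frame.canary, 0xCC, sizeof(frame.canary));
    if (send(sv[0], payload, dgram_len, 0) != (ssize_t)dgram_len) n = -1;
    else n = recv_bounded(sv[1], frame.pkt, sizeof(frame.pkt));
    close(sv[0]);
    close(sv[1]);
    for (size_t i = 0; i < sizeof(frame.canary); i++)
        if (frame.canary[i] != 0xCC) return -1;   /* overflow detected */
    return n;
}

int main(void)
{
    printf("1408-byte datagram, bounded receive: %zd bytes stored\n", demo_receive(1408));
    return 0;
}
```

A 1408-byte datagram yields 1400 stored bytes with the canary intact; the excess is discarded by the kernel rather than written past the buffer.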