#######################################################################

Luigi Auriemma

Applications: Purge and Purge Jihad
              http://www.purgejihad.com
Versions:     Purge <= 1.4.7
              Purge Jihad <= 2.0.1
Platforms:    Windows
Bug:          broadcast client's buffer overflow
Exploitation: remote, versus clients (broadcast)
Date:         16 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Purge Jihad is a game developed by Freeform Interactive using the
Lithtech Talon graphic engine:

"It is a hybrid Role-Playing-Game / First-Person-Shooter set in the near
future accounting a war between the diametrically opposed forces of
science-fiction (the Order) and fantasy (the Chosen)"

#######################################################################

======
2) Bug
======

The bug is a "broadcast" buffer overflow affecting clients.

Each client that enters the multiplayer screen automatically contacts
the master server and then sends a query to every available online game
server to learn about the match currently running on it.

The attacker's server simply needs to reply to the clients' requests
with an information packet containing two oversized fields: battle type
and map name.

These fields are handled by a vulnerable function that copies the
supplied strings into a 64-byte buffer, which cannot hold the maximum
length of 256 bytes allowed for each field.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/purge-cbof.zip

#######################################################################

======
4) Fix
======

Purge Jihad 2.0.2

#######################################################################
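The defect in section 2 is an unbounded copy of two server-controlled strings into a 64-byte client buffer. The following C is an added illustration written for this page, not code from the advisory, the proof of concept or the game: it assumes a simplified reply layout of two NUL-terminated strings (battle type, then map name) and shows a bounded parser that rejects any field that would not fit, together with constructed sample replies for the well-formed and the 256-byte case.

```c
#include <stdint.h>
#include <string.h>

#define FIELD_BUF 64   /* client-side buffer size named in the advisory */
#define FIELD_MAX 256  /* maximum field length a server may send */

/* Hardened copy. The flawed pattern the advisory describes amounts to an
 * unchecked strcpy() into dst; here a field that does not fit together
 * with its terminator is rejected instead of truncated silently.
 * Returns 0 on success, -1 if rejected. */
static int copy_field_safe(char dst[FIELD_BUF], const char *src, size_t n)
{
    if (src == NULL || n >= FIELD_BUF)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Assumed reply layout (not documented in the advisory): two
 * NUL-terminated strings, battle type then map name.
 * Returns 0 if both fields are accepted, -1 otherwise. */
int parse_info_reply(const uint8_t *pkt, size_t len,
                     char battle[FIELD_BUF], char map[FIELD_BUF])
{
    const char *p = (const char *)pkt, *end = p + len, *nul;
    if ((nul = memchr(p, '\0', (size_t)(end - p))) == NULL) return -1;
    if (copy_field_safe(battle, p, (size_t)(nul - p)) != 0) return -1;
    p = nul + 1;
    if ((nul = memchr(p, '\0', (size_t)(end - p))) == NULL) return -1;
    return copy_field_safe(map, p, (size_t)(nul - p));
}

/* Constructed sample replies: a well-formed one, and one whose map name
 * is FIELD_MAX bytes long, the case the advisory describes. */
int check_well_formed(void)
{
    static const uint8_t pkt[] = "ctf\0arena1\0";
    char battle[FIELD_BUF], map[FIELD_BUF];
    return parse_info_reply(pkt, sizeof(pkt), battle, map) == 0
        && strcmp(battle, "ctf") == 0 && strcmp(map, "arena1") == 0;
}

int check_oversized_rejected(void)
{
    uint8_t pkt[4 + FIELD_MAX + 1];
    char battle[FIELD_BUF], map[FIELD_BUF];
    memcpy(pkt, "ctf", 4);                /* battle type + NUL */
    memset(pkt + 4, 'A', FIELD_MAX);      /* 256-byte map name */
    pkt[4 + FIELD_MAX] = '\0';
    return parse_info_reply(pkt, sizeof(pkt), battle, map) == -1;
}
```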