Lithtech Engine – Memory Corruption

  • Author: Luigi Auriemma
    Date: 2010-07-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/14424/
  • # Original Advisory: http://aluigi.org/adv/fearless-adv.txt
    #
    #######################################################################
    
     Luigi Auriemma
    
    Application:  Lithtech engine
                  http://www.lithtech.com
    Games:        any game should be affected, refer to
                  http://en.wikipedia.org/wiki/Lithtech#Lithtech_implementations
                  those personally tested by me are:
                  F.E.A.R. <= 1.08
                  F.E.A.R. 2 Project Origin <= 1.05
    
    Platforms:    Windows and Mac
    Bug:          memory corruption
    Exploitation: remote, versus server
    Date:         20 Jul 2010
    Author:       Luigi Auriemma
                  e-mail: aluigi@autistici.org
                  web:    aluigi.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Lithtech is the well known game engine developed by Monolith and used
    in various famous games like Alien vs Predator 2, No One Lives Forever
    and the F.E.A.R. series.
    Currently the first episode of F.E.A.R. is the most played online of
    the games based on the Lithtech engine.

    #######################################################################

    ======
    2) Bug
    ======

    I premise that I haven't performed deep research on the vulnerability
    and I have focused my tests mainly on F.E.A.R., although a quick test
    has confirmed the same/similar problem on other games that use
    protocol 2 of the Lithtech engine, like No One Lives Forever 2.

    Through a malformed packet it is possible to corrupt the memory of the
    game, with effects that seem to suggest the possibility for an attacker
    to do something more than crashing the server.

    Indeed the problem affects some function pointers, so the possibility
    of having a certain control over them and over the code flow remotely
    is not excluded.

    No other technical details are available at the moment.

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.org/poc/fearless.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14424.zip (fearless.zip)

    tuned to work with the F.E.A.R. series, so Project Origin included.

    #######################################################################

    ======
    4) Fix
    ======

    No fix.

    #######################################################################