Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 15:46

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 11 posts ] 
Author Message
 Post subject: Racer v0.5.3 beta 5 Remote + local Buffer Overflow Exploit
PostPosted: 14 Aug 2007 13:53 

Joined: 14 Aug 2007 13:32
Posts: 71
Racer is a free cross-platform car simulation project (for non-commercial use), using professional car physics to achieve a realistic feeling and an excellent render engine for graphical realism. Cars, tracks and such can be created relatively easy (compared to other, more closed, driving simulations). The 3D, physics and other file formats are documented. Editors and support programs are also available to get a very customizable and expandable simulator. OpenGL is used for rendering.


I came across some buffer over flow's yesterday,while testing the game.Im going to look into the linux version today.Luigi is probly the best person to look into the source code.Im just going to test the udp port's as i know port 26000 is for the console window in the game.I was able to over flow the buffer and execute shell code.Ok so to start with the remote version i rushed this which i should not have done i wanted to write a c version but to save time i wrote in in perl.


As you can see 1001 byte's the next 4 byte's the eip was over written,So esp was holding the buffer so i found a static jmp esp adress in the dll.Then the shell code.

On to the local version of this exploit is uses the same principle i used a file which is used to print console commands at the start of the race Just like the remote version appart from the register's esp was only holding 36 byte's of buffer which was no good but with a little more i was able to get the buffer into the ebx register.So then i was able to do just a call ebx or jmp ebx into the shell code as you can see by the script the ebx register was pointing 1018 byte's in the buffer.So i had to use the shell code to get us to the point where the eip was under our control.Becouse i used multiple shell code i had to calculate the buffer and shell code to make sure they didn't exceed 2019 byte's.


Attachments:
File comment: c exploit
racer local.rar [4.74 KiB]
Downloaded 177 times
File comment: Perl exploit
racer remote.rar [2.28 KiB]
Downloaded 151 times


Last edited by n00b on 14 Aug 2007 14:35, edited 5 times in total.
Top
 Profile  
 
 
 Post subject:
PostPosted: 14 Aug 2007 14:00 

Joined: 14 Aug 2007 10:06
Posts: 5
Why you don't paste the .c with the bug and explain how have you found it?
In that way all people can learn about it.


Top
 Profile  
 
 Post subject:
PostPosted: 14 Aug 2007 14:13 

Joined: 14 Aug 2007 13:32
Posts: 71
Hi khlero well i don't look at open source like luigi he will probly able to tell where the buffer over flow is.I wrote a simple fuzzer in perl to test the udp port's and by manipulating the packet's to cause the exception.I wrote the first local buffer over flow.Which on there site they had documented that command's could be sent throught the udp port so.I quickly realized i could also exploit the same buffer over flow through the udp port.


Last edited by n00b on 14 Aug 2007 14:16, edited 3 times in total.

Top
 Profile  
 
 Post subject:
PostPosted: 14 Aug 2007 14:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
good work n00b
I know a bit that game, I downloaded it for testing but than I saw it was in a beta stage so I decided to leave it.
I have just enabled the attachments in the forum, can you edit your post attaching the exploits to it?


Top
 Profile  
 
 Post subject:
PostPosted: 14 Aug 2007 14:22 

Joined: 14 Aug 2007 13:32
Posts: 71
Yeh lol it won't allow (txt pl cpp c) extension's.


Top
 Profile  
 
 Post subject: Re: Racer v0.5.3 beta 5 Remote + local Buffer Overflow Exploit
PostPosted: 20 Mar 2009 01:50 

Joined: 03 Feb 2009 01:40
Posts: 31
Cool , here is remote vs in C .
http://www.filehost.ro/450369/racertest_avi/


Attachments:
racer remote b0f.zip [16.88 KiB]
Downloaded 146 times
Top
 Profile  
 
 Post subject: Re: Racer v0.5.3 beta 5 Remote + local Buffer Overflow Exploit
PostPosted: 21 Mar 2009 16:57 

Joined: 14 Aug 2007 13:32
Posts: 71
ah aha flow flow good to see you about i saw your exploit on milw0rm its np from me for you to release a cleaner version.At the time i released that exploit in perl i was really busy.And didn't take much time to analyze and rebuild a cleaner solution in c..

But im working on some thing atm which i will release a poc in the next day or two but i need to collect more info on the vulnerability..

Lately i had so much on my plate with work and stuff there was no time for me to look at exploit development so I'm just breaking myself in again :)
..


Top
 Profile  
 
 Post subject: Re: Racer v0.5.3 beta 5 Remote + local Buffer Overflow Exploit
PostPosted: 21 Mar 2009 18:19 

Joined: 03 Feb 2009 01:40
Posts: 31
Great , I'm looking forword to see your work again , I know how it is , I'm really busy to with school all the time and it's real nice to make time for these litle things that are so important.
Btw here is the racer in action :) http://www.filehost.ro/450369/racertest_avi
What kind of bug are you working on ? I'm guessing b0f LOL ! :) is it classic or more complex ? pls lay down some debugging details here when your done, like I said I enjoy studying and reversing you work.


Top
 Profile  
 
 Post subject: Re: Racer v0.5.3 beta 5 Remote + local Buffer Overflow Exploit
PostPosted: 22 Mar 2009 14:10 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
anyway 0.5.3 is a jurassik version of Racer, the latest one is 0.7.3 (http://racer.nl/dl_beta_win.htm).
have you checked if the bug is still there?


Top
 Profile  
 
 Post subject: Re: Racer v0.5.3 beta 5 Remote + local Buffer Overflow Exploit
PostPosted: 22 Mar 2009 15:05 

Joined: 03 Feb 2009 01:40
Posts: 31
New dw link for video , I didn't put the correct usage , you have to mention shell at end -shellcode 0-2 ,as you saw probably.
http://rapidshare.com/files/212167054/r ... t.avi.html
I checked 0.7.3 it's fixed , and lower vs than 0.5.3 weren't having any problems as also.


Top
 Profile  
 
 Post subject: Re: Racer v0.5.3 beta 5 Remote + local Buffer Overflow Exploit
PostPosted: 23 Mar 2009 15:48 

Joined: 14 Aug 2007 13:32
Posts: 71
aluigi I checked the bug awhile ago once the developers fixed it and it is defiantly fixed,
Although i never checked the local version im sure some sort of precautions where put in place to stop the possibility for further exploitation.But have not gone through source code at all.

The buffer overflow im working on at the moment is a pure bitch lol.No other words the amount of filtered chars in the shell code is just a joke although im not going to release it yet as im still playing with it the poc code is all done and i was able to squeeze a few more buffer overflow out of the application.

But im more than sure there are a few more that need to be investigated .


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 11 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: