3 matches found
Counter Strike : GO - (.bsp) Memory Control Exploit
So I’ve been holding onto this neat little gem of a .bsp that has four bytes very close to the end of the file that control the memory allocator. See above picture. Works on all supported operating systems last I checked, so Linux, Windows, and macOS, even after a few years. Download...
Valve: [GoldSrc] RCE via malformed BSP file
Description: RCE can be achieved via a malformed BSP file due to the lack of length validation when copying data from the BSP file into a stack-based buffer. POC: 1. Place the attached BSP F666628 in the maps directory of the chosen GoldSrc game (czero/maps, cstrike/maps, tfc/maps, etc.). 2. Launch t...
Valve: [GoldSrc] Remote Code Execution using malicious WAD list in BSP file
Summary: The TEXInitFromWad function calls COMFileBase to get the file name from a path into a buffer on the stack. Since COMFileBase does not have boundary checks and the buffer is small, a long WAD file name can trigger a stack buffer overflow, leading to arbitrary code execution. Steps to reproduce...