Application:  Painkiller
              http://www.painkillergame.com
Versions:     <= 1.35
Platforms:    Windows
Bug:          limited buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         02 Feb 2005
Author:       Luigi Auriemma
              e-mail: firstname.lastname@example.org
              web:    http://aluigi.altervista.org
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Painkiller is the great FPS game developed by People Can Fly (http://www.peoplecanfly.com) and released in April 2004.
======
2) Bug
======
The bug concerns the buffer that must hold the Gamespy cd-key hash used for the online server-side authorization. This buffer is limited to 100 bytes, while the Gamespy cd-key hash is 72 chars long, so an attacker who sends a longer hash can overflow the buffer.

However, there are two limitations on the exploitation of this bug: the first is that only alpha-numeric chars are allowed (1-9, A-Z and a-z), while the second, which is not so important, is that since this is an in-game bug, the attacker must know the server's password if the server is protected by one.
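As an added example (not code from the advisory or from the game itself), a hardened version of the server-side cd-key hash handler in C, using the sizes the advisory gives: the 100-byte buffer and the 72-character hash. The struct and function names are hypothetical, and isalnum is assumed as the allowed character set.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Sizes from the advisory: a 100-byte buffer holds the Gamespy cd-key hash,
 * and a legitimate hash is exactly 72 characters long. */
#define CDKEY_HASH_BUF 100
#define CDKEY_HASH_LEN 72

/* Hypothetical per-client state; the game's real structures are not public. */
struct client { char cdkey_hash[CDKEY_HASH_BUF]; };

/* The flaw in the advisory amounts to copying the client-supplied hash into
 * cdkey_hash with no length check. This hardened handler copies nothing until
 * the input is exactly 72 alphanumeric characters. Returns 0 or -1. */
int store_cdkey_hash(struct client *c, const char *hash)
{
    size_t n = 0, i;
    if (c == NULL || hash == NULL)
        return -1;
    /* Bounded scan: measuring the input must not itself read past the buffer size. */
    while (n <= CDKEY_HASH_BUF && hash[n] != '\0')
        n++;
    if (n != CDKEY_HASH_LEN)            /* 72 always fits in the buffer */
        return -1;
    for (i = 0; i < n; i++)             /* alphanumeric only (isalnum assumed) */
        if (!isalnum((unsigned char)hash[i]))
            return -1;
    memcpy(c->cdkey_hash, hash, n);
    c->cdkey_hash[n] = '\0';
    return 0;
}

/* Self-check on constructed inputs (not real key hashes): returns 1 if an
 * oversized hash and a non-alphanumeric one are rejected and a valid one kept. */
int check_handler(void)
{
    struct client c;
    char buf[CDKEY_HASH_BUF + 50];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';         /* 149 chars: would have overflowed */
    if (store_cdkey_hash(&c, buf) != -1)
        return 0;
    buf[CDKEY_HASH_LEN] = '\0';         /* exactly 72 chars: accepted */
    if (store_cdkey_hash(&c, buf) != 0 || strlen(c.cdkey_hash) != CDKEY_HASH_LEN)
        return 0;
    buf[10] = '!';                      /* non-alphanumeric: rejected */
    return store_cdkey_hash(&c, buf) == -1;
}
```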
===========
3) The Code
===========
======
4) Fix
======
Luigi Auriemma http://aluigi.altervista.org
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html