Anonymous Remote Arbitrary Code Execution in Alien Arena
Jason Geffner, [email protected]
AHA_0x0025, October 28th, 2009

Page 1

Anonymous Remote Arbitrary Code Execution in Alien Arena

Jason Geffner, [email protected]

AHA_0x0025 • October 28th, 2009

Page 2

About Me

• 2007 – Present: Principal Security Consultant @ NGSSoftware

• 2004 – 2007: Reverse Engineer @ Microsoft Corporation

Page 3

Background

June 21, 2009 – New open source game announced on Slashdot

Page 4

Approach

• Download source code

• Analyze how incoming packets are parsed

• Look for security vulnerabilities

• Develop proof-of-concept exploit

• Responsibly disclose vulnerability to publisher

Page 5

Parsing Incoming Packets

Page 6

Parsing Incoming Packets

Page 7

Parsing Incoming Packets

Page 8

Parsing Incoming Packets

Page 9

Parsing Incoming Packets

Page 10

Stack Frame

Offset     Value            Bytes
-0x012A    seps             2
-0x0128    players          4
-0x0124    result           4
-0x0120    playername       32
-0x0100    lastToken        256
 0x0000    Return Address   4
 0x0004    adr              20
 0x0018    status_string    4

Page 11

Exploitation

• We can clearly overwrite the Return Address

• What address should we use, though?

Page 12

Exploitation

• Ideally:

1. Address is constant across all versions of Windows

2. Address does not contain a null-byte (0x00345678 would be bad)

3. Code at this address is readable and executable

4. Attacker can write to this address

Page 13

Exploitation

• Address of a static/global variable in Alien Arena’s executable:

1. Address is constant across all versions of Windows

Constant address since the executable is not linked for Address Space Layout Randomization (ASLR)

Page 14

Exploitation

• Address of a static/global variable in Alien Arena’s executable:

2. Address does not contain a null-byte (0x00345678 would be bad)

The .data PE section ranges from [0x000BB000 – 0x05A833D9], so we should be able to find a variable whose address doesn’t contain a null-byte

Page 15

Exploitation

• Address of a static/global variable in Alien Arena’s executable:

3. Code at this address is readable and executable

The .data PE section’s characteristics are linked as both Readable and Writeable, and since the executable isn’t linked for DEP, the section is executable too

Page 16

Exploitation

• Address of a static/global variable in Alien Arena’s executable:

4. Attacker can write to this address

We need to find a static/global variable in Alien Arena that we can write to whose address doesn’t contain a null-byte

Page 17

The servers Global Array

• The servers global array begins at static address 0x05BE8EE0

• servers[0].port is at static address 0x05BE8F00

• servers[1].port is at static address 0x05BE9734

Page 18

Payload #1

• We can write 2 bytes to static address 0x05BE9734

• The function with the overflow vulnerability is a __cdecl function, so after “returning” to the overwritten return address, ESP points right after the overwritten return address, which we also control

• Machine code for JMP ESP is 0xFF 0xE4 – exactly two bytes! How convenient!

Page 19

UDP Packet #1

Offset      Hex Data                 ASCII
0x00000000  FF FF FF FF 73 65 72 76  ....serv
0x00000008  65 72 73 20 00 00 00 00  ers ....
0x00000010  00 00 00 00 00 00 FF E4  ........

Annotations (in packet order):

-1 (FF FF FF FF) to cause CL_ReadPackets() to call CL_ConnectionlessPacket()

“servers” command to cause CL_ConnectionlessPacket() to call CL_ParseGetServersResponse()

servers[0] IP address = 0.0.0.0, servers[0].port = 0x0000

servers[1] IP address = 0.0.0.0, servers[1].port = 0xE4FF

Page 20

Payload #2

• We now have a static address to return to

• We need to overflow the lastToken buffer, overwrite the return address, and follow it with our shellcode

• Shellcode can’t contain null-bytes, ‘\n’, or ‘\\’ characters since they’re used for string tokenization

Page 21: Anonymous Remote Arbitrary Code Execution in Alien Arena

Offset Hex Data ASCII0x000000000x00000008...

0x00000108...

0x000001F0

FF FF FF FF 70 72 69 6E74 0A 41 41 41 41 41 41...

41 41 34 97 BE 05 33 C9...

7A 1A 0A

....print.AAAAAAAA4...3.z..

UDP Packet #2

-1 to causeCL_ReadPackets()to call

CL_ConnectionlessPacket()

“print” command to cause CL_ConnectionlessPacket()

to call M_AddToServerList(…)

Overwritten Return Address: 0x05BE9734 256 (0x100) junk bytes

‘\n’ for GetLine(…) Shellcode

Page 22

Demo

Page 23

Conclusion

• Anonymous remote attacker can execute arbitrary code on clients’ systems by sending two UDP packets

• Other vulnerabilities likely still exist in codebase

• Developers:
– GS, ASLR, DEP would have deterred exploitation
– Don’t use SDL-banned API functions like strcpy(…)

Page 24

Q & A