Lithtech Engine - Memory Corruption

EDB-ID:

14424

CVE:


EDB Verified:

Author:

Luigi Auriemma

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2010-07-20

Vulnerable App: 
# Original Advisory: http://aluigi.org/adv/fearless-adv.txt
#
#######################################################################

                             Luigi Auriemma

Application:  Lithtech engine
              http://www.lithtech.com
Games:        any game should be affected, refer to
              http://en.wikipedia.org/wiki/Lithtech#Lithtech_implementations
              those personally tested by me are:
                F.E.A.R.                                        <= 1.08
                F.E.A.R. 2 Project Origin                       <= 1.05
                  http://www.whatisfear.com
Platforms:    Windows and Mac
Bug:          memory corruption
Exploitation: remote, versus server
Date:         20 Jul 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Lithtech is the well known game engine developed by Monolith and used
in various famous games like Alien vs Predator 2, No One Lives Forever
and the F.E.A.R. series.
Currently the first episode of F.E.A.R. is the most played online of
the games based on the Lithtech engine.


#######################################################################

======
2) Bug
======


I premise that I haven't performed a deep research on the vulnerability
and I have focused my tests mainly on F.E.A.R. although after a quick
test has been confirmed the same/similar problem on other games that
use protocol 2 of the Lithtech engine like No One Lives Forever 2.

Through a malformed packet is possible to corrupt the memory of the
game with effects that seem to suggest the possibility for an attacker
to do something more than the crashing of the server.
Indeed the problem affects some function pointers so it's not excluded
the possibility to have a certain control over them and the code flow
remotely.

No other technical details are available at the moment.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/fearless.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14424.zip (fearless.zip)

tuned to work with the F.E.A.R. series, so Project Origin included.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services