google-code-export / assaultcuber

Automatically exported from code.google.com/p/assaultcuber

Crash Exploit - Sendmap #140

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Attack: cfgsizegz is a very low negative number
Conditions: the attacker is connected to the server
Impact: this is a potential shellcode exploit. The negative number is treated as an unsigned integer, but the memcpy size is the same as the allocation size, so it is unlikely.

See server.cpp for an outline of the exploit.

What is the expected output? What do you see instead?
See crash.txt for the crash output. Note that it crashes in another place.

Access to this is restricted, in order to protect the public servers until the next release.

Original issue reported on code.google.com by theonlypwner on 17 Aug 2013 at 3:12
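The report above describes a length field (`cfgsizegz`) that arrives as a signed integer, goes negative, and is then used as an unsigned size for the allocation and the copy. The following is an added illustration for readers of this thread, not AssaultCube's code and not the attached server.cpp: it models a packet as a signed 32-bit length followed by payload (an assumed layout, not the game's real wire format), shows what a negative length becomes once converted to `size_t`, and places a validation step in front of the allocation so the peer's length can never exceed what was actually received or a sane upper bound. `MAX_CFG_GZ`, `cfg_size_ok`, `read_cfg` and `demo` are names chosen for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound for a gzipped map config; any real limit would come
 * from the protocol, this value is an assumption for the example. */
#define MAX_CFG_GZ 65536

/* What a negative int becomes when handed to malloc()/memcpy(): a huge size_t. */
size_t as_unsigned(int n) { return (size_t)n; }

/* Defensive check run before any allocation: the length must be non-negative,
 * within the maximum, and no larger than the bytes still present in the packet. */
bool cfg_size_ok(int cfgsizegz, size_t remaining) {
    if (cfgsizegz < 0) return false;
    if ((size_t)cfgsizegz > MAX_CFG_GZ) return false;
    if ((size_t)cfgsizegz > remaining) return false;
    return true;
}

/* Copies the config blob out of a packet into a fresh buffer. Returns NULL on
 * any validation failure instead of trusting the peer-supplied length. */
unsigned char *read_cfg(const unsigned char *pkt, size_t pktlen, int *outlen) {
    if (pktlen < sizeof(int32_t)) return NULL;
    int32_t cfgsizegz;
    memcpy(&cfgsizegz, pkt, sizeof cfgsizegz);        /* length field as sent by the peer */
    size_t remaining = pktlen - sizeof cfgsizegz;
    if (!cfg_size_ok(cfgsizegz, remaining)) return NULL;
    /* Allocation and copy now use the same, already-validated size. */
    unsigned char *buf = malloc((size_t)cfgsizegz + 1); /* +1 avoids malloc(0) for empty blobs */
    if (!buf) return NULL;
    memcpy(buf, pkt + sizeof cfgsizegz, (size_t)cfgsizegz);
    *outlen = cfgsizegz;
    return buf;
}

/* Builds a constructed test packet: 4-byte signed length field + payload bytes. */
size_t build_pkt(unsigned char *out, int32_t len_field,
                 const unsigned char *payload, size_t payloadlen) {
    memcpy(out, &len_field, sizeof len_field);
    memcpy(out + sizeof len_field, payload, payloadlen);
    return sizeof len_field + payloadlen;
}

/* Runs read_cfg() on a packet carrying a 15-byte constructed payload and the
 * given length field. Returns 1 if the packet was accepted, 0 if rejected. */
int demo(int32_t len_field) {
    const unsigned char payload[15] = "gzipped-config";  /* 14 chars + NUL */
    unsigned char pkt[64];
    int outlen = 0;
    size_t n = build_pkt(pkt, len_field, payload, sizeof payload);
    unsigned char *b = read_cfg(pkt, n, &outlen);
    int accepted = b != NULL;
    free(b);
    return accepted;
}

int main(void) {
    printf("length 15  (matches payload): %s\n", demo(15) ? "accepted" : "rejected");
    printf("length -1000 (negative):      %s\n", demo(-1000) ? "accepted" : "rejected");
    printf("length 5000 (beyond packet):  %s\n", demo(5000) ? "accepted" : "rejected");
    printf("-1000 as size_t would be %zu bytes\n", as_unsigned(-1000));
    return 0;
}
```

The point of the check is that the length is compared against the bytes actually received, not only against a fixed maximum: a length that is positive but larger than the packet is just as dangerous as a negative one, since the copy would read past the receive buffer.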

GoogleCodeExporter commented 9 years ago
I forgot to attach these.

Original comment by theonlypwner on 17 Aug 2013 at 3:12


GoogleCodeExporter commented 9 years ago

Original comment by theonlypwner on 17 Aug 2013 at 3:14

GoogleCodeExporter commented 9 years ago
New conditions: the attacker must be connected and able to send maps

Original comment by theonlypwner on 17 Aug 2013 at 3:22


GoogleCodeExporter commented 9 years ago
This is fixed in TFS 30379, which also fixes Issue 139 and the client version of this exploit.

Original comment by theonlypwner on 24 Aug 2013 at 2:22

GoogleCodeExporter commented 9 years ago
My server now disconnects my client for Tag Type when the exploit is used.

Original comment by theonlypwner on 24 Aug 2013 at 2:22