CellFactor Revolution Format String and Buffer Overflow

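Vulnerability ID 1052892 Vulnerability type
Published 2007-09-14 Updated 2007-09-14
CVE ID CVE-2007-4838
CVE-2007-4832
CNNVD-ID N/A
Platform N/A CVSS score N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007090047
|Vulnerability details
Vulnerability details have not been disclosed yet
|Exploit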
#######################################################################

                             Luigi Auriemma

Application:  CellFactor Revolution
              http://www.cellfactorrevolution.com
Versions:     <= 1.03
Platforms:    Windows
Bugs:         A] format string
              B] buffer-overflow
Exploitation: remote, versus server
Date:         07 Sep 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


CellFactor Revolution is a complete freeware game created to showcase
the power of the Ageia PhysX cards, but it can also be played on systems
which don't have them.
The game also supports multiplayer through LAN and direct IP.
CellFactor is developed by Artificial Studios and uses their Reality
Engine.


#######################################################################

=======
2) Bugs
=======

----------------
A] format string
----------------

A format string vulnerability is exploitable through malformed client
nicknames.


------------------
B] buffer-overflow
------------------

A buffer-overflow is exploitable through the message packets 0x21, 0x22
and 0x23.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/cellfucktor.zip


#######################################################################

======
4) Fix
======


No fix.
It seems that the game is no longer supported and the mail address
bugs@artificialstudios.com does not exist.


#######################################################################