 Post subject: Halo Loop - BrandiniMP
PostPosted: Wed Jun 17, 2009 7:00 pm 
Quote:
#######################################################################

BrandiniMP

Application: Halo: Combat Evolved
http://www.microsoft.com/games/pc/halo.aspx
Versions: <= 1.08
Platforms: Windows
Bug: buffer overflow
Exploitation: remote, versus server
Date: 15 June 2009
Author: Brandon McLeod-Miller
web: http://brandinimp.com


#######################################################################


1) Introduction
2) Bug
3) Assembly (Halo PC 1.00.080.0616 Dedicated Server)
4a) Patches (Assembly: Halo PC 1.00.08.0616 Dedicated Server)
4b) Fix


#######################################################################

===============
1) Introduction
===============


Halo is the great FPS game developed by Bungie Studios and ported on PC
by Gearbox Software (http://www.gearboxsoftware.com).
Although it has been released at the end of 2003, it's still one of the
most played games with hundreds of internet servers.


#######################################################################

======
2) Bug
======


This vulnerability is related to the previously found Haloloop exploits.

When attacking a server with multiple, looping haloloop attacks, the
server's packet buffer will begin to be written outside the allocated area
of memory. This will cause a classic buffer overflow; additionally,
various parts of the code begin to try to read areas of memory
that are out of bounds.

This vulnerability can be found by attacking a server with the haloloop,
haloloop2 or haloloop3 proof of concepts.


#######################################################################

======
3) Assembly (Halo PC 1.00.080.0616 Dedicated Server)
======

004FC9D9 |. 0FBF6E 22 MOVSX EBP,WORD PTR DS:[ESI+22]
004FC9DD |. 8B5E 34 MOV EBX,DWORD PTR DS:[ESI+34]

ESI becomes 0 causing ESI+0x22 to be an invalid memory region.

-----------------------------------------------------------------------

0042BDB0 /$ A1 144B7600 MOV EAX,DWORD PTR DS:[764B14]
0042BDB5 |. 8A48 01 MOV CL,BYTE PTR DS:[EAX+1]

The DWORD value at 0x764B14 becomes 0x0100007F and the code at 0x42BDB5
tries to read a byte found at 0x0100007F+0x1, which is also an
out-of-bounds memory region.

-----------------------------------------------------------------------

0045AA98 |. 6BC9 44 IMUL ECX,ECX,44
0045AA9B |. 8999 8C067600 MOV DWORD PTR DS:[ECX+76068C],EBX
0045AAA1 |. 66:89B9 90067600 MOV WORD PTR DS:[ECX+760690],DI

The value of ECX appears to be a counter for the packet buffer,
incremented by 44 each use, and this is the code that causes the actual
overflow.

ECX keeps getting incremented when the loop attack is in progress, thus
causing the code at 0x45AA9B to start reading outside the packet buffer.

-----------------------------------------------------------------------

0045AA74 |> /395E FC /CMP DWORD PTR DS:[ESI-4],EBX <
0045AA77 |. |75 05 |JNZ SHORT haloded.0045AA7E |
0045AA79 |. |66:393E |CMP WORD PTR DS:[ESI],DI |
0045AA7C |. |74 0A |JE SHORT haloded.0045AA88 |
0045AA7E |> |40 |INC EAX |
0045AA7F |. |83C6 44 |ADD ESI,44 |
0045AA82 |. |3BC1 |CMP EAX,ECX |
0045AA84 |.^\7C EE \JL SHORT haloded.0045AA74 -^

A similar overflow problem occurs here on the first line when using ESI,
as the code still increments by 44 and attempts to read from the pointer.

This overflow occurs after the previous one, even though this code is
executed prior to the previous code.

#######################################################################

======
4a) Patches (Assembly: Halo PC 1.00.08.0616 Dedicated Server)
======

This fix consists of code caves and checks of the registers.

-----------------------------------------------------------------------

004FC9D9 . /E9 BB640C00 JMP haloded_.005C2E99
004FC9DE |90 NOP
004FC9DF |90 NOP
------
005C2E99 > \83FE 00 CMP ESI,0
005C2E9C . 75 05 JNZ SHORT haloded_.005C2EA3
005C2E9E . BE C8441900 MOV ESI,1944C8
005C2EA3 > 0FBF6E 22 MOVSX EBP,WORD PTR DS:[ESI+22]
005C2EA7 . 8B5E 34 MOV EBX,DWORD PTR DS:[ESI+34]
005C2EAA .^ E9 319BF3FF JMP haloded_.004FC9E0

Check for ESI being 0; if it is 0, spoof it to a value that worked previously
in the code.

-----------------------------------------------------------------------

0042BDB0 $ /E9 FB701900 JMP haloded_.005C2EB0
------
005C2EB0 > \813D 144B7600 7F000001 CMP DWORD PTR DS:[764B14],100007F
005C2EBA . 75 0A JNZ SHORT haloded_.005C2EC6
005C2EBC . C705 144B7600 40773040 MOV DWORD PTR DS:[764B14],40307740
005C2EC6 > A1 144B7600 MOV EAX,DWORD PTR DS:[764B14]
005C2ECB .^ E9 E58EE6FF JMP haloded_.0042BDB5

Check the value at 0x764B14 for 0x100007F; if the value is 0x100007F,
spoof it to a valid value that has worked previously.

-----------------------------------------------------------------------

0045AA9B . /E9 31841600 JMP haloded_.005C2ED1
0045AAA0 |90 NOP
------
005C2ED1 > \81F9 00540000 CMP ECX,5400
005C2ED7 . 72 0A JB SHORT haloded_.005C2EE3
005C2ED9 . B8 FFFFFFFF MOV EAX,-1
005C2EDE . B9 00000000 MOV ECX,0
005C2EE3 > 8999 8C067600 MOV DWORD PTR DS:[ECX+76068C],EBX
005C2EE9 .^ E9 B37BE9FF JMP haloded_.0045AAA1

Check ECX for being an out-of-range value; if it is out of range, set
it to 0, which will begin rewriting the packet buffer (the after-effect
of this is slight lag; however, it takes a few seconds to actually
fill the packet buffer), and set the return value to -1, which the loop that
calls this function is checking for to exit the loop.

-----------------------------------------------------------------------

0045AA74 > /E9 76841600 JMP haloded_.005C2EEF
------
005C2EEF > \81FE 00540000 CMP ESI,5400
005C2EF5 . 72 02 JB SHORT haloded_.005C2EF9
005C2EF7 . 5E POP ESI ; kernel32.7C817077
005C2EF8 . C3 RETN
005C2EF9 > 395E FC CMP DWORD PTR DS:[ESI-4],EBX
005C2EFC .^ 0F85 7C7BE9FF JNZ haloded_.0045AA7E
005C2F02 .^ E9 727BE9FF JMP haloded_.0045AA79

Check the value of ESI and if it is out of range, exit the function.

#######################################################################

======
4b) Fix
======

Patches downloads can be found at: http://brandinimp.com/?p=62

Halo PC 1.00.08.0609 Dedicated Server – http://vivid-abstractions.net/brandinim ... ed_108.zip
Halo CE 1.00.08.0609 Dedicated Server – http://vivid-abstractions.net/brandinim ... ed_108.zip
Halo PC 1.00.04.0607 Dedicated Server – http://vivid-abstractions.net/brandinim ... ed_104.zip
Halo CE 1.00.00.0619 Dedicated Server – http://vivid-abstractions.net/brandinim ... ed_100.zip

#######################################################################
End of File
#######################################################################

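The following is an added C model of the unbounded table write at 0x45AA9B and of the bounds check the code cave at 0x5C2ED1 introduces; it is not the author's code or anything from the server binary. The 0x44 entry stride and the 0x5400 limit come from the advisory above; the table size, the guard region and the stricter "whole entry must fit" test are assumptions of this model.

```c
#include <stdint.h>
#include <string.h>

/* Model of the per-slot table written by the code at 0x45AA9B/0x45AAA1:
 * entries are 0x44 bytes apart (IMUL ECX,ECX,44) and the patch rejects byte
 * offsets >= 0x5400. ENTRY_STRIDE comes from the advisory; TABLE_BYTES is an
 * assumption for this model, not a value recovered from the server binary. */
#define ENTRY_STRIDE 0x44u
#define TABLE_BYTES  0x5400u

typedef struct {
    uint8_t table[TABLE_BYTES];
    uint8_t guard[0x100];  /* stands in for whatever follows the table in memory */
} slot_memory_t;

static uint32_t slot_dword(const slot_memory_t *m, uint32_t counter) {
    uint32_t v;
    memcpy(&v, m->table + counter * ENTRY_STRIDE, sizeof v);
    return v;
}

/* Original behaviour: the counter grows with every looped request and is
 * never bounded, so the write eventually lands past the end of the table. */
static void store_entry_unchecked(slot_memory_t *m, uint32_t counter,
                                  uint32_t ebx, uint16_t di) {
    uint8_t *p = (uint8_t *)m + counter * ENTRY_STRIDE;  /* no range check */
    memcpy(p, &ebx, sizeof ebx);        /* MOV DWORD PTR [ECX+76068C],EBX */
    memcpy(p + 4, &di, sizeof di);      /* MOV WORD  PTR [ECX+760690],DI  */
}

/* Hardened form, following the code cave at 0x5C2ED1: an out-of-range offset
 * redirects the write to slot 0 and returns -1 so the caller's loop exits.
 * The range test here requires the whole entry to fit, which is stricter
 * than the patch's CMP ECX,5400 (that bounds only the entry's start). */
static int store_entry_checked(slot_memory_t *m, uint32_t counter,
                               uint32_t ebx, uint16_t di) {
    uint32_t off = counter * ENTRY_STRIDE;
    int rc = 0;
    if (off > TABLE_BYTES - ENTRY_STRIDE) {  /* entry would straddle the end */
        off = 0;                               /* MOV ECX,0  */
        rc = -1;                               /* MOV EAX,-1 */
    }
    memcpy(m->table + off, &ebx, sizeof ebx);
    memcpy(m->table + off + 4, &di, sizeof di);
    return rc;
}

/* True while nothing has spilled past the table into the guard region. */
static int guard_intact(const slot_memory_t *m) {
    static const uint8_t zero[0x100];
    return memcmp(m->guard, zero, sizeof zero) == 0;
}
```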