#######################################################################

BrandiniMP

Application:  Halo: Combat Evolved
              http://www.microsoft.com/games/pc/halo.aspx
Versions:     <= 1.08
Platforms:    Windows
Bug:          buffer overflow
Exploitation: remote, versus server
Date:         15 June 2009
Author:       Brandon McLeod-Miller
web:          http://brandinimp.com

#######################################################################

1) Introduction
2) Bug
3) Assembly (Halo PC 1.00.08.0616 Dedicated Server)
4a) Patches (Assembly: Halo PC 1.00.08.0616 Dedicated Server)
4b) Fix

#######################################################################

===============
1) Introduction
===============

Halo is a first-person shooter developed by Bungie Studios and ported to
PC by Gearbox Software (http://www.gearboxsoftware.com). Although it was
released at the end of 2003, it is still one of the most played games,
with hundreds of internet servers.

#######################################################################

======
2) Bug
======

This vulnerability is related to the previously published haloloop
exploits. When a server is hit with several haloloop attacks looping at
once, the index the server uses for its packet buffer keeps growing
without any bound check, so entries are eventually written outside the
allocated area: a classic buffer overflow. As a side effect, other parts
of the code, which read pointers that the overflow has corrupted, start
reading from out-of-bounds memory as well.

The vulnerability can be reproduced by attacking a server with the
haloloop, haloloop2 or haloloop3 proof of concepts.

#######################################################################

======
3) Assembly (Halo PC 1.00.08.0616 Dedicated Server)
======

004FC9D9  |. 0FBF6E 22       MOVSX EBP,WORD PTR DS:[ESI+22]
004FC9DD  |. 8B5E 34         MOV EBX,DWORD PTR DS:[ESI+34]

ESI becomes 0, so ESI+0x22 (and ESI+0x34) point into an invalid memory
region and the loads fault.

-----------------------------------------------------------------------

0042BDB0  /$ A1 144B7600     MOV EAX,DWORD PTR DS:[764B14]
0042BDB5  |. 8A48 01         MOV CL,BYTE PTR DS:[EAX+1]

The DWORD at 0x764B14 becomes 0x0100007F, and the code at 0x42BDB5 then
tries to read the byte at 0x0100007F+0x1, which is also an out-of-bounds
memory region.

Two details make it easy to see where that value comes from: 0x0100007F
is the byte sequence 7F 00 00 01, i.e. the IPv4 address 127.0.0.1 read as
a little-endian DWORD, and 0x764B14 - 0x76068C = 0x4488 = 258 * 0x44,
exactly the DWORD field of the 258th entry of the table written below.
Both are consistent with this pointer being overwritten by the runaway
table write.

-----------------------------------------------------------------------

0045AA98  |. 6BC9 44         IMUL ECX,ECX,44
0045AA9B  |. 8999 8C067600   MOV DWORD PTR DS:[ECX+76068C],EBX
0045AAA1  |. 66:89B9 90067600 MOV WORD PTR DS:[ECX+760690],DI

ECX is a counter for the packet buffer (a table of 0x44-byte entries based
at 0x76068C, each holding a DWORD at +0 and a WORD at +4). The counter is
multiplied by 0x44 to get the entry's byte offset, and this is the store
that actually overflows. ECX keeps growing while the loop attack is in
progress, and nothing checks it against the table size, so the stores at
0x45AA9B and 0x45AAA1 land further and further past the end of the
packet buffer.

-----------------------------------------------------------------------

0045AA74  |> /395E FC        /CMP DWORD PTR DS:[ESI-4],EBX        <
0045AA77  |. |75 05          |JNZ SHORT haloded.0045AA7E          |
0045AA79  |. |66:393E        |CMP WORD PTR DS:[ESI],DI            |
0045AA7C  |. |74 0A          |JE SHORT haloded.0045AA88           |
0045AA7E  |> |40             |INC EAX                             |
0045AA7F  |. |83C6 44        |ADD ESI,44                          |
0045AA82  |. |3BC1           |CMP EAX,ECX                         |
0045AA84  |.^\7C EE          \JL SHORT haloded.0045AA74          -^

This is the lookup loop over the same table: it compares each entry's
DWORD and WORD against EBX and DI, stepping ESI by 0x44 while EAX is
below ECX. A similar overflow occurs on the first line, since the loop
walks as far as the unchecked count says and dereferences the pointer
each time. This out-of-bounds read shows up after the write above, even
though this loop executes before the store in program order.

#######################################################################

======
4a) Patches (Assembly: Halo PC 1.00.08.0616 Dedicated Server)
======

The fix consists of code caves (at 0x5C2E99 and following) that add range
checks on the registers involved before the original instructions run.

-----------------------------------------------------------------------

004FC9D9   . /E9 BB640C00    JMP haloded_.005C2E99
004FC9DE     |90             NOP
004FC9DF     |90             NOP
------
005C2E99   > \83FE 00        CMP ESI,0
005C2E9C   . 75 05           JNZ SHORT haloded_.005C2EA3
005C2E9E   . BE C8441900     MOV ESI,1944C8
005C2EA3   > 0FBF6E 22       MOVSX EBP,WORD PTR DS:[ESI+22]
005C2EA7   . 8B5E 34         MOV EBX,DWORD PTR DS:[ESI+34]
005C2EAA  .^ E9 319BF3FF     JMP haloded_.004FC9E0

Check whether ESI is 0; if it is, substitute 0x1944C8, a value that was
observed to work earlier in the code, before the original loads. Note
that this substitutes a fixed address rather than handling the missing
object, so it keeps the server running but does not address why ESI is 0.

-----------------------------------------------------------------------

0042BDB0   $ /E9 FB701900    JMP haloded_.005C2EB0
------
005C2EB0   > \813D 144B7600 7F000001  CMP DWORD PTR DS:[764B14],100007F
005C2EBA   . 75 0A           JNZ SHORT haloded_.005C2EC6
005C2EBC   . C705 144B7600 40773040   MOV DWORD PTR DS:[764B14],40307740
005C2EC6   > A1 144B7600     MOV EAX,DWORD PTR DS:[764B14]
005C2ECB  .^ E9 E58EE6FF     JMP haloded_.0042BDB5

Check the DWORD at 0x764B14 for 0x100007F; if it matches, restore the
known-good value 0x40307740 that worked previously, then perform the
original load. This only catches the one corrupted value that was
observed: any other garbage pointer passes through the check unchanged.

-----------------------------------------------------------------------

0045AA9B   . /E9 31841600    JMP haloded_.005C2ED1
0045AAA0     |90             NOP
------
005C2ED1   > \81F9 00540000  CMP ECX,5400
005C2ED7   . 72 0A           JB SHORT haloded_.005C2EE3
005C2ED9   . B8 FFFFFFFF     MOV EAX,-1
005C2EDE   . B9 00000000     MOV ECX,0
005C2EE3   > 8999 8C067600   MOV DWORD PTR DS:[ECX+76068C],EBX
005C2EE9  .^ E9 B37BE9FF     JMP haloded_.0045AAA1

ECX already holds the byte offset (count * 0x44) when this cave runs.
If the offset is not below 0x5400, the cave sets EAX (the function's
return value) to -1 and ECX to 0, so the store lands on entry 0 of the
packet buffer instead of past its end, and the loop that calls this
function, which checks for -1, exits. The visible after-effect is slight
lag, since it takes a few seconds of attack to fill the packet buffer and
reach the -1 return.

Two things to confirm before relying on this bound: 0x5400 is not a
multiple of 0x44, so the last offset it admits is 0x53F0 (entry 316),
and that offset is above 0x4488, the distance from the table base to
0x764B14. Whether entry 316 is still inside the real allocation should
be checked against the binary rather than assumed.

-----------------------------------------------------------------------

0045AA74   > /E9 76841600    JMP haloded_.005C2EEF
------
005C2EEF   > \81FE 00540000  CMP ESI,5400
005C2EF5   . 72 02           JB SHORT haloded_.005C2EF9
005C2EF7   . 5E              POP ESI                   ; kernel32.7C817077
005C2EF8   . C3              RETN
005C2EF9   > 395E FC         CMP DWORD PTR DS:[ESI-4],EBX
005C2EFC  .^ 0F85 7C7BE9FF   JNZ haloded_.0045AA7E
005C2F02  .^ E9 727BE9FF     JMP haloded_.0045AA79

Check the value of ESI; if it is out of range, pop ESI and return from
the function, otherwise perform the original compare and continue at
0x45AA7E or 0x45AA79. Since the compare dereferences [ESI-4] directly,
ESI holds an address here rather than a byte offset, so anyone re-applying
this cave should confirm what range of ESI values the 0x5400 check is
meant to accept.
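The table write and lookup loop from section 3, with the bound check from section 4a, modelled in C as an added example. This is a constructed illustration written for this page, not code from the server or from the author: the entry layout (DWORD at +0, WORD at +4, 0x44-byte stride) and the 0x5400 bound come from the listings above, while the table size (the number of 0x44-byte entries that fit below 0x5400), the `arena` and `neighbour` names and the sample values are assumptions made for the demo. The "neighbour" DWORD placed right after the table stands in for the pointer at 0x764B14 that the page shows being clobbered.

```c
/* Constructed model of the 0x44-byte slot table and the 4a bound check.
 * Not the server's code: layout and constants are taken from the page's
 * listings, the table size and the neighbour DWORD are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE   0x44                                   /* ADD ESI,44 / IMUL ECX,ECX,44 */
#define SLOT_LIMIT  0x5400                                 /* CMP ECX,5400 in the patch     */
#define SLOT_COUNT  ((SLOT_LIMIT + SLOT_SIZE - 1) / SLOT_SIZE) /* 317 entries admitted (assumed size) */
#define TABLE_BYTES (SLOT_COUNT * SLOT_SIZE)
#define ARENA_BYTES (TABLE_BYTES + 8)                      /* table + 8 bytes of neighbouring data */

static uint8_t arena[ARENA_BYTES];                         /* constructed memory image */

/* Little-endian field access, as the x86 stores/loads do. */
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void     wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void     wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Neighbour DWORD living right after the table (stand-in for 0x764B14). */
uint32_t neighbour_get(void) { return rd32(arena + TABLE_BYTES); }
void     neighbour_set(uint32_t v) { wr32(arena + TABLE_BYTES, v); }
void     arena_reset(void) { memset(arena, 0, sizeof arena); }

/* Original behaviour (0045AA98..0045AAA1): offset = count * 0x44, then store
 * the DWORD (EBX) at +0 and the WORD (DI) at +4 with no check on count.
 * Returns the byte offset written.  The only guard below keeps this demo
 * inside `arena` so it is not undefined behaviour; the real code has none
 * and runs off the end of its table. */
long slot_put_unchecked(uint32_t count, uint32_t key, uint16_t sub)
{
    uint64_t off = (uint64_t)count * SLOT_SIZE;
    if (off + 6 > ARENA_BYTES) return -1;                  /* demo-only guard */
    wr32(arena + off, key);
    wr16(arena + off + 4, sub);
    return (long)off;
}

/* Patched behaviour (005C2ED1): if the offset is not below 0x5400, force the
 * return value to -1 and the offset to 0, so the store lands on entry 0 and
 * the caller's loop, which tests for -1, stops. */
long slot_put_patched(uint32_t count, uint32_t key, uint16_t sub)
{
    uint32_t off = count * SLOT_SIZE;                      /* 32-bit multiply, wraps like IMUL */
    long rc = (long)off;
    if (off >= SLOT_LIMIT) {                               /* CMP ECX,5400 / JB not taken */
        rc  = -1;                                          /* MOV EAX,-1 */
        off = 0;                                           /* MOV ECX,0  */
    }
    wr32(arena + off, key);                                /* MOV [ECX+76068C],EBX */
    wr16(arena + off + 4, sub);                            /* MOV [ECX+760690],DI  */
    return rc;
}

/* Lookup loop (0045AA74..0045AA84): walk `count` entries comparing DWORD and
 * WORD; returns the index or -1.  The original walks as far as the unchecked
 * count says; this version bails out at the bound, as the 4a cave does. */
long slot_find(uint32_t count, uint32_t key, uint16_t sub)
{
    for (uint32_t i = 0; i < count; i++) {
        uint32_t off = i * SLOT_SIZE;
        if (off >= SLOT_LIMIT) return -1;                  /* bound added by the patch */
        if (rd32(arena + off) == key && rd16(arena + off + 4) == sub) return (long)i;
    }
    return -1;
}

int main(void)
{
    /* Sample values: the patch's known-good pointer and the clobber value. */
    arena_reset();
    neighbour_set(0x40307740u);
    for (uint32_t n = 0; n <= SLOT_COUNT; n++)             /* counter runs past the table */
        slot_put_unchecked(n, 0x0100007Fu, 0x1234);
    printf("unchecked: neighbour = 0x%08X\n", (unsigned)neighbour_get());

    arena_reset();
    neighbour_set(0x40307740u);
    long rc = 0;
    for (uint32_t n = 0; n <= SLOT_COUNT && rc != -1; n++)
        rc = slot_put_patched(n, 0x0100007Fu, 0x1234);
    printf("patched:   neighbour = 0x%08X, last rc = %ld\n", (unsigned)neighbour_get(), rc);
    return 0;
}
```

The unchecked run ends with the neighbour DWORD holding 0x0100007F, the same pattern the page reports at 0x764B14; the patched run returns -1 on the first over-bound insert, the write goes to entry 0, and the neighbour keeps its value. The wrap-to-zero is faithful to the cave, which is why the page notes the lag: entry 0 is silently overwritten rather than the insert being refused.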
#######################################################################

======
4b) Fix
======

Patch downloads can be found at: http://brandinimp.com/?p=62

Halo PC 1.00.08.0616 Dedicated Server – http://vivid-abstractions.net/brandinimp/haloded_108.zip
Halo CE 1.00.08.0609 Dedicated Server – http://vivid-abstractions.net/brandinimp/haloceded_108.zip
Halo PC 1.00.04.0607 Dedicated Server – http://vivid-abstractions.net/brandinimp/haloded_104.zip
Halo CE 1.00.00.0619 Dedicated Server – http://vivid-abstractions.net/brandinimp/haloceded_100.zip

#######################################################################

End of File

#######################################################################