R1CH Quotes

---

On January 20 2010 09:31 R1CH wrote:
First connection:
GET / HTTP/1.0
Host: scantid.teamliquid.net
User-Agent: NSPlayer/11.08.0005.0000
Accept: */*
Accept-Language: en-us, *;q=0.1
Connection: Keep-Alive
Pragma: xClientGuid={3300AD50-2C39-46C0-AE0A-C23A4CC70F59}
Pragma: packet-pair-experiment=1
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.startupprofile, com.microsoft.wm.predstrm
Pragma: no-cache,stream-time=0,stream-offset=0:0,packet-num=4294967295,max-duration=0
Pragma: LinkBW=2147483647,rate=1.000, AccelDuration=10000, AccelBW=2147483647

HTTP/1.0 200 OK
Content-type: application/octet-stream
Server: Cougar 4.1.0.3921
Pragma: no-cache
Pragma: client-id=15404
Pragma: features="broadcast"
Cache-Control: no-cache

$H..........0&.u.f.......b.lo.................G........ Seh............_."1...................................................................(......_......... Se..................... Se................... Se............M[......_\D+.W. U[......_\D+........7.................h....,.,.......h.......WMV3....................L................ Ser.......@.i.M[......_\D+P....a......... ......................a...D....>......
........\..........@R...1........H.........AR...1........H.........W.i.n.d.o.w.s. .M.e.d.i.a. .V.i.d.e.o. .9.......WMV3..+.W.i.n.d.o.w.s. .M.e.d.i.a. .A.u.d.i.o. .(.v.2.). .7.,. .8. .a.n.d. .9. .S.e.r.i.e.s.......a.6&.u.f.......b.l2............_."1.................

Second connection:
GET / HTTP/1.0
Host: scantid.teamliquid.net
User-Agent: NSPlayer/11.08.0005.0000
Accept: */*
Accept-Language: en-us, *;q=0.1
Connection: Keep-Alive
Pragma: client-id=15404
Pragma: xClientGuid={3300AD50-2C39-46C0-AE0A-C23A4CC70F59}
Pragma: xPlayStrm=1
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.startupprofile, com.microsoft.wm.predstrm
Pragma: no-cache,stream-time=0,stream-offset=4294967295:4294967295,packet-num=4294967295,max-duration=0
Pragma: LinkBW=1000000,rate=1.000, AccelDuration=10000, AccelBW=1000000
Pragma: stream-switch-count=2
Pragma: stream-switch-entry=ffff:1:0 ffff:2:0

HTTP/1.0 200 OK
Content-type: application/octet-stream
Server: Cougar 4.1.0.3921
Pragma: no-cache
Pragma: client-id=12388
Pragma: features="broadcast"
Cache-Control: no-cache

$H..........0&.u.f.......b.lo.................G........ Seh............_."1...................................................................(......_......... Se..................... Se................... Se............M[......_\D+.W. U[......_\D+........7.................h....,.,.......h.......WMV3....................L................ Ser.......@.i.M[......_\D+P....a......... ......................a...D....>......
........\..........@R...1........H.........AR...1........H.........W.i.n.d.o.w.s. .M.e.d.i.a. .V.i.d.e.o. .9.......WMV3..+.W.i.n.d.o.w.s. .M.e.d.i.a. .A.u.d.i.o. .(.v.2.). .7.,. .8. .a.n.d. .9. .S.e.r.i.e.s.......a.6&.u.f.......b.l2............_."1.................$D...L..........]..^.I.....`......
..^.I.N..un'
.k......k

(disconnects after few kbs)

First connection:
GET / HTTP/1.0
Host: scantid.teamliquid.net
User-Agent: NSPlayer/11.08.0005.0000
Accept: */*
Accept-Language: en-us, *;q=0.1
Connection: Keep-Alive
Pragma: xClientGuid={3300AD50-2C39-46C0-AE0A-F77041AF6FF2}
Pragma: packet-pair-experiment=1
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.startupprofile, com.microsoft.wm.predstrm
Pragma: no-cache,stream-time=0,stream-offset=0:0,packet-num=4294967295,max-duration=0
Pragma: LinkBW=2147483647,rate=1.000, AccelDuration=10000, AccelBW=2147483647

HTTP/1.0 200 OK
Content-type: application/octet-stream
Server: Cougar 4.1.0.3921
Pragma: no-cache
Pragma: client-id=2287
Pragma: features="broadcast"
Cache-Control: no-cache

$H..........0&.u.f.......b.lo.................G........ Seh............_."1...................................................................(......_......... Se..................... Se................... Se............M[......_\D+.W. U[......_\D+........7.................h....,.,.......h.......WMV3....................L................ Ser.......@.i.M[......_\D+P....a......... ......................a...D....>......
........\..........@R...1........H.........AR...1........H.........W.i.n.d.o.w.s. .M.e.d.i.a. .V.i.d.e.o. .9.......WMV3..+.W.i.n.d.o.w.s. .M.e.d.i.a. .A.u.d.i.o. .(.v.2.). .7.,. .8. .a.n.d. .9. .S.e.r.i.e.s.......a.6&.u.f.......b.l2............_."1.................

Second connection:
GET / HTTP/1.0
Host: scantid.teamliquid.net
User-Agent: NSPlayer/11.08.0005.0000
Accept: */*
Accept-Language: en-us, *;q=0.1
Connection: Keep-Alive
Pragma: client-id=2287
Pragma: xClientGuid={3300AD50-2C39-46C0-AE0A-F77041AF6FF2}
Pragma: xPlayStrm=1
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.startupprofile, com.microsoft.wm.predstrm
Pragma: no-cache,stream-time=0,stream-offset=4294967295:4294967295,packet-num=4294967295,max-duration=0
Pragma: LinkBW=1000000,rate=1.000, AccelDuration=10000, AccelBW=1000000
Pragma: stream-switch-count=2
Pragma: stream-switch-entry=ffff:1:0 ffff:2:0

HTTP/1.0 200 OK
Content-type: application/octet-stream
Server: Cougar 4.1.0.3921
Pragma: no-cache
Pragma: client-id=19947
Pragma: features="broadcast"
Cache-Control: no-cache

$H..........0&.u.f.......b.lo.................G........ Seh............_."1...................................................................(......_......... Se..................... Se................... Se............M[......_\D+.W. U[......_\D+........7.................h....,.,.......h.......WMV3....................L................ Ser.......@.i.M[......_\D+P....a......... ......................a...D....>......
........\..........@R...1........H.........AR...1........H.........W.i.n.d.o.w.s. .M.e.d.i.a. .V.i.d.e.o. .9.......WMV3..+.W.i.n.d.o.w.s. .M.e.d.i.a. .A.u.d.i.o. .(.v.2.). .7.,. .8. .a.n.d. .9. .S.e.r.i.e.s.......a.6&.u.f.......b.l2............_."1.................$D...M..........]...
I.....z......&...

(WORKING!)

So what the hell is the difference between these two connections .

---

---

Sent a copy of this to hacks@blizzard, but if you catch anyone in person, direct them to this thread as this seems serious enough to warrant attention:

---------------------

There appears to be a hack circulating in SC:BW where an oversized game name is passed to bnet upon game creation. Bnet does not perform input sanitization on this value before storing it. Bnet then sends this information back to the client when the client is at the join game screen, at which point the oversized game name is added to the join game list box. When the user clicks the entry, the list box text is copied into an unchecked 128 byte buffer and a stack-based buffer overflow occurs.

On a quick glance, the return address looks possibly controllable, meaning with the right length and combination of characters, this could be exploited to execute arbitrary code on the StarCraft client.

Vulnerable code resides in battle.snp @ base + 0x237D0:

190237D0 |. 8B1D BCA20319 mov ebx,dword ptr ds:[<&USER32.SendMessa>; USER32.SendMessageA
190237D6 |. 6A 00 push 0 ; /lParam = 0
190237D8 |. 6A 00 push 0 ; |wParam = 0
190237DA |. 68 88010000 push 188 ; |Message = LB_GETCURSEL
190237DF |. 56 push esi ; |hWnd
190237E0 |. FFD3 call ebx ; \SendMessageA
190237E2 |. 83F8 FF cmp eax,-1
190237E5 |. 0F84 7D000000 je battle.19023868
190237EB |. 8D95 70FFFFFF lea edx,dword ptr ss:[ebp-90]
190237F1 |. 52 push edx ; /lParam
190237F2 |. 50 push eax ; |wParam
190237F3 |. 68 89010000 push 189 ; |Message = LB_GETTEXT
190237F8 |. 56 push esi ; |hWnd
190237F9 |. FFD3 call ebx ; \SendMessageA

As shown here, LB_GETTEXT is used to pull the string out of the listbox into edx. edx points to a stack buffer of 128 bytes. Since the string in the listbox is controlled by the attacker as no bounds checking is done on either the client or the server, a stack-based buffer overflow occurs.

My suggested immediate fix would be to limit the maximum game name / mapname and other user-controlled parameters that the battle.net server will accept as this would not require a client patch. If the user submits to bnet values of greater length than the BW client would normally allow, they can be flagged as malicious and handled accordingly. An additional suggested client-side update in the next patch would validate the game name and other parameters received from battle.net before working with them, to protect the player from 3rd party servers.

I would appreciate being informed of any updates to this issue, as if no action is taken I will make my own unofficial patch to address this bug. Thanks!

---

---

[5:05] HotBid: again, no idea what that means lol
[5:05] R1CH: r1ch made bad r1ch fix now
[5:05] HotBid: nice ok
[5:05] R1CH: k fixed

---