[1.298, 1.310] CRoom::RoomChat() exploit

#1
twostars
Length check's slightly wrong -- the buffer allows for 256 bytes, but their existing length check allows all 256 bytes to be used instead of allowing for the null-terminator. As it's then passed into sprintf(), well... nothing good can come of it.

Easy fix -- just change the "JG" (jump if greater than) instruction to a "JGE" (jump if greater than or equal to) instruction, so we're only allowing the first 255 bytes to be filled, leaving room for that pesky null-terminator.

1.298
004831A7   /0F8D A7000000   JGE 00483254

1.310
0046C06B   /0F8F A4000000   JGE 0046C115
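The off-by-one described above, as an added C example (not the server's code, which is native x86 patched at the addresses listed): the two comparisons side by side, plus a bounded copy that applies the corrected bound and always leaves room for the terminator. The buffer size 256 comes from the post; the helper names and the all-'A' sample message are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CHAT_BUF_SIZE 256   /* buffer size named in the post */

/* Original check (the JG branch): the packet is rejected only when
 * len > 256, so a 256-byte message fills the entire buffer and leaves
 * no byte for the NUL terminator before it reaches sprintf(). */
bool original_check_accepts(size_t len) { return !(len > CHAT_BUF_SIZE); }

/* Patched check (the JGE branch): rejected when len >= 256, so at most
 * 255 bytes are copied and the terminator always fits. */
bool patched_check_accepts(size_t len) { return !(len >= CHAT_BUF_SIZE); }

/* Hypothetical hardened receive helper (not the game's code): applies the
 * corrected bound, copies at most 255 bytes and always NUL-terminates, so
 * whatever formats the message later can never read past the buffer.
 * Returns false when the message is rejected. */
bool room_chat_copy(const unsigned char *payload, size_t len,
                    char out[CHAT_BUF_SIZE]) {
    if (!patched_check_accepts(len))
        return false;
    memcpy(out, payload, len);
    out[len] = '\0';
    return true;
}

/* Feeds a constructed all-'A' message of the given length through
 * room_chat_copy and returns the resulting string length, or -1 if the
 * message was rejected. */
int copy_constructed_message(size_t len) {
    unsigned char msg[1024];
    char out[CHAT_BUF_SIZE];
    if (len > sizeof msg)
        return -1;
    memset(msg, 'A', len);
    if (!room_chat_copy(msg, len, out))
        return -1;
    return (int)strlen(out);
}

int main(void) {
    size_t lens[] = { 255, 256, 257 };
    for (size_t i = 0; i < 3; i++)
        printf("len=%zu original=%d patched=%d copied=%d\n", lens[i],
               original_check_accepts(lens[i]), patched_check_accepts(lens[i]),
               copy_constructed_message(lens[i]));
    return 0;
}
```

Only len=256 separates the two checks: the original accepts it and the buffer ends without a terminator, the patched one rejects it.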