[EN] A-Z: PrBoom-plus (part II) and message_nottobefuckedwith
As in the previous post, I was digging in PrBoom-plus's code. When I was going through hu_stuff.c these two variables caught my eye:
It's always funny to find such names in source code. It was even better when I found out that it's part of the original Doom's code. So I took it as a challenge and tried to have some fun with it.
chat macro buffer overflow
I looked at the code in m_misc.c responsible for parsing the configuration file. I noticed that chat macro variables are accepted with a quite large length limit (exactly 31988 bytes).
These macros may be used during the game by starting a chat (by pressing t) and then selecting a specific macro with the key combination alt + macro number. The code responsible for handling this situation is in
The macro message is retrieved from the array at line 2825; lines 2827 - 2833 are responsible for preparing the text to be displayed. Then, at line 2837, the text (which has no length boundary) is copied to the lastmessage variable. This buffer has a fixed size, 81 bytes.
Summarizing, we have control over the chat_macros value, which may have up to 31988 bytes read from the configuration file. Then, these bytes are copied into lastmessage, for which only 81 bytes are allocated - this is a typical buffer overflow. As uninitialized global and static variables reside in the .bss segment, I hoped that I would be able to use this overflow to overwrite them.
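Added illustration, not PrBoom-plus's own code: the unbounded copy described above beside a bounded replacement and a parse-time check. The 81-byte buffer size is from the post; the function and variable names are assumptions.

```c
/* Added illustration, not PrBoom-plus code: the unbounded copy the post
 * describes beside a bounded replacement. The 81-byte size is from the post;
 * function and variable names are assumptions. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define LASTMESSAGE_SIZE 81   /* 80 visible characters plus NUL */

char lastmessage[LASTMESSAGE_SIZE];
int neighbour_in_bss;         /* stand-in for the next global in .bss */
bool last_truncated;          /* set by try_macro() below */

/* Defective pattern: strcpy trusts the macro length, so a long chat macro
 * runs past lastmessage into whatever follows it. Never called here. */
void set_lastmessage_unbounded(const char *macro)
{
    strcpy(lastmessage, macro);
}

/* Hardened form: copy at most LASTMESSAGE_SIZE-1 bytes, always terminate,
 * and report whether the message was cut. */
bool set_lastmessage_bounded(const char *macro)
{
    size_t len = strlen(macro);
    size_t n = len < LASTMESSAGE_SIZE - 1 ? len : LASTMESSAGE_SIZE - 1;
    memcpy(lastmessage, macro, n);
    lastmessage[n] = '\0';
    return len > n;
}

/* Better still: reject a macro the display buffer cannot hold while the
 * config file is parsed, so it never reaches the chat code at all. */
bool chat_macro_is_valid(const char *macro)
{
    return strlen(macro) < LASTMESSAGE_SIZE;
}

/* Runs the bounded path on a constructed macro of macro_len 'a' bytes (0x61,
 * as in the post); returns strlen(lastmessage) or (size_t)-1 on a problem. */
size_t try_macro(size_t macro_len)
{
    char *macro = malloc(macro_len + 1);
    if (macro == NULL) return (size_t)-1;
    memset(macro, 'a', macro_len);
    macro[macro_len] = '\0';
    neighbour_in_bss = 0x1234;
    last_truncated = set_lastmessage_bounded(macro);
    free(macro);
    return neighbour_in_bss == 0x1234 ? strlen(lastmessage) : (size_t)-1;
}
```

With the bounded copy a 31988-byte macro is cut to 80 characters and the neighbouring global survives; the parse-time check would have refused it earlier.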
I prepared a configuration file with a payload (0x61 is 'a'):
I compiled the game with the additional compiler flag -D_FORTIFY_SOURCE=0, which disables a modern protection against buffer overflow exploitation. Then I started the server and the first client.
I ran the second client under gdb and set a breakpoint on the vulnerable line (
In the game I used my macro (by pressing 0), and the breakpoint was hit.
Memory before triggering the vulnerability:
just one step calling
and the result shows how I fucked with DOOM and its message_nottobefuckedwith:
- submission: https://sourceforge.net/p/prboom-plus/bugs/254/