AssaultCube RCE: Technical Analysis

(Cube Engine)

Defining Goals

Starting Out

What now?

Function | Address in ASCII
malloc: p}D
_ZTVN10__cxxabiv120__si_class_type_infoE: H]D
strstr: `D
isxdigit: (`D
socket: 0`D
_ZSt9terminatev: 8`D
recvmsg: @`D
accept: H`D
strtoul: P`D
fwrite_unlocked: X`D
strchr: ``D
uncompress: h`D
__cxa_begin_catch: p`D
strspn: x`D
perror: aD
system: (aD
inflateInit2_: 0aD
gmtime: 8aD
openlog: @aD
__cxa_atexit: HaD
time: PaD
strcpy: XaD
_ZdlPv: `aD
select: haD
__isoc99_sscanf: paD
closelog: xaD
gethostbyaddr_r: bD
vfprintf: (bD
fread_unlocked: 0bD
shutdown: 8bD
tmpfile: @bD
putchar: HbD
strcmp: PbD
strtol: XbD
inflateReset: `bD
fprintf: hbD
tolower: pbD
backtrace: xbD
strcat: cD
setsockopt: (cD
remove: 0cD
__cxa_guard_acquire: 8cD
sqrtf: @cD
toupper: HcD
frexp: PcD
inet_pton: XcD
__cxa_pure_virtual: `cD
qsort: hcD
fwrite: pcD
close: xcD
SV_SOUND (2), SV_THROWNADE (8), SV_GAMEMODE (2)
type = checktype(getint(p), cl); // Reading the event type.
A peek into the binary’s imported functions.

The remaining arguments are a format, as in printf(3),

// Goal: Write VAL into ADDR.
// Stack
A -> B
B -> C
1. Write ADDR onto the stack using A.
A -> B
B -> ADDR <- ????
2. Write VAL into ADDR using B.
A -> B
B -> ADDR <- VAL
if(text[0] && !strcmp(text, cl->lastsaytext) && servmillis - cl->lastsay < SPAMREPEATINTERVAL*1000)
putint(ws.messages, SV_CLIENT);
putint(ws.messages, c.clientnum); // clientnum is 0.
// syslog's format would be - "{SV_CLIENT}\x00".

Summary

Conclusion

Server Browser (can also scroll for more)

Easter Egg
