Arbitrary code execution exploit

[krzys_h]

Did you ever think that CBot is quite limited and you would like it to be able to do more stuff, like open applications on your computer? Now you can do that! I present you the first exploit for Colobot ever published. This CBot program exploits a buffer overflow vulnerability in CBot debugger to achieve arbitrary code execution and open Notepad.

[video=youtube]https://youtu.be/DC6mNpyRN9g[/video]

I'm attaching the program code. It is designed to work on the 1.9 PL version of original Colobot, the exact version that is available in our download, and will probably not work on any other version. It may or may not work operating systems other than Windows 10 (with WinXP SP3 compatibility enabled in program settings) - not tested. Note that the program code includes a lot of binary characters that you can't normally type on a keyboard, so a simple copy-paste may not work.

PS. This vulnerability is already patched in Gold, see https://github.com/colobot/colobot/commi...142166429b

[tomangelo]

In my case (Windows 7 x64 with XP compatibility and running with admin privileges) it only cause crash. Colobot is quite unstable itself on this machine, sometimes starting after 4 retries, so it's maybe my bad luck.

[krzys_h]

This can mean one of two things:
1) Your version of Colobot is different. Make sure it's the same one as available in our download (MD5 of colobot.exe is 83e54ee377bcdf9f4930e0892952c4ab)
2) The stack layout is slightly different between versions of Windows. This is kinda what I expected to happen, but I didn't manage to write this exploit without hardcoding an address on the stack. The best I could do would be to add a lot of NOPs all around it and hope we jump somewhere close.
Do you perhaps have any way of providing a backtrace and possibly registers and stack at the time of a crash? gdb should work (start with 'handle SIGTRAP nostop' before running because one element of the exploit generates a debugger break and try some of these commands: 'info registers', 'info stack', 'info frame', 'x/128xw $esp')

[tomangelo]

I think that I've edition from KŚ Gry, I'll try with our version.
Current msys2/gdb version crash immediately (https://github.com/Alexpux/MSYS2-packages/issues/716), so I cannot debug it right now. Currently trying to compile it from source, but got some errors.

[RaptorParkowsky]

I think that I've edition from KŚ Gry, I'll try with our version.

The version that @krzys_h has linked actually is from KŚ Gry. I've never shared original Manta release ISO (well, some stuff is still to do and to upload).

[krzys_h]

Did you ever want original Colobot to be able to run faster than x2 without use of external tools like Cheat Engine (which probably most people who were there before source code was released remember)? Now it can! Buy it at your nearest Interplanetary Colobot Community shop or download it in the description.
Oh, and negative speed in original Colobot is always fun :>
[video=youtube]https://youtu.be/NhceP4tH7SU[/video]

[tomangelo]

$ md5sum.exe colobot.exe
83e54ee377bcdf9f4930e0892952c4ab *colobot.exe

Looks similar, so I guess it's correct binary.
And these programs ends with same result - crash.

[kompowiec]

I tested on debian testing, script does nothing.

[krzys_h]

I tested on debian testing, script does nothing.

I clearly stated that this is made for original Colobot and already patched in Gold Edition.

[patrol]

Look good. And these programs ends with same result - crash.