cs2-exploit v1.0.0 • Published 3 months ago

License: GPL-3.0
Repository: github
Last release: 3 months ago

The Exploit

This exploit relies on the game:loc metadata key (read as 'game/loc' in the script below). When that value is set to a length greater than 2^15 (32768) and a client is then invited to the lobby, an out-of-bounds memory write is triggered, leading to an Access Violation/Segmentation Fault that crashes the CS:GO client. The lobby XML file includes a JavaScript file (panorama/scripts/friendlobby.js) that populates fields such as the lobby members' avatars, the game mode, the average lobby rank and, most importantly, the lobby location.

	// Reads the lobby's 'game/loc' setting and uses it, unchecked, to build the
	// path of the flag image shown on the friend-lobby tile.
	var _SetFlag = function ( elTile )
	{
		var countryCode = PartyBrowserAPI.GetPartySessionSetting( _m_xuid, 'game/loc' );
		var elFlagImg = elTile.FindChildTraverse( 'JsFriendLobbyFlag' );
		if ( countryCode )
		{
			// The raw setting value becomes part of a file path with no length or format check.
			elFlagImg.SetImage( 'file://{images}/flags/'+ countryCode +'.png' );
			elFlagImg.RemoveClass( 'hidden' );
		}
		else
		{
			elFlagImg.AddClass( 'hidden' );
		}
	};

The hash function attempted to call the Clang memset function and write the parsed file path to another area of memory without validating the size of the source data. This is called an out-of-bounds write. Initially, I had attempted to escalate this vulnerability to an RCE (remote code execution), since the Valve bug bounty program would consider a client crasher out of scope. After contacting many friends who were much better than I was at reverse engineering, it was concluded that the most that could be achieved with this exploit was denial of service.
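The defect described above is that the 'game/loc' value reaches a file-path construction with no check on its size or shape. The following is an added example of the defensive filter a client could apply at the script layer before the value is used; it is not code from the cs2-exploit package or from the game's own panorama scripts. It assumes that legitimate location values are short alphabetic country codes, uses the 32768 bound the page names as the threshold for flagging an overlong value, and stands in a constructed fake tile object for the real panorama panel so it runs outside the game.

```javascript
// Added example, not part of the cs2-exploit package or the game's scripts.
// Validates the lobby location value before it becomes a flag image path.

// The page reports the crash when the value's length exceeds 2^15 (32768).
const MAX_LOC_LENGTH = 32768;
// Assumption: legitimate values are 2- or 3-letter alphabetic country codes.
const COUNTRY_CODE_RE = /^[A-Za-z]{2,3}$/;

// Classify a raw setting value so that abnormal ones can be logged or counted
// separately from ordinary malformed input.
function classifyLoc(value) {
  if (typeof value !== 'string' || value.length === 0) return 'missing';
  if (value.length > MAX_LOC_LENGTH) return 'overlong';
  if (!COUNTRY_CODE_RE.test(value)) return 'malformed';
  return 'ok';
}

// Return the normalized code, or null when the value must be treated as absent.
function sanitizeCountryCode(value) {
  return classifyLoc(value) === 'ok' ? value.toUpperCase() : null;
}

// Build the image path only from a value that passed the allow-list.
function buildFlagPath(value) {
  const code = sanitizeCountryCode(value);
  return code === null ? null : 'file://{images}/flags/' + code + '.png';
}

// Same shape as the page's _SetFlag, but the value is filtered first.
// Returns the path that was set, or null when the flag was hidden instead.
function setFlagSafe(elTile, rawLoc) {
  const elFlagImg = elTile.FindChildTraverse('JsFriendLobbyFlag');
  const path = buildFlagPath(rawLoc);
  if (path !== null) {
    elFlagImg.SetImage(path);
    elFlagImg.RemoveClass('hidden');
  } else {
    elFlagImg.AddClass('hidden');
  }
  return path;
}

// Constructed stand-in for a panorama tile so the example runs without the game.
function makeFakeTile() {
  const img = {
    image: null,
    classes: new Set(['hidden']),
    SetImage(p) { this.image = p; },
    AddClass(c) { this.classes.add(c); },
    RemoveClass(c) { this.classes.delete(c); },
  };
  return {
    flag: img,
    FindChildTraverse(id) { return id === 'JsFriendLobbyFlag' ? img : null; },
  };
}

// Constructed sample inputs: a normal code, an overlong value of the kind the
// page describes, and a value that is short but not a country code.
const SAMPLES = ['US', 'x'.repeat(40000), '../../x'];
for (const s of SAMPLES) {
  const tile = makeFakeTile();
  console.log(classifyLoc(s), '->', setFlagSafe(tile, s));
}
```

The allow-list is what actually closes the gap: any value that is not two or three letters is dropped, so an overlong string never reaches the path builder regardless of the exact crash threshold. The separate 'overlong' class exists only so that values in the crash range can be counted or logged as a distinct signal.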

Credits

  • Thanks to @imhunterand for finding the crash method
  • Thanks to the @pwn0sec CSE Team for being our test subjects