Counter Strike 1.6/CZ GoldSrc BSP Map Exploit HD
Through fuzzing of Half-Life 1 (Counter Strike: Condition Zero) map files (.BSP), I discovered a buffer overflow that allowed me to create an exploit to run arbitrary code.

Full writeup: https://hernan.de/blog/2017/07/07/lock-and-load-exploiting-counter-strike-via-bsp-map-files/

Exploit details: The BSP map file is loaded and parsed by hl.exe (which can run Half-Life, CZ, or 1.6), but when loading edges from a model, the engine will load too many onto the stack, which causes the program to crash. In investigating this crash, I noticed there were no canaries (stack cookies) used to prevent this, so I was able to construct a ROP chain using mona to disable DEP and then pivot to a cmd.exe CreateProcess shellcode.

Tools used:
* CERT BFF - fuzzer and crash detection
* !exploitable - crash triage (bundled with BFF)
* WinDBG - general debugging
* ImmDBG - !mona ROP chain generation
* Python - for exploit creation and injection into map file
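The root cause described above is a length field read from the file and trusted when filling a fixed-size stack array. The following is an added example, not code from the video or from the GoldSrc engine: a hypothetical edge-lump loader (constructed layout: a 4-byte count followed by that many 4-byte edges, which is not the real BSP format) shown in its unchecked form next to a hardened form that validates the count against both the destination capacity and the bytes actually present before copying. The names `load_edges_unchecked`, `load_edges_checked`, `build_lump` and `MAX_MODEL_EDGES` are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed layout for this example (not the real BSP edge lump):
   uint32_t count, followed by count edges of two uint16_t vertex indices. */
#define MAX_MODEL_EDGES 64

typedef struct { uint16_t v[2]; } edge_t;

/* Vulnerable pattern: the count comes straight from the file and is used to
   size a copy into a fixed stack buffer. A count larger than MAX_MODEL_EDGES
   writes past 'edges' into the rest of the frame (the bug class the video
   describes). Kept here only for comparison; nothing below calls it. */
int load_edges_unchecked(const uint8_t *buf, size_t len)
{
    edge_t edges[MAX_MODEL_EDGES];
    uint32_t n;
    if (len < sizeof n) return -1;
    memcpy(&n, buf, sizeof n);
    memcpy(edges, buf + sizeof n, (size_t)n * sizeof(edge_t));  /* no bound on n */
    return (int)n;
}

/* Hardened pattern: reject a count that exceeds the destination capacity
   (-2) or that claims more payload than the buffer actually contains (-3).
   Only then copy. Returns the number of edges loaded on success. */
int load_edges_checked(const uint8_t *buf, size_t len, edge_t *out, size_t out_cap)
{
    uint32_t n;
    if (buf == NULL || out == NULL || len < sizeof n) return -1;
    memcpy(&n, buf, sizeof n);
    if (n > out_cap) return -2;                           /* would overflow 'out' */
    if ((len - sizeof n) / sizeof(edge_t) < n) return -3; /* truncated / lying lump */
    memcpy(out, buf + sizeof n, (size_t)n * sizeof(edge_t));
    return (int)n;
}

/* Helper to build a constructed lump: 'declared' is the count written into the
   header, 'present' is how many edges are really appended. Returns bytes written. */
size_t build_lump(uint8_t *dst, size_t dst_cap, uint32_t declared, uint32_t present)
{
    size_t need = sizeof declared + (size_t)present * sizeof(edge_t);
    if (need > dst_cap) return 0;
    memcpy(dst, &declared, sizeof declared);
    for (uint32_t i = 0; i < present; i++) {
        edge_t e = { { (uint16_t)i, (uint16_t)(i + 1) } };
        memcpy(dst + sizeof declared + (size_t)i * sizeof(edge_t), &e, sizeof e);
    }
    return need;
}

int main(void)
{
    uint8_t buf[512];
    edge_t out[MAX_MODEL_EDGES];

    size_t len = build_lump(buf, sizeof buf, 3, 3);        /* honest lump */
    printf("valid lump:      %d\n", load_edges_checked(buf, len, out, MAX_MODEL_EDGES));

    len = build_lump(buf, sizeof buf, 1000, 3);            /* count > capacity */
    printf("oversized count: %d\n", load_edges_checked(buf, len, out, MAX_MODEL_EDGES));

    len = build_lump(buf, sizeof buf, 10, 3);              /* count > bytes present */
    printf("truncated lump:  %d\n", load_edges_checked(buf, len, out, MAX_MODEL_EDGES));
    return 0;
}
```

The two checks are independent: the capacity check stops the stack overflow, and the length check stops an out-of-bounds read when a file declares more edges than it carries. On a modern build the same function would additionally be compiled with stack cookies and run under DEP and ASLR, but as the video notes those mitigations were absent or bypassable here, so the input validation is the primary defence.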