Vulnerability Development mailing list archives

Re: Format string bug in Half-Life client, but is it really exploitable???


From: Vade 79 <v9 () fakehalo deadpig org>
Date: 30 Sep 2003 01:21:41 -0000

In-Reply-To: <20030929190139.274c91cd.aluigi () altervista org>

]%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x
Unknown command:
270b4768.270b47e8.270b4868.270b48e8.27031ae9.0a07f128.00000002.01e11f28.01d1105c

if you can make that occur remotely via client or server, it will almost surely be exploitable.

format bug exploitation is a "write anywhere in memory you want" kind of deal and in almost all situations will allow
for easy exploitation of the bug.

things like size limitations (of the buffer being parsed, not the buffer being written to), character truncation, and overflow
of internal buffers while processing are some of the things that can hinder, but not stop, exploitation.

as it looks there, it looks like it's ready to go for exploitation.  you said you didn't know much about exploiting them
though; plenty of (good) how-tos out there, not as hard to understand as many crack it up to be.
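The pattern behind the quoted console output, as an added example that is not part of the original post and not Half-Life's own code: an "unknown command" handler that passes the untrusted command straight in as the format string (which is why each `%08x` dumped a stack word), the one-line fix that treats the command as data via `"%s"`, and a small scanner that counts printf directives in console input so a server or proxy can flag probing like the nine `%08x` shown above. All function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post, not Half-Life's code).
 * Compile with -Wall -Wformat -Wformat-security to have the compiler
 * flag the unsafe variant below. */

/* VULNERABLE: the untrusted command becomes the format string, so "%08x"
 * in the command reads stack words and "%n" writes memory. Shown only for
 * contrast; nothing here calls it. */
static void report_unknown_command_unsafe(char *out, size_t outsz, const char *cmd)
{
    snprintf(out, outsz, cmd);          /* cmd interpreted as a format string */
}

/* FIXED: the command is passed as an argument to a constant format string,
 * so '%' in it is copied literally and never interpreted. */
static int report_unknown_command(char *out, size_t outsz, const char *cmd)
{
    return snprintf(out, outsz, "Unknown command: %s", cmd);
}

/* Returns 1 if the safe path reproduces the command text verbatim
 * (i.e. "%08x" comes back as the four characters, not a stack word). */
static int safe_echo_keeps_literal(const char *cmd)
{
    char out[512];
    report_unknown_command(out, sizeof out, cmd);
    return strstr(out, cmd) != NULL;
}

/* Walks one printf directive starting just after a '%'. Returns the
 * conversion character found ('\0' if the directive is malformed) and
 * advances *p past it. "%%" is reported as '%' and is a literal percent. */
static char next_directive(const char **p)
{
    const char *s = *p;
    if (*s == '%') { *p = s + 1; return '%'; }
    /* skip flags, width, precision, positional and length modifiers */
    while (*s && strchr("-+ #0123456789.*hlLqjzt$", *s))
        s++;
    if (*s && strchr("diouxXeEfFgGaAcspn", *s)) {
        *p = s + 1;
        return *s;
    }
    *p = s;
    return '\0';
}

/* Counts real conversion directives in untrusted text. Console commands
 * have no legitimate need for them, so a non-zero count on an inbound
 * command is a usable detection signal; "%%" does not count. */
static int count_format_directives(const char *s)
{
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        char c = next_directive(&s);
        if (c != '\0' && c != '%')
            n++;
    }
    return n;
}

/* Returns 1 if the text carries "%n", the directive that writes to memory
 * and turns a read-only leak into the "write anywhere" case from the thread. */
static int has_write_directive(const char *s)
{
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (next_directive(&s) == 'n')
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the exact probe string quoted in the thread. */
    const char *probe = "%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x";
    char out[512];

    report_unknown_command(out, sizeof out, probe);
    printf("%s\n", out);                          /* echoes the text literally */
    printf("directives=%d writes=%d\n",
           count_format_directives(probe), has_write_directive(probe));
    (void)report_unknown_command_unsafe;          /* never invoked */
    return 0;
}
```

The scanner deliberately treats `%%` as harmless and recognises flags, widths and length modifiers, so `%08x`, `%-20s` and `%hhn` are all counted while `100%% done` is not.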

