Steam sockets is the core networking library used in a wide variety of games, such as Dota2. This protocol runs over UDP and also supports WebRTC.
With UDP, reliable transmission has to be built into the protocol itself (unlike TCP). In the past, this had been done insecurely (Apache and several others), so this was a natural target for the attackers.
There is a value (nOffset) that is fully controllable by a user. It is initialized as an unsigned integer but later used as a signed integer. When this offset is later used for writing to the buffer, it can underflow.
However, there was an issue with this via a sanity check for one of the iterators. This put the program into an undefined state: it will keep treating the output of table queries as valid segment data, even when a query finally returns an end() element. This empty C++ iterator could be interesting for an attacker, though.
C++ iterators use the language's operator overloading features to work. The end iterator returns a pointer to the end of the array. This is actually a pointer just past the final element in the list.
Complicated data structures, such as maps, are implemented using red-black trees, which makes iteration a little more complicated. The author of the exploit creates a fake hash table to iterate out.
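The two pitfalls described above, the unsigned offset checked as a signed value and the end() result treated as valid segment data, shown next to their hardened forms. This is an added example, not code from the Steam Sockets library or from the exploit author; only the name nOffset comes from the page, while the buffer size, table type and function names are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// Hypothetical reassembly buffer; only the name nOffset comes from the page.
constexpr std::size_t kBufSize = 64;
using SegmentTable = std::map<std::uint32_t, std::vector<std::uint8_t>>;

// Flawed pattern: the wire value is unsigned, but the check runs on a signed copy.
// 0xFFFFFFF0 becomes -16, so "-16 + 8 <= 64" passes and the write lands before the buffer.
bool signed_check_accepts(std::uint32_t nOffset, std::uint32_t len) {
    int off = static_cast<int>(nOffset);  // the conversion C++ would otherwise do silently
    return off + static_cast<int>(len) <= static_cast<int>(kBufSize);
}

// Hardened: stay unsigned and compare against the remaining space, which cannot wrap.
bool unsigned_check_accepts(std::uint32_t nOffset, std::uint32_t len) {
    return nOffset <= kBufSize && len <= kBufSize - nOffset;
}

// A failed lookup returns end(), a position one past the last element. It holds no
// segment, so it is rejected before any use of it->second.
bool write_segment(const SegmentTable& table, std::uint32_t id, std::uint32_t nOffset,
                   std::uint8_t* buf, std::size_t* written) {
    auto it = table.find(id);
    if (it == table.end()) return false;
    const std::vector<std::uint8_t>& data = it->second;
    if (data.size() > kBufSize) return false;  // also makes the cast below lossless
    if (!unsigned_check_accepts(nOffset, static_cast<std::uint32_t>(data.size())))
        return false;
    std::copy(data.begin(), data.end(), buf + nOffset);
    *written = data.size();
    return true;
}

int main() {
    SegmentTable table;                       // constructed sample data
    table[1] = {0xde, 0xad, 0xbe, 0xef};
    std::uint8_t buf[kBufSize] = {0};
    std::size_t n = 0;
    std::printf("signed check accepts 0xFFFFFFF0: %d\n", signed_check_accepts(0xFFFFFFF0u, 8));
    std::printf("unsigned check accepts it:       %d\n", unsigned_check_accepts(0xFFFFFFF0u, 8));
    std::printf("missing segment id written:      %d\n", write_segment(table, 2, 0, buf, &n));
    std::printf("valid segment written:           %d\n", write_segment(table, 1, 60, buf, &n));
    return 0;
}
```

Compiling with -Wconversion and -Wsign-conversion flags the implicit form of the signed conversion that the cast above makes explicit.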
After the data has been validated, all unused areas are freed. This can be used for a House of Spirit attack to free data into an arbitrary location.
To me, the main takeaways are using C++ complex objects to our advantage and C++ silently converting types without us even knowing it.