Exploiting a Factorio Buffer Overflow

We discussed this vulnerability during Episode 236 on 15 January 2024.

A fun but simple buffer overflow in Factorio. When loading a save file, the game reads a PropertyTree from it. It pre-allocates space for the file data before reading it in, taking the size from a field in the header (data_length) and adding one. That addition can overflow the size integer to zero, which Factorio's new[] allocator turns into an allocation of size 1. The original, unmodified size is then used for the copy, which writes a large amount of data past the end of the buffer. Exploitation was straightforward because the binary is compiled without Position Independent Executable (PIE) support, so a function pointer can be hijacked and pointed at a fixed-address gadget to kick off a ROP chain.
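As an added example (not from the page or from Factorio's own code), a constructed C model of the length-plus-one allocation step described above, with the vulnerable computation beside a hardened check. The 32-bit width of data_length, the sample file contents and the function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the allocation step: data_length is assumed to be an
 * unsigned 32-bit header field (the real header layout is not on the page). */

/* Vulnerable pattern: computes data_length + 1 in 32-bit arithmetic, so a
 * data_length of UINT32_MAX wraps to 0, which the allocator rounds up to a
 * 1-byte buffer. Returns the number of bytes that would actually be allocated;
 * the copy that follows in the game still uses the original data_length. */
uint32_t vuln_alloc_size(uint32_t data_length) {
    uint32_t alloc = data_length + 1;   /* wraps to 0 when data_length == UINT32_MAX */
    return alloc == 0 ? 1 : alloc;      /* zero-size new[] treated as a 1-byte allocation */
}

/* Hardened check: reject a length whose +1 would overflow, and reject any
 * length larger than the bytes actually remaining in the file. */
bool safe_length(uint32_t data_length, size_t remaining_in_file) {
    if (data_length == UINT32_MAX) return false;               /* +1 would wrap */
    if ((size_t)data_length > remaining_in_file) return false; /* longer than the file */
    return true;
}

/* Hardened reader: allocates data_length + 1 (safe because safe_length ruled
 * out UINT32_MAX), copies data_length bytes and NUL-terminates. Returns NULL
 * on a rejected length or allocation failure; caller frees the result. */
char *read_property_tree_data(const uint8_t *file_data, size_t file_len,
                              uint32_t data_length) {
    if (!safe_length(data_length, file_len)) return NULL;
    size_t alloc = (size_t)data_length + 1;
    char *buf = malloc(alloc);
    if (buf == NULL) return NULL;
    memcpy(buf, file_data, data_length);
    buf[data_length] = '\0';
    return buf;
}
```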