MicroCorruption/18-Chernobyl/Notes


Hash Table, plus one full box:
      0  1 2  3 4  5 6  7 8  9 a  b c  d e  f
5000:[0050 1050 1500]0b00 0300 0500 1650 2c50   .P.P.........P,P
5010:[0050 2650 2100]4250 a250 0251 6251 c251   .P&P!.BP.P.QbQ.Q
5020: 2252 8252 e252[1050 3c50 2100]0b00 0000   "R.R.R.P<P!.....
5030: 0000 0000 0000 0000 0000 0000[2650 9c50   ............&P.P
5040: b500]4141 4141 4141 4141 4141 4141 4141   ..AAAAAAAAAAAAAA
5050: 4100 e004 4141 4141 4141 4141 4141 4141   A...AAAAAAAAAAAA
5060: 4141 4100 e004 4141 4141 4141 4141 4141   AAA...AAAAAAAAAA
5070: 4141 4141 4100 e004 4141 4141 4141 4141   AAAAA...AAAAAAAA
5080: 4141 4141 4141 4100 e004 4141 4141 4141   AAAAAAA...AAAAAA
5090: 4141 4141 4141 4141 4100 e004[4141 4141   AAAAAAAAA...AAAA ; wait a second
50a0: 4141]4141 4141 4141 4141 4100 e004 4141   AAAAAAAAAAA...AA
50b0: 4141 4141 4141 4141 4141 4141 4100 e004   AAAAAAAAAAAAA...
50c0: 4141 4141 4141 4141 4141 4141 4141 4100   AAAAAAAAAAAAAAA.
50d0: e004 4141 4141 4141 4141 4141 4141 4141   ..AAAAAAAAAAAAAA
50e0: 4100 e004 4141 4141 4141 4141 4141 4141   A...AAAAAAAAAAAA
50f0: 4141 4100 e004 4141 4141 4800[9c50 5c51   AAA...AAAAH..P\Q
5100: b500]0000 0000 e004 0000 0000 0000 0000   ................

Heap metadata @ 2400: 0050 0080 0000
Heap start: 0x5000
Heap  size: 0x8000 (0x5000-0xD000)

Hash Table Header:
Hash table header metadata @ 5000: 0050 1050 1500
   [ Prev: 0x5000, Next: 0x5010, Size: 0x000a ] ; malloc block-header ({size:15,status:1})
Data: 0b00 0300 0500 1650 2c50
   00: 000b: Number of registered users(?)
   02: 0003: Parameter 1 (Box bitmask = 2^(<3>+1) - 1)
   04: 0005: Parameter 2 (Rightshift?)
   06: 5016: & Box Pointer List
   08: 502c: & Per-box User Count List

Box Pointer List:
Box list header metadata @ 5010: 0050 2650 2100
   [ Prev: 5000, Next: 5026, Size: 0010 ]
Data: 4250 a250 0251 6251 c251 2252 8252 e252
   00: 5042 & Box 0
   02: 50a2 & Box 1
   04: 5102 & Box 2
   06: 5162 & Box 3
   08: 51c2 & Box 4
   0a: 52c2 & Box 5
   0c: 5282 & Box 6
   0e: 52e2 & Box 7

Other Data Section (?)
Section header metadata @ 5026: 1050 3c50 2100
   [ Prev: 5010, Next: 503c, Size: 0010 ]
Data: 0a00 0000 0000 0000 0000 0000 0000 0000

for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
   print(f'new {c} ;',end="")

Malloc:
- Checks to make sure next pointer is always ASCENDING
- Does not check prev pointer!!!!

The Exploit:
- Overwrite the prev pointer of a block so that it points to ~ the return address on stack
- Overwrite the size parameter so that, when added to the return address, it places pc somewhere nice
- Place pc into a payload on the stack
- INT 0x7f
Add Chernotesbyl 2022-08-15 04:11:30 +00:00
			`Hash Table, plus one full box:`
Solve Chernobyl 2022-09-02 11:24:41 +00:00			`0 1 2 3 4 5 6 7 8 9 a b c d e f`
			`5000:[0050 1050 1500]0b00 0300 0500 1650 2c50 .P.P.........P,P`
			`5010:[0050 2650 2100]4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q`
			`5020: 2252 8252 e252[1050 3c50 2100]0b00 0000 "R.R.R.P<P!.....`
			`5030: 0000 0000 0000 0000 0000 0000[2650 9c50 ............&P.P`
			`5040: b500]4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA`
Add Chernotesbyl 2022-08-15 04:11:30 +00:00			`5050: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA`
			`5060: 4141 4100 e004 4141 4141 4141 4141 4141 AAA...AAAAAAAAAA`
			`5070: 4141 4141 4100 e004 4141 4141 4141 4141 AAAAA...AAAAAAAA`
			`5080: 4141 4141 4141 4100 e004 4141 4141 4141 AAAAAAA...AAAAAA`
Solve Chernobyl 2022-09-02 11:24:41 +00:00			`5090: 4141 4141 4141 4141 4100 e004[4141 4141 AAAAAAAAA...AAAA ; wait a second`
			`50a0: 4141]4141 4141 4141 4141 4100 e004 4141 AAAAAAAAAAA...AA`
Add Chernotesbyl 2022-08-15 04:11:30 +00:00			`50b0: 4141 4141 4141 4141 4141 4141 4100 e004 AAAAAAAAAAAAA...`
			`50c0: 4141 4141 4141 4141 4141 4141 4141 4100 AAAAAAAAAAAAAAA.`
			`50d0: e004 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA`
			`50e0: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA`
Solve Chernobyl 2022-09-02 11:24:41 +00:00			`50f0: 4141 4100 e004 4141 4141 4800[9c50 5c51 AAA...AAAAH..P\Q`
			`5100: b500]0000 0000 e004 0000 0000 0000 0000 ................`
Add Chernotesbyl 2022-08-15 04:11:30 +00:00
Changes from August 15 2022-08-15 08:57:45 +00:00			`Heap metadata @ 2400: 0050 0080 0000`
Add Chernotesbyl 2022-08-15 04:11:30 +00:00			`Heap start: 0x5000`
			`Heap size: 0x8000 (0x5000-0xD000)`

			`Hash Table Header:`
			`Hash table header metadata @ 5000: 0050 1050 1500`
			`[ Prev: 0x5000, Next: 0x5010, Size: 0x000a ] ; malloc block-header ({size:15,status:1})`
			`Data: 0b00 0300 0500 1650 2c50`
			`00: 000b: Number of registered users(?)`
			`02: 0003: Parameter 1 (Box bitmask = 2^(<3>+1) - 1)`
			`04: 0005: Parameter 2 (Rightshift?)`
			`06: 5016: & Box Pointer List`
Changes from August 15 2022-08-15 08:57:45 +00:00			`08: 502c: & Per-box User Count List`
Add Chernotesbyl 2022-08-15 04:11:30 +00:00
			`Box Pointer List:`
			`Box list header metadata @ 5010: 0050 2650 2100`
			`[ Prev: 5000, Next: 5026, Size: 0010 ]`
			`Data: 4250 a250 0251 6251 c251 2252 8252 e252`
			`00: 5042 & Box 0`
			`02: 50a2 & Box 1`
			`04: 5102 & Box 2`
			`06: 5162 & Box 3`
			`08: 51c2 & Box 4`
			`0a: 52c2 & Box 5`
			`0c: 5282 & Box 6`
			`0e: 52e2 & Box 7`

			`Other Data Section (?)`
			`Section header metadata @ 5026: 1050 3c50 2100`
			`[ Prev: 5010, Next: 503c, Size: 0010 ]`
			`Data: 0a00 0000 0000 0000 0000 0000 0000 0000`
Changes from August 15 2022-08-15 08:57:45 +00:00
			`for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:`
			`print(f'new {c} ;',end="")`
Solve Chernobyl 2022-09-02 11:24:41 +00:00
			`Malloc:`
			`- Checks to make sure next pointer is always ASCENDING`
			`- Does not check prev pointer!!!!`

			`The Exploit:`
			`- Overwrite the prev pointer of a block so that it points to ~ the return address on stack`
			`- Overwrite the size parameter so that, when added to the return address, it places pc somewhere nice`
			`- Place pc into a payload on the stack`
			`- INT 0x7f`