mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2025-01-18 23:55:59 +00:00
32 lines
787 B
Markdown
32 lines
787 B
Markdown
|
`Taken verbatim from my notebook`
|
||
|
# Page 1
|
||
|
```
|
||
|
Algiers d.01
|
||
|
"LockIT Pro Account Manager"
|
||
|
Tentative TODO:
|
||
|
Authorizer? How to auth user
|
||
|
Interfaces with HSM1
|
||
|
|
||
|
I can overflow heap objects
|
||
|
uname&pass 0x30 long
|
||
|
>0x10 overflows
|
||
|
Can I craft a fake heap object?
|
||
|
username -> overwrite pass blk header?
|
||
|
password -> ???
|
||
|
|
||
|
Hypothesis: arb write in free()
|
||
|
Username
|
||
|
passwordpassword[addr]
|
||
|
"d E "?
|
||
|
4398:
|
||
|
0000 4044 0000 .... Unguarded
|
||
|
in free: free() is arb
|
||
|
r15 = &this_block write~!
|
||
|
r14 = &prev_block
|
||
|
r13 = {size:15,final:1}
|
||
|
r12 = {prev_size:5,final:1}
|
||
|
if prev is final:
|
||
|
skip last-block steps
|
||
|
else last-block steps
|
||
|
```
|