j/MicroCorruption
1
0
Fork 0
mirror of https://git.soft.fish/val/MicroCorruption.git synced 2025-10-30 02:29:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Changes from August 15

Browse Source
This commit is contained in:
Val
2022-08-15 03:57:45 -05:00
parent 417ec16b59
commit 3532abb66e
6 changed files with 86 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
17-Chernobyl/Notes
View File

@@ -3,14 +3,14 @@ Hash Table, plus one full box:
5000: 0050 1050 1500 0b00 0300 0500 1650 2c50 .P.P.........P,P
5010: 0050 2650 2100 4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q
5020: 2252 8252 e252 1050 3c50 2100 0a00 0000 "R.R.R.P<P!.....
5020: 2252 8252 e252 1050 3c50 2100 0b00 0000 "R.R.R.P<P!.....
5030: 0000 0000 0000 0000 0000 0000 2650 9c50 ............&P.P
5040: b500 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
5050: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
5060: 4141 4100 e004 4141 4141 4141 4141 4141 AAA...AAAAAAAAAA
5070: 4141 4141 4100 e004 4141 4141 4141 4141 AAAAA...AAAAAAAA
5080: 4141 4141 4141 4100 e004 4141 4141 4141 AAAAAAA...AAAAAA
5090: 4141 4141 4141 4141 4100 e004 4141 4141 AAAAAAAAA...AAAA
5090: 4141 4141 4141 4141 4100 e004 4141 4141 AAAAAAAAA...AAAA ; wait a second
50a0: 4141 4141 4141 4141 4141 4100 e004 4141 AAAAAAAAAAA...AA
50b0: 4141 4141 4141 4141 4141 4141 4100 e004 AAAAAAAAAAAAA...
50c0: 4141 4141 4141 4141 4141 4141 4141 4100 AAAAAAAAAAAAAAA.
@@ -19,7 +19,7 @@ Hash Table, plus one full box:
50f0: 4141 4100 e004 4141 4141 4800 9c50 5c51 AAA...AAAAH..P\Q
5100: b500 0000 0000 e004 0000 0000 0000 0000 ................
Heap metadata @ 4d9e:
Heap metadata @ 2400: 0050 0080 0000
Heap start: 0x5000
Heap size: 0x8000 (0x5000-0xD000)
@@ -31,7 +31,7 @@ Data: 0b00 0300 0500 1650 2c50
02: 0003: Parameter 1 (Box bitmask = 2^(<3>+1) - 1)
04: 0005: Parameter 2 (Rightshift?)
06: 5016: & Box Pointer List
08: 502c: & Other Data Section
08: 502c: & Per-box User Count List
Box Pointer List:
Box list header metadata @ 5010: 0050 2650 2100
@@ -50,3 +50,11 @@ Other Data Section (?)
Section header metadata @ 5026: 1050 3c50 2100
[ Prev: 5010, Next: 503c, Size: 0010 ]
Data: 0a00 0000 0000 0000 0000 0000 0000 0000
The Exploit:
When an 11th user is added, the software will attempt to double the size of the heap. Overwriting a heap Next pointer allows us toAAAA
for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
print(f'new {c} ;',end="")