`Taken from my notebook, verbatim`

### Page 5

```
LAGOS
45a0: 0b41 -> 3041 "ret"
WE CAN add #4130, sp
~ MOVE THE STACK ~
0: input [0x1bf]=
1: ret -> 4444 (sp+0x60)
2: Move stack to 2400+1c0
3: Ret -> arbitrary address (i.e. 2400+1c2)
4: Execute arbitrary code
```

### Page 1

```
Lagos
Alphanumerics Only
0x200 B -> #2400
Password valid range: 8-16 c
Valid chars: [0-9] [A-Z] [a-z]
             30-39 41-5a 61-7a
We have enough chars to overwrite current function
1b5 bytes before hitting current instruction
3041 = ret
45a0 = 0b41 at index 1b5
Control of return addr -> we can ret to string buffer bypassing sanitizer!
ret to 2400+1bb 25b5 run code from there!
ret at index 0x11 ... we need a JMP to get there.
... all our jumps are positive
```

### Page 2

```
D p 4470 looks like a good place
D 0 for code, or 4430
5a37: jge $-14a ?
Arithmetic instructions
Form addresses with sub?
25 b6 bb25 ^lsb
55-30 7a-30(ish)
547a + 3030 = 5630 - 307a = 25bb!
V 0 0 z
We can load from our string:
pop r4 = 3441 "4 A " -> can be any reg from 0-9: 3r41
add.b = 7x5y
3451 = pop & add to r4
3441 3451
pop r4 add r4
```

### Page 3

```
Instructions in range
30: jn
34: jge
38: jl
3c: jmp
4#: mov
5#: add
6#: addc
7#: subc
Feasible addressing modes
10 @Rn   Register indirect
11 @Rn+  RI w/ post-inc
Subtract the stack from pc?
3071 subc @sp+, pc
"Large relative jump"
Alignment in 2400 buffer is not same as in PC
```

### Page 4

```
What is an alphanumeric character?
[0-9] [A-Z] [a-z]
30-39 41-5a 61-7a
Buffers:
43ed: stack buffer
2400: load buffer
43ed + 0x57: 4444
45a0: last byte copied (1b3 bytes)
&[43ed + 1b3] = 0x30, '0'
43ed + 1c0 = payload
Correction: sp at 43ec before we gain exec
ret will take sp to 43ee
... we need to create a fake stack somewhere over in the controllable zone
The loop only continues if the FOLLOWING BYTE is valid.
```
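The defensive takeaway of these notes is the combination of the 8-16 alphanumeric rule on page 1 and the sanitizer behaviour recorded on page 4: the copy loop keeps going as long as the following byte is valid, so the character class is enforced but the length never is, and 0x1b5 bytes of valid characters reach the stack. The C below is an added illustration, not the Lagos firmware and not anything from the notebook: a constructed lookahead loop that only counts how far such a loop would copy (it writes nothing, so nothing is corrupted), next to a validator that bounds the length before touching the destination buffer. PW_MIN, PW_MAX, the function names and the 0x1b5-byte sample input are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the Lagos firmware. The notes record a
 * password rule of 8-16 alphanumeric characters and a copy loop that only
 * continues while the FOLLOWING byte is alphanumeric. */

#define PW_MIN 8                  /* assumed: lower bound from the notes */
#define PW_MAX 16                 /* assumed: upper bound from the notes */

/* Same character class as the notes: 30-39, 41-5a, 61-7a. */
static int is_alnum_ascii(unsigned char c) {
    return (c >= 0x30 && c <= 0x39) ||
           (c >= 0x41 && c <= 0x5a) ||
           (c >= 0x61 && c <= 0x7a);
}

/* Flawed pattern from the notes: the next byte is validated, the count
 * never is. Returns how many bytes such a loop would copy. It only counts
 * and never writes, so the overflow is reported, not reproduced. */
size_t lookahead_copy_len(const unsigned char *src, size_t src_len) {
    size_t n = 0;
    /* copy byte n, then continue only if the following byte is valid */
    while (n < src_len && is_alnum_ascii(src[n]))
        n++;
    return n;                     /* unbounded by any destination size */
}

enum pw_status { PW_OK = 0, PW_TOO_SHORT, PW_TOO_LONG, PW_BAD_CHAR };

/* Hardened check: bound the length first, then the character class, and
 * copy only after both pass. dst must hold PW_MAX + 1 bytes. */
enum pw_status validate_and_copy(const unsigned char *src, size_t src_len,
                                 char dst[PW_MAX + 1]) {
    if (src_len < PW_MIN) return PW_TOO_SHORT;
    if (src_len > PW_MAX) return PW_TOO_LONG;   /* rejected before any copy */
    for (size_t i = 0; i < src_len; i++)
        if (!is_alnum_ascii(src[i])) return PW_BAD_CHAR;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return PW_OK;
}

/* Builds a 0x1b5-byte alphanumeric run (constructed sample input, the same
 * length the notes mention) and reports what each routine does with it. */
int main(void) {
    static unsigned char big[0x1b5];
    char dst[PW_MAX + 1];
    memset(big, 'A', sizeof big);
    printf("lookahead loop would copy %zu bytes (limit is %d)\n",
           lookahead_copy_len(big, sizeof big), PW_MAX);
    printf("bounded validator returns %d (2 = PW_TOO_LONG)\n",
           (int)validate_and_copy(big, sizeof big, dst));
    return 0;
}
```

The point of the pairing is that the character-class check alone is not a length check: the counting loop happily accepts all 437 bytes, while the bounded validator refuses the input before a single byte is written.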