mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-12-11 21:05:59 +00:00
787 B
787 B
Taken verbatim from my notebook
Page 1
Algiers d.01
"LockIT Pro Account Manager"
Tentative TODO:
Authorizer? How to auth user
Interfaces with HSM1
I can overflow heap objects
uname&pass 0x30 long
>0x10 overflows
Can I craft a fake heap object?
username -> overwrite pass blk header?
password -> ???
Hypothesis: arb write in free()
Username
passwordpassword[addr]
"d E "?
4398:
0000 4044 0000 .... Unguarded
in free: free() is arb
r15 = &this_block write~!
r14 = &prev_block
r13 = {size:15,final:1}
r12 = {prev_size:5,final:1}
if prev is final:
skip last-block steps
else last-block steps