mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-12-11 23:35:59 +00:00
32 lines
787 B
Markdown
32 lines
787 B
Markdown
`Taken verbatim from my notebook`
|
|
# Page 1
|
|
```
|
|
Algiers d.01
|
|
"LockIT Pro Account Manager"
|
|
Tentative TODO:
|
|
Authorizer? How to auth user
|
|
Interfaces with HSM1
|
|
|
|
I can overflow heap objects
|
|
uname&pass 0x30 long
|
|
>0x10 overflows
|
|
Can I craft a fake heap object?
|
|
username -> overwrite pass blk header?
|
|
password -> ???
|
|
|
|
Hypothesis: arb write in free()
|
|
Username
|
|
passwordpassword[addr]
|
|
"d E "?
|
|
4398:
|
|
0000 4044 0000 .... Unguarded
|
|
in free: free() is arb
|
|
r15 = &this_block write~!
|
|
r14 = &prev_block
|
|
r13 = {size:15,final:1}
|
|
r12 = {prev_size:5,final:1}
|
|
if prev is final:
|
|
skip last-block steps
|
|
else last-block steps
|
|
```
|