Solve Novosibirsk in less than an hour
parent 5f149b34ce
commit c67b7935b8
25 README.md
@ -297,7 +297,7 @@ We can use a bug in printf that uses the printf string as the output address of
will then write `3` (number of characters to this point) into that address.
```
add
address of unlock door
/
----
603a256e61256e
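Review bot: the `3` that this hunk says gets written is produced by the second `%n` in `603a256e61256e`, after the first `%n` (`256e`) and the `61` byte have already been emitted; the diagram labels only one `%n` and the bare `add` label is ambiguous, so spell out which `%n` does the final write and that `603a` is the little-endian encoding of the target address, consistent with `c844` standing for `0x44c8` in the Novosibirsk section below.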
@ -308,3 +308,26 @@ will then write `3` (number of characters to this point) into that address.
## Novosibirsk
|
This is the second exercise where we can exploit a printf vulnerability. The key insight we've
gained while playing with different inputs is that '%n' writes the number of characters written so
far to the address defined by the two initial characters. We can use this insight to replace the
HSM-2 interrupt `0x7e` with the door unlock interrupt `0x7f`.
|
To build the attack, the first to characters must point to `0x44c8` where
`0x7e` is located. Then, we must make the string exactly long enough so that
the final number of characters is `0x7f`. Finally, we add `%n` to trigger the
attack.
|
```
address of HSM-2 interrupt ID
/ '%n'
/ /
---- -----
c844 + '61' * 0x7d + 256e
-----------
\ Make numbers
```
|
## Algiers
|
|
|
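Review bot: the Novosibirsk write-up should say that `%n` stores a whole integer rather than a single byte, so writing `0x7f` to `0x44c8` also overwrites the neighbouring byte at `0x44c9`; state whether that byte tolerates being changed, since the text only claims that `0x7e` is replaced by `0x7f`. The character count does add up (2 address bytes + `0x7d` bytes of `61` = `0x7f` characters before `%n`), so it is worth writing that arithmetic out next to the diagram. Two smaller points: "the first to characters" should read "the first two characters", and the `## Algiers` heading is added with no body, so either drop it until the section is written or mark it as a placeholder.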