Solve Novosibirsk in less than an hour

2023-03-11 15:22:09 -05:00 · 2023-03-11 15:22:09 -05:00 · c67b7935b8
parent 5f149b34ce
commit c67b7935b8
1 changed files with 24 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -297,7 +297,7 @@ We can use a bug in printf that uses the printf string as the output address of
 will then write `3` (number of characters to this point) into that address.

 ```
-     add
+     address of unlock door
    /
 ----
 603a256e61256e
@ -308,3 +308,26 @@ will then write `3` (number of characters to this point) into that address.

 ## Novosibirsk

+This is the second exercise where we can exploit a printf vulnerability. The key insight we've
+gained while playing with different inputs is that '%n' writes the number of characters written so
+far to the address defined by the two initial characters. We can use this insight to replace the
+HSM-2 interrupt `0x7e` with the door unlock interrupt `0x7f`.
+
+To build the attack, the first to characters must point to `0x44c8` where
+`0x7e` is located. Then, we must make the string exactly long enough so that
+the final number of characters is `0x7f`. Finally, we add `%n` to trigger the
+attack.
+
+```
+      address of HSM-2 interrupt ID
+     /                      '%n'
+    /                     /
+----                 -----
+c844 + '61' * 0x7d + 256e
+       -----------
+                  \ Make numbers
+```
+
+## Algiers
+
+