felixm/microcorruption
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Solve Novosibirsk in less than an hour

Browse Source
This commit is contained in:
Felix Martin
2023-03-11 15:22:09 -05:00
parent 5f149b34ce
commit c67b7935b8
1 changed files with 24 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
README.md
View File

@@ -297,7 +297,7 @@ We can use a bug in printf that uses the printf string as the output address of
will then write `3` (number of characters to this point) into that address. will then write `3` (number of characters to this point) into that address.
``` ```
add address of unlock door
/ /
---- ----
603a256e61256e 603a256e61256e
@@ -308,3 +308,26 @@ will then write `3` (number of characters to this point) into that address.
## Novosibirsk ## Novosibirsk
This is the second exercise where we can exploit a printf vulnerability. The key insight we've
gained while playing with different inputs is that '%n' writes the number of characters written so
far to the address defined by the two initial characters. We can use this insight to replace the
HSM-2 interrupt `0x7e` with the door unlock interrupt `0x7f`.
To build the attack, the first to characters must point to `0x44c8` where
`0x7e` is located. Then, we must make the string exactly long enough so that
the final number of characters is `0x7f`. Finally, we add `%n` to trigger the
attack.
```
address of HSM-2 interrupt ID
/ '%n'
/ /
---- -----
c844 + '61' * 0x7d + 256e
-----------
\ Make numbers
```
## Algiers