📚
OpenRCE
is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.
About
Articles
Book Store
Distributed RCE
Downloads
Event Calendar
Forums
Live Discussion
Reference Library
RSS Feeds
Search
Users
What's New
Customize Theme
bluegrey
blackgreen
metal
simple
Flag:
Tornado!
Hurricane!
Login:
Password:
Remember Me
Register
Blogs
>>
lin0xx
's Blog
Created: Thursday, February 4 2010 20:38.25 CST
Direct Link, View / Make / Edit Comments
User-supplied Array Index Exploitation Simplified.. sort of.
Author:
lin0xx
# Views:
3044
Have you ever ran into a case where you controlled an index into an array, but then were tasked with the annoying prospect of massaging the overwrite to suit your needs?
For example, from http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=5 :
#define RFC2231_MAX 64
...
char *pieces[RFC2231_MAX];
and indexed by the signed integer variable 'n':
if(n < RFC2231_MAX){
pieces[n] = parms->value;
^^ Note: parms->value is a pointer to user data.
Say you do some reversing and find out that 'pieces' is 300 bytes away from the stored return address. From the array write, we can tell that overwriting the return address would totally be exploitable (assuming no N^X) since it's overwritten with a pointer to data supplied by you.
We need the following: a negative integer that when multiplied by 4 (assuming a 32 bit architecture here), will yield 300.
Well, I'm not the most k-awesome bithax0r in the world, so I find the prospect of finding a negative integer to exploit this bug to be quite annoying. I know what I want, I just don't want to waste time telling some stupid imperative language how to give it to me! What could possibly solve my quandary? Hmmm, STP.. a constraint solver.. that sounds like just the thing!
Throw this into a file:
dummy: BITVECTOR(32);
overflow : BITVECTOR(64);
multiplyOverflow : BITVECTOR(64);
notDummy : BITVECTOR(32);
evilIndex : BITVECTOR(32);
% Make sure the number is negative via two's compliment ninjutsu
ASSERT(notDummy = ~dummy);
ASSERT(evilIndex = BVPLUS(32, notDummy, 0hex00000001));
% Make sure it's signed too
ASSERT(evilIndex & 0hex80000000 = 0hex80000000);
% Need a bigger bit width to express the overflow
ASSERT(overflow[31:0] = evilIndex);
ASSERT(multiplyOverflow = BVMULT(64, overflow, 0hex0000000000000004));
% We want evilIndex*4 == 300
ASSERT(multiplyOverflow[31:0] = 0hex0000012C);
QUERY(FALSE);
Now feed it to the solver...
$ stp -p array.access.stp
ASSERT( v_solver_0 = 0x00000000 );
ASSERT( overflow = 0x00000000C000004B );
ASSERT( multiplyOverflow = 0x000000030000012C );
ASSERT( evilIndex = 0xC000004B );
ASSERT( notDummy = 0xC000004A );
ASSERT( dummy = 0x3FFFFFB5 );
Invalid.
Well, there you have it: 0xC000004B. Compare this to the alternative (from: http://milw0rm.org/exploits/99 ) :
unsigned int num(int dist) {
int tmp = -1-dist;
unsigned int border = tmp;
int neg = (border/4)*(-1);
unsigned int res;
res = 0xffffffff+neg;
return res;
}
I checked the output of my formula against the return value for num() here - they matched.
Well, I know which method looks more intuitive to me.
Hope someone finds this useful!
Archived Entries for lin0xx
Subject
# Views
Created On
No archived blog entries found.
There are
31,328
total registered users.
Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Question about memor...
Dec/12
Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM
oleavr
Oct/24
Anatomy of a code tracer
hasherezade
Sep/24
IAT Patcher - new tool for ...
oleavr
Aug/27
CryptoShark: code tracer ba...
oleavr
Jun/25
Build a debugger in 5 minutes
More ...
Recent Blog Comments
nieo
on:
Mar/22
IAT Patcher - new tool for ...
djnemo
on:
Nov/17
Kernel debugger vs user mod...
acel
on:
Nov/14
Kernel debugger vs user mod...
pedram
on:
Dec/21
frida.github.io: scriptable...
capadleman
on:
Jun/19
Using NtCreateThreadEx for ...
More ...
Imagery
SoySauce Blueprint
Jun 6, 2008
[+] expand
View Gallery
(11) /
Submit
![[+] expand](/imagery/files/soysauce_blueprint.gif){kind=link}