
Usermode exploits

Forum rules
Forum rule Nº 15 is strictly enforced in this subforum.
Kankertje
Moderator
Posts: 830
Joined: Mon Apr 23, 2012 12:22 pm

Usermode exploits

Post by Kankertje »

new year update: some POC
viewtopic.php?f=6&t=13780&start=10#p221985
viewtopic.php?f=6&t=13780&start=20#p226274
got multiple usermode exploits now :)
--------------------------------------------------------------------------------------------------------------------------------------


EDIT2: another better looking crash viewtopic.php?f=6&t=13780&start=10#p163224
EDIT: new crash on next page viewtopic.php?f=6&t=13780&p=162852#p162852



got control over parts of
a0: 0x00720078
s1: 0x00720078

72(r) and 78(x) can be changed

Can this do anything?
Last edited by Kankertje on Sat Jan 12, 2013 11:33 am, edited 5 times in total.
Temik007
Banned
Posts: 82
Joined: Sun Jul 15, 2012 5:53 pm

Re: Crash

Post by Temik007 »

It is not exploitable, but maybe you can if you increase the length of the string. Good luck :)

UPD: you need to use UTF-8 tables
Kankertje
Moderator
Posts: 830
Joined: Mon Apr 23, 2012 12:22 pm

Re: Crash

Post by Kankertje »

Spent a few hours on it, got to this:


Exception - Address load/inst fetch
Thread ID -
Th Name   -
Module ID - 
Mod Name  -
EPC       - 0x089648D4
Cause     - 0x10000010
BadVAddr  - 0x8EA57590
Status    - 0x60088613
zr:0x00000000 at:0x08A4B1BC v0:0x08C70610 v1:0x09FFF4E0
a0:0x091FEFE0 a1:0x8EA57564 a2:0x6667686A a3:0x00000025
t0:0x66676869 t1:0x00000000 t2:0x00000060 t3:0x00000006
t4:0x087F1E00 t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x093B04A0 s1:0x08C3B148 s2:0x09FFF4E0 s3:0x091F8A68
s4:0x08C3B14C s5:0x091FEFE0 s6:0x08C414A0 s7:0x091FF120
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF3D0 fp:0x00001B59 ra:0x08969E9C
0x089648D4: 0x8CA8002C ',...' - lw         $t0, 44($a1)
Got full control of t0 and a2 (whose value is t0+1)

Any advice?
Temik007
Banned
Posts: 82
Joined: Sun Jul 15, 2012 5:53 pm

Re: Crash

Post by Temik007 »

I do not see an improvement; it is not exploitable.
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm

Re: Crash

Post by FrEdDy »

Provide a disassembly
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
Kankertje
Moderator
Posts: 830
Joined: Mon Apr 23, 2012 12:22 pm

Re: Crash

Post by Kankertje »

FrEdDy wrote:Provide a disassembly


Exception - Address load/inst fetch
Thread ID - 
Th Name   -
Module ID -
Mod Name  -
EPC       - 0x089648D4
Cause     - 0x10000010
BadVAddr  - 0x8EA57590
Status    - 0x60088613
zr:0x00000000 at:0x08A4B1BC v0:0x08C70610 v1:0x09FFF4E0
a0:0x091FEFE0 a1:0x8EA57564 a2:0x67676768 a3:0x00000025
t0:0x67676767 t1:0x00000000 t2:0x00000060 t3:0x00000006
t4:0x087F1E00 t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x093B04A0 s1:0x08C3B148 s2:0x09FFF4E0 s3:0x091F8A68
s4:0x08C3B14C s5:0x091FEFE0 s6:0x08C414A0 s7:0x091FF120
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF3D0 fp:0x00001B59 ra:0x08969E9C
0x089648D4: 0x8CA8002C ',...' - lw         $t0, 44($a1)
disasm 0x089648D4 50
0x089648D4: 0x8CA8002C ',...' - lw         $t0, 44($a1)
0x089648D8: 0x00802825 '%(..' - move       $a1, $a0
0x089648DC: 0x0106302A '*0..' - slt        $a2, $t0, $a2
0x089648E0: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x089648E4: 0x10C00005 '....' - beqz       $a2, 0x089648FC
0x089648E8: 0x00E02025 '% ..' - move       $a0, $a3
0x089648EC: 0x00803025 '%0..' - move       $a2, $a0
0x089648F0: 0x00A02025 '% ..' - move       $a0, $a1
0x089648F4: 0x0E25921C '..%.' - jal        0x08964870
0x089648F8: 0x00002825 '%(..' - move       $a1, $zr
0x089648FC: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x08964900: 0x03E00008 '....' - jr         $ra
0x08964904: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x08964908: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x0896490C: 0x00C03825 '%8..' - move       $a3, $a2
0x08964910: 0x00804025 '%@..' - move       $t0, $a0
0x08964914: 0xAFBF0014 '....' - sw         $ra, 20($sp)
0x08964918: 0x0E25920F '..%.' - jal        0x0896483C
0x0896491C: 0x00A04825 '%H..' - move       $t1, $a1
0x08964920: 0x10400006 '..@.' - beqz       $v0, 0x0896493C
0x08964924: 0x8D240000 '..$.' - lw         $a0, 0($t1)
0x08964928: 0x8D050014 '....' - lw         $a1, 20($t0)
0x0896492C: 0xAFA50010 '....' - sw         $a1, 16($sp)
0x08964930: 0x0085282A '*(..' - slt        $a1, $a0, $a1
0x08964934: 0x10A00009 '....' - beqz       $a1, 0x0896495C
0x08964938: 0x00000000 '....' - nop
0x0896493C: 0x00803025 '%0..' - move       $a2, $a0
0x08964940: 0x01002025 '% ..' - move       $a0, $t0
0x08964944: 0x0E25921C '..%.' - jal        0x08964870
0x08964948: 0x34050005 '...4' - li         $a1, 0x5
0x0896494C: 0x01002025 '% ..' - move       $a0, $t0
0x08964950: 0x34050006 '...4' - li         $a1, 0x6
0x08964954: 0x0E25921C '..%.' - jal        0x08964870
0x08964958: 0x00E03025 '%0..' - move       $a2, $a3
0x0896495C: 0x8FBF0014 '....' - lw         $ra, 20($sp)
0x08964960: 0x03E00008 '....' - jr         $ra
0x08964964: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x08964968: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x0896496C: 0x2484002C ',..$' - addiu      $a0, $a0, 44
0x08964970: 0x00002825 '%(..' - move       $a1, $zr
0x08964974: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x08964978: 0x0E2C5298 '.R,.' - jal        0x08B14A60
0x0896497C: 0x34060100 '...4' - li         $a2, 0x100
0x08964980: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x08964984: 0x03E00008 '....' - jr         $ra
0x08964988: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x0896498C: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08964990: 0x3C0408BE '...<' - lui        $a0, 0x8BE
0x08964994: 0xC48CC8BC '....' - lwc1       $fpr12, -14148($a0)
0x08964998: 0x3C0440A0 '.@.<' - lui        $a0, 0x40A0
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm

Re: Crash

Post by FrEdDy »

Disasm BEFORE epc
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
Kankertje
Moderator
Posts: 830
Joined: Mon Apr 23, 2012 12:22 pm

Re: Crash

Post by Kankertje »

FrEdDy wrote:Disasm BEFORE epc
Not sure if I'm doing it correctly, but uhm
calc {epc}-50

calc 0x089648D4-50
0x089648A2
disasm 0x089648A2 50


Exception - Address load/inst fetch
Thread ID - 
Th Name   - 
Module ID -
Mod Name  -
EPC       - 0x089648D4
Cause     - 0x10000010
BadVAddr  - 0x8EA57590
Status    - 0x60088613
zr:0x00000000 at:0x08A4B1BC v0:0x08C70610 v1:0x09FFF4E0
a0:0x091FEFE0 a1:0x8EA57564 a2:0x67676768 a3:0x00000025
t0:0x67676767 t1:0x00000000 t2:0x00000060 t3:0x00000006
t4:0x087F1F28 t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x093B04A0 s1:0x08C3B148 s2:0x09FFF4E0 s3:0x091F8A68
s4:0x08C3B14C s5:0x091FEFE0 s6:0x08C414A0 s7:0x091FF120
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF3D0 fp:0x00001B59 ra:0x08969E9C
0x089648D4: 0x8CA8002C ',...' - lw         $t0, 44($a1)
calc 0x089648D4-50
0x089648A2
disasm 0x089648A2 50
0x089648A0: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x089648A4: 0x03E00008 '....' - jr         $ra
0x089648A8: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x089648AC: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x089648B0: 0x00A03825 '%8..' - move       $a3, $a1
0x089648B4: 0x00072880 '.(..' - sll        $a1, $a3, 2
0x089648B8: 0x00852821 '!(..' - addu       $a1, $a0, $a1
0x089648BC: 0x8CA8002C ',...' - lw         $t0, 44($a1)
0x089648C0: 0x01063021 '!0..' - addu       $a2, $t0, $a2
0x089648C4: 0xACA6002C ',...' - sw         $a2, 44($a1)
0x089648C8: 0x8C850000 '....' - lw         $a1, 0($a0)
0x089648CC: 0x00052880 '.(..' - sll        $a1, $a1, 2
0x089648D0: 0x00852821 '!(..' - addu       $a1, $a0, $a1
0x089648D4: 0x8CA8002C ',...' - lw         $t0, 44($a1)
0x089648D8: 0x00802825 '%(..' - move       $a1, $a0
0x089648DC: 0x0106302A '*0..' - slt        $a2, $t0, $a2
0x089648E0: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x089648E4: 0x10C00005 '....' - beqz       $a2, 0x089648FC
0x089648E8: 0x00E02025 '% ..' - move       $a0, $a3
0x089648EC: 0x00803025 '%0..' - move       $a2, $a0
0x089648F0: 0x00A02025 '% ..' - move       $a0, $a1
0x089648F4: 0x0E25921C '..%.' - jal        0x08964870
0x089648F8: 0x00002825 '%(..' - move       $a1, $zr
0x089648FC: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x08964900: 0x03E00008 '....' - jr         $ra
0x08964904: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x08964908: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x0896490C: 0x00C03825 '%8..' - move       $a3, $a2
0x08964910: 0x00804025 '%@..' - move       $t0, $a0
0x08964914: 0xAFBF0014 '....' - sw         $ra, 20($sp)
0x08964918: 0x0E25920F '..%.' - jal        0x0896483C
0x0896491C: 0x00A04825 '%H..' - move       $t1, $a1
0x08964920: 0x10400006 '..@.' - beqz       $v0, 0x0896493C
0x08964924: 0x8D240000 '..$.' - lw         $a0, 0($t1)
0x08964928: 0x8D050014 '....' - lw         $a1, 20($t0)
0x0896492C: 0xAFA50010 '....' - sw         $a1, 16($sp)
0x08964930: 0x0085282A '*(..' - slt        $a1, $a0, $a1
0x08964934: 0x10A00009 '....' - beqz       $a1, 0x0896495C
0x08964938: 0x00000000 '....' - nop
0x0896493C: 0x00803025 '%0..' - move       $a2, $a0
0x08964940: 0x01002025 '% ..' - move       $a0, $t0
0x08964944: 0x0E25921C '..%.' - jal        0x08964870
0x08964948: 0x34050005 '...4' - li         $a1, 0x5
0x0896494C: 0x01002025 '% ..' - move       $a0, $t0
0x08964950: 0x34050006 '...4' - li         $a1, 0x6
0x08964954: 0x0E25921C '..%.' - jal        0x08964870
0x08964958: 0x00E03025 '%0..' - move       $a2, $a3
0x0896495C: 0x8FBF0014 '....' - lw         $ra, 20($sp)
0x08964960: 0x03E00008 '....' - jr         $ra
0x08964964: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
FrEdDy
HBL Collaborator
Posts: 243
Joined: Mon Sep 27, 2010 7:08 pm

Re: Crash

Post by FrEdDy »

Yes, you did it right, but disassemble more. Say, 100 from epc-50
https://github.com/freddy-156
<@n00b81> FREDDY CUTTIES
Kankertje
Moderator
Posts: 830
Joined: Mon Apr 23, 2012 12:22 pm

Re: Crash

Post by Kankertje »

FrEdDy wrote:Yes, you did it right, but disassemble more. Say, 100 from epc-50


Exception - Address load/inst fetch
Thread ID - 
Th Name   - 
Module ID - 
Mod Name  -
EPC       - 0x089648D4
Cause     - 0x10000010
BadVAddr  - 0x8EA57590
Status    - 0x60088613
zr:0x00000000 at:0x08A4B1BC v0:0x08C70610 v1:0x09FFF4E0
a0:0x091FEFE0 a1:0x8EA57564 a2:0x67676768 a3:0x00000025
t0:0x67676767 t1:0x00000000 t2:0x00000060 t3:0x00000006
t4:0x087F1E00 t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x093B04A0 s1:0x08C3B148 s2:0x09FFF4E0 s3:0x091F8A68
s4:0x08C3B14C s5:0x091FEFE0 s6:0x08C414A0 s7:0x091FF120
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF3D0 fp:0x00001B59 ra:0x08969E9C
0x089648D4: 0x8CA8002C ',...' - lw         $t0, 44($a1)
calc 0x089648D4-50
0x089648A2
host0:/> disasm 0x089648A2 100
0x089648A0: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x089648A4: 0x03E00008 '....' - jr         $ra
0x089648A8: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x089648AC: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x089648B0: 0x00A03825 '%8..' - move       $a3, $a1
0x089648B4: 0x00072880 '.(..' - sll        $a1, $a3, 2
0x089648B8: 0x00852821 '!(..' - addu       $a1, $a0, $a1
0x089648BC: 0x8CA8002C ',...' - lw         $t0, 44($a1)
0x089648C0: 0x01063021 '!0..' - addu       $a2, $t0, $a2
0x089648C4: 0xACA6002C ',...' - sw         $a2, 44($a1)
0x089648C8: 0x8C850000 '....' - lw         $a1, 0($a0)
0x089648CC: 0x00052880 '.(..' - sll        $a1, $a1, 2
0x089648D0: 0x00852821 '!(..' - addu       $a1, $a0, $a1
0x089648D4: 0x8CA8002C ',...' - lw         $t0, 44($a1)
0x089648D8: 0x00802825 '%(..' - move       $a1, $a0
0x089648DC: 0x0106302A '*0..' - slt        $a2, $t0, $a2
0x089648E0: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x089648E4: 0x10C00005 '....' - beqz       $a2, 0x089648FC
0x089648E8: 0x00E02025 '% ..' - move       $a0, $a3
0x089648EC: 0x00803025 '%0..' - move       $a2, $a0
0x089648F0: 0x00A02025 '% ..' - move       $a0, $a1
0x089648F4: 0x0E25921C '..%.' - jal        0x08964870
0x089648F8: 0x00002825 '%(..' - move       $a1, $zr
0x089648FC: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x08964900: 0x03E00008 '....' - jr         $ra
0x08964904: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x08964908: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x0896490C: 0x00C03825 '%8..' - move       $a3, $a2
0x08964910: 0x00804025 '%@..' - move       $t0, $a0
0x08964914: 0xAFBF0014 '....' - sw         $ra, 20($sp)
0x08964918: 0x0E25920F '..%.' - jal        0x0896483C
0x0896491C: 0x00A04825 '%H..' - move       $t1, $a1
0x08964920: 0x10400006 '..@.' - beqz       $v0, 0x0896493C
0x08964924: 0x8D240000 '..$.' - lw         $a0, 0($t1)
0x08964928: 0x8D050014 '....' - lw         $a1, 20($t0)
0x0896492C: 0xAFA50010 '....' - sw         $a1, 16($sp)
0x08964930: 0x0085282A '*(..' - slt        $a1, $a0, $a1
0x08964934: 0x10A00009 '....' - beqz       $a1, 0x0896495C
0x08964938: 0x00000000 '....' - nop
0x0896493C: 0x00803025 '%0..' - move       $a2, $a0
0x08964940: 0x01002025 '% ..' - move       $a0, $t0
0x08964944: 0x0E25921C '..%.' - jal        0x08964870
0x08964948: 0x34050005 '...4' - li         $a1, 0x5
0x0896494C: 0x01002025 '% ..' - move       $a0, $t0
0x08964950: 0x34050006 '...4' - li         $a1, 0x6
0x08964954: 0x0E25921C '..%.' - jal        0x08964870
0x08964958: 0x00E03025 '%0..' - move       $a2, $a3
0x0896495C: 0x8FBF0014 '....' - lw         $ra, 20($sp)
0x08964960: 0x03E00008 '....' - jr         $ra
0x08964964: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x08964968: 0x27BDFFE0 '...'' - addiu      $sp, $sp, -32
0x0896496C: 0x2484002C ',..$' - addiu      $a0, $a0, 44
0x08964970: 0x00002825 '%(..' - move       $a1, $zr
0x08964974: 0xAFBF0010 '....' - sw         $ra, 16($sp)
0x08964978: 0x0E2C5298 '.R,.' - jal        0x08B14A60
0x0896497C: 0x34060100 '...4' - li         $a2, 0x100
0x08964980: 0x8FBF0010 '....' - lw         $ra, 16($sp)
0x08964984: 0x03E00008 '....' - jr         $ra
0x08964988: 0x27BD0020 ' ..'' - addiu      $sp, $sp, 32
0x0896498C: 0x27BDFFF0 '...'' - addiu      $sp, $sp, -16
0x08964990: 0x3C0408BE '...<' - lui        $a0, 0x8BE
0x08964994: 0xC48CC8BC '....' - lwc1       $fpr12, -14148($a0)
0x08964998: 0x3C0440A0 '.@.<' - lui        $a0, 0x40A0
0x0896499C: 0x44846800 '.h.D' - mtc1       $a0, $fcr13
0x089649A0: 0x3C044334 '4C.<' - lui        $a0, 0x4334
0x089649A4: 0x460D6342 'Bc.F' - mul.s      $fpr13, $fpr12, $fpr1
0x089649A8: 0x44847000 '.p.D' - mtc1       $a0, $fcr14
0x089649AC: 0x460E6B43 'Ck.F' - div.s      $fpr13, $fpr13, $fpr1
0x089649B0: 0x3C044000 '.@.<' - lui        $a0, 0x4000
0x089649B4: 0x3C0508BE '...<' - lui        $a1, 0x8BE
0x089649B8: 0xC4B0C8C8 '....' - lwc1       $fpr16, -14136($a1)
0x089649BC: 0x3C0708BE '...<' - lui        $a3, 0x8BE
0x089649C0: 0x44847000 '.p.D' - mtc1       $a0, $fcr14
0x089649C4: 0x460E63C2 '.c.F' - mul.s      $fpr15, $fpr12, $fpr1
0x089649C8: 0xE4EFC8C0 '....' - swc1       $fpr15, -14144($a3)
0x089649CC: 0x460E8382 '...F' - mul.s      $fpr14, $fpr16, $fpr1
0x089649D0: 0x3C0508BE '...<' - lui        $a1, 0x8BE
0x089649D4: 0xC4EFC8C0 '....' - lwc1       $fpr15, -14144($a3)
0x089649D8: 0x3C063F00 '.?.<' - lui        $a2, 0x3F00
0x089649DC: 0xE4ADC8C4 '....' - swc1       $fpr13, -14140($a1)
0x089649E0: 0x44868800 '...D' - mtc1       $a2, $fcr17
0x089649E4: 0x3C0508BE '...<' - lui        $a1, 0x8BE
0x089649E8: 0x46118402 '...F' - mul.s      $fpr16, $fpr16, $fpr1
0x089649EC: 0x3C08457F '.E.<' - lui        $t0, 0x457F
0x089649F0: 0xE4ACC7F0 '....' - swc1       $fpr12, -14352($a1)
0x089649F4: 0x3C0D08BE '...<' - lui        $t5, 0x8BE
0x089649F8: 0x350554CD '.T.5' - ori        $a1, $t0, 0x54CD
0x089649FC: 0x3C094501 '.E.<' - lui        $t1, 0x4501
0x08964A00: 0x44856000 '.`.D' - mtc1       $a1, $fcr12
0x08964A04: 0x3C0E08BE '...<' - lui        $t6, 0x8BE
0x08964A08: 0xE5AFC7F4 '....' - swc1       $fpr15, -14348($t5)
0x08964A0C: 0x3C0F08BE '...<' - lui        $t7, 0x8BE
0x08964A10: 0xE5CEC8CC '....' - swc1       $fpr14, -14132($t6)
0x08964A14: 0x35256800 '.h%5' - ori        $a1, $t1, 0x6800
0x08964A18: 0x3C0A08BE '...<' - lui        $t2, 0x8BE
0x08964A1C: 0x44856800 '.h.D' - mtc1       $a1, $fcr13
0x08964A20: 0xE5F0C8D0 '....' - swc1       $fpr16, -14128($t7)
0x08964A24: 0x3C0B4353 'SC.<' - lui        $t3, 0x4353
0x08964A28: 0xE54CC800 '..L.' - swc1       $fpr12, -14336($t2)
0x08964A2C: 0x2545C800 '..E%' - addiu      $a1, $t2, -14336
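Added example (not part of any post in this thread): a small Python triage script for the second crash dump quoted above. It reads back, from the registers alone, what the three instructions before EPC in the posted disassembly computed. It checks that the faulting `lw $t0, 44($a1)` really hits BadVAddr, decodes Cause.ExcCode, classifies both the object pointer in $a0 and the computed pointer against an assumed PSP user-RAM range (0x08800000-0x0A000000; addresses with bit 31 set are assumed unreachable from user mode), and recovers the word at offset 0 of the object that `lw $a1, 0($a0); sll $a1, $a1, 2; addu $a1, $a0, $a1` turned into the bad pointer. Because the `sll` discards the top two bits, only 30 bits come back, so the script reports all four candidate words. The dump text embedded in the script is copied from the thread; the address ranges and the ExcCode names are the script's own assumptions.

```python
"""Crash-dump triage for the PSP-style dump posted in this thread.

Added example; not code from the thread. Only the register values and the
disassembly the posts show are used. Assumptions are marked below.
"""
import re
import struct

# Constructed from the second crash dump quoted in the thread (only the
# lines this script reads are kept; the line format is the thread's own).
CRASH_DUMP = """\
Exception - Address load/inst fetch
EPC       - 0x089648D4
Cause     - 0x10000010
BadVAddr  - 0x8EA57590
Status    - 0x60088613
zr:0x00000000 at:0x08A4B1BC v0:0x08C70610 v1:0x09FFF4E0
a0:0x091FEFE0 a1:0x8EA57564 a2:0x6667686A a3:0x00000025
t0:0x66676869 t1:0x00000000 t2:0x00000060 t3:0x00000006
t4:0x087F1E00 t5:0xDEADBEEF t6:0xDEADBEEF t7:0xDEADBEEF
s0:0x093B04A0 s1:0x08C3B148 s2:0x09FFF4E0 s3:0x091F8A68
s4:0x08C3B14C s5:0x091FEFE0 s6:0x08C414A0 s7:0x091FF120
t8:0xDEADBEEF t9:0xDEADBEEF k0:0x09FFFB00 k1:0x00000000
gp:0x00000000 sp:0x09FFF3D0 fp:0x00001B59 ra:0x08969E9C
0x089648D4: 0x8CA8002C ',...' - lw         $t0, 44($a1)
"""

# Assumption: PSP user-mode RAM is 0x08800000-0x0A000000, and any address
# with bit 31 set is a kernel/uncached segment a user thread cannot touch.
USER_LO, USER_HI = 0x08800000, 0x0A000000

# Standard MIPS Cause.ExcCode values for the two address-error exceptions.
EXCCODE_NAMES = {4: "AdEL (address error on load/fetch)",
                 5: "AdES (address error on store)"}

MASK = 0xFFFFFFFF
REG_RE = re.compile(r"\b([a-z][a-z0-9]):0x([0-9A-Fa-f]{8})")
HDR_RE = re.compile(r"^(EPC|Cause|BadVAddr|Status)\s+-\s+0x([0-9A-Fa-f]{8})", re.M)
LW_RE = re.compile(r"\blw\s+\$(\w+),\s*(-?\d+)\(\$(\w+)\)")


def parse_dump(text):
    """Return {register or header name: value} from a thread-style dump."""
    regs = {n: int(v, 16) for n, v in REG_RE.findall(text)}
    regs.update({n: int(v, 16) for n, v in HDR_RE.findall(text)})
    return regs


def faulting_load(text, regs):
    """Decode the lw printed at EPC; return (dest, base, offset, eff. addr)."""
    dest, off, base = LW_RE.search(text).groups()
    return dest, base, int(off), (regs[base] + int(off)) & MASK


def classify(addr):
    """Coarse region name for an address under the assumed memory map."""
    if USER_LO <= addr < USER_HI:
        return "user"
    if addr & 0x80000000:
        return "kernel/uncached (unreachable from user mode)"
    return "other"


def recover_obj0_candidates(regs):
    """Invert the posted sequence
         lw   $a1, 0($a0)     ; a1 = obj[0]
         sll  $a1, $a1, 2     ; a1 = obj[0] << 2   (top two bits lost)
         addu $a1, $a0, $a1   ; a1 = a0 + that
    Only 30 bits survive the shift, so four words are possible."""
    low30 = ((regs["a1"] - regs["a0"]) & MASK) >> 2
    return [(low30 | (k << 30)) & MASK for k in range(4)]


def memory_bytes(word):
    """The word as it sits in memory (PSP is little-endian)."""
    return struct.pack("<I", word & MASK)


def triage(text=CRASH_DUMP):
    regs = parse_dump(text)
    dest, base, off, ea = faulting_load(text, regs)
    cands = recover_obj0_candidates(regs)
    exccode = (regs["Cause"] >> 2) & 0x1F
    return {
        "exccode": exccode,
        "exccode_name": EXCCODE_NAMES.get(exccode, "other"),
        "load": f"lw ${dest}, {off}(${base})",
        "ea": ea,
        "ea_matches_badvaddr": ea == regs["BadVAddr"],
        "ea_region": classify(ea),
        "obj_region": classify(regs["a0"]),
        "obj0_candidates": cands,
        "obj0_bytes": [memory_bytes(w) for w in cands],
        "t0_bytes": memory_bytes(regs["t0"]),
    }


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key:20} {val:#010x}" if type(val) is int else f"{key:20} {val}")
```

On this dump the effective address equals BadVAddr, ExcCode decodes to AdEL (matching the "Address load" line), the object in $a0 sits in user RAM while the computed pointer does not, and the index word at offset 0 comes back as 0x21616161 or 0x61616161 ("aaa!" or "aaaa" in memory order, the other two candidates are non-ASCII), which is consistent with the same input string that filled $t0 also having overwritten offset 0 of the object. The pattern in $t0 (0x66676869) is "ihgf" in memory order.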