ForAllSecure targeted CSDS running CROMU_00055 in round 7.


Type 1 POV

eip:0xeaf4a99b - esi:0xac7e8f2e


Execution control corruption via return (return to: 0xbaaaaeb8).

Tracing data from eip: 0x9465fa5 tracing source of memory: 0xbaaaaeb8 (value: 0xbaaaaebc)

0x9465f96 : receive syscall (return)
0x9465fa5: ret // address: 0xbaaaaeb8 value: 0xbaaaaebc

Execution of memory occurred that was not part of the initial text sections or an executably allocated page.

Tracing data from eip: 0xbaaaaebc tracing source of memory: 0xbaaaaebc (value: 0xfff1fabc)

0x9465f96 : receive syscall (return)
0xbaaaaebc: mov esp,0xb7fff1fa // address: 0xbaaaaebc value: 0xfff1fabc

Negotiated general register: esi:0xac7e8f2e

Tracing data from eip: 0xbaaaaec2 tracing source of register: esi (value: 0xac7e8f2e)

0x9465f96 : receive syscall (return)
0xbaaaaec1 : pop esi
0xbaaaaec2: ret // address: esi value: 0xac7e8f2e

Curated by Lunge Technology, LLC.