ForAllSecure targetted Shellphish running CROMU_00094 in round 4.

Type 2 POV

Reading from protected address: 0x4347c47c

0xbaaaaaa4 : mov ecx,dword ptr [edi-0xf0b7dd7]

Execution control corruption via return (return to: 0xbaaaaad8).

Tracing data from eip: 0x8048dcf tracing source of memory: 0xbaaaaad8 (value: 0xbaaaaa9f)

0x804d18d : receive syscall (return)
0x804bff9 : mov dl,byte ptr [eax]
0x804bffb : mov byte ptr [ebp-0x12],dl
0x804c0f2 : mov al,byte ptr [ebp-0x12]
0x804c103 : mov byte ptr [ecx],al
0x804c587 : mov dl,byte ptr [eax]
0x804c597 : mov byte ptr [eax],dl
0x804c587 : mov dl,byte ptr [eax]
0x804c597 : mov byte ptr [eax],dl
0x8048dcf: ret // address: 0xbaaaaad8 value: 0xbaaaaa9f

Execution of memory occurred that was not part of the initial text sections or an executably allocated page.

Tracing data from eip: 0xbaaaaa9f tracing source of memory: 0xbaaaaa9f (value: 0x534253bf)

0x804d18d : receive syscall (return)
0x804bff9 : mov dl,byte ptr [eax]
0x804bffb : mov byte ptr [ebp-0x12],dl
0x804c0f2 : mov al,byte ptr [ebp-0x12]
0x804c103 : mov byte ptr [ecx],al
0x804c587 : mov dl,byte ptr [eax]
0x804c597 : mov byte ptr [eax],dl
0x804c587 : mov dl,byte ptr [eax]
0x804c597 : mov byte ptr [eax],dl
0xbaaaaa9f: mov edi,0x52534253 // address: 0xbaaaaa9f value: 0x534253bf

Curated by Lunge Technology, LLC. Questions or comments? Send us email