ForAllSecure targeted TECHx running CROMU_00094 in round 9.


Type 1 POV

eip:0x6474e39f - esi:0x72c838ab


Execution control corruption via return (return to: 0xbaaaaae0).

Tracing data from eip: 0x804bc21 tracing source of memory: 0xbaaaaae0 (value: 0xbaaaaaa4)

0x804acad : receive syscall (return)
0x804b4a8 : mov dl,byte ptr [eax]
0x804b4aa : mov byte ptr [ebp-0x12],dl
0x804b51a : mov al,byte ptr [ebp-0x12]
0x804b52b : mov byte ptr [ecx],al
0x8048411 : mov dl,byte ptr [eax]
0x8048421 : mov byte ptr [eax],dl
0x8048411 : mov dl,byte ptr [eax]
0x8048421 : mov byte ptr [eax],dl
0x804bc21: ret // address: 0xbaaaaae0 value: 0xbaaaaaa4

Execution of memory occurred that was not part of the initial text sections or an executably allocated page.

Tracing data from eip: 0xbaaaaaa4 tracing source of memory: 0xbaaaaaa4 (value: 0x62afabc)

0x804acad : receive syscall (return)
0x804b4a8 : mov dl,byte ptr [eax]
0x804b4aa : mov byte ptr [ebp-0x12],dl
0x804b51a : mov al,byte ptr [ebp-0x12]
0x804b52b : mov byte ptr [ecx],al
0x8048411 : mov dl,byte ptr [eax]
0x8048421 : mov byte ptr [eax],dl
0x8048411 : mov dl,byte ptr [eax]
0x8048421 : mov byte ptr [eax],dl
0xbaaaaaa4: mov esp,0x8062afa // address: 0xbaaaaaa4 value: 0x62afabc

Negotiated general register: esi:0x72c838ab

Tracing data from eip: 0xbaaaaaaa tracing source of register: esi (value: 0x72c838ab)

0x804acad : receive syscall (return)
0xbaaaaaa9 : pop esi
0xbaaaaaaa: ret // address: esi value: 0x72c838ab

Curated by Lunge Technology, LLC.