CodeJitsu targeted ForAllSecure running NRFIN_00063 in round 58.


Type 1 POV

eip:0xa8402ea4 - ebp:0xa4624ce6


The application exited with a segmentation fault

0x804e970: 0x804e970 // esp: 0xbaaaaf14

Execution control corruption via return (return to: 0xbaaaaf14).

Tracing data from eip: 0x804e970 tracing source of memory: 0xbaaaaf14 (value: 0xa8402ea4)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x804e970: ret // address: 0xbaaaaf14 value: 0xa8402ea4

Negotiated general register: ebp:0xa4624ce6

Tracing data from eip: 0x804e970 tracing source of register: ebp (value: 0xa4624ce6)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x804e96f : pop ebp
0x804e970: ret // address: ebp value: 0xa4624ce6

Curated by Lunge Technology, LLC.