CodeJitsu targetted Shellphish running NRFIN_00063 in round 50.


Type 2 POV

Reading from protected address: 0x4347c000

0xbaaaaf00 : int 128

Tracing data from eip: 0xbaaaaf00 tracing source of register: ecx (value: 0x4347c000)

0xbaaaaef9 : shl ecx,8
0xbaaaaf00: int 128 // address: ecx value: 0x4347c000

The application exited with a segmentation fault

0: 0 // esp: 0

Execution control corruption via call.

Tracing data from eip: 0x804ef07 tracing source of register: edx (value: 0xbaaaaee1)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x804eee6 : mov edx,dword ptr [ebp-0x1c]
0x804ef07: call edx // address: edx value: 0xbaaaaee1

Execution of memory occurred that was not part of the initial text sections or an executably allocated page.

Tracing data from eip: 0xbaaaaee1 tracing source of memory: 0xbaaaaee1 (value: 0xdb31c031)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0xbaaaaee1: xor eax,eax // address: 0xbaaaaee1 value: 0xdb31c031

Curated by Lunge Technology, LLC. Questions or comments? Send us email