Shellphish targetted CSDS running NRFIN_00063 in round 60.


Type 1 POV

eip:0xe0d28601 - esi:0xe00d7971


Execution control corruption via call.

Tracing data from eip: 0x804ef07 tracing source of register: edx (value: 0xe0d28601)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x804eee6 : mov edx,dword ptr [ebp-0x1c]
0x804ef07: call edx // address: edx value: 0xe0d28601

Negotiated general register: esi:0xe00d7971

Tracing data from eip: 0x804ef07 tracing source of register: esi (value: 0xe00d7971)

0x805245d : receive syscall (return)
0x80520df : mov dl,byte ptr [ecx+eax+0xc]
0x80520e3 : mov byte ptr [ebp-0x11],dl
0x80520f5 : movsx eax,byte ptr [ebp-0x11]
0x80520f9 : mov dword ptr [ebp-0x8],eax
0x80520fc : mov eax,dword ptr [ebp-0x8]
0x8051f06 : mov byte ptr [ebp-0x21],dl
0x8051f47 : mov al,byte ptr [ebp-0x21]
0x8051f5b : mov byte ptr [edx+ecx],al
0x804eee9 : mov esi,dword ptr [ebp-0x18]
0x804eeec : add esi,0x8
0x804ef07: call edx // address: esi value: 0xe00d7971

Curated by Lunge Technology, LLC. Questions or comments? Send us email