CodeJitsu targetted Shellphish running YAN01_00015 in round 69.

Type 2 POV

Reading from protected address: 0x4347c000

0xbaaaafba : int 128

Tracing data from eip: 0xbaaaafba tracing source of register: ecx (value: 0x4347c000)

0x804939a : receive syscall (return)
0x804909b : mov bl,byte ptr [esi+ecx]
0x804909e : mov byte ptr [ebp-0x29],bl
0x80490a1 : mov bl,byte ptr [ebp-0x29]
0x80490aa : mov byte ptr [edx+ecx],bl
0x80489a8 : mov dword ptr [esp+0x4],esi
0x8048f4f : mov edx,dword ptr [ebp+0xc]
0x8048f58 : mov dword ptr [ebp-0x18],edx
0x8049127 : mov ecx,dword ptr [ebp-0x18]
0xbaaaafba: int 128 // address: ecx value: 0x4347c000

The application exited with a segmentation fault

0: 0 // esp: 0

Execution control corruption via return (return to: 0xbaaaaff8).

Tracing data from eip: 0x8048ba9 tracing source of memory: 0xbaaaaff8 (value: 0xbaaaaf6c)

0x804939a : receive syscall (return)
0x804909b : mov bl,byte ptr [esi+ecx]
0x804909e : mov byte ptr [ebp-0x29],bl
0x80490a1 : mov bl,byte ptr [ebp-0x29]
0x80490aa : mov byte ptr [edx+ecx],bl
0x8048ba9: ret // address: 0xbaaaaff8 value: 0xbaaaaf6c

Execution of memory occurred that was not part of the initial text sections or an executably allocated page.

Tracing data from eip: 0xbaaaaf6c tracing source of memory: 0xbaaaaf6c (value: 0x3a2d5851)

0x804939a : receive syscall (return)
0x804909b : mov bl,byte ptr [esi+ecx]
0x804909e : mov byte ptr [ebp-0x29],bl
0x80490a1 : mov bl,byte ptr [ebp-0x29]
0x80490aa : mov byte ptr [edx+ecx],bl
0xbaaaaf6c: push ecx // address: 0xbaaaaf6c value: 0x3a2d5851

Curated by Lunge Technology, LLC. Questions or comments? Send us email