e8 9c 4f e5 ff call 0040f79ch 8b f0 mov esi eax
play

... ... e8 9c 4f e5 ff call 0040f79ch - PowerPoint PPT Presentation

Oct 19, 2023 •370 likes •849 views

... ... e8 9c 4f e5 ff call 0040f79ch 8b f0 mov esi,eax 46 inc esi 8d 85 ac fd ff ff lea eax,[ebp-254h] 33 c9 xor

  2. – – – – – – –

  15. ... ... e8 9c 4f e5 ff call 0040f79ch 8b f0 mov esi,eax 46 inc esi 8d 85 ac fd ff ff lea eax,[ebp-254h] 33 c9 xor ecx,ecx ba 04 01 00 00 mov edx,104h e8 63 aa e4 ff call 00405278h 53 push ebx 8d 85 ac fd ff ff lea eax,[ebp-254h] 50 push eax ... ...

  16. ... ... e8 9c 4f e5 ff call 0040f79ch 8b f0 mov esi,eax 46 inc esi 8d 85 ac fd ff ff lea eax,[ebp-254h] 33 c9 xor ecx,ecx ba 04 01 00 00 mov edx,104h e8 63 aa e4 ff call 00405278h 53 push ebx 8d 85 ac fd ff ff lea eax,[ebp-254h] 50 push eax ... ...

  17. ... ... e8 9c 4f e5 ff call 0040f79ch xx xx xx xx xx jmp PATCH xx xx xx xx ; leftovers CONTINUE: 33 c9 xor ecx,ecx ba 04 01 00 00 mov edx,104h e8 63 aa e4 ff call 00405278h 53 push ebx 8d 85 ac fd ff ff lea eax,[ebp-254h] 50 push eax ... ... PATCH: xx xx ; PATCH CODE xx xx ; PATCH CODE Xx xx ; PATCH CODE 8b f0 mov esi,eax 46 inc esi 8d 85 ac fd ff ff lea eax,[ebp-254h] xx xx xx xx xx jmp CONTINUE

  19. MODULE_PATH "C:\vulnerable_app\app.exe" PATCH_ID 87235 VULN_ID 993 patchlet_start PATCHLET_ID 1 PATCHLET_OFFSET 0x0000b979 N_ORIGINALBYTES 5 code_start xor eax, eax code_end patchlet_end

  24. array_extra(JSContext *cx, ArrayExtraMode mode, uintN argc, jsval *vp) { JSObject *obj; jsuint length, newlen; jsval *argv, *elemroot, *invokevp, *sp; JSBool ok, cond, hole; JSObject *callable, *thisp, *newarr; jsint start, end, step, i; void *mark; obj = JS_THIS_OBJECT(cx, vp); if (!obj || !js_GetLengthProperty(cx, obj, &length)) return JS_FALSE; switch (mode) { case REDUCE_RIGHT: start = length - 1, end = -1, step = -1; /* FALL THROUGH */ }

  25. <html> <body> <script> foo = new Array; foo.length = 0x80100000 foo.reduceRight(function(){}, 1) </script> </body> </html>

  26. array_extra(JSContext *cx, ArrayExtraMode mode, uintN argc, jsval *vp) { JSObject *obj; jsuint length, newlen; jsval *argv, *elemroot, *invokevp, *sp; JSBool ok, cond, hole; JSObject *callable, *thisp, *newarr; jsint start, end, step, i; void *mark; obj = JS_THIS_OBJECT(cx, vp); if (!obj || !js_GetLengthProperty(cx, obj, &length)) return JS_FALSE; switch (mode) { case REDUCE_RIGHT: start = length - 1, end = -1, step = -1; /* FALL THROUGH */ }

  27. array_extra(JSContext *cx, ArrayExtraMode mode, uintN argc, jsval *vp) 6b6ab96b 56 push esi { 6b6ab96c 8d7c241c lea edi,[esp+1Ch] JSObject *obj; 6b6ab970 894c242c mov dword ptr [esp+2Ch],ecx jsuint length, newlen; 6b6ab974 e807240000 call js_GetLengthProperty jsval *argv, *elemroot, *invokevp, *sp; 6b6ab979 83c404 add esp,4 JSBool ok, cond, hole; 6b6ab97c 85c0 test eax,eax JSObject *callable, *thisp, *newarr; 6b6ab97e 0f84b1ce0a00 je "return JS_FALSE" jsint start, end, step, i; void *mark; obj = JS_THIS_OBJECT(cx, vp); if (!obj || !js_GetLengthProperty(cx, obj, &length)) return JS_FALSE; switch (mode) { case REDUCE_RIGHT: start = length - 1, end = -1, step = -1; /* FALL THROUGH */ }

  28. 6b6ab96b 56 push esi 6b6ab96c 8d7c241c lea edi,[esp+1Ch] 6b6ab970 894c242c mov dword ptr [esp+2Ch],ecx 6b6ab974 e807240000 call js_GetLengthProperty 6b6ab979 83c404 add esp,4 6b6ab97c 85c0 test eax,eax 6b6ab97e 0f84b1ce0a00 je "return JS_FALSE" dword ptr [edi]

  29. 6b6ab96b 56 push esi 6b6ab96c 8d7c241c lea edi,[esp+1Ch] 6b6ab970 894c242c mov dword ptr [esp+2Ch],ecx 6b6ab974 e807240000 call js_GetLengthProperty 6b6ab979 and dword ptr [edi],7FFFFFFFh 6b6ab979 83c404 add esp,4 6b6ab97c 85c0 test eax,eax 6b6ab97e 0f84b1ce0a00 je "return JS_FALSE"

  30. 6b6ab96b 56 push esi 6b6ab96c 8d7c241c lea edi,[esp+1Ch] 6b6ab970 894c242c mov dword ptr [esp+2Ch],ecx 6b6ab974 e807240000 call js_GetLengthProperty 6b6ab979 cmp dword ptr [edi],7FFFFFFFh jbe DONE and dword ptr [edi],7FFFFFFFh call PIT_ExploitBlocked DONE: 6b6ab979 83c404 add esp,4 6b6ab97c 85c0 test eax,eax 6b6ab97e 0f84b1ce0a00 je "return JS_FALSE"

  33. 005ba7fa 53 push ebx ; ebx points to source buffer (line) 005ba7fb e89c4fe5ff call kernel32!lstrlenW ; eax is the length of the line 005ba800 8bf0 mov esi,eax 005ba802 46 inc esi ; esi is the length of the line + 1 005ba803 8d85acfdffff lea eax,[ebp-254h] 005ba809 33c9 xor ecx,ecx 005ba80b ba04010000 mov edx,104h 005ba810 e863aae4ff call zero-ize_destination_buffer 005ba815 53 push ebx ; ebx points to source buffer (line) 005ba816 8d85acfdffff lea eax,[ebp-254h] ; eax points to destination buffer ; which only has 104h bytes on stack 005ba81c 50 push eax 005ba81d e8624fe5ff call kernel32!lstrcpyW

  34. 005ba815 53 push ebx ; ebx points to source buffer (line) 005ba816 8d85acfdffff lea eax,[ebp-254h] ; eax points to destination buffer ; which only has 104h bytes on stack 005ba81c 50 push eax 005ba81d e8624fe5ff call kernel32!lstrcpyW

  35. 005ba815 53 push ebx ; ebx points to source buffer (line) 005ba816 cmp esi,104h ; esi is line length + 1 jbe DONE mov word ptr [ebx+208h],0 call PIT_ExploitBlocked DONE: 005ba816 8d85acfdffff lea eax,[ebp-254h] ; eax points to destination buffer ; which only has 104h bytes on stack 005ba81c 50 push eax 005ba81d e8624fe5ff call kernel32!lstrcpyW

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to contribute to the debate about the future of health and care provision in England The aim is to gather views, data

532 views • 17 slides
A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to

A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to

The NHS belongs to everyone: A Call to Action What is Call to Action? A Call to Action is an opportunity for everyone to contribute to the debate about the future of health and care provision in England The aim is to gather views, data

534 views • 17 slides
Transforming call recording to the cloud Record, everything. The future of call recording Call

Transforming call recording to the cloud Record, everything. The future of call recording Call

Transforming call recording to the cloud Record, everything. The future of call recording Call Recording Is a Multi billion dollar industry, which is growing as compliance, regulation and work flow processes Increase demand. Dubbers

323 views • 16 slides
PWSCF and new charge density PWSCF call read_input_file (input.f90) call run_pwscf call setup

PWSCF and new charge density PWSCF call read_input_file (input.f90) call run_pwscf call setup

PWSCF and new charge density PWSCF call read_input_file (input.f90) call run_pwscf call setup --&gt; SETUP call init_run --&gt; INIT_RUN do call electrons --&gt; ELECTRONS call forces call stress call move_ions call

195 views • 16 slides
PWSCF and diagonalization ELECTRONS call electron_scf do iter = 1, niter call c_bands

PWSCF and diagonalization ELECTRONS call electron_scf do iter = 1, niter call c_bands

PWSCF and diagonalization ELECTRONS call electron_scf do iter = 1, niter call c_bands --&gt; C_BANDS call sum_band --&gt; SUM_BAND call mix_rho call v_of_rho end do iter PWSCF call read_input_file (input.f90) call run_pwscf

458 views • 27 slides
CAM Call-in May 23rd, 2018 If you are not connected through Skype audio, call: 1-503-934-1400 Use

CAM Call-in May 23rd, 2018 If you are not connected through Skype audio, call: 1-503-934-1400 Use

Monthly Statewide CAM Call-in May 23rd, 2018 If you are not connected through Skype audio, call: 1-503-934-1400 Use Conference ID: 571761 1 CAM.oregon.gov cam.communications@state.or.us Call Agenda Project Updates: Kairi Orejuela

469 views • 16 slides
WELCOME TO OUT &amp; EQUALS 2019 SUMMIT PRESENTER CALL This is a Broadcast Audio call from

WELCOME TO OUT &amp; EQUALS 2019 SUMMIT PRESENTER CALL This is a Broadcast Audio call from

WELCOME TO OUT &amp; EQUALS 2019 SUMMIT PRESENTER CALL This is a Broadcast Audio call from 12:001:00pm Pacific Use speakers or headsets on your computer &amp; turn the volume up! Chat in questions &amp; respond to polls during the call.

473 views • 31 slides
Allowable and Unallowable Costs Audio is only available by conference call Please call:

Allowable and Unallowable Costs Audio is only available by conference call Please call:

Allowable and Unallowable Costs Audio is only available by conference call Please call: 877-692-8953 Participant Access Code: 1514610 to join the conference call portion of the webinar OFFICE OF HOUSING COUNSE July 28, 2020 LING Webinar

879 views • 42 slides
One Bay Area Grant Cycle 2 (OBAG 2) Overview Region Regions federal funding framew s

One Bay Area Grant Cycle 2 (OBAG 2) Overview Region Regions federal funding framew s

3/16/2017 Call Call for Proje for Projects Worksh Workshop op Welcom Welcome and introduct e and introduction ons 1. 1. OBAG 2 OBAG 2 over overview 2. 2. Call Call for project for projects 3. 3. Application p lication process

302 views • 11 slides
United Way of North Carolina 875 Walnut Street, Suite 150B Cary, NC 27511 Call 911 in an

United Way of North Carolina 875 Walnut Street, Suite 150B Cary, NC 27511 Call 911 in an

United Way of North Carolina 875 Walnut Street, Suite 150B Cary, NC 27511 Call 911 in an Emergency Call 811 before you dig Call 711 to access telecommunications relay services Call 611 to report a phone service issue Call

512 views • 13 slides
FHA Upda FHA Update te Audio is only available by conference call Please call (800) 260-0718

FHA Upda FHA Update te Audio is only available by conference call Please call (800) 260-0718

FHA Upda FHA Update te Audio is only available by conference call Please call (800) 260-0718 Participant Access Code: 429367 to join the conference call portion of the webinar 9/25/2017 1 OFFICE OF HOUSING COUNSELING Webinar Logistics

775 views • 35 slides
Welcome! If not using speakers and you havent already, please call into the call center number

Welcome! If not using speakers and you havent already, please call into the call center number

4/7/2020 Housekeeping Webinar Experience Welcome! If not using speakers and you havent already, please call into the call center number 02 8518 1923 and enter access code 801 914 146 Judy Grobste tein, , AuD-FAAA, MACAud Please be sure

861 views • 6 slides
Welcome! If not using speakers and you havent already, please call into the call center number

Welcome! If not using speakers and you havent already, please call into the call center number

4/6/2020 Housekeeping Webinar Experience Welcome! If not using speakers and you havent already, please call into the call center number 02 8518 1923 and enter access code 801 781 293 Judy dy Grob obste tein, AuD uD-FAAA, A, MAC ACAud

558 views • 16 slides
Welcome! If not using speakers and you havent already, please call into the call center number

Welcome! If not using speakers and you havent already, please call into the call center number

2/18/2020 Housekeeping Webinar Experience Welcome! If not using speakers and you havent already, please call into the call center number 02 8518 1923 and enter access code 809 815 825 Judy dy Grob obste tein, AuD uD-FAAA, A, MAC ACAud

642 views • 14 slides
Call-by-name, call-by-value, and the -calculus G.D. Plotkin Presented by Dietrich Geisler

Call-by-name, call-by-value, and the -calculus G.D. Plotkin Presented by Dietrich Geisler

Call-by-name, call-by-value, and the -calculus G.D. Plotkin Presented by Dietrich Geisler Call-by-name vs call-by-value Define square = xy.x*x Evaluate square(2+2, 2+3) Call-by-name (CBN) Call-by-value (CBV) square(2+2, 2+3)

441 views • 12 slides
Welcome! If not using speakers and you havent already, please call into the call center number

Welcome! If not using speakers and you havent already, please call into the call center number

2/4/2020 Housekeeping Webinar Experience Welcome! If not using speakers and you havent already, please call into the call center number 02 8518 1923 and enter access code 802 708 089 Jud udy Gro robstein, AuD uD-FAAA AA, MAC ACAud

646 views • 18 slides
Dynamic Web Applications via Collaborative Hybrid Analysis Xiaoyin Wang* UC Berkeley Lu Zhang

Dynamic Web Applications via Collaborative Hybrid Analysis Xiaoyin Wang* UC Berkeley Lu Zhang

Automating Presentation Changes in Dynamic Web Applications via Collaborative Hybrid Analysis Xiaoyin Wang* UC Berkeley Lu Zhang Peking University Tao Xie NC State University Yingfei Xiong Peking University Hong Mei Peking University *

445 views • 32 slides
Cache Policies Philipp Koehn 21 October 2019 Philipp Koehn Computer Systems Fundamentals: Cache

Cache Policies Philipp Koehn 21 October 2019 Philipp Koehn Computer Systems Fundamentals: Cache

Cache Policies Philipp Koehn 21 October 2019 Philipp Koehn Computer Systems Fundamentals: Cache Policies 21 October 2019 Memory Tradeoff 1 Fastest memory is on same chip as CPU ... but it is not very big (say, 32 KB in L1 cache)

545 views • 29 slides
Introduction to the lambda calculus Polyvios.Pratikakis@imag.fr Based on slides by Jeff Foster,

Introduction to the lambda calculus Polyvios.Pratikakis@imag.fr Based on slides by Jeff Foster,

Introductory Course on Logic and Automata Theory Introduction to the lambda calculus Polyvios.Pratikakis@imag.fr Based on slides by Jeff Foster, UMD Introduction to lambda calculus p. 1/33 History Formal mathematical system Simplest

883 views • 33 slides
Outcome-weighted sampling for Bayesian analysis Themis Sapsis and Antoine Blanchard Department

Outcome-weighted sampling for Bayesian analysis Themis Sapsis and Antoine Blanchard Department

Outcome-weighted sampling for Bayesian analysis Themis Sapsis and Antoine Blanchard Department of Mechanical Engineering Massachusetts Institute of Technology Funding: ONR, AFOSR, Sloan April 23, 2020 1 / 46 Problems-Motivation Risk

924 views • 46 slides
Looking at CNN shower Tag vs Pandora shower Tag Francesca Stocker 10.10.2019 Context: Pion

Looking at CNN shower Tag vs Pandora shower Tag Francesca Stocker 10.10.2019 Context: Pion

Looking at CNN shower Tag vs Pandora shower Tag Francesca Stocker 10.10.2019 Context: Pion Charge Exchange and Absorption Channel Pion Shower from Charge Pi0 Pion Absorption Exchange Primary Pion and Charge Inelastic Exchange

491 views • 15 slides
No-signalling assisted zero- error communication via quantum channels and the Lovsz number

No-signalling assisted zero- error communication via quantum channels and the Lovsz number

No-signalling assisted zero- error communication via quantum channels and the Lovsz number Andreas Winter (ICREA &amp; UAB Barcelona) Runyao Duan (UTS Sydney)xxxxxxxxx arXiv:1409.3426 If youve been partying... Hungover Summary 1. C

1.33k views • 87 slides
Adopting the JVM Ola Bini computational metalinguist ola.bini@gmail.com http://olabini.com/blog

Adopting the JVM Ola Bini computational metalinguist ola.bini@gmail.com http://olabini.com/blog

Adopting the JVM Ola Bini computational metalinguist ola.bini@gmail.com http://olabini.com/blog onsdag, 2010 november 03 Your host From Sweden to Chicago through ThoughtWorks Language geek at ThoughtWorks JRuby core developer, Ioke and Seph

923 views • 68 slides
Search Algorithms Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell (based on

Search Algorithms Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell (based on

Search Algorithms Combinatorial Problem Solving (CPS) Enric Rodr guez-Carbonell (based on materials by Javier Larrosa) March 27, 2020 Basic Backtracking function BT ( , X, D, C ) // : current assignment // X : vars ; D : domains; C :

639 views • 49 slides

More recommend