Hi, I guess that's also my first post here. Although the idea of the exploit is not by me, I had to rewrite it to make it possible to use it for ndless installation. It's definitely not a secret anymore as ndless is open source and TI already fixed the vulnerability in 4.0 (correctly, with vsnprintf).

The vulnerability lies in a serial logging function not checking the buffer size, basically the usual

Code:
char buffer;
sprintf(buffer, "%s", string);

bug you find everywhere as the typical example for buffer overflows.

In Q&A mode (that's when you have questions in a document your teacher can correct), there are some more functions publicly accessible, like "tiassert.assert", printing an error message if the assertion fails. This is used to trigger the buffer overflow in the logging function.

Exploiting it wasn't particularly easy as "buffer" is on the heap and thus away from any code that could be overwritten easily. Also, the exploit string must not contain any 0-bytes as sprintf stops on those.

Exactly 0xbffa2 bytes after the start of buffer there's a pointer pointing to a structure with some function pointers in it we can overwrite to point to controlled data. The new copy of the structure has a function pointer overwritten that is called on USB connection and points to controlled data again. At this point, custom code is executed and ndless_resources loaded into memory and executed, the struct pointer reset and ndless is installed.

Most of the magic happens in MakeQnAInst, so if you want to take a look at it, it should make more sense now with the explanation above.

Ndless 3.6 worked in a similar way, but it was not an overflow in the logging function, it was in the toolpalette, triggered by opening the menu. Ndless 3.1 was reboot proof because the vulnerability was triggered on booting, AFAIK it was something unchecked in the header of the OS file.
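A runnable model of the chain described in the post, added here as an example; it is not code from the post, from ndless or from TI. The guest heap, its base address, the 0x1000 distance between the log buffer and the struct pointer (standing in for the real 0xbffa2), the handler-table layout and the ROM address of the firmware's USB handler are all constructed for the demo. The simulation stops at the point where the USB handler would branch into the controlled data and returns that address instead of executing it. It also builds the message so that no byte is 0x00 (the sprintf constraint from the post) and shows the vsnprintf-style fix beside the unbounded vsprintf.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit little-endian "guest heap". Every address below was
 * picked so that none of its four bytes is 0x00 (sprintf("%s") stops there). */
#define HEAP_BASE      0x10200000u
#define HEAP_SIZE      0x4000u
#define LOG_BUF        (HEAP_BASE + 0x110u)   /* serial log buffer, 64 bytes */
#define LOG_BUF_SZ     64u
#define STRUCT_PTR     (LOG_BUF + 0x1000u)    /* stand-in for the 0xbffa2 offset */
#define ORIG_STRUCT    (HEAP_BASE + 0x3010u)  /* firmware's handler table */
#define FW_USB_HANDLER 0x00012345u            /* assumed ROM address of the real handler */
#define FAKE_TBL       (LOG_BUF + 0x10u)      /* attacker copy of the table, inside the overflowed region */
#define FAKE_CODE      (LOG_BUF + 0x20u)      /* "controlled data" the fake handler points at */

static uint8_t heap[HEAP_SIZE];

static uint8_t *host(uint32_t gaddr) { return heap + (gaddr - HEAP_BASE); }

static uint32_t rd32(uint32_t a) {
    const uint8_t *p = host(a);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint32_t a, uint32_t v) {
    uint8_t *p = host(a);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Same little-endian encoding, but into the payload string being built. */
static void put32(char *p, uint32_t v) {
    p[0] = (char)v; p[1] = (char)(v >> 8); p[2] = (char)(v >> 16); p[3] = (char)(v >> 24);
}

/* The bug from the post: formatted logging into a fixed heap buffer with no size. */
static void log_serial_vuln(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsprintf((char *)host(LOG_BUF), fmt, ap);   /* writes past LOG_BUF_SZ */
    va_end(ap);
}

/* The 4.0-style fix: bound the write by the real buffer size. */
static void log_serial_fixed(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf((char *)host(LOG_BUF), LOG_BUF_SZ, fmt, ap);
    va_end(ap);
}

/* Firmware side of a USB connect: follow the table pointer and return the address
 * it would branch to. Returning instead of executing is the simulation boundary. */
static uint32_t usb_connect_event(void) {
    uint32_t tbl = rd32(STRUCT_PTR);
    return rd32(tbl);                     /* first slot: on_usb_connect */
}

/* Build the tiassert message: filler up to the table pointer, the fake table
 * placed inside that filler, then the new pointer value. Returns the address the
 * hijacked handler will land on, or 0 if the string would contain a NUL. */
static uint32_t build_payload(char *out, size_t cap) {
    size_t fill = STRUCT_PTR - LOG_BUF;
    if (cap < fill + 4 + 1) return 0;
    memset(out, 'A', fill);
    put32(out + (FAKE_TBL - LOG_BUF), FAKE_CODE);      /* fake on_usb_connect */
    put32(out + (FAKE_TBL - LOG_BUF) + 4, FAKE_CODE);  /* second slot, redirected too */
    put32(out + fill, FAKE_TBL);                       /* overwrite the table pointer */
    out[fill + 4] = '\0';                              /* the only NUL: the terminator */
    for (size_t i = 0; i < fill + 4; i++)
        if (out[i] == '\0') return 0;                  /* sprintf("%s") would stop here */
    return FAKE_CODE;
}

/* Reset the layout, log the oversized message, then fire the USB event. */
static uint32_t run_chain(int use_fixed_logger) {
    static char payload[0x1100];
    memset(heap, 0, sizeof heap);
    wr32(STRUCT_PTR, ORIG_STRUCT);
    wr32(ORIG_STRUCT, FW_USB_HANDLER);
    wr32(ORIG_STRUCT + 4, FW_USB_HANDLER);
    if (build_payload(payload, sizeof payload) == 0) return 0;
    if (use_fixed_logger) log_serial_fixed("%s", payload);
    else                  log_serial_vuln("%s", payload);
    return usb_connect_event();
}

int main(void) {
    printf("vsprintf logger:  USB handler branches to 0x%08x (FAKE_CODE = 0x%08x)\n",
           (unsigned)run_chain(0), (unsigned)FAKE_CODE);
    printf("vsnprintf logger: USB handler branches to 0x%08x (firmware handler)\n",
           (unsigned)run_chain(1));
    return 0;
}
```

With the unbounded logger the USB event branches to FAKE_CODE, the spot inside the overflowed region where the real exploit keeps its loader; with the vsnprintf logger the 64-byte cap stops the copy long before the struct pointer, so the event still reaches the firmware handler. The NUL scan in build_payload is why the guest addresses were chosen the way they were: any 0x00 byte in a pointer value would end the copy early.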
Could it be that the exploit can only be triggered via USB communication?
The new copy of the structure has a function pointer overwritten that is called on USB connection and points to controlled data again.