-[nemo@fry:~]$ printf "\xca\xfe\xba\xbe\x66\x66\x66\x66" > bob
-[nemo@fry:~]$ otool -L bob
Segmentation fault
printf() isn't for everyone apparently ;o — that file is just a fat header (FAT_MAGIC) followed by an nfat_arch of 0x66666666, so presumably otool trusts the arch count and walks off the end of the eight-byte file. The snippets below (apparently from the same disassembler code) also hand table-driven names to printf() as the format argument instead of printf("%s", name); the names look like they come from static tables, so the open question is whether a '%' can ever reach them.
if(dp->adr_mode == PREFIX){
if(prefix_dp != NULL)
printf(dp->name);
prefix_dp = dp;
prefix_byte = byte;
}
or:
case 'C': /* Control Register */
printf(i860_controlregs[GET_RS2(opcode)]);
break;
or:
if(prefix_dp != NULL)
printf(prefix_dp->name);
}
} /* line 1337 */
Just noticed that OS X supports using gdb as a just-in-time debugger, i.e. prompting when an application crashes and letting you launch the debugger on the crashed process.
To set this up, use the application:
/Developer/Applications/Utilities/CrashReporterPrefs.app
/*
* Get the list of mappings the caller wants us to establish.
*/
mapping_count = uap->mappingCount; /* the number of mappings */
if (mapping_count == 0) {
error = 0; /* no mappings: we're done ! */
goto done;
} else if (mapping_count <= SFM_MAX_STACK) {
mappings = &stack_mappings[0];
} else {
kr = kmem_alloc(kernel_map,
(vm_offset_t *) &mappings,
(vm_size_t) (mapping_count *
sizeof (mappings[0]))); // -( nemo )- big mapping_count wraps
if (kr != KERN_SUCCESS) {
error = ENOMEM;
goto done;
}
}
....
user_mappings = uap->mappings; /* the mappings, in user space */
error = copyin(user_mappings,
mappings,
(mapping_count * sizeof (mappings[0]))); // -( nemo )- wraps here too!
if (error != 0) {
goto done;
}
....
for (j = 0; j < mapping_count; j++) { // -( nemo )- doesnt wrap here though :<
....
/* get a relative offset i##nside the shared segments */
mappings[j].sfm_address -= GLOBAL_SHARED_TEXT_SEGMENT; // ;/
Mar 4 01:31:08 gir kernel[0]: HFS: /rsrc paths are deprecated (file/rsrc)
However, from the kernel source:
/*
* There are only 3 valid fork suffixes:
* "/..namedfork/rsrc"
* "/..namedfork/data"
* "/rsrc" (legacy)
*/
Using file/..namedfork/rsrc reaches the same resource fork with no alert at all — only the legacy "/rsrc" form produces the syslog line, so anything that relies on that message to notice resource-fork writes will miss the ..namedfork spelling entirely:
-[nemo@gir:~]$ wc -l /var/log/system.log
18 /var/log/system.log
-[nemo@gir:~]$ cat >> file/rsrc
hello world
-[nemo@gir:~]$ wc -l /var/log/system.log
19 /var/log/system.log
-[nemo@gir:~]$ cat >> file/..namedfork/rsrc
w00
-[nemo@gir:~]$ wc -l /var/log/system.log
19 /var/log/system.log
-[nemo@gir:~]$
- nemo
mach_msg_return_t
mach_msg_send(
mach_msg_header_t *msg,
mach_msg_option_t option,
mach_msg_size_t send_size,
mach_msg_timeout_t send_timeout,
mach_port_name_t notify)
{
ipc_space_t space = current_space();
vm_map_t map = current_map();
ipc_kmsg_t kmsg;
mach_msg_return_t mr;
mach_msg_size_t msg_and_trailer_size;
mach_msg_max_trailer_t *trailer;
if ((send_size < sizeof(mach_msg_header_t)) || (send_size & 3)) // -( nemo )- : no need to check max size
return MACH_SEND_MSG_TOO_SMALL;
msg_and_trailer_size = send_size + MAX_TRAILER_SIZE; // -( nemo )- : just let it wrap instead.
kmsg = ipc_kmsg_alloc(msg_and_trailer_size);
if (kmsg == IKM_NULL)
return MACH_SEND_NO_BUFFER;
(void) memcpy((void *) kmsg->ikm_header, (const void *) msg, send_size); // -( nemo )- : yay
- nemo
Proud Winner of Some Mac Sooks award (who seem to think they know something about something they don't know.)
The above image and comment wasn't done by nemo, as he's on a flight. You have andrewg to thank for that ;) :P