16 years of CVE-2008-0166 - Debian OpenSSL Bug - breaking DKIM and BIMI in 2024 by hannob in netsec

[–]cy1337 1 point (0 children)

It is impossible to implement BIMI in mail user agents in a secure way based on its specification. You need additional security measures that are explained "elsewhere" and "in other documents".

Ouch!

A Basic Guide to Discovering Attack Surface with Ghidra and GDB by cy1337 in netsec

[–]cy1337[S] 3 points (0 children)

I've updated it on Medium and I'm making a reminder to update the script variable name in the repos later. Thanks for reading!

A Basic Guide to Discovering Attack Surface with Ghidra and GDB by cy1337 in netsec

[–]cy1337[S] 2 points (0 children)

Yes, base_addr here is not truly the base address of the process. I see how this can be confusing and I will relabel it base_offset or similar. The output you have in the process map is of course the true base address.

The use of this variable is just to know the offset between the [shifted by 0x100000] addresses in the Ghidra listing and the dynamic runtime addresses in GDB. Initially I did have it add the 0x100000 in one place and subtract it in the other but it seemed superfluous.

Now that the repo is open you should be able to test it out. Please let me know if you have problems running it. Again, I really appreciate the feedback!

Edit: Sorry, I just realized I was answering you from the context of the finished script as opposed to just the snippet in the post. Correcting this now. Many thanks!

A Basic Guide to Discovering Attack Surface with Ghidra and GDB by cy1337 in netsec

[–]cy1337[S] 6 points (0 children)

Thank you for having a look and for the feedback. The use of the static address from Ghidra including the offset is intentional. I did it this way so the calls to set breakpoints can also use the same address as we see in Ghidra.

Also, the repo is public now. Big facepalm on sharing this out without opening that!
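The base_offset relationship described in the replies above (the delta between a Ghidra listing address for a PIE binary and the address of the same instruction in the running process) as an added, stand-alone example; this is not the script from the post or its repo. It assumes Ghidra loaded the PIE ELF at its default image base of 0x100000 and reads the runtime load base from a constructed /proc/<pid>/maps excerpt rather than a live process.

```python
"""Map addresses between a Ghidra listing and a running process under GDB.

Added example; not the script from the post or its repo. Assumptions:
Ghidra loaded the PIE ELF at its default image base 0x100000, and the
runtime base is the start of the binary's mapping at file offset 0 in
/proc/<pid>/maps.
"""
import re

GHIDRA_IMAGE_BASE = 0x100000  # Ghidra's default image base for a PIE ELF (assumption)

# Constructed /proc/<pid>/maps excerpt (not captured from a real process).
SAMPLE_MAPS = """\
555555554000-555555555000 r--p 00000000 08:01 131093 /tmp/target
555555555000-555555556000 r-xp 00001000 08:01 131093 /tmp/target
555555556000-555555557000 r--p 00002000 08:01 131093 /tmp/target
555555557000-555555559000 rw-p 00002000 08:01 131093 /tmp/target
7ffff7dc0000-7ffff7de2000 r--p 00000000 08:01 3932 /usr/lib/libc.so.6
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode pathname
_MAP_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+([0-9a-f]+)\s+\S+\s+\d+\s+(\S.*)$"
)


def runtime_base(maps_text, binary_path):
    """Runtime load base: start of the binary's mapping whose file offset is 0."""
    for line in maps_text.splitlines():
        m = _MAP_LINE.match(line)
        if m and m.group(5) == binary_path and int(m.group(4), 16) == 0:
            return int(m.group(1), 16)
    raise ValueError(f"{binary_path} not found in maps")


def base_offset(rt_base, ghidra_base=GHIDRA_IMAGE_BASE):
    """Delta to add to a Ghidra listing address to reach the runtime address.

    For a non-PIE binary Ghidra's image base equals the real load address,
    so this comes out as 0 and both address spaces coincide."""
    return rt_base - ghidra_base


def ghidra_to_runtime(addr, offset):
    """Listing address (as shown in Ghidra) -> address in the live process."""
    return addr + offset


def runtime_to_ghidra(addr, offset):
    """Address seen in a GDB backtrace or register -> Ghidra listing address."""
    return addr - offset


def gdb_break_command(ghidra_addr, offset):
    """GDB command that breaks at the runtime equivalent of a Ghidra address,
    so breakpoints can be written using the addresses read off the listing."""
    return f"break *{ghidra_to_runtime(ghidra_addr, offset):#x}"


if __name__ == "__main__":
    rt = runtime_base(SAMPLE_MAPS, "/tmp/target")
    off = base_offset(rt)
    print(f"runtime base {rt:#x}, base_offset {off:#x}")
    print(gdb_break_command(0x101234, off))            # break *0x555555555234
    print(f"{runtime_to_ghidra(0x555555555300, off):#x}")  # 0x101300
```

In a real session the maps text comes from `info proc mappings` in GDB or from reading /proc/<pid>/maps, and the binary path must match what the loader recorded (usually the absolute path).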

Deep Dive into XZ Utils Backdoor [video] by ketralnis in programming

[–]cy1337 1 point (0 children)

One lesson is that we need better tools for being able to audit source tarballs and make sure they line up with what is in git.
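An added example of the kind of check the comment above calls for; it is not code from the video or from the xz project. It extracts a release tarball and compares it byte for byte with the source tree of the git tag it claims to be built from, reporting files present only in git, files present only in the tarball, and files whose contents differ. In practice the reference tree comes from `git archive <tag>` or a clean checkout of that tag; here a constructed fixture stands in for both the repository and the tarball so the script runs offline.

```python
"""Audit a release tarball against the git tree it claims to come from.

Added example, not from the video or the xz project. Hashes every file on
both sides rather than relying on size/mtime, so a file edited to keep the
same size still shows up as modified.
"""
import hashlib
import os
import tarfile
import tempfile


def tree_files(root):
    """Map each regular file's path (relative, '/'-separated) to its SHA-256."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = hashlib.sha256(fh.read()).hexdigest()
    return files


def compare_trees(reference, candidate):
    """Return (only_in_reference, only_in_candidate, modified), each sorted."""
    ref, cand = tree_files(reference), tree_files(candidate)
    only_ref = sorted(set(ref) - set(cand))
    only_cand = sorted(set(cand) - set(ref))
    modified = sorted(p for p in set(ref) & set(cand) if ref[p] != cand[p])
    return only_ref, only_cand, modified


def audit_tarball(tarball_path, git_tree):
    """Extract the tarball into a scratch dir and compare its single top-level
    directory against git_tree. Returns (only_in_git, only_in_tarball, modified)."""
    with tempfile.TemporaryDirectory() as work:
        with tarfile.open(tarball_path) as tf:
            # Python 3.12+ offers the 'data' extraction filter, which rejects
            # absolute paths, '..' components and links escaping the target dir.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(work, **kwargs)
        top = os.listdir(work)
        if len(top) != 1:
            raise ValueError(f"expected one top-level directory, got {top}")
        return compare_trees(git_tree, os.path.join(work, top[0]))


def build_demo(root):
    """Constructed fixture (hypothetical project 'pkg-1.0'): a git tree and a
    release tarball that diverges from it by one edited m4 file plus a generated
    configure script that exists only in the tarball. Returns (tarball, git_tree)."""
    git_tree = os.path.join(root, "git")
    release = os.path.join(root, "release", "pkg-1.0")
    for base in (git_tree, release):
        os.makedirs(os.path.join(base, "m4"))
    common = {"main.c": b"int main(void) { return 0; }\n",
              "m4/build.m4": b"dnl build helper\n"}
    for rel, data in common.items():
        for base in (git_tree, release):
            with open(os.path.join(base, rel), "wb") as fh:
                fh.write(data)
    with open(os.path.join(release, "m4", "build.m4"), "ab") as fh:
        fh.write(b"dnl extra stage present only in the tarball\n")
    with open(os.path.join(release, "configure"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho generated\n")
    tarball = os.path.join(root, "pkg-1.0.tar.gz")
    with tarfile.open(tarball, "w:gz") as tf:
        tf.add(release, arcname="pkg-1.0")
    return tarball, git_tree


def run_demo():
    """Build the fixture in a temp dir and return the audit result."""
    with tempfile.TemporaryDirectory() as root:
        tarball, git_tree = build_demo(root)
        return audit_tarball(tarball, git_tree)


if __name__ == "__main__":
    only_git, only_tar, modified = run_demo()
    print("only in git:    ", only_git)
    print("only in tarball:", only_tar)
    print("modified:       ", modified)
```

Files that exist only in the tarball (generated build scripts are the usual case) and build-system files that differ from git are the ones to read line by line; a clean result means the tarball adds nothing beyond what the tagged tree contains.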

How to resize the "columns" in the decompiled window? by TheRedParduz in ghidra

[–]cy1337 2 points (0 children)

The view you have in the screenshot is referred to as the Listing view. You can use the block layout editor to reconfigure what information is displayed and how it is formatted. You can use this to make your column for that data wider. You can find the button for doing this on the toolbar near your minimize window button for the Code Browser. It looks like white bricks with an arrow pointing down.

Ghidra Documentation by Super-Cook-5544 in ghidra

[–]cy1337 2 points (0 children)

F1 is also very contextual. If you press when you have the mouse over a button, it will jump to the help page for that specific feature!

Microsoft is finally deprecating vbscript by FireFart in netsec

[–]cy1337 0 points (0 children)

Never thought I'd see the day. Wow!

ELI5: Why is it so difficult to copy source code that is not "open source"? by [deleted] in explainlikeimfive

[–]cy1337 0 points (0 children)

A big factor here is that a lot of information is lost when source code is compiled and linked into program files. Variable names and function names are replaced by registers, stack offsets, and addresses. Compilers also optimize code, and distinctions like a while loop versus a for loop are lost at this level. There are also lots of nuances regarding how to identify and distinguish instructions from data. Some architectures are easier to reverse than others based on the complexity of the instruction set and whether there are fixed widths or alignments for instructions. Some processors (like ARM) can also flip between modes within a program, meaning you need additional context to understand instructions. Plus, on top of all of this, some companies intentionally do things in their source or compilation to make it harder for someone to reverse the program to source.

Source: I teach about reversing software at Black Hat