
Execute buffer overflow by using a corrupted .g1m?

Discuss issues related to Calculator Hacking/Modding.
Junior Member
Posts: 9
Joined: Sun Aug 21, 2016 10:33 am
Calculators: None

Execute buffer overflow by using a corrupted .g1m?

Postby Zezombye » Sat Aug 05, 2017 6:39 pm

Hi everyone, I wanted to know whether it is possible to execute assembly using a buffer overflow.
Using a corrupted g1m I managed to trigger a System error.
First execute the following code:
""->Str 1
""->Str 2
For 1->I To 255
"A"+Str 1 -> Str 1
Next
For 1->I To 127
"■"+Str 2 -> Str 2
Next

Then export Str 1 and Str 2. This will give you a g1m (or g2m, this is the same thing).
Now open it using a hex editor, then replace the null byte(s) at the end of Str 1 by another character.
Import the modified g1m, then try to do anything with Str 1 (display it, rotate it, etc). You will get a system error.

Would it be possible to execute code using that system error, or another buffer overflow? (I would be surprised if we could, but this would be a revolution for basic programs)

Edit: After a few more tests I have been able to determine that the absolute limit for strings is 316 bytes. With Str 1 = 128 bytes (without a null terminator) and Str 2 = 188 bytes (with a null terminator immediately after), you can treat these strings with the following functions:
<normal display with Locate>, StrInv, StrLeft, StrLwr, StrMid, StrRight, StrShift and StrUpr.
Those functions behave correctly and do not throw an error, though StrRight will throw an error if I make a string more than 316 bytes (and I assume the other functions do, too).

These functions throw a System ERROR with either "ADDRESS(W)" then 2 pointers, or "INTERRUPT":
StrCmp, StrLen, StrRotate, StrSrc
Interestingly, the function StrJoin only throws a memory error, not a system error.

What we'd have to do is overwrite the return pointer, which is seemingly at 317-320 bytes after the string buffer (based on what I've read about buffer overflows), then point it to a specific location - the "interrupt" thrown by some functions (StrRotate throws "ADDRESS(W)" but StrSrc throws "INTERRUPT") is probably because the pointer is recognized but invalid (but that's pure speculation). We'd have to see if we can indeed overwrite the return address, then see how we could know the offset of a specific file in RAM (for example, the offset of a program or a picture, which could contain as much code as we could fit in 64 KiB).

Senior Member
Posts: 605
Joined: Sat Sep 15, 2012 6:59 am
Location: Krautland ****
Calculators: Casio fx-7400GII, Casio fx-7400GII (SH4), Casio fx-9750GII, Casio fx-9750GII (SH4), Casio fx-9860G, Casio fx-9860G SD, Casio fx-9860G Slim, Casio fx-9860GII SD, Casio fx-9860GII SD Power Graphic 2, Casio Classpad 330 plus, Casio fx-CG20, Casio fx-CG50, Casio Classpad fx-CP400

Re: Execute buffer overflow by using a corrupted .g1m?

Postby SimonLothar » Thu Aug 10, 2017 6:34 am

SH routines which call another sub using BSR or JSR initially push the contents of register PR onto the stack:
sts.l pr, @-r15

In most cases the local stack workspace is reserved after that, f.i.
sts.l pr, @-r15
add #-h'58, r15

If any code erroneously wrote h'5C bytes to the local workspace, the PR value stored on the stack would be overwritten, and the finalizing code
add #h'58, r15
lds.l @r15+, pr
rts
nop
would try to jump to the address represented by the four overflowing bytes in the workspace.

If this is not a valid address, the processor throws an exception.
If you manage to place a valid address into these four bytes using an overflow bug, the procedure should indeed return to this address.
If you place an assembler routine into the first file of the main memory, this assembler routine should reside at a well known address in physical RAM, which could be used.
The problem is to find the proper routine in the OS which does the overflow.

As far as I am concerned, this is a very theoretical approach only.
Problems could occur concerning the processor state or the OS state.
It is unlikely that such a stunt would leave a stable system.

---
A different way would be the redirection of the interrupt handler table.
But that would require running some addin beforehand.
I use that feature with the UBC interrupt on SH3 machines only.
I'll be back!
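The frame layout SimonLothar describes (PR pushed, then h'58 bytes of workspace reserved, so an h'5C-byte write lands on the saved PR), modelled as an added C example that is not from the thread or from the calculator OS; the frame bytes, the fill byte and the SAVED_PR value are constructed placeholders, and the bounded variant shows the length check a corrected routine would need.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the SH frame described above: after
 *   sts.l pr, @-r15      ; push return address
 *   add   #-h'58, r15    ; reserve local workspace
 * the workspace occupies r15..r15+h'57 and the saved PR sits directly above
 * it at r15+h'58, because the SH stack grows toward lower addresses.
 * This is a host-side byte-array model, not the calculator's real memory. */
#define WORKSPACE_SIZE 0x58u
#define SAVED_PR       0x00300000u   /* placeholder, not a real OS address */
#define FRAME_SIZE     (WORKSPACE_SIZE + sizeof(uint32_t))

/* Simulate a routine filling its workspace with `len` bytes of `fill`.
 * bounded == 0: no length check, the defect the thread suspects in some OS
 *               string routines (writes are capped at the model size only so
 *               the host process itself stays intact).
 * bounded != 0: the check a corrected routine would have.
 * Returns the value the epilogue (lds.l @r15+,pr ; rts) would jump to. */
uint32_t simulate_return_pr(size_t len, uint8_t fill, int bounded) {
    uint8_t frame[FRAME_SIZE];
    uint32_t pr = SAVED_PR;
    memset(frame, 0, sizeof frame);
    memcpy(frame + WORKSPACE_SIZE, &pr, sizeof pr);   /* the sts.l pr,@-r15 slot */

    size_t limit = bounded ? WORKSPACE_SIZE : FRAME_SIZE;
    if (len > limit) len = limit;
    memset(frame, fill, len);                          /* the (over)write */

    memcpy(&pr, frame + WORKSPACE_SIZE, sizeof pr);    /* what rts will use */
    return pr;
}

/* 1 when the saved PR survived the write, 0 when it was clobbered. */
int pr_intact(size_t len, int bounded) {
    return simulate_return_pr(len, 'A', bounded) == SAVED_PR;
}

int main(void) {
    printf("h'58 bytes, unchecked: pr=%08x\n", (unsigned)simulate_return_pr(0x58, 'A', 0));
    printf("h'5C bytes, unchecked: pr=%08x\n", (unsigned)simulate_return_pr(0x5C, 'A', 0));
    printf("h'5C bytes, bounded:   pr=%08x\n", (unsigned)simulate_return_pr(0x5C, 'A', 1));
    return 0;
}
```

With h'58 bytes the saved PR is untouched; with h'5C unchecked bytes it reads back as the fill pattern, which is exactly the invalid address that produces the ADDRESS/INTERRUPT exceptions reported in the first post.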
