Things that are not BGGP3 Entries

Posted by eatscrayon

Forum: Da Slop Pit Group

Looking for crashes has been fun and I have learned a lot.
I have been down some rabbit holes and found some funny bugs.
Here are some things that are NOT BGGP3 submissions that I wanted to share :)

#1 ChaosPro 4.0.249 (latest) Buffer Overrun
-------------------------------------------
Buffer overrun when importing a jpg named:
BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3BGGP3333@A^.jpg
File>Import>jpg
I spent a little time looking at ChaosPro because it is a fun program, and they stuff all of the fractal formulas into the EXIF data when you export an image so that you can import them and keep playing with the fractal.

#2 FamiTracker v0.4.6 (latest) DLL Hijacking
-------------------------------------------
Place a file named VERSION.DLL in the same directory as FamiTracker and launch it.
If you run Process Monitor, look for "NAME NOT FOUND"; that means the program is looking for a file it can't find. If you create a garbage DLL and launch the program, you get an immediate crash. Could you specially craft a malicious DLL and execute code? Probably.

#3 Tampering with Windows event logs
-------------------------------------------
I wanted to crash Event Viewer on Windows, but it turns out they ignore most of the data in the header of .evtx files!
Anyway, if you want to modify header data (and probably events too, idk) in a Windows log file, here is some Python that will calculate the correct checksum.

import zlib

# EVTX file header ("ElfFile"), 128 bytes, little-endian. The CRC32 stored at
# offset 124 covers only the first 120 bytes, i.e. everything before the
# 4-byte flags field at offset 120 and the checksum itself.
signature     = b'\x45\x6C\x66\x46\x69\x6C\x65\x00'      # "ElfFile\0"
first_chunk   = b'\x00\x00\x00\x00\x00\x00\x00\x00'      # first chunk number
last_chunk    = b'\x00\x00\x00\x00\x00\x00\x00\x00'      # last chunk number
next_record   = (0).to_bytes(8, byteorder='little')      # next record identifier
header_size   = (128).to_bytes(4, byteorder='little')
minor_version = (2).to_bytes(2, byteorder='little')      # version 3.2 (Windows 8 and later)
major_version = (3).to_bytes(2, byteorder='little')
data_offset   = (4096).to_bytes(2, byteorder='little')   # first chunk starts at 0x1000
number_chunks = (1).to_bytes(2, byteorder='little')
padding       = (0).to_bytes(76, byteorder='little')     # unused, 76 zero bytes

header   = b''.join([signature, first_chunk, last_chunk, next_record, header_size,
                     minor_version, major_version, data_offset, number_chunks, padding])
flags    = b'\xFF\xFF\xFF\xFF'                           # file flags, not covered by the CRC
checksum = (zlib.crc32(header) & 0xffffffff).to_bytes(4, byteorder='little')

final_header = b''.join([header, flags, checksum])       # 128 bytes; bytes 128..4095 stay zero
print(final_header.hex())



That's all for now!



0 Replies
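Added example, not code from the post above: the script in #3 builds one header from constants, so the natural follow-up is the other direction, parsing an existing EVTX file header, checking whether its stored CRC32 still matches, and re-stamping it after a field has been changed. It also goes one level further than the post and re-stamps the two checksums inside a 64 KiB chunk header (the event-records CRC at offset 52 and the header CRC at offset 124), which is what you need if you edit the events themselves. Field offsets follow the publicly documented EVTX layout (the same one the post's script encodes); the header and chunk bytes used in the demo are constructed in the script, not read from a real log, and all function names are this example's own.

```python
"""Parse, verify and re-stamp EVTX file-header and chunk checksums.

Added example for the post above, not the author's code. Layout follows the
public EVTX format notes; the sample bytes below are constructed here.
"""
import struct
import zlib

# File header: 128 bytes, little-endian, followed by zeros up to offset 4096.
FILE_HEADER_FMT = "<8sQQQIHHHH76sII"
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)      # 128
FILE_HEADER_FIELDS = (
    "signature", "first_chunk", "last_chunk", "next_record_id", "header_size",
    "minor_version", "major_version", "chunk_data_offset", "number_of_chunks",
    "unknown", "flags", "checksum",
)
FILE_SIGNATURE = b"ElfFile\x00"
CHUNK_SIGNATURE = b"ElfChnk\x00"
CHUNK_SIZE = 0x10000                                     # every chunk is 64 KiB


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_file_header(buf: bytes) -> dict:
    """Unpack the 128-byte file header into a dict keyed by field name."""
    values = struct.unpack(FILE_HEADER_FMT, buf[:FILE_HEADER_SIZE])
    return dict(zip(FILE_HEADER_FIELDS, values))


def file_header_checksum_ok(buf: bytes) -> bool:
    """Stored CRC32 (offset 124) must equal the CRC32 of the first 120 bytes."""
    return parse_file_header(buf)["checksum"] == crc32(buf[:120])


def restamp_file_header(buf: bytes) -> bytes:
    """Return a copy of buf with the file-header checksum recomputed."""
    out = bytearray(buf)
    struct.pack_into("<I", out, 124, crc32(bytes(out[:120])))
    return bytes(out)


def patch_file_header(buf: bytes, **fields) -> bytes:
    """Overwrite named header fields (e.g. number_of_chunks=7) and re-stamp."""
    hdr = parse_file_header(buf)
    unknown = set(fields) - set(FILE_HEADER_FIELDS)
    if unknown:
        raise KeyError(f"unknown header field(s): {sorted(unknown)}")
    hdr.update(fields)
    packed = struct.pack(FILE_HEADER_FMT, *(hdr[n] for n in FILE_HEADER_FIELDS))
    return restamp_file_header(packed + buf[FILE_HEADER_SIZE:])


def build_file_header(*, first_chunk=0, last_chunk=0, next_record_id=0,
                      number_of_chunks=1, minor_version=2, flags=0) -> bytes:
    """Fresh 128-byte header with a valid checksum (version 3.2 = Windows 8+).
    The post used flags 0xFFFFFFFF; 0x1 (dirty) and 0x2 (full) are the
    documented values, and 0 is what a cleanly closed log carries."""
    packed = struct.pack(FILE_HEADER_FMT, FILE_SIGNATURE, first_chunk, last_chunk,
                         next_record_id, FILE_HEADER_SIZE, minor_version, 3, 4096,
                         number_of_chunks, b"\x00" * 76, flags, 0)
    return restamp_file_header(packed)


def restamp_chunk(chunk: bytes) -> bytes:
    """Recompute both chunk checksums: the event-records CRC32 (offset 52)
    covers bytes 512 up to the free-space offset (offset 48); the header CRC32
    (offset 124) covers bytes 0-120 plus 128-512 (string/template tables)."""
    if len(chunk) != CHUNK_SIZE or chunk[:8] != CHUNK_SIGNATURE:
        raise ValueError("not an EVTX chunk")
    out = bytearray(chunk)
    free_space_offset, = struct.unpack_from("<I", out, 48)
    struct.pack_into("<I", out, 52, crc32(bytes(out[512:free_space_offset])))
    struct.pack_into("<I", out, 124, crc32(bytes(out[:120]) + bytes(out[128:512])))
    return bytes(out)


def chunk_checksums_ok(chunk: bytes) -> bool:
    """True when both stored chunk checksums match the ranges they cover."""
    free_space_offset, = struct.unpack_from("<I", chunk, 48)
    stored_records, = struct.unpack_from("<I", chunk, 52)
    stored_header, = struct.unpack_from("<I", chunk, 124)
    return (stored_records == crc32(chunk[512:free_space_offset])
            and stored_header == crc32(chunk[:120] + chunk[128:512]))


if __name__ == "__main__":
    hdr = build_file_header(number_of_chunks=1, next_record_id=42)
    print("fresh header checksum ok:", file_header_checksum_ok(hdr))
    tampered = bytearray(hdr)
    struct.pack_into("<H", tampered, 42, 7)              # number_of_chunks := 7, no re-stamp
    print("tampered, stale checksum ok:", file_header_checksum_ok(bytes(tampered)))
    fixed = restamp_file_header(bytes(tampered))
    print("tampered, re-stamped ok:", file_header_checksum_ok(fixed))
    print(fixed.hex())
```

Nothing here is a secret: anyone who can write the file can re-stamp every CRC, so a matching checksum says "not corrupted", not "not tampered with". If you are on the defending side, gaps in EventRecordID, a last_chunk/next_record_id that disagrees with the chunk contents, or a log that only exists on the host and was never forwarded are what actually give tampering away.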