diff options
Diffstat (limited to 'README')
| -rw-r--r-- | README | 40 |
1 files changed, 40 insertions, 0 deletions
@@ -0,0 +1,40 @@ +Warning: shit write up. +I used to have a much, much more cringy description. I've saved you from it. + +This code is from 2021. It's bad. Sorry. + +This bug is weird af, sometimes it does weird heap corruption stuff, other +times it gives you an arbitrary free. idk + +python3 poc.py | pbcopy +paste into app +profit + +super stable PoC +works about 10% of the time if you're lucky + +should free 0x1515151515151515 +it like sprays that in a similar location to the free list, and sometimes +ends up freeing it +for a more controlled free you might have to find each of the 256 values +(i haven't yet), and substitute them example: 0x41 becomes 0x15, and 0xffff +becomes 0x4 so if you spray "\x41\x41\uffff\x41\uffff\uffff\uffff\uffff" +it'll spray 0x1515041504040404, maybe something else because endianess but +fuck you, whatever also there's like an offset of 0x2 or something i add +"\uffff\uffff" at the start which seems to pad it for the address to work right +it's vaguely functional, and should at least prove the bug exists +note: this may have been patched in some big sur version (or 11.0 itself) +run on 10.15.7, it's been tested there. + + /***************************************************************************** + * liberum_arbitrium * + * * + * this uses the other jank af version where you use the length of the added * + * string as the address, which works, but is still pretty unstable (moreso i * + * think), and also is only really practical at all for small addresses, * + * because it's kinda hard to get 0x4141414141414141 bytes into memory, good * + * luck tho lmfao * + * * + * - with love from spv <3 * + * * + *****************************************************************************/ |