From cb847c47696e38e080d3b9511d68a73a6741ae71 Mon Sep 17 00:00:00 2001
From: "spv.sh" <spv@spv.sh>
Date: Tue, 18 Apr 2023 12:30:16 -0400
Subject: ye olde source

---
 README | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 README

(limited to 'README')

diff --git a/README b/README
new file mode 100644
index 0000000..a956a8f
--- /dev/null
+++ b/README
@@ -0,0 +1,40 @@
+Warning: shit write up.
+I used to have a much, much more cringy description. I've saved you from it.
+
+This code is from 2021. It's bad. Sorry.
+
+This bug is weird af, sometimes it does weird heap corruption stuff, other
+times it gives you an arbitrary free. idk
+
+python3 poc.py | pbcopy
+paste into app
+profit
+
+super stable PoC
+works about 10% of the time if you're lucky
+
+should free 0x1515151515151515
+it like sprays that in a similar location to the free list, and sometimes
+ends up freeing it
+for a more controlled free you might have to find each of the 256 values 
+(i haven't yet), and substitute them example: 0x41 becomes 0x15, and 0xffff 
+becomes 0x4 so if you spray "\x41\x41\uffff\x41\uffff\uffff\uffff\uffff" 
+it'll spray 0x1515041504040404, maybe something else because endianess but 
+fuck you, whatever also there's like an offset of 0x2 or something i add
+"\uffff\uffff" at the start which seems to pad it for the address to work right
+it's vaguely functional, and should at least prove the bug exists
+note: this may have been patched in some big sur version (or 11.0 itself)
+run on 10.15.7, it's been tested there.
+
+ /*****************************************************************************
+ *                              liberum_arbitrium                             *
+ *                                                                            *
+ * this uses the other jank af version where you use the length of the added  *
+ * string as the address, which works, but is still pretty unstable (moreso i *
+ *    think), and also is only really practical at all for small addresses,   *
+ * because it's kinda hard to get 0x4141414141414141 bytes into memory, good  *
+ *                                luck tho lmfao                              *
+ *                                                                            *
+ *                           - with love from spv <3                          *
+ *                                                                            *
+ *****************************************************************************/
-- 
cgit v1.2.3