spv420/liberum_arbitrium
Warning: shit write up. I used to have a much, much more cringy description. I've saved you from it. This code is from 2021. It's bad. Sorry.

This bug is weird af: sometimes it does weird heap corruption stuff, other times it gives you an arbitrary free. idk.

python3 poc.py | pbcopy
paste into app
profit

Super stable PoC, works about 10% of the time if you're lucky. It should free 0x1515151515151515: it like sprays that in a similar location to the free list, and sometimes ends up freeing it.

For a more controlled free you might have to find each of the 256 values (I haven't yet) and substitute them. Example: 0x41 becomes 0x15, and 0xffff becomes 0x4, so if you spray "\x41\x41\uffff\x41\uffff\uffff\uffff\uffff" it'll spray 0x1515041504040404, maybe something else because endianness but fuck you, whatever.

Also there's like an offset of 0x2 or something; I add "\uffff\uffff" at the start, which seems to pad it for the address to work right.

It's vaguely functional, and should at least prove the bug exists.

Note: this may have been patched in some Big Sur version (or 11.0 itself). Run on 10.15.7, it's been tested there.

/******************************************************************************
 * liberum_arbitrium                                                          *
 *                                                                            *
 * this uses the other jank af version where you use the length of the added  *
 * string as the address, which works, but is still pretty unstable (moreso i *
 * think), and also is only really practical at all for small addresses,      *
 * because it's kinda hard to get 0x4141414141414141 bytes into memory, good  *
 * luck tho lmfao                                                             *
 *                                                                            *
 * - with love from spv <3                                                    *
 *                                                                            *
 ******************************************************************************/

License: WTFPL.
About
yet again ye olde source