GithubHelp home page GithubHelp logo

liberum_arbitrium's Introduction

Warning: shit write up.
I used to have a much, much more cringy description. I've saved you from it.

This code is from 2021. It's bad. Sorry.

This bug is weird af, sometimes it does weird heap corruption stuff, other
times it gives you an arbitrary free. idk

python3 poc.py | pbcopy
paste into app
profit

super stable PoC
works about 10% of the time if you're lucky

should free 0x1515151515151515
it like sprays that in a similar location to the free list, and sometimes
ends up freeing it
for a more controlled free you might have to find each of the 256 values 
(i haven't yet), and substitute them example: 0x41 becomes 0x15, and 0xffff 
becomes 0x4 so if you spray "\x41\x41\uffff\x41\uffff\uffff\uffff\uffff" 
it'll spray 0x1515041504040404, maybe something else because endianess but 
fuck you, whatever also there's like an offset of 0x2 or something i add
"\uffff\uffff" at the start which seems to pad it for the address to work right
it's vaguely functional, and should at least prove the bug exists
note: this may have been patched in some big sur version (or 11.0 itself)
run on 10.15.7, it's been tested there.

 /*****************************************************************************
 *                              liberum_arbitrium                             *
 *                                                                            *
 * this uses the other jank af version where you use the length of the added  *
 * string as the address, which works, but is still pretty unstable (moreso i *
 *    think), and also is only really practical at all for small addresses,   *
 * because it's kinda hard to get 0x4141414141414141 bytes into memory, good  *
 *                                luck tho lmfao                              *
 *                                                                            *
 *                           - with love from spv <3                          *
 *                                                                            *
 *****************************************************************************/

License: WTFPL.

liberum_arbitrium's People

Contributors

spv420 avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.