
; Call through an absolute address stored inline, right after the two instructions.
; The offsets below assume ARM (A32) state, where reading pc yields the address of
; the current instruction + 8 -- NOTE(review): confirm this is not assembled as Thumb.
add lr, pc, #4          ; lr = this instruction + 12 = the word following the literal (return address)
ldr pc, [pc, #-4]       ; pc = word stored at this instruction + 4, i.e. the dcd literal below
dcd <function_address>  ; 32-bit literal holding the call target (placeholder to be filled in)
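#!/bin/bash
# sniff_remote.sh - stream a live tcpdump capture from a remote host into a local Wireshark.
#
# Usage: ./sniff_remote.sh <target ip> <ssh passwd>
#
# The capture is relayed through the named pipe /tmp/pipe. The pipe is created here
# (mode 0600) when it does not exist yet; a pipe made beforehand with
# `mkfifo /tmp/pipe` is used as-is.
#
# Security notes for anyone running this:
#   - The password is still the script's second argument, so it appears in this
#     script's own process listing and possibly in shell history. Key-based
#     authentication avoids the problem entirely.
#   - The login is a password login as root; a dedicated account allowed to run
#     only tcpdump is the less privileged choice.
#   - /tmp is world-writable and the pipe name is fixed, so on a multi-user machine
#     another local user could create or read /tmp/pipe first. The capture may
#     contain cleartext credentials; treat the pipe as sensitive.

if [ "$#" -lt 2 ]; then
    echo "usage: $0 <target ip> <ssh passwd>" >&2
    exit 1
fi

fifo=/tmp/pipe

# Without a FIFO the redirection below would silently create a regular file
# instead, so make sure a FIFO exists and stop if one cannot be created
# (for example because a regular file already occupies the path).
if [ ! -p "$fifo" ]; then
    mkfifo -m 600 "$fifo" || exit 1
fi

# sshpass -e takes the password from $SSHPASS, which keeps it out of sshpass's
# argument list. "root@$1" is quoted so a target containing whitespace cannot
# split into extra ssh arguments.
# tcpdump: -nn no name/port resolution, -U packet-buffered output, -s 0 full
# packets, -w - write pcap to stdout; "not port 22" leaves out the SSH session
# that carries the capture itself.
SSHPASS="$2" sshpass -e ssh "root@$1" "tcpdump -nn -U -s 0 -w - not port 22" > "$fifo" &

# -k starts capturing immediately, -i reads packets from the pipe.
wireshark -k -i "$fifo" &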
This is a notification that you have multiple apps, listed below, built on a version of Apache Cordova that contains security vulnerabilities. This includes a high severity cross-application scripting (XAS) vulnerability. Under certain circumstances, vulnerable apps could be remotely exploited to steal sensitive information, such as user login credentials.
You should upgrade to Apache Cordova 3.5.1 or higher as soon as possible. For more information about the vulnerabilities, and for guidance on upgrading Apache Cordova, please see http://cordova.apache.org/announcements/2014/08/04/android-351.html.
Please note, applications with vulnerabilities that expose users to risk of compromise may be considered dangerous products and subject to removal from Google Play.
Zircon Process Loader Test ONE - @depletionmode
[+] Created process object (koid: 3018)
[i] Root vmar (koid: 3019) - base: 0x1000000, len: 0x7ffffefff000
[+] Created stack region vmo (koid: 3020) - size: 4096
[+] Created code region vmo (koid: 3021) - size: 4096
[+] Wrote code to code vmo
[+] Mapped stack vmar - address: 0x72df27263000
[+] Mapped code vmar - address: 0x4273d98d0000
[+] Created thread object (koid: 3022)
// Work out the address zx_thread_exit has when the same image is mapped at vdso_base.
zx_vaddr_t zx_thread_exit_loc;
Dl_info dli;
// NOTE(review): dladdr()'s return value is ignored; if the lookup fails, dli is
// not filled in and the arithmetic below uses indeterminate values.
dladdr(&zx_thread_exit, &dli);
// (symbol address - base of the containing image) is the symbol's offset inside
// the image; adding vdso_base rebases it.
// NOTE(review): presumably vdso_base is where the vDSO is mapped in the target
// process -- confirm. Subtracting two void * values relies on a GNU extension.
zx_thread_exit_loc = (dli.dli_saddr - dli.dli_fbase) + vdso_base;
// Four-byte x86-64 stub: an indirect call through rsi, then a jump-to-self guard.
uint8_t code[] = { 0xff, 0xd6, /* call rsi */
0xeb, 0xfe /* jmp rel8 -2: branches to itself (spin) -- should never be reached */ };
// Copy the stub to offset 0 of the code VMO.
// NOTE(review): the zx_status_t returned by zx_vmo_write() is discarded, so a
// failed write would go unnoticed at this point.
zx_vmo_write(code_vmo, &code, 0, sizeof(code));
// Read the first page of the vDSO image and pick fields out of its ELF64 headers
// by raw byte offset.
// NOTE(review): info_buffer is reused as scratch space; it must hold at least
// page_size bytes -- confirm against its declaration.
uint8_t* elf_buffer = info_buffer;
// NOTE(review): status is assigned but not examined within this excerpt; the
// parsing below should only run when the read succeeded.
status = zx_vmo_read(vdso_vmo, elf_buffer, 0, page_size);
// Offset 0x20 of an ELF64 file header is e_phoff (file offset of the program header table).
// NOTE(review): the pointer casts here and below assume off_t and size_t are 8 bytes
// wide and that the buffer is suitably aligned; they also type-pun a byte buffer.
off_t e_phoff = *(off_t*)&elf_buffer[0x20];
// NOTE(review): e_phoff is not range-checked; the reads below stay inside the
// buffer only if e_phoff + 2 * 0x38 <= page_size.
uint8_t* elf_prog_hdr_tbl = elf_buffer + e_phoff;
// Program header 0: p_offset is at 0x08 and p_filesz at 0x20 of an Elf64_Phdr.
// NOTE(review): the variable names treat entry 0 as the read-only segment and
// entry 1 as the executable one; p_type / p_flags are not checked here.
off_t vdso_ro_p_offset = *(off_t*)&elf_prog_hdr_tbl[0x08];
size_t vdso_ro_p_filesz = *(size_t*)&elf_prog_hdr_tbl[0x20];
// Program header 1: same fields, one Elf64_Phdr (0x38 bytes) further on.
off_t vdso_rx_p_offset = *(off_t*)&elf_prog_hdr_tbl[0x08+0x38];
size_t vdso_rx_p_filesz = *(size_t*)&elf_prog_hdr_tbl[0x20+0x38];
// Take ownership of the vDSO VMO handle passed to this process at startup
// (handle type PA_VMO_VDSO, index 0).
// NOTE(review): the result is not compared with ZX_HANDLE_INVALID here -- confirm
// the caller handles a missing or already-taken handle.
zx_handle_t vdso_vmo = zx_take_startup_handle(PA_HND(PA_VMO_VDSO, 0));
// NOTE(review): a fixed sleep is a timing assumption, not synchronization; the
// thread state read below may not reflect a running thread on a loaded system.
sleep(1); // short delay to ensure the new thread is executing
// Query the ZX_INFO_THREAD topic for the thread into info_buffer. The two NULLs
// decline the "actual" and "available" record counts.
// NOTE(review): the returned zx_status_t is discarded, so thread_info may point
// at stale buffer contents if the call failed.
zx_object_get_info(thread,
ZX_INFO_THREAD,
info_buffer,
sizeof(info_buffer),
NULL,
NULL);
// Reinterpret the start of the buffer as the thread info record.
// NOTE(review): assumes info_buffer is aligned for zx_info_thread_t -- confirm.
zx_info_thread_t* thread_info = (zx_info_thread_t*)info_buffer;
// Create an event object; its handle is passed to zx_process_start() below as
// the fifth argument.
// NOTE(review): the status of zx_event_create() is not checked, so event may be
// left uninitialized when it is passed on.
zx_handle_t event;
zx_event_create(0u, &event);
// Start the process with `thread` as its first thread: entry point code_base,
// initial stack pointer derived from stack_base and page_size, then the event
// handle and 0 as the two trailing arguments.
// NOTE(review): the returned zx_status_t is discarded; presumably the trailing
// arguments are the arg1 handle and arg2 value handed to the new thread --
// confirm against the syscall documentation.
zx_process_start(process,
thread,
code_base,
compute_initial_stack_pointer(stack_base, page_size),
event,
0);
// Create the first thread object in `process`. 7 is the length of the name
// "initial"; options are 0.
// NOTE(review): the returned zx_status_t is discarded; on failure thread stays
// ZX_HANDLE_INVALID and later calls that use it would fail.
zx_handle_t thread = ZX_HANDLE_INVALID;
zx_thread_create(process, "initial", 7, 0, &thread);