This assumption allowed us to predict where our exploit's allocations were going relative to the leaked pointer, allowing us to compute the approximate tip of our sprayed data:

```
0x7fd186200b50: 0x0000000000000000 0x0000000000000000
```

We also noticed that the MALLOC_TINY heap rather deterministically 'expands backwards' in chunks of ~256 MB.

While we didn't have time to research the true purpose of this pointer, we noted that it gave us a rough idea as to where the end of the MALLOC_TINY heap was in a fresh WindowServer instance.

The private SkyLight/CoreGraphics entry points the proof-of-concept resolves at runtime are declared as function pointers:

```c
int (*CGSNewConnection)(int, int *);
int (*SLPSRegisterForKeyOnConnection)(int, void *, unsigned int, bool);
void resolve_symbols(void);
```

The proof-of-concept source (poc.m) carries the following header:

```objc
// CVE-2018-4193 Proof-of-Concept by RET2 Systems, Inc.
// compiled with: clang -framework Foundation -framework Cocoa poc.m -o poc
#import
```