Quote:
Originally Posted by gabbia
Alright, I'll scroll, although I'm not too sure scrolling 80 pages and developing exploits can be compared... two different kinds of skill.
EDIT: Can't find it. I searched through the original dev's posts.
All I can gather so far is that there is most probably some sort of overflow going on, and I can't understand ";fc-cache" in the browser.
EDIT2: Also, there must be something going on with the long URL at stage1, and the main exploit is that magicfun, I guess. I just can't figure out how he gets the "jb" script to execute...
EDIT3: Also, that HTML frame in "frame.html" makes no fucking sense to me...
EDIT4: From what I can gather:
- Arbitrary bash commands can be executed on the device. Root execution is left up to the exploit (I gather this from the fact you guys say only jb needs to be put onto the device).
- There is probably an injection exploit in the browser's search feature (";fc-cache").
- The main concept is all about filling up the heap with memory until the bash script is able to write to /etc/uks/pubdevkey01.pem.
- I still don't understand where "jb" gets called, nor how magicfun helps out with writing to that root-protected file... Also, there are some things which _seem_ unnecessary to me, like that "magic string" that gets passed to magicfun. Does it have to be weird Unicode stuff, or can it just be something else?
If you don't fully understand what was said, don't attempt it.
Oh, and I can't answer your questions because I am not sure of the answers myself.