Quote:
Originally Posted by fonix232
The reason why I wanted to implement it in Python is because the JPEG-XR codec is incredibly complex - at least for me. Writing a simplified solution that takes an input image, encodes it to JPEG-XR using the system-provided codec, then parses the output file and adds the appropriate exploit bytes in a properly parsed object sounds much more doable. All you need is the objectified structure of the file, and addressing the exploitable parts.
I think completely "reverse-engineering" the image file would take a considerably longer time than modifying the preexisting encode algorithm, which already has this done.
I don't have any experience with exploits, but I know a fair amount about C/C++ and have a basic grasp of how memory management works.
I tried doing it your way first and I managed to get an absolute-write primitive pretty quickly.
Unfortunately, if I understand it correctly, this exploit requires at least two write primitives (one for GOT spraying and one for the actual shellcode).
Doing it once is easy because you only need to understand how the header works, but in order to pull off this exploit and get your second absolute-write primitive, you'd need to split the image into at least two tiles (tiles_num controls the number of times the buffer overflow happens).
In order to get to the second tile's header, which gives you the second write primitive, you'd need the header and body of the first tile encoded correctly. This is a considerably larger task than only getting the header encoded (with one tile).
After I realized this I was thinking about starting again from scratch with the method simonpacis suggested, but since I don't have a jailbroken Kindle to debug the image on, I decided to wait until somebody who has one (and is probably more experienced in stuff like this) can do it.