Quote: Originally Posted by tryol
I think completely "reverse-engineering" the image file would take a considerably longer time than modifying the preexisting encode algorithm, which already has this done.

I'm not talking about complete reverse engineering here - the image structure is relatively cleanly written in the JPEG-XR implementation, and that's pretty much all we need.
Quote: Originally Posted by tryol
I don't have any experience with exploits, but I know a fair amount about C/C++ and have a basic grasp of how memory management works.
I tried doing it your way first, and I managed to get an absolute-write primitive pretty quickly.
Unfortunately, if I understand it correctly, this exploit requires at least 2 of them (1 for GOT spraying and 1 for the actual shellcode).
Doing it once is easy because you only need to understand how the header works, but in order to pull off this exploit and get your 2nd absolute-write primitive, you'd need to split the image into at least 2 tiles (tiles_num controls the number of times the buffer overflow happens).
In order to get to the 2nd tile's header, which gives you the 2nd write primitive, you'd need the header and body of the first tile encoded correctly. This is a considerably larger task than only getting the header encoded (with 1 tile).

Could this be why the exploit video shows two distinct images? At least that's what it looked like to me - two separate images loaded on the same HTML page in the browser.
Quote: Originally Posted by tryol
After I realized this, I was thinking about starting again from scratch with the method simonpacis suggested, but since I don't have a jailbroken Kindle to debug the image, I decided to wait until somebody who has one (and is probably more experienced in stuff like this) can do it.

As soon as I can get my PW3 back in working order, I can help out with that - I've done the serial port modification, but for some reason my Kindle won't boot into normal mode properly (the screensaver stays on forever, and the serial terminal stops receiving input after some time). I'll see if I can wipe the device somehow; maybe that would fix it. Or I'll just flash a stock firmware image back through recovery mode.