Thread: KindleDrip — From Your Kindle’s Email Address to Using Your Credit Card
View Single Post
Old 02-16-2021, 04:54 PM   #23
fonix232
Enthusiast
fonix232 doesn't litterfonix232 doesn't litter
 
Posts: 35
Karma: 102
Join Date: Jul 2016
Device: KOA4
Quote:
Originally Posted by tryol View Post
I think completely "reverse-engineering" the image file would take a considerably longer time than modifying the preexisting encode algorithm, which already has this done.
I'm not talking about complete reverse engineering here - the image structure is relatively cleanly written in the JPEG-XR implementation, and that's pretty much all we need.

Quote:
Originally Posted by tryol View Post
I don't have any experience with exploits, but I know a fair amount about c/c++ and have a basic grasp over how memory management works.
I tried doing it your way first and I managed to get an absolute-write primitive pretty quickly.
Unfortunately if I understand it correctly, this exploit requires at least 2 (1 for GOT spraying and 1 for the actual shell code).

Doing it once is easy because you only need understand how the header works, but in order to pull off this exploit and get your 2nd absolute-write primitive, you'd need to split the image into at least 2 tiles. (tiles_num controls the amount of times the buffer overflow happens.).
In order to get to the 2nd tile's header which gives you the 2nd write primitive, you'd need the header and body of the first tile encoded correctly. This is a considerably larger task than only getting the header encoded (with 1 tile).
Could this be why the exploit video shows two distinct images? At least that's what it looked like to me - two separate images loaded on the same HTML page in the browser.

Quote:
Originally Posted by tryol View Post
After I realized this I was thinking about starting again from scratch with the method simonpacis suggested, but since I don't have a jailbroken kindle to debug the image, I decided to wait until somebody who has one (and is probably more experienced in stuff like this) can do it.
As soon as I can get my PW3 back in working order, I can help out with that - I've done the serial port modification, but for some reason my Kindle won't boot into normal mode properly (screensaver stays on forever, and serial terminal stops receiving input after some time). I'll see if I can wipe the device somehow, maybe that would fix it. Or just flash a stock firmware image back through the recovery mode.
fonix232 is offline   Reply With Quote