Hi,
On 31. 07. 20, 5:23, Yang Yingliang wrote:
> void execute_one(void)
> {
>   intptr_t res = 0;
>   res = syz_open_dev(0xc, 4, 1);

open(/dev/tty1)

>   if (res != -1)
>     r[0] = res;
>   *(uint16_t*)0x20000000 = 0xc;
>   *(uint16_t*)0x20000002 = 0x373;
>   *(uint16_t*)0x20000004 = 0x1442;
>   syscall(__NR_ioctl, r[0], 0x5609ul, 0x20000000ul);

VT_RESIZE(12, 883)

>   memcpy((void*)0x20003500, "\x7f\x45\x4c\x46\x00\x00\x00...
>   syscall(__NR_write, r[0], 0x20003500ul, 0x381ul);

Write 381 bytes of some ELF to the tty.

OK, that's it. Thanks.