[01:03:17] *** Joins: [Franklin] (~franklin@unaffiliated/franklin)
[01:03:30] <[Franklin]> shadowcoder: did you get my messages from last night?
[01:04:28] Yeah
[01:05:39] <[Franklin]> ok, did you check them out?
[01:06:45] <[Franklin]> I'd say this one's the most promising: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=5dddcc45a03b336860436a180aec5b358517336b
[01:06:55] Moment,
[01:06:56] <[Franklin]> an old-as-ages off-by-one bug
[01:07:41] a close IRL friend sent me some rather time-critical writing with edit mode, so I'm assuming I'm supposed to edit it ^_^
[01:12:42] <[Franklin]> ?
[01:13:18] <[Franklin]> so... how to exploit these vulnerabilities?
[01:13:47] <[Franklin]> like you, I can't find a TTF assembler
[01:14:19] Let's get really close to a Hex Editor, shall we?
[01:14:30] <[Franklin]> I'm guessing that a very simple program would cause a crash or possible arbitrary execution
[01:14:38] <[Franklin]> so it needn't be a good one
[01:15:05] crashes are easy here
[01:15:11] it's the actual exec which I'm worried about
[01:15:16] <[Franklin]> really?
[01:15:37] <[Franklin]> well, can you crash it already?
[01:16:04] haven't tried,
[01:16:06] but in general they are
[01:16:22] <[Franklin]> it'd be good to prove that it's indeed freetype with the vulns
[01:16:30] afk
[01:16:45] * [Franklin] will be afk for ~2hrs now
[01:16:51] <[Franklin]> cya
[01:23:11] back, assuming [Franklin] isn't tho >.<
[01:33:33] <[Franklin]> ah forget that
[01:33:35] <[Franklin]> it can wait
[01:39:20] lel
[01:39:34] Let's figure out how to get some code on this thing
[01:39:41] <[Franklin]> anyway, I really can't find any doc about truetype
[01:40:26] What's the CVE ID for that off-by-one bug?
[01:42:17] @[Franklin]
[01:42:38] <[Franklin]> hmm...
[01:43:01] <[Franklin]> forgot
[01:43:04] <[Franklin]> but searching
[01:43:09] Mmk
[01:43:36] <[Franklin]> ok CVE-2012-1135
[01:45:03] [Franklin]: Do you think it would be beneficial to use join.me?
[01:45:51] <[Franklin]> nah
[01:45:54] <[Franklin]> too complicated
[01:45:58] lolk
[01:46:01] <[Franklin]> just IRC is fine
[01:46:10] Fair enough
[01:46:12] * [Franklin] invites shadowcoder to #rockbox
[02:47:14] Cross your fingers; uploading a modified font as we speak
[02:47:20] c'mon wingdings
[02:47:29] <[Franklin]> :D
[03:00:34] Phew
[03:00:41] Thought I had bricked this
[03:00:49] Thank you to whoever discovered DFU mode on this
[03:25:47] *** Joins: prof_wolfff (~prof_wolf@82.158.1.206.dyn.user.ono.com)
[03:36:19] TheSeven [Franklin]: I can now modify fonts! Woo-hoo!
[03:36:39] <[Franklin]> progress! :D
[03:36:49] <[Franklin]> now to make really weird fonts
[03:36:52] Indeed
[03:36:56] well, this is pretty weird haha
[03:37:41] <[Franklin]> pics?
[03:37:46] sec
[03:54:06] OK, TheSeven, [Franklin], user890104, I have modified a font on the device and I have a working (albeit rather time-consuming) method of preserving the length and checksums easily. Going to sign off for the night at 0200 (10 minutes), but I am another step closer to getting code exec :D
[03:54:34] (this weekend is going to be the hard part of finding a working vuln)
[03:57:28] <[Franklin]> :D
[03:57:28] <[Franklin]> nice
[04:00:48] *** Quits: gevaerts (~fg@rockbox/developer/gevaerts) (*.net *.split)
[04:00:48] *** Quits: [Saint] (~saint@rockbox/staff/saint) (*.net *.split)
[04:00:48] *** Quits: Elfish (amba@2001:1608:12:1:13:3:3:7) (*.net *.split)
[04:01:26] yay netsplit
[04:32:36] *** Joins: Elfish (amba@2001:1608:12:1:13:3:3:7)
[04:33:00] *** Joins: gevaerts (~fg@rockbox/developer/gevaerts)
[04:33:00] *** Joins: [Saint] (~saint@rockbox/staff/saint)
[04:33:29] <[Franklin]> welcome back
[04:40:12] *** Quits: gevaerts (~fg@rockbox/developer/gevaerts) (*.net *.split)
[04:40:13] *** Quits: [Saint] (~saint@rockbox/staff/saint) (*.net *.split)
[04:46:32] *** Joins: gevaerts (~fg@rockbox/developer/gevaerts)
[04:46:32] *** Joins: [Saint] (~saint@rockbox/staff/saint)
[04:47:28] *** Quits: [Franklin] (~franklin@unaffiliated/franklin) (Ping timeout: 250 seconds)
[05:12:05] *** Quits: prof_wolfff (~prof_wolf@82.158.1.206.dyn.user.ono.com) (Ping timeout: 265 seconds)
[06:45:22] *** Quits: TheSeven (~quassel@rockbox/developer/TheSeven) (Ping timeout: 265 seconds)
[06:46:45] *** Joins: TheSeven (~quassel@rockbox/developer/TheSeven)
[09:55:49] *** Quits: fmibot (~ircbot@freemyipod.org) (Remote host closed the connection)
[09:56:38] *** Joins: fmibot (~ircbot@freemyipod.org)
[09:56:38] *** ChanServ sets mode: +o fmibot
[11:06:29] *** Joins: prof_wolfff (~prof_wolf@82.158.1.206.dyn.user.ono.com)
[12:54:36] *** Joins: benedikt93 (~benedikt9@unaffiliated/benedikt93)
[13:07:15] *** Quits: Elfish (amba@2001:1608:12:1:13:3:3:7) (*.net *.split)
[13:10:15] *** Joins: Elfish (amba@2001:1608:12:1:13:3:3:7)
[13:11:50] *** Quits: gevaerts (~fg@rockbox/developer/gevaerts) (*.net *.split)
[13:11:50] *** Quits: [Saint] (~saint@rockbox/staff/saint) (*.net *.split)
[13:13:03] *** Joins: gevaerts (~fg@rockbox/developer/gevaerts)
[13:13:03] *** Joins: [Saint] (~saint@rockbox/staff/saint)
[17:24:07] *** Quits: benedikt93 (~benedikt9@unaffiliated/benedikt93) (Ping timeout: 272 seconds)
[19:11:26] *** Joins: benedikt93 (~benedikt9@unaffiliated/benedikt93)
[19:19:14] *** Quits: benedikt93 (~benedikt9@unaffiliated/benedikt93) (Ping timeout: 264 seconds)
[19:31:19] *** Joins: [Franklin] (~franklin@unaffiliated/franklin)
[20:17:11] <[Franklin]> shadowcoder: any news?
[23:57:57] *** Quits: [Franklin] (~franklin@unaffiliated/franklin) (Ping timeout: 240 seconds)
[23:59:00] *** Joins: [Franklin] (~franklin@cpe-071-071-039-006.triad.res.rr.com)