mega.nz/file/hwEHDQSL#…
7.50, expects payload on 9020/tcp. Applied patches: mmap, mprotect, syscall everywhere, kexec, delayed panics. Note: there is no Mira/HEN for 7.50 yet!
Some valid 7.02 addresses:
0x200eb00d8
0x200f300d8
0x200fb00d8
0x2011100d8
The success rate is about 10% for the last one. Unfortunately the exploit then crashes in the critical section in leakJSC. Will now investigate how to fix it.
Another FreeBSD PoC, now utilizing TheFlow's hint. Does not do any zone drains, so should be more portable.
Fun fact: it **seems** that the function tweeted by TheFlow does not need to be buggy. A patched one would also do its job.
Fix for the crash in leakJSC():
after debug_log("[+] Got a relative read"); insert
var tmp_spray = {};
for(var i = 0; i < 100000; i++)
tmp_spray['Z'.repeat(8 * 2 * 8 - 5 - LENGTH_STRINGIMPL) + (''+i).padStart(5, '0')] = 0x1337;