Yik Yak image post by Anonymous in Computer Science. 20 upvotes, 7 comments.

"Working on my first PoC!

Managed to diff out CVE-2025-24132, a buffer overflow leading to 0-click RCE on anything that uses the AirPlay SDK.

This should allow jailbreaking smart speakers and any car infotainment system ever made with CarPlay."

Anonymous 3w

Not that anyone actually gives a shit lmao. Trying to dump the firmware from my 2025 Kia and this is the best way in I have so far.

6 upvotes
Anonymous 3w

Currently trying to cannibalize pyatv's Python code for establishing a pairing session to an AirPlay device. No need to reinvent the wheel, I don't feel like reversing encryption algorithms lmao. The overflow is in the SET_PARAMETER handling, it doesn't properly check size for setting volume or artist name over Metadata. Sending a command to set volume to a 2,000,000 char long string instead of a 0-100 int will overflow the buffer.

4 upvotes
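The bug class the comment above describes, as an added illustration that is neither the AirPlay SDK's code nor the poster's PoC: a toy parser for an RTSP-style SET_PARAMETER body that copies the `volume:` value into a fixed-size field. The unchecked version trusts the value's length; the checked version rejects the value before any copy and also enforces the 0-100 integer range the comment mentions. The struct layout, the 16-byte field, the field names and the numeric range are all assumptions made for the example. The block builds its own 2,000,000-character `volume:` body (constructed input) to show the checked parser turning it away; the unchecked parser is only ever called with a short value here, since calling it with the long one is the overflow itself.

```c
/* Hypothetical SET_PARAMETER volume parser: unchecked copy beside a bounded one.
 * Not the AirPlay SDK's code. Build: cc -Wall -o setparam setparam.c && ./setparam */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VOLUME_BUF 16   /* assumed fixed-size field; real size unknown */

struct player_state {
    char volume_str[VOLUME_BUF];  /* assumed: raw value kept as text */
    int  volume;                  /* assumed: 0..100, -1 if never set */
};

/* Locate "key: value" in a CRLF-separated body; returns the value start and
 * its length with the trailing CR and spaces trimmed, or NULL if absent. */
static const char *find_param(const char *body, size_t body_len,
                              const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = body, *end = body + body_len;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t line_len = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (line_len > klen && strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1;
            while (v < p + line_len && *v == ' ') v++;
            size_t vlen = (size_t)(p + line_len - v);
            while (vlen && (v[vlen - 1] == '\r' || v[vlen - 1] == ' ')) vlen--;
            *len = vlen;
            return v;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return NULL;
}

/* VULNERABLE: copies however many bytes the client sent into a 16-byte field.
 * A value of VOLUME_BUF or more bytes writes past volume_str. Do not feed it
 * untrusted input; it is here only to show the missing check. */
int set_volume_unchecked(struct player_state *st, const char *body, size_t body_len)
{
    size_t vlen;
    const char *v = find_param(body, body_len, "volume", &vlen);
    if (!v) return -1;
    memcpy(st->volume_str, v, vlen);   /* no bound on vlen */
    st->volume_str[vlen] = '\0';
    st->volume = atoi(st->volume_str);
    return 0;
}

/* HARDENED: length is checked before any byte is copied, the value must be
 * all digits, and the parsed number must be within the assumed 0..100 range.
 * Return codes: 0 ok, -1 missing, -2 too long/empty, -3 not numeric, -4 out of range. */
int set_volume_checked(struct player_state *st, const char *body, size_t body_len)
{
    size_t vlen;
    const char *v = find_param(body, body_len, "volume", &vlen);
    if (!v) return -1;
    if (vlen == 0 || vlen >= VOLUME_BUF) return -2;   /* room for the NUL too */
    for (size_t i = 0; i < vlen; i++)
        if (v[i] < '0' || v[i] > '9') return -3;
    char tmp[VOLUME_BUF];
    memcpy(tmp, v, vlen);
    tmp[vlen] = '\0';
    long val = strtol(tmp, NULL, 10);
    if (val < 0 || val > 100) return -4;
    memcpy(st->volume_str, tmp, vlen + 1);
    st->volume = (int)val;
    return 0;
}

/* Constructed input: "volume: " followed by value_len digits and CRLF. */
char *make_volume_body(size_t value_len)
{
    const char prefix[] = "volume: ";
    size_t plen = sizeof(prefix) - 1, n = plen + value_len + 2;
    char *b = malloc(n + 1);
    if (!b) return NULL;
    memcpy(b, prefix, plen);
    memset(b + plen, '9', value_len);
    memcpy(b + plen + value_len, "\r\n", 3);   /* includes the NUL */
    return b;
}

int main(void)
{
    struct player_state st = { {0}, -1 };
    printf("checked 'volume: 50'  -> %d (volume=%d)\n",
           set_volume_checked(&st, "volume: 50\r\n", 12), st.volume);
    char *big = make_volume_body(2000000);
    if (!big) return 1;
    printf("checked 2,000,000-digit value -> %d (rejected before copying)\n",
           set_volume_checked(&st, big, strlen(big)));
    free(big);
    return 0;
}
```

The difference that matters is where the length check sits: the checked version decides on `vlen` before touching `volume_str`, so an oversized value never reaches the copy.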
Anonymous 3w

Binary Ninja is also a piece of shit... do you know how hard it is to debug something when the debugger itself has a 25% chance of segfaulting when stepping to the next instruction??

2 upvotes
Anonymous 3w

The hardest part was actually obtaining a vulnerable and patched copy of an official AirPlay SDK binary. Shout out to Crestron for being one of the few to actually patch the exploit and not encrypt their firmware lmao

1 upvote
Anonymous 3w

Then I spent another 3 weeks trying to actually get the damn binary running in QEMU so I can debug it. Got it functioning enough to send commands to and reach the vulnerable code.

1 upvote
Anonymous 3w

Now I just have to figure out how to combine this with the other type confusion CVE to leak the stack canary and find the ROP gadgets, and it should be able to get a shell.

1 upvote
Anonymous 3w

What year are you?

1 upvote