Actually, I'm wrong: once you overwrite the VID/PID from Extigy to FastTrackPro, you can't trigger the Extigy overwrite again,
Even if you used the FastTrackPro to detect when your heap spray failed, you can't do anything to clean up, and you'll crash anyways on device disconnect.
So maybe they used the FastTrackPro because the out of bound access in `usb_set_configuration` is easier to exploit than the out of bound access->arbitrary free in `usb_destroy_configuration`?
Zhuowei Zhang /
npub1cp…9e7uy
2025-04-12 20:16:20
in reply to nevent1q…pkn6
Author Public Key
npub1cppa6rw8av0n2zjc6yarum7k0nmtkka4d7qas3ndy0sqpjfz9u0sx9e7uyPublished at
2025-04-12 20:16:20Event JSON
{
"id": "e9433beee80c4489bd398c0495fcc93e22737f9afc0ae44ab241d7a277e884ac",
"pubkey": "c043dd0dc7eb1f350a58d13a3e6fd67cf6bb5bb56f81d8466d23e000c9222f1f",
"created_at": 1744488980,
"kind": 1,
"tags": [
[
"p",
"c043dd0dc7eb1f350a58d13a3e6fd67cf6bb5bb56f81d8466d23e000c9222f1f",
"wss://relay.mostr.pub"
],
[
"e",
"516793b7d6f611ec1ea016dd74c4711e3c6972a678b1e863e3814492d4391dde",
"wss://relay.mostr.pub",
"reply"
],
[
"proxy",
"https://notnow.dev/objects/a9068c54-2953-4462-897e-06515c3774e3",
"activitypub"
],
[
"client",
"Mostr",
"31990:6be38f8c63df7dbf84db7ec4a6e6fbbd8d19dca3b980efad18585c46f04b26f9:mostr",
"wss://relay.mostr.pub"
]
],
"content": "Actually, I'm wrong: once you overwrite the VID/PID from Extigy to FastTrackPro, you can't trigger the Extigy overwrite again,\n\nEven if you used the FastTrackPro to detect when your heap spray failed, you can't do anything to clean up, and you'll crash anyways on device disconnect.\n\nSo maybe they used the FastTrackPro because the out of bound access in `usb_set_configuration` is easier to exploit than the out of bound access-\u003earbitrary free in `usb_destroy_configuration`?",
"sig": "6cad30a2128d4e58154719a44d15d77742d07609d4dd0553288c8eec975721b16c353ce351f77061027e31abcf030a5dabfaa963a342d3c939a6e07b38c42f95"
}