PS3 Exploiting (?) lv2



wraggster
September 24th, 2012, 13:25
Source: naehrwert @ nwert.wordpress.com (http://nwert.wordpress.com/2012/09/19/exploiting-lv2/)

A long while ago KaKaRoTo pointed me to a stack overflow he found while reversing lv2_kernel. But there are two problems:

1. The vulnerability is in a protected syscall (the SELF calling it has to have the 0x40… control flags set). So you'd first need to find a suitable usermode exploit (don't ask us) that gives you code execution with the right privileges.

2. The payload data is copied to the lv2 heap first, and the function will do a free call on it before the payload has any chance to get executed. This might not sound like a problem, but it looks like lv2's heap implementation will overwrite the freed space with 0xABADCAFE and thus destroy the payload.

Here (http://www.dcemu.co.uk/images/submitted/pastie-4755699.cpp) is my sample implementation for 3.41 lv2_kernel (although the vulnerability should be present in all versions of lv2 up to the latest firmware); maybe one of you will find a way to overcome problem (2.) and can get something nice out of it, because right now it's only good to crash lv2.

http://www.eurasia.nu/modules.php?name=News&file=article&sid=3081
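As an added illustration of the free-poisoning behaviour the post attributes to lv2's heap (this is constructed example code, not naehrwert's sample implementation and not any PS3 code), the following C fills a freed block with the 0xABADCAFE pattern and shows why data staged in a heap block cannot be counted on to survive a free. The block size, the sample data, the big-endian byte order and the function names are assumptions; only the poison value comes from the post.

```c
/* Added example: free poisoning as a heap-hardening measure.
 * Not taken from the original post or from lv2; the arena, the sample
 * data and all names here are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fill pattern the post says lv2's heap writes over freed space. */
#define FREE_POISON 0xABADCAFEu

/* Byte of the poison pattern that belongs at offset i, big-endian word
 * order (assumption: the Cell is big-endian, so 0xABADCAFE lands in
 * memory as AB AD CA FE). */
static uint8_t poison_byte_at(size_t i) {
    return (uint8_t)(FREE_POISON >> (8 * (3 - (i & 3))));
}

/* Overwrite a freed block with the poison pattern. A trailing partial
 * word gets the leading bytes of the pattern. */
void poison_freed(void *p, size_t len) {
    uint8_t *b = (uint8_t *)p;
    for (size_t i = 0; i < len; i++)
        b[i] = poison_byte_at(i);
}

/* Count how many bytes of a block still carry the poison byte expected
 * at their offset. A freed block that is fully poisoned returns len;
 * a block that has been written to after free returns less, which is
 * the check a hardened allocator can run at reallocation time. */
size_t poisoned_bytes(const void *p, size_t len) {
    const uint8_t *b = (const uint8_t *)p;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (b[i] == poison_byte_at(i))
            n++;
    return n;
}

/* Reproduce the post's scenario in miniature: data is copied into a
 * heap block, the block is freed (with or without poisoning), and we
 * check whether the original bytes are still there.
 * Returns 1 if the data survived, 0 if the poison destroyed it. */
int data_survives_free(int poison_on_free) {
    static uint8_t heap_block[64];              /* stands in for a heap allocation */
    const char data[] = "constructed-data";     /* constructed sample payload */
    memcpy(heap_block, data, sizeof data);
    if (poison_on_free)
        poison_freed(heap_block, sizeof heap_block);
    return memcmp(heap_block, data, sizeof data) == 0;
}

int main(void) {
    printf("without poisoning, data survives free: %d\n", data_survives_free(0));
    printf("with 0xABADCAFE poisoning, data survives free: %d\n", data_survives_free(1));
    return 0;
}
```

Poisoning freed memory with a fixed, non-pointer-like pattern is a standard allocator hardening step (the same idea as kernel slab poisoning): it turns stale data in freed blocks into an immediately recognisable value, and `poisoned_bytes` shows how the allocator can also detect a write into a freed block the next time it hands that block out.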