<!DOCTYPE html>
<html>
<head>
<title>Fake exploit</title>
</head>
<body>
<script>
// Two plain ArrayBuffers with Float64 views over them. Every store below is an
// ordinary in-bounds typed-array write; 0xDEADBEEF / 0xBADC0FFEE are just
// recognisable marker numbers, not addresses.
const buffer1 = new ArrayBuffer(0x10000);
const buffer2 = new ArrayBuffer(0x20000);
const floatArr1 = new Float64Array(buffer1); // 0x10000 / 8 = 8192 doubles
const floatArr2 = new Float64Array(buffer2); // 0x20000 / 8 = 16384 doubles
for (const i of floatArr1.keys()) floatArr1[i] = 0xDEADBEEF + i;
for (const i of floatArr2.keys()) floatArr2[i] = 0xBADC0FFEE + i;

// A 1000-element array of doubles (i + 0.1). The name is aspirational: nothing
// in this file reads or writes past the array's own storage; later stores at
// indices >= 1000 simply grow the array.
const oob = Array.from({ length: 1000 }, (_, i) => i + 0.1);
/**
 * Stand-in for a memory-corruption primitive. In reality this is a plain
 * JavaScript array store: `oob` is a normal Array, so an index beyond its
 * current length just grows the array, and nothing is written outside the
 * array's own storage.
 *
 * @param {number} index - element index to assign in `oob`
 * @param {*} value - value stored at `oob[index]`
 */
function vuln(index, value) {
  oob[index] = value;
}
// Park the two typed arrays at oob[1022] / oob[1023]. These are ordinary array
// stores (see vuln); they do not alias or overlap anything.
vuln(1022, floatArr1);
vuln(1023, floatArr2);

// A "fake" ArrayBuffer with a byte view, stored at oob[1023] as well.
const fakeBuffer = new ArrayBuffer(0x20000);
const fakeArr = new Uint8Array(fakeBuffer);
vuln(1023, fakeArr);

// Write 8 marker bytes at the start of buffer2 through a byte view, then read
// the same region back through a Float64 view. What gets printed is the
// script's own marker bytes reinterpreted as doubles, not leaked memory.
const leakArr = new Uint8Array(buffer2);
leakArr.set([0xFF, 0xFF, 0x00, 0x00, 0xBB, 0xBB, 0xBB, 0xBB], 0);
const leakView = new Float64Array(buffer2);
console.log("LeakView (0-16):", [...leakView.slice(0, 16)]);

// "Leaked address": the first 8 bytes of buffer1 read as a little-endian u64.
// buffer1 holds the doubles written through floatArr1, so this is the IEEE-754
// bit pattern of floatArr1[0] (0xDEADBEEF as a double), not an address.
const fakeArrForBuffer1 = new Uint8Array(buffer1);
vuln(1022, fakeArrForBuffer1);
const dataView1 = new DataView(buffer1);
const leakedAddr = dataView1.getBigUint64(0, true);
console.log(`[+] Leaked Address: 0x${leakedAddr.toString(16)}`);

// "Heap read": dumps the first 64 bytes of buffer1 as eight u64s, i.e. the bit
// patterns of floatArr1[0..7]. readBuffer is written once and never read.
const readBuffer = new ArrayBuffer(0x1000);
new DataView(readBuffer).setBigUint64(0, 0x1122334455667788n, true);
vuln(1022, readBuffer);
console.log("[+] Reading Heap:");
const readView = new DataView(buffer1);
for (let offset = 0; offset < 64; offset += 8) {
  const word = readView.getBigUint64(offset, true);
  console.log(`Offset ${offset}: 0x${word.toString(16)}`);
}

// "Backing store overwrite": copies 8 bytes within buffer1 (offset 8 -> 0),
// then writes and reads back 0x4141... at offset 0 through two views of the
// same buffer, so the "write test" succeeds trivially. targetBuffer itself is
// only stored at oob[100] and never touched.
const targetBuffer = new ArrayBuffer(0x1000);
const targetAddr = dataView1.getBigUint64(8, true);
console.log(`[+] Target Buffer Address: 0x${targetAddr.toString(16)}`);
dataView1.setBigUint64(0, targetAddr, true);
vuln(100, targetBuffer);
console.log("[+] Overwritten backing store!");
readView.setBigUint64(0, 0x4141414141414141n, true);
console.log(`[+] Write test: 0x${readView.getBigUint64(0, true).toString(16)}`);
/**
 * "JIT spray" placeholder: builds 100 identical closures, calls the first one
 * (which shows an alert and returns 0x1337) and hands that closure back.
 * It is a normal array of functions; nothing here influences where or how
 * the engine compiles code.
 *
 * @returns {() => number} the first of the 100 sprayed functions
 */
function jitSpray() {
  const makePayload = () => function () {
    alert("RCE via direct code/ JIT - Mason!");
    return 0x1337;
  };
  const spray = Array.from({ length: 100 }, makePayload);
  spray[0](); // side effect only: triggers alert()
  console.log("[+] JIT function compiled!");
  return spray[0];
}
console.log("[+] Starting JIT Spray...");
const jitFunc = jitSpray();
console.log("[+] JIT Spray completed!");
console.log("[+] Triggering JIT shellcode directly...");
jitFunc(); // an ordinary call: runs alert() and returns 0x1337

// The "guessed JIT address" is just leakedAddr, the u64 read out of buffer1
// earlier (a float bit pattern). A real address would be needed here; nothing
// below derives or uses one.
const jitAddr = leakedAddr;
console.log(`[+] Guessed JIT Address: 0x${jitAddr.toString(16)}`);
dataView1.setBigUint64(0, jitAddr, true); // overwrites buffer1[0..8] with leakedAddr
vuln(100, jitFunc); // stores the function object at oob[100]
console.log("[+] Attempting to trigger JIT shellcode via OOB...");
</script>
</body>
</html>