Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00
parent ed5918f284
commit 41c959a465
52 changed files with 1 additions and 0 deletions
--- a/PwnCollege/V8Exploitation/Level2/patch
+++ b/PwnCollege/V8Exploitation/Level2/patch
@@ -0,0 +1,123 @@
+diff --git a/src/d8/d8.cc b/src/d8/d8.cc
+index facf0d86d79..6b31fe2c371 100644
+--- a/src/d8/d8.cc
+++ b/src/d8/d8.cc
+@@ -1283,6 +1283,64 @@ struct ModuleResolutionData {
+ 
+ }  // namespace
+ 
+void Shell::GetAddressOf(const v8::FunctionCallbackInfo<v8::Value>& info) {
+  v8::Isolate* isolate = info.GetIsolate();
+
+  if (info.Length() == 0) {
+    isolate->ThrowError("First argument must be provided");
+    return;
+  }
+
+  internal::Handle<internal::Object> arg = Utils::OpenHandle(*info[0]);
+  if (!IsHeapObject(*arg)) {
+    isolate->ThrowError("First argument must be a HeapObject");
+    return;
+  }
+  internal::Tagged<internal::HeapObject> obj = internal::Cast<internal::HeapObject>(*arg);
+
+  uint32_t address = static_cast<uint32_t>(obj->address());
+  info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, address));
+}
+
+void Shell::ArbRead32(const v8::FunctionCallbackInfo<v8::Value>& info) {
+	Isolate *isolate = info.GetIsolate();
+	if (info.Length() != 1) {
+		isolate->ThrowError("Need exactly one argument");
+		return;
+	}
+	internal::Handle<internal::Object> arg = Utils::OpenHandle(*info[0]);
+	if (!IsNumber(*arg)) {
+		isolate->ThrowError("Argument should be a number");
+		return;
+	}
+	internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
+	internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
+	uint32_t addr = static_cast<uint32_t>(internal::Object::NumberValue(*arg));
+	uint64_t full_addr = base_addr + (uint64_t)addr;
+	uint32_t result = *(uint32_t *)full_addr;
+	info.GetReturnValue().Set(v8::Integer::NewFromUnsigned(isolate, result));
+}
+
+void Shell::ArbWrite32(const v8::FunctionCallbackInfo<v8::Value>& info) {
+	Isolate *isolate = info.GetIsolate();
+	if (info.Length() != 2) {
+		isolate->ThrowError("Need exactly 2 arguments");
+		return;
+	}
+	internal::Handle<internal::Object> arg1 = Utils::OpenHandle(*info[0]);
+	internal::Handle<internal::Object> arg2 = Utils::OpenHandle(*info[1]);
+	if (!IsNumber(*arg1) || !IsNumber(*arg2)) {
+		isolate->ThrowError("Arguments should be numbers");
+		return;
+	}
+	internal::PtrComprCageBase cage_base = internal::GetPtrComprCageBase();
+	internal::Address base_addr = internal::V8HeapCompressionScheme::GetPtrComprCageBaseAddress(cage_base);
+	uint32_t addr = static_cast<uint32_t>(internal::Object::NumberValue(*arg1));
+	uint32_t value = static_cast<uint32_t>(internal::Object::NumberValue(*arg2));
+	uint64_t full_addr = base_addr + (uint64_t)addr;
+	*(uint32_t *)full_addr = value;
+}
+
+ void Shell::ModuleResolutionSuccessCallback(
+     const FunctionCallbackInfo<Value>& info) {
+   DCHECK(i::ValidateCallbackInfo(info));
+@@ -3364,7 +3422,13 @@ Local<FunctionTemplate> Shell::CreateNodeTemplates(
+ 
+ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   Local<ObjectTemplate> global_template = ObjectTemplate::New(isolate);
+-  global_template->Set(Symbol::GetToStringTag(isolate),
+  global_template->Set(isolate, "GetAddressOf",
+                       FunctionTemplate::New(isolate, GetAddressOf));
+  global_template->Set(isolate, "ArbRead32",
+                       FunctionTemplate::New(isolate, ArbRead32));
+  global_template->Set(isolate, "ArbWrite32",
+                       FunctionTemplate::New(isolate, ArbWrite32));
+/*  global_template->Set(Symbol::GetToStringTag(isolate),
+                        String::NewFromUtf8Literal(isolate, "global"));
+   global_template->Set(isolate, "version",
+                        FunctionTemplate::New(isolate, Version));
+@@ -3385,13 +3449,13 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   global_template->Set(isolate, "readline",
+                        FunctionTemplate::New(isolate, ReadLine));
+   global_template->Set(isolate, "load",
+-                       FunctionTemplate::New(isolate, ExecuteFile));
+                       FunctionTemplate::New(isolate, ExecuteFile));*/
+   global_template->Set(isolate, "setTimeout",
+                        FunctionTemplate::New(isolate, SetTimeout));
+   // Some Emscripten-generated code tries to call 'quit', which in turn would
+   // call C's exit(). This would lead to memory leaks, because there is no way
+   // we can terminate cleanly then, so we need a way to hide 'quit'.
+-  if (!options.omit_quit) {
+/*  if (!options.omit_quit) {
+     global_template->Set(isolate, "quit", FunctionTemplate::New(isolate, Quit));
+   }
+   global_template->Set(isolate, "testRunner",
+@@ -3410,7 +3474,7 @@ Local<ObjectTemplate> Shell::CreateGlobalTemplate(Isolate* isolate) {
+   if (i::v8_flags.expose_async_hooks) {
+     global_template->Set(isolate, "async_hooks",
+                          Shell::CreateAsyncHookTemplate(isolate));
+-  }
+  }*/
+ 
+   return global_template;
+ }
+diff --git a/src/d8/d8.h b/src/d8/d8.h
+index a19d4a0eae4..476675a7150 100644
+--- a/src/d8/d8.h
+++ b/src/d8/d8.h
+@@ -507,6 +507,9 @@ class Shell : public i::AllStatic {
+   };
+   enum class CodeType { kFileName, kString, kFunction, kInvalid, kNone };
+ 
+  static void GetAddressOf(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void ArbRead32(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void ArbWrite32(const v8::FunctionCallbackInfo<v8::Value>& args);
+   static bool ExecuteString(Isolate* isolate, Local<String> source,
+                             Local<String> name,
+                             ReportExceptions report_exceptions,